Differences

This shows you the differences between two versions of the page.

--- vpn_site2site_usando_zerotier_con_bridge_en_lxc [2024/10/28 16:57] – [Notes] oso
+++ vpn_site2site_usando_zerotier_con_bridge_en_lxc [2025/07/10 15:41] (current) – oso
@@ Line 107: / Line 107: @@
 ----
-===== About the IPTables Setup =====
-**Summary of IPTables Configuration for Gateway Setup**
-We configured IPTables to allow `srv05` to act as a gateway between the `10.241.0.0/16` network (Zerotier subnet) and `192.168.88.0/24` (homelab subnet). Key adjustments included using network addresses rather than specific interface names to facilitate flexible routing and translation between subnets.
-### IPTables Rules Configuration
-The configuration is as follows:
-<code>
-# Generated by iptables-save v1.8.10 (nf_tables) on Sun Oct 27 21:46:33 2024
-*filter
-:INPUT ACCEPT [27860:3271118]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -p tcp -m tcp --dport 6162 -m comment --comment "Veeam transport rule" -j ACCEPT
--A INPUT -p tcp -m tcp --dport 6160 -m comment --comment "Veeam deployment rule" -j ACCEPT
-COMMIT
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
--A POSTROUTING -o lxcbr0 -s 10.241.0.0/16 -j SNAT --to-source 192.168.88.84
-COMMIT
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD DROP [0:0]
--A FORWARD -s 10.241.0.0/16 -d 192.168.88.0/24 -j ACCEPT
--A FORWARD -s 192.168.88.0/24 -d 10.241.0.0/16 -j ACCEPT
-:OUTPUT ACCEPT [0:0]
-COMMIT
-</code>
-==== Notes ====
-  * **Routing**: By using network address-based rules instead of specific interfaces, the configuration is more adaptable to interface changes, simplifying maintenance.
-  * **SNAT Rule**: The ''POSTROUTING'' rule in the ''*nat'' table ensures that traffic originating from the `10.241.0.0/16` network and routed through `lxcbr0` is translated to the source IP `192.168.88.84`.
-  * **Unprivileged LXC Consideration**: If switching to unprivileged LXC containers, additional permissions or network namespace adjustments may be required, as unprivileged containers have restricted access to networking by default.
-----
-==== Troubleshooting Guide: Enabling Forwarding Between LXC and ZeroTier Networks ====
-When troubleshooting connectivity between an LXC bridge (''lxcbr0'') and a ZeroTier VPN interface, follow these steps to ensure proper forwarding of traffic.
-=== Step 1: Allow Forwarding from lxcbr0 to ZeroTier Interface ===
-To allow traffic from ''lxcbr0'' (LXC bridge) to reach the ZeroTier interface (e.g., ''ztkse3ixxp''), add an ''iptables'' rule in the ''FORWARD'' chain:
-<code>
-sudo iptables -I FORWARD 1 -i lxcbr0 -o ztkse3ixxp -j ACCEPT
-</code>
-This command permits traffic from ''lxcbr0'' to the ZeroTier VPN interface.
-=== Step 2: Allow Reverse Path for Response Traffic ===
-To allow return traffic from ZeroTier to the LXC bridge, add a reverse rule:
-<code>
-sudo iptables -I FORWARD 1 -i ztkse3ixxp -o lxcbr0 -j ACCEPT
-</code>
-This allows responses from ZeroTier-connected devices to reach devices on the ''lxcbr0'' network.
-=== Step 3: Enable NAT (If Required) ===
-If the ZeroTier network doesn’t natively recognize the ''192.168.88.0/24'' network, enable NAT to masquerade the source IP for outgoing packets. This ensures return traffic finds its way back to the originating network:
-<code>
-sudo iptables -t nat -A POSTROUTING -o ztkse3ixxp -s 192.168.88.0/24 -j MASQUERADE
-</code>
-This step is essential if routing between networks is not configured.
-=== Step 4: Verify IP Forwarding is Enabled ===
-Check if IP forwarding is active:
-<code>
-sysctl net.ipv4.ip_forward
-</code>
-If the output is ''0'', enable IP forwarding temporarily with:
-<code>
-sudo sysctl -w net.ipv4.ip_forward=1
-</code>
-To make this change persistent across reboots, add the following line to ''/etc/sysctl.conf'':
-<code>
-net.ipv4.ip_forward=1
-</code>
-=== Step 5: Test and Monitor ===
-After applying these configurations, test connectivity (e.g., with ''ping'') and monitor the syslog or ''dmesg'' for any ''FORWARD DROP'' entries.