Differences

This shows you the differences between two versions of the page.

--- vpn_site2site_usando_zerotier_con_bridge_en_lxc [2024/10/28 17:26] – [Troubleshooting Guide: Enabling Forwarding Between LXC and ZeroTier Networks] oso
+++ vpn_site2site_usando_zerotier_con_bridge_en_lxc [2025/07/10 15:41] (current) – oso
@@ Line 107: / Line 107: @@
 ----
-===== About the IPTables Setup =====
-**Summary of IPTables Configuration for Gateway Setup**
-We configured IPTables to allow `srv05` to act as a gateway between the `10.241.0.0/16` network (Zerotier subnet) and `192.168.88.0/24` (homelab subnet). Key adjustments included using network addresses rather than specific interface names to facilitate flexible routing and translation between subnets.
-### IPTables Rules Configuration
-The configuration is as follows:
-<code>
-# Generated by iptables-save v1.8.10 (nf_tables) on Sun Oct 27 21:46:33 2024
-*filter
-:INPUT ACCEPT [27860:3271118]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -p tcp -m tcp --dport 6162 -m comment --comment "Veeam transport rule" -j ACCEPT
--A INPUT -p tcp -m tcp --dport 6160 -m comment --comment "Veeam deployment rule" -j ACCEPT
-COMMIT
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
--A POSTROUTING -o lxcbr0 -s 10.241.0.0/16 -j SNAT --to-source 192.168.88.84
-COMMIT
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD DROP [0:0]
--A FORWARD -s 10.241.0.0/16 -d 192.168.88.0/24 -j ACCEPT
--A FORWARD -s 192.168.88.0/24 -d 10.241.0.0/16 -j ACCEPT
-:OUTPUT ACCEPT [0:0]
-COMMIT
-</code>
-==== Notes ====
-  * **Routing**: By using network address-based rules instead of specific interfaces, the configuration is more adaptable to interface changes, simplifying maintenance.
-  * **SNAT Rule**: The ''POSTROUTING'' rule in the ''*nat'' table ensures that traffic originating from the `10.241.0.0/16` network and routed through `lxcbr0` is translated to the source IP `192.168.88.84`.
-  * **Unprivileged LXC Consideration**: If switching to unprivileged LXC containers, additional permissions or network namespace adjustments may be required, as unprivileged containers have restricted access to networking by default.
-----
-==== Troubleshooting Guide: Enabling Forwarding Between LXC and ZeroTier Networks ====
-When troubleshooting connectivity between an LXC bridge (''lxcbr0'') and a ZeroTier VPN interface, follow these steps to ensure proper forwarding of traffic.
-=== Step 1: Log All Forwarded Packets ===
-Yes, you can enable logging in ''iptables'' to capture details about forwarded packets and potentially see why pings from your router aren’t reaching the ZeroTier VPN.
-Here’s a basic process to enable logging and capture relevant details:
-== Step 1: Add a Logging Rule in ''iptables'' ==
-You can add a logging rule before the DROP rule on the ''FORWARD'' chain. Here’s how:
-<code>
-# Log all forwarded packets
-sudo iptables -I FORWARD 1 -j LOG --log-prefix "FORWARD DROP: " --log-level 4
-</code>
-This command inserts a logging rule at the top of the ''FORWARD'' chain with:
-  - ''--log-prefix "FORWARD DROP: " '' to make it easy to identify in the logs.
-  - ''--log-level 4'' to set the logging priority (INFO level).
-== Step 2: Check the Logs ==
-After adding the logging rule, you can view logged packets in the system log files, typically in ''/var/log/syslog'' or ''/var/log/messages'', depending on your system configuration.
-Use this command to see recent logs:
-<code>tail -f /var/log/syslog | grep "FORWARD DROP:"</code>
-This will show only the logs with the prefix `FORWARD DROP:`, making it easier to analyze just the forwarded traffic.
-== Step 3: Analyze the Log Output ==
-In the log, you should see details like the source and destination IP addresses, ports, and interfaces involved. If the packets are getting dropped, `iptables` might be blocking them for one of the following reasons:
-  * A DROP rule after your LOG rule.
-  * Missing MASQUERADE/SNAT rule (for forwarding between interfaces).
-  * Routing issues on the router or VPN settings.
-== Step 4: Remove Logging Rule After Debugging ==
-Once you've found the issue, remember to remove the logging rule to avoid excessive log entries:
-<code>sudo iptables -D FORWARD -j LOG --log-prefix "FORWARD DROP: " --log-level 4</code>
-If you’re still having issues, it might help to check if the NAT configuration is correct for forwarding traffic from your router to ZeroTier.
-=== Step 2: Allow Forwarding from lxcbr0 to ZeroTier Interface ===
-Allow traffic from ''lxcbr0'' (LXC bridge) to reach the ZeroTier interface (e.g., ''ztkse3ixxp''):
-<code> sudo iptables -I FORWARD 2 -i lxcbr0 -o ztkse3ixxp -j ACCEPT </code>
-=== Step 3: Allow Reverse Path for Response Traffic ===
-Add a reverse rule to allow return traffic from ZeroTier to the LXC bridge:
-<code> sudo iptables -I FORWARD 2 -i ztkse3ixxp -o lxcbr0 -j ACCEPT </code>
-=== Step 4: Enable NAT (If Required) ===
-Enable NAT to allow traffic between ZeroTier and ''192.168.88.0/24'' if required:
-<code> sudo iptables -t nat -A POSTROUTING -o ztkse3ixxp -s 192.168.88.0/24 -j MASQUERADE </code>
-=== Step 5: Verify IP Forwarding is Enabled ===
-Check and enable IP forwarding if not already active:
-<code> sysctl net.ipv4.ip_forward sudo sysctl -w net.ipv4.ip_forward=1 </code>
-To persist this change, add ''net.ipv4.ip_forward=1'' to ''/etc/sysctl.conf''.
-=== Step 6: Test and Monitor ===
-After applying these configurations, test connectivity and monitor the syslog for any packets dropped by the ''FORWARD'' chain. Reviewing logs can help identify further firewall adjustments if needed.