IPv4 Forwarding (NAT) only works after toggling IPv4 forwarding to off then on

debian nat routing ufw proxmox

This literally makes no sense and I'm stumped about why this is happening, but hear me out.

Currently I'm using Proxmox 6 (Debian) and I created a NAT so VMs/LXC containers can communicate between them + having internet connectivity to the outside world. I'm also using ufw for firewall stuff.

I was able to create the NAT connection fine, VMs can communicate between them, great!

...but internet connectivity doesn't work at all, why? I have no idea, but I found out that if I do this...

echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward

The issue is magically fixed. Yes, ip_forward is enabled on UFW's config

#
# Configuration file for setting network variables. Please note these settings
# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
# Documentation/networking/ip-sysctl.txt in the kernel source code for more
# information.
#

# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

And if I reboot the machine and do cat /proc/sys/net/ipv4/ip_forward, the result is 1, but internet connectivity is broken until I toggle it on and off!

So I'm stumped, I have no idea why this is happen and while there is a dirty workaround (toggling it off and on) I wanted to know if there is a correctly to fix this issue.


The manual of ip_forward configuration parameter says:

This variable is special, its change resets all configuration parameters to their default state (RFC1122 for hosts, RFC1812 for routers)

So, the simplest hypothesis is that something else (of sysctl) is misconfigured and the problem disappears only when it is reset to default.


This is a bug in ifupdown2, dhcp interfaces are not being IPv4 forwarded by default, even if you set the forwarding in sysctl.conf

Here's a thread where spirit found out about this bug: https://forum.proxmox.com/threads/reloading-ifupdown2-breaks-internet-connectivity-within-containers-vms-until-toggling-ip-forward.78933/#post-349753

As a workaround, you can add ip-forward 1 to the /etc/network/interfaces or you can toggle IPv4 forwarding manually (just like what I did in the question)

Related

How to use different network interfaces for different users?
How to run Ghost and PrestaShop on the same domain, when hosted on different providers?
Restart Django/uWSGI vassal in uWSGI emperor mode
Problem with symbolic links in FTP client
Can I set dmarc to tell receiver to fail if no DKIM signature provided in email?
How often do apps go on sale in the App Store?
Resetting Advertising ID on iPad does not work?
Toggling between chunk of input in iterm2 with "Alt + arrow left/right" writes "[D" instead jumping from chunk to chunk
Restore previous-released OS version(mojave) from catalina public beta
How to rebuild my Font Book database
Updating to a newer macOS version - how can I avoid potential pitfalls? [duplicate]
For 10.14.6 what does "Improves file-sharing reliability over SMB" mean, specifically?