Is it possible to open all ports for a VM?

JonatanP

New Member
Apr 23, 2014
Elche, Spain
Hello, I have a dedicated server, but there is no option to buy an "IP-Failover", so I need to use the same IP that the dedicated server has, and the problem is the ports.

I have Windows Server installed. I only want one VM with this OS, using the same IP that the dedicated server has.

If it is not possible to open all ports, then I will open them port by port, no problem.

I hope this is possible. I have searched a lot on Google but have not found anything that works.

Thanks.
 
Hello JonatanP,

It depends on what exactly your needs are and what your configuration looks like.

I suppose:

- the dedicated server has PROXMOX installed (if not, this is not the right forum, but you should consider using PROXMOX; it is free and simple to install and use)

- it has just one KVM, which is a Windows server

If so, you have the following possibilities (maybe more):

- port forwarding via "iptables -t nat"; you can decide which protocols/ports are handled by the host and which by the VM

- set up a VPN tunnel to your server and then connect directly to the VM using its local address (preparation on the remote client necessary)

- use IPv6

If you provide more details, it will be easier to suggest an optimal solution.

Kind regards

Mr.Holmes
 
Hello, thanks for your reply Mr.Holmes

Yes, I have a dedicated server, but this dedicated server does not currently allow buying an IP-Failover or installing Windows, and I need Windows for hosting websites with ASP.NET and Microsoft SQL Server (MSSQL).

I need to open these ports, for example: 8443 (for Plesk Panel Power Pack 11.5), 1443 for MSSQL, and others. And because I can't buy an IP-Failover, I need to use the same IP that the dedicated server has.

Regards.
 
Hello JonatanP,

In this case I'd recommend the solution with iptables:

Specify something like this (in order to leave only SSH access and port 9999, e.g. for a VPN, on the server and forward everything else to the VM):

# Traffic leaving the VM goes out with the public IP as its source
iptables -t nat -A POSTROUTING -s 192.168.1.10 -j SNAT --to-source 91.92.93.94
# One rule with both exceptions: two separate "! --dport" rules would each forward the port the other one excludes
iptables -t nat -A PREROUTING -d 91.92.93.94 -p tcp -m multiport ! --dports 22,9999 -j DNAT --to-destination 192.168.1.10

etc.

91.92.93.94 is an example public IP
192.168.1.10 is an example of the Windows VM's local IP

In addition, you can install a VPN (on port 9999 in the example above) on the server in order to keep full maintenance access.

Note: iptables is very powerful and flexible, but also very complex; testing the settings in a local environment is strongly recommended so that you do not block access to your production environment. Moreover, this solution is not PROXMOX- or KVM-specific. Google for iptables examples to get a good understanding of how to use it!

Kind regards

Mr.Holmes
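
Added example, not part of the original posts: the port-by-port variant of the forwarding described above, as a shell function that prints the iptables rules for an explicit allowlist instead of forwarding everything. The helper name `gen_forward_rules`, the `HOST_PORTS` list and the FORWARD rules are assumptions; the addresses and ports are the example values from the thread.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules that forward only
# an explicit list of ports from the host's public IP to a single VM.
HOST_PORTS="22 9999"   # assumption: ports kept on the host (SSH, VPN)

# gen_forward_rules PUBLIC_IP VM_IP PROTO/PORT...   (hypothetical helper)
gen_forward_rules() {
    pub=$1; vm=$2; shift 2
    out="sysctl -w net.ipv4.ip_forward=1"
    for spec in "$@"; do
        proto=${spec%%/*}; port=${spec#*/}
        case $proto in
            tcp|udp) ;;
            *) echo "bad protocol in '$spec'" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*|??????*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$spec'" >&2; return 1
        fi
        for hp in $HOST_PORTS; do
            if [ "$port" -eq "$hp" ]; then
                echo "refusing to forward host port $port" >&2; return 1
            fi
        done
        # DNAT rewrites the destination; the FORWARD rule admits the new
        # flow (it matters when the FORWARD policy is DROP).
        out="$out
iptables -t nat -A PREROUTING -d $pub -p $proto --dport $port -j DNAT --to-destination $vm:$port
iptables -A FORWARD -d $vm -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Replies to accepted flows, then source NAT for the VM's own traffic.
    out="$out
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $vm -j SNAT --to-source $pub"
    printf '%s\n' "$out"
}

# Constructed sample call: the thread's example addresses and the two ports it names.
gen_forward_rules 91.92.93.94 192.168.1.10 tcp/8443 tcp/1443
```

The printed rules are meant to be reviewed and then run as root on the host; a request to forward port 22 or 9999 is rejected so that host access cannot be redirected to the VM by mistake.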
 
How about setting up a virtualized firewall such as pfSense with one WAN IP address and one virtual IP for multiple LANs? That way you can install multiple Windows Servers with multiple LAN-side IPs. In pfSense you have to set up one common virtual IP such as 192.168.1.254.

WAN Modem --> pfSense ----> LAN 1 192.168.1.252 \                                   / Windows Server #1 192.168.1.1
                      |                           ---> Virtual IP 192.168.1.254 -->
                      |---> LAN 2 192.168.1.253 /                                   \ Windows Server #2 192.168.1.2

Then just do port forwarding from the WAN IP to the Virtual IP. Not sure if it all makes sense to you, but if I understand correctly, this should accomplish what you are trying to do. FYI, the pfSense in this example is virtualized. I am sure you already have a physical firewall between the WAN modem and your Proxmox cluster.
 
Hello, Mr.Holmes
I see and understand, but I'm very new to this and I don't know how to configure it. Do I configure the server as NAT or vmbr2? (I would like to know all the steps I should take. Right now I have my machine installed, and it has Internet access.)
I think I need a full guide to configure this; it is not at all easy for me. I hope you understand me.

Thanks.

Hello, symmcom
I don't know what pfSense is. I'm going to Google now to learn about it; it seems interesting.

Thanks.
 
pfSense is one of the very best firewalls, based on FreeBSD. It can be used both on physical hardware and virtualized. Its abilities can be extended significantly through different modules and services. The entire firewall can be configured through the GUI. By using a virtualized firewall you can truly create multiple fully isolated virtual networks within one Proxmox cluster. The best part is that pfSense is FREE. There are many other virtual firewall options out there, but I prefer pfSense because it is simple yet extremely powerful.
 
Hello symmcom
I see. Do you have any tutorial for installing this on Proxmox and using the same IP on the VM that the dedicated server has?
I can't find this on Google.
I would like to know more and ask less, but I need to learn to do this and do not know where to start.

Thanks.
 
Does this diagram make sense to you? Subnet #2 is possibly what you need for your setup. In the diagram, Subnet #2 is a fully isolated network of 3 VMs with its own subnet. All VMs within this subnet can communicate with the outside world through the internet.
[Attachment 2071]

I do not have any tutorial on hand for pfSense setup. Just download the ISO from the pfSense site and install it as another VM to get to know it first. Once you understand how pfSense works (vLAN, vNIC etc.), then try to study the diagram below to proceed with your setup. Although somewhat complex, the following diagram is a real-world example of a virtual firewall isolating multiple subnets on the same hardware. No iptables configuration has been used. Just ask if there is something you do not understand.
[Attachment: virtual-firewall.png]
 
On YouTube you can find dozens of videos demonstrating the installation and configuration of pfSense. Just remember to add at least two NICs to the virtual server running pfSense.
 
@symmcom
Have you been able to properly use virtio net inside a virtualized pfSense?
The drivers are correctly installed and the NICs are found, but packets are not flowing through the devices. With E1000 I see no such problems, though a bit less performance than with virtio.
 
I have not tried with virtio. All my setups are with e1000. I have not faced any performance issues, since all the WAN connections are no more than 10 Mbps per vNIC per subnet. So even with all subnets accessing the internet simultaneously, the bandwidth of the virtual pfSense WAN-side vNIC never exceeds 300 Mbps. That's probably why I never noticed a performance issue.
 
Outside connections are no problem since I don't have gigabit internet, but inter-LAN communication is seeing a 30% performance degradation (I have compared iperf with Linux clients against FreeBSD clients). It is also a FreeBSD 8-only thing, because my FreeBSD 9 and 10 clients have no problems with virtio net.
 
Ah, I see. I don't have any FreeBSD-based VMs within the subnets. The one and only FreeBSD I have is the virtual pfSense firewall. All VMs are either Windows, RedHat or Ubuntu based. But good to know about the e1000 performance issue with FreeBSD 8.
 
