How do I use NAT with the Proxmox Firewall?

P

ParzivalSpace

New Member
Jan 26, 2024
2
0
1
Hi,
I want to use the Proxmox VE firewall to prevent my VMs on the NAT network (vmbr1) from accessing my local network.
My first thought was to use the firewall, but after enabling it, my NAT setup collapsed.
I'm pretty sure I did something wrong, but I just can't see it.... I'm not a networking guy, I work in software development :/

When I enable the firewall, DHCP discovery is no longer possible. I tried allowing DHCP ports on the host, but it still didn't work.
And for some reason, no requests from the vmbr1 interface are logged in the firewall when I open the firewall logs (I have all incoming connections set to info).

Does anyone have any idea what I have done wrong?


My current setup:
I have configured a new interface for my NAT network and I also configured dnsmasq to act as a DHCP server for dynamic IPv4 assignments.

My interfaces:
Code: 
auto lo
iface lo inet loopback

iface enp0s25 inet manual

auto vmbr0
iface vmbr0 inet static
        address x.x.x.10/24
        gateway x.x.x.1
        bridge-ports enp0s25
        bridge-stp off
        bridge-fd 0
#Bridged Network

auto vmbr1
iface vmbr1 inet static
    address  10.0.0.1
    netmask  255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
    post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
#NAT Network

source /etc/network/interfaces.d/*

My dnsmasq configuration:
Code: 
interface=vmbr1
dhcp-range=10.0.0.2,10.0.0.253,255.255.255.0
dhcp-option=option:router,10.0.0.1
dhcp-option=option:dns-server,x.x.x.1
 
Likely that you solved it already. :)

With NAT you are doing prot-forwarding to get VM ports reachable from the internet. And you masquerade all the traffic leaving the PVE node. Which is not how the pve-firewall will setup the rules.
 
Yes, I have solved this for now.
The firewall configurations also work as expected now.

To be honest, my whole setup is perhaps a little sub-optimal, but this is how it works for my current requirements.

Just for reference in case anyone else tries something like this for some reason, my current configurations:

/etc/network/interfaces
Code: 
auto lo
iface lo inet loopback

iface enp0s25 inet manual

auto vmbr0
iface vmbr0 inet static
        address x.x.x.10/24
        gateway x.x.x.1
        bridge-ports enp0s25
        bridge-stp off
        bridge-fd 0
#Bridged Network

auto vmbr1
iface vmbr1 inet static
    address  10.0.0.1
    netmask  255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE

    post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
#NAT Network

/etc/dnsmasq.d/vmbr1.conf
Code: 
interface=vmbr1
dhcp-range=10.0.0.2,10.0.0.253,255.255.255.0
dhcp-option=option:router,10.0.0.1
dhcp-option=option:dns-server,x.x.x.1
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back