Proxmox Firewall for NAT

vikozo
May 4, 2014
Hello,
Is it possible to use the Proxmox firewall as NAT?

I would imagine using the (1) WAN IP port and translating it to (x) private IP addresses on different containers and KVM guests.
If my provider changed my router IP, I would have downtime, but this is no problem. I think as soon as I have changed the Internic nameserver IP to the new router IP and changed the firewall rule, it should work again, after a delay.

I hope my thoughts will work.

have a nice day
vinc
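The Proxmox VE firewall filters traffic; it does not write NAT rules, so port forwarding from one WAN address to several guests is done with iptables on the host. The following is an added example, not code from this thread or from the Proxmox project: it generates an iptables-restore ruleset that forwards chosen WAN ports to private guest addresses and masquerades their outbound traffic. The bridge name vmbr0, the WAN addresses and the port map are assumptions chosen for illustration; the WAN address is a parameter so that when the provider changes it, only the generated file is reloaded.

```python
# Added example (not from the original thread): build an iptables-restore
# ruleset for "one WAN IP, many private guests". Interface name, addresses
# and the port map below are assumptions for illustration.
from ipaddress import ip_address, ip_network

WAN_IF = "vmbr0"                               # assumed uplink bridge on the host
PRIVATE_NET = ip_network("10.147.42.192/26")   # private guest range from the thread

# Constructed port map: WAN port -> (guest IP, guest port).
FORWARDS = {
    2222: ("10.147.42.194", 22),    # ssh into a container
    80:   ("10.147.42.195", 80),    # web server in a KVM guest
    443:  ("10.147.42.195", 443),
}


def nat_ruleset(wan_ip, forwards=FORWARDS, wan_if=WAN_IF, private_net=PRIVATE_NET):
    """Return iptables-restore text (nat + filter tables) for the port map.

    wan_ip is an argument rather than a constant: when the provider hands out
    a new router address, regenerate and reload instead of editing rules.
    """
    wan_ip = ip_address(wan_ip)
    for guest_ip, _ in forwards.values():
        if ip_address(guest_ip) not in private_net:
            raise ValueError(f"{guest_ip} is outside {private_net}")

    nat = ["*nat"]
    filt = ["*filter"]
    for wan_port, (guest_ip, guest_port) in sorted(forwards.items()):
        nat.append(
            f"-A PREROUTING -i {wan_if} -d {wan_ip} -p tcp --dport {wan_port} "
            f"-j DNAT --to-destination {guest_ip}:{guest_port}"
        )
        # DNAT alone is not enough when the FORWARD policy is DROP: accept the
        # translated flow explicitly, and only to the translated port.
        filt.append(
            f"-A FORWARD -i {wan_if} -d {guest_ip} -p tcp --dport {guest_port} "
            f"-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
        )
    # Outbound: hide the whole private range behind the uplink's address.
    nat.append(f"-A POSTROUTING -s {private_net} -o {wan_if} -j MASQUERADE")
    filt.append(f"-A FORWARD -s {private_net} -o {wan_if} -j ACCEPT")
    filt.append(
        f"-A FORWARD -d {private_net} -i {wan_if} "
        f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    )
    nat.append("COMMIT")
    filt.append("COMMIT")
    return "\n".join(nat + filt) + "\n"


if __name__ == "__main__":
    # Save the output and load it with: iptables-restore --noflush < nat.rules
    # (net.ipv4.ip_forward must be 1 on the host, as in the later posts).
    print(nat_ruleset("203.0.113.10"), end="")
```

The guest-address check refuses a forward to an address outside the private range, which catches the typo that would otherwise silently DNAT into the provider's network. Loading with --noflush appends to the existing tables, so the post-up MASQUERADE rules from /etc/network/interfaces discussed below are not wiped.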
 
I have been reading it and I am a bit confused.
Should I give the containers which have to be connected an IP address from another IP range?

I have this network setup till now:
(attached image: bond0.PNG)


have a nice day
vinc
 
Would it be better to have a vmbr2 identical to the vmbr1 above,

with this code?
Code:
auto vmbr2
iface vmbr2 inet static
   address 10.147.42.193
   netmask 255.255.255.192
   bridge_ports none
   bridge_stp off
   bridge_fd 0
   post-up echo 1 > /proc/sys/net/ipv4/ip_forward
   post-up iptables -t nat -A POSTROUTING -s '10.147.42.192/26' -o eth0 -j MASQUERADE
   post-down iptables -t nat -D POSTROUTING -s '10.147.42.192/26' -o eth0 -j MASQUERADE

# information:
# range for virtual servers would be
# 10.147.42.194 to
# 10.147.42.254
# GW would be 10.147.42.193

Would this work?
But how would the traffic go, since the router still has 10.147.42.1/24?

have a nice day
vincent
 
Just set the GATEWAY to 10.147.42.1
I would believe this is not working because of the wrong subnet mask, but I'm not too sure; it would be nice to find a confirmation before I do the change!

Another question:
post-up iptables -t nat -A POSTROUTING -s '10.147.42.192/26' -o eth0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.147.42.192/26' -o eth0 -j MASQUERADE
Would it be possible to change eth0 to bond1 so I would have the traffic over both ports?
have a nice day
vinc
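The two open questions in the posts above (how traffic would flow when vmbr2 carries 10.147.42.192/26 while the router owns 10.147.42.1/24, and whether a guest in that /26 can use 10.147.42.1 as its gateway) can be checked on paper before /etc/network/interfaces is touched. The block below is an added example, not code from the thread: it models the host's longest-prefix routing with Python's ipaddress module. The host route list, the interface name eth0 for the uplink and the alternative range 10.147.43.0/26 are assumptions for illustration.

```python
# Added example (not from the original thread): model the host's routing
# decisions for the vmbr2 plan. The route table below and the alternative
# range are assumptions; the two 10.147.42.x prefixes come from the posts.
from ipaddress import ip_address, ip_network

ROUTER_LAN = ip_network("10.147.42.0/24")        # router owns 10.147.42.1/24
PROPOSED_VMBR2 = ip_network("10.147.42.192/26")  # range proposed for vmbr2
ALTERNATIVE = ip_network("10.147.43.0/26")       # assumed range outside the LAN

# Assumed host routing table once vmbr2 is up: (prefix, egress interface).
# The default route goes via the router 10.147.42.1 on eth0.
ROUTES = [
    (ip_network("0.0.0.0/0"), "eth0"),
    (ROUTER_LAN, "eth0"),
    (PROPOSED_VMBR2, "vmbr2"),
]


def overlaps(net_a, net_b):
    """True when the two prefixes share at least one address."""
    return net_a.overlaps(net_b)


def route_for(dst, routes=ROUTES):
    """Longest-prefix match, which is how the kernel picks the egress device."""
    dst = ip_address(dst)
    best_net, best_dev = None, None
    for net, dev in routes:
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def shadowed_lan_addresses(lan=ROUTER_LAN, private=PROPOSED_VMBR2, routes=ROUTES):
    """LAN addresses the host would send to the private bridge instead of eth0."""
    if not lan.overlaps(private):
        return []
    return [str(a) for a in private if a in lan and route_for(a, routes) != "eth0"]


def gateway_is_onlink(gateway, guest_net):
    """A guest can only ARP for a gateway that lies inside its own subnet."""
    return ip_address(gateway) in guest_net


def guest_egress_path(guest_gw, guest_net, internet_dst="198.51.100.1", routes=ROUTES):
    """Devices a guest packet crosses on the host: entry bridge, then egress.

    Returns None when the guest's gateway is not on-link, i.e. the guest
    cannot even deliver the packet to the host.
    """
    if not gateway_is_onlink(guest_gw, guest_net):
        return None
    return [route_for(guest_gw, routes), route_for(internet_dst, routes)]
```

What the model shows: a guest with gateway 10.147.42.193 hands its packet to vmbr2, the host forwards it along the default route out of eth0, and the MASQUERADE rule on eth0 rewrites the source, so internet traffic works. The cost is that the host now sends everything in 10.147.42.192 to .254 to vmbr2, so any real device on the router's LAN with one of those 64 addresses becomes unreachable from the host; a range outside the router's /24 has no such shadow. A guest configured with a /26 mask cannot use 10.147.42.1 as its gateway, because that address is not on-link for it; its gateway has to be the host's vmbr2 address.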
 
I'm also wondering if there is anyway to do this through the web interface, possibly utilizing the new Firewall feature. I'm a little surprised I would have to log into the console and edit the text file for every virtual machine and on every machine in the cluster that they might migrate to. I'm new to Proxmox, but it seems like a pretty basic functionality and should be possible through the web interface.
 
Hello, is there a way or a tutorial to do NAT with the Proxmox firewall feature?
have a nice day
vinc

Hi, you need kernel 3.10 and to add special rules:

iptables -t raw -A PREROUTING -i fwbr100i0 -j CT --zone 1

iptables -t raw -A POSTROUTING -i fwbr100i0 -j CT --zone 1

(replace fwbr100i0; 100 is your vmid)
 
Hello,

This is not working for me. Can some one help ?

I'm trying to set up a VM with NAT and the Proxmox VE firewall.
My config is:
On the host with Proxmox 3.4-1:

Upgraded to kernel 3.10:
Code:
# uname -a
Linux XXXX 3.10.0-7-pve #1 SMP Thu Jan 22 11:20:00 CET 2015 x86_64 GNU/Linux

/etc/network/interfaces
Code:
auto vmbr2
iface vmbr2 inet static
   address 192.168.0.254
   netmask 255.255.255.0
   bridge_ports none
   bridge_stp off
   bridge_fd 0
   post-up echo 1 > /proc/sys/net/ipv4/ip_forward
   post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
   post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE

On the VM:
/etc/network/interfaces
Code:
auto eth0
iface eth0 inet static
   address 192.168.0.1
   netmask 255.255.255.0
   network 192.168.0.0
   broadcast 192.168.0.255
   gateway 192.168.0.254

Without the PVE firewall activated, it is OK.

I have also tried spirit's suggestion on the host (replaced fwbr100i0 with tap100i0):
Code:
# iptables -t raw -A PREROUTING -i tap100i0 -j CT --zone 1
# iptables -t raw -A POSTROUTING -i tap100i0 -j CT --zone 1
On the second command I got this error:
Code:
iptables v1.4.14: Can't use -i with POSTROUTING

Can someone help, please?
@spirit, do you have any idea?

Regards,
Flav
 
Hi,
maybe -o

(postrouting is for output)

It looks somewhat better, but still not OK:
Code:
# iptables -t raw -A POSTROUTING   -o tap100i0 -j CT --zone 1
iptables: No chain/target/match by that name.
 
Hi,
Issue solved.
You do not need to add any rule in the raw table.

You just need to add some firewall rules to allow your VM to access your virtual network,

e.g. from 192.168.0.0/24 to some_internal_IP on ICMP.
 
iptables -t raw -A PREROUTING -i fwbr100i0 -j CT --zone 1

iptables -t raw -A POSTROUTING -i fwbr100i0 -j CT --zone 1

(replace fwbr100i0; 100 is your vmid)


Thanks, it's been a long while since your post, but this did the trick for me.

I only needed the first rule:

iptables -t raw -A PREROUTING -i fwbr100i0 -j CT --zone 1
 
Hi,
Issue solved.
You do not need to add any rule in the raw table.

You just need to add some firewall rules to allow your VM to access your virtual network,

e.g. from 192.168.0.0/24 to some_internal_IP on ICMP.

Hi, I have the same situation: a KVM internal virtual machine not reaching the internet when the firewall is activated. Could you please be more precise and explain which rules you applied?

Thanks in advance
 
