1 public ip forward to 1 vm / NAT / Masquerade / Bridge

Michael-stk
New Member
Dec 20, 2022
Hi all, I hope someone can give me some help with this.

I need masquerade as I am only allowed to use 1 MAC for the server.

My setup now (running just fine so far):
Nginx proxy running on IP 10.0.0.1:80/433 (for future hosting purposes and loopback to the VoIP web panel)
Game server 10.0.0.3:2533
Hosting server 10.0.0.2:80/433
VoIP server 10.0.0.100:5060

Code:
auto lo
iface lo inet loopback

auto ens6
iface ens6 inet static
    address PUBLIC IP/32
    gateway PUBLIC GATEWAY IP

auto vmbr0
iface vmbr0 inet static
    address 10.0.0.254/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens6 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ens6 -j MASQUERADE
    post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

    # Port 80 web to proxy
    post-up iptables -t nat -A PREROUTING -i ens6 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80
    post-down iptables -t nat -D PREROUTING -i ens6 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80

    # Port 443 web to proxy
    post-up iptables -t nat -A PREROUTING -i ens6 -p tcp --dport 443 -j DNAT --to 10.0.0.1:443
    post-down iptables -t nat -D PREROUTING -i ens6 -p tcp --dport 443 -j DNAT --to 10.0.0.1:443

    # Port 2533 to game server
    post-up iptables -t nat -A PREROUTING -i ens6 -p tcp --dport 2533 -j DNAT --to 10.0.0.3:2533
    post-down iptables -t nat -D PREROUTING -i ens6 -p tcp --dport 2533 -j DNAT --to 10.0.0.3:2533

    # Port 5060/50611 to VoIP server
    post-up iptables -t nat -A PREROUTING -i ens6 -p tcp --dport 5060 -j DNAT --to 10.0.0.100:5060
    post-down iptables -t nat -D PREROUTING -i ens6 -p tcp --dport 5060 -j DNAT --to 10.0.0.100:5060
    post-up iptables -t nat -A PREROUTING -i ens6 -p udp --dport 5060 -j DNAT --to 10.0.0.100:5060
    post-down iptables -t nat -D PREROUTING -i ens6 -p udp --dport 5060 -j DNAT --to 10.0.0.100:5060

The problem now is that I can't get the VoIP server to work, as it needs the public IP directly.

Is there a way to overhaul my configuration by giving the VoIP server my public IP, capturing some ports and forwarding them internally to other servers?

For example

Public IP assigned to the VoIP server (and also an internal IP for internal communication)
Some ports intercepted and forwarded to other servers with an internal IP (other bridge?)

VoIP server - public IP and an internal IP (so that I can run the web panel through the nginx proxy)
Nginx proxy - internal IP
Hosting server - internal IP
Game server - internal IP

See image for example

Kind regards
Michael

Attachments: Proxmox_voorbeeld.png

Nobody has an idea?

I did find that I can assign my public IP to a VM, but not that I can intercept any ports and run them to other VMs.

Hopefully someone can help me with this.
 
Hello,

I don't think there is a way to give the single IP to a VM and 'hijack' some of the ports for other stuff pre-transfer. You either have to configure the port forwarding in your VoIP server or set up a fully-fledged firewall VM that holds the public IP and does all the needed stuff.

In both cases you have to be careful about the Proxmox connection, because if the VM fails you won't be able to connect to your Proxmox through the usual means.

In any case, to move the public IP from your Proxmox to a VM you need to set up a 'public bridge' - say vmbr1 - like so:

Code:
# The physical NIC carries no address of its own; it only serves as a bridge port
iface ens6 inet manual

auto vmbr0
iface vmbr0 inet static
    address 10.0.0.254/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

# Public bridge: the host configures no address here, the VM attached to it takes the public IP
auto vmbr1
iface vmbr1 inet manual
    bridge-ports ens6
    bridge-stp off
    bridge-fd 0

Then you connect a VM to the bridge vmbr1 and the VM now gets your public IP.

Note that you are pulling away the IP from your Proxmox host, which means that you need to secure another way to connect to it in the case that some configuration goes wrong.

Also for normal management stuff you have to configure a way to connect to your Proxmox GUI/SSH through your new public VM and into the IP 10.0.0.254. Same applies to masquerading rules, since your internal VMs on vmbr0 can't connect to the internet through your Proxmox anymore.

Overall, that would mean a lot of configuration, so I suggest you find a way for your VoIP server to work without a public IP. With the right configuration these servers should work without directly exposing them to the internet.

Kind regards,
Benedikt
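The "configure the port forwarding in your VoIP server" option from the reply above, worked through as an added example (not code from either poster): iptables rules for the VM that ends up holding the public IP, forwarding the web and game ports to the internal VMs, restoring outbound internet for vmbr0 and keeping a management path to the Proxmox host at 10.0.0.254. It assumes the VM has eth0 on vmbr1 (public IP) and eth1 on vmbr0, that the admin connects from a placeholder address 203.0.113.10, and that public port 2222 is used for the host's SSH because 22 belongs to the VM itself.

```shell
#!/bin/sh
# Assumed layout (not from the thread): eth0 = vmbr1 with the public IP,
# eth1 = vmbr0 with an address in 10.0.0.0/24. ADMIN_SRC is a placeholder.
set -eu

PUB_IF="${PUB_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="10.0.0.0/24"
ADMIN_SRC="${ADMIN_SRC:-203.0.113.10/32}"

# dnat <proto> <public port> <internal ip:port> [source restriction]
dnat() {
    printf -- '-t nat -A PREROUTING -i %s%s -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$PUB_IF" "${4:+ -s $4}" "$1" "$2" "$3"
}

# Emit the rule set one per line (without the iptables prefix) so it can be
# reviewed or diffed before it is applied.
rule_lines() {
    # The internal VMs lost internet when the host gave up the public IP.
    echo "-t nat -A POSTROUTING -s $INT_NET -o $PUB_IF -j MASQUERADE"
    # Services that stay on internal VMs; SIP (5060) is not listed because
    # this VM answers it on the public IP itself.
    dnat tcp 80   10.0.0.1:80
    dnat tcp 443  10.0.0.1:443
    dnat tcp 2533 10.0.0.3:2533
    # Management path to the Proxmox host, limited to the admin source.
    dnat tcp 8006 10.0.0.254:8006 "$ADMIN_SRC"
    dnat tcp 2222 10.0.0.254:22   "$ADMIN_SRC"
    # Only DNATed connections and their replies may cross from the public side.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i $PUB_IF -o $INT_IF -m conntrack --ctstate DNAT -j ACCEPT"
    echo "-A FORWARD -i $INT_IF -o $PUB_IF -j ACCEPT"
}

# Apply the rules on the VM (needs root); FORWARD defaults to DROP.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    iptables -P FORWARD DROP
    rule_lines | while IFS= read -r r; do
        # shellcheck disable=SC2086 (word splitting of the rule is intended)
        iptables $r
    done
}

[ "${1:-}" = "apply" ] && apply_rules || rule_lines
```

Run it without arguments to print the rule set for review, and with `apply` on the VM to install it.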
 
