[SOLVED] Configuring NIC as WAN input

generalproxuser

Active Member
Mar 14, 2021
107
34
33
44
I am at work as I am writing this so I don't have config files ready.

Currently I have a server that I have been working on. The goal is to virtualize openwrt (succeeded) and use openwrt as my primary router/gateway for my private LAN.

I have a couple of ct/vms on the LAN bridge of openwrt and they successfully get a dhcp IP. I also have the physical LAN port going to a switch that extends the private LAN. Any device connected to this switch (host, wap etc.) also get a dhcp IP from openwrt.

Where I am having concerns is my WAN side of the setup.

My proxmox host has a bridge (vmbr1) that is set to dhcp (from my ISP) and is using my WAN physical port (bridge-port).

This physical port, when hooked up to my existing network (emulating an ISP connection) gets two IP addresses from dhcp. 1 for the openwrt WAN and 1 for the proxmox host. What this does is allow me to access the proxmox host AND the openwrt webgui through two different dhcp IPs.

I am trying to use the physical WAN port as my outgoing interface and only get 1 ip (openwrt WAN).

My openwrt is in a container and I haven't seen/found a way to passthrough the adaptor directly so that it is only directed to openwrt.

Am I on the wrong path? Is it possible for one physical port to simply act as an outgoing interface without an IP?
 
Last edited:
I wouldn't give your PVE host a IP on the WAN interface. Keep in mind that your PVE host isn't behind your routers firewall and all management stuff like SSH, WebUI and so on is freely available to everyone worldwide.

And yes, you can tell the LXC to directly use a physical NIC by manually editing the LXCs config (/etc/pve/lxc/VMID.cfg) file with something like this:
Code:
lxc.net.0.type: phys
lxc.net.0.link: enp1s0
 
Last edited:
  • Like
Reactions: generalproxuser
@Dunuin

I only had one IP assigned to my host for webgui access. That was on vmbr0.

Like you said, with my current config I was able to access my webgui from it's "public IP" on vmbr1 as well as it's private IP on vmbr0. I am trying to kill the vmbr1 access.

Thanks for the lxc commands. i will give that a shot later today and see if that resolves my issue.
 
Hi,
i do this like this in my PVE that has four physical NICs:
physical-NIC1 = vmbr0 = LAN switch
physical-NIC2 = vmbr1 = "DMZ" switch
physical-NIC3 = vmbr2 = ISP modem

on PVE only vmbr0 has a LAN IP assigned
vmbr1 and vmbr0 have no IP configured at all

if you do the setup likewise, then you configure your openWRT to have at least 2 vm-NICs.
connect vm-NIC1 to vmbr0
connect vm-NIC2 to vmbr2
...now you have a dedicated physical port mapped to the outside interface of your openWRT. but remember to not connect any other VM/Ct to your vmbr2 !...

rgds
Stephan
 
Yes you can put a move the Proxmox management interface from the current Wan vmbr* to the openwrt lan vmbr* and no longer expose Proxmox directly to wan. You will need to choose a new management IP CIDR within a vlan/subnet openwrt control and set the gateway to openwrt.

You can follow the guide below to make that change.
 
@Dunuin

I only had one IP assigned to my host for webgui access. That was on vmbr0.

Like you said, with my current config I was able to access my webgui from it's "public IP" on vmbr1 as well as it's private IP on vmbr0. I am trying to kill the vmbr1 access.

Thanks for the lxc commands. i will give that a shot later today and see if that resolves my issue.
Where do you have a gateway defined in pve-networks on vmbr0 or vmbr1?

Use the serve the home link I posted below to completely erase/remove remove public the IP/CIDR and gateway from vmbr1 and only have a cidr/ip and gateway listed for vmbr0.
 
@vongehlens

I was doing the same setup for my openwrt. vmbr0 was my proxmox host management and it was connected to the LAN side of openwrt. vmbr1 was my WAN side bridge and connected to the WAN side of openwrt. However, the WAN resulted in two dhcp IP from the "ISP". ISP being my existing network for now/testing purposes. I didn't set any IP manually to the WAN physical port or to the WAN vmbr. But it always got two IPs from dhcp.

@vesalius

The management interface was configured on vmbr0 (LAN side). My gateway for vmbr0 (LAN) is the openwrt LAN side and my gateway for vmbr1 (WAN) is whatever the upstream dhcp server for my ISP is. My ISP assigns my IP via dhcp. Right now I use my existing dhcp network to emulate my ISP. So my proxmox host ends up with two IPs, one for the WAN proxmox and one for the WAN openwrt. It should only be one for the WAN openwrt.

I don't currently see any links in your previous posts.
 
@vongehlens

However, the WAN resulted in two dhcp IP from the "ISP". ISP being my existing network for now/testing purposes. I didn't set any IP manually to the WAN physical port or to the WAN vmbr. But it always got two IPs from dhcp.
See it positive. If you are using IPv4 your ISP probably won't give you two public IPv4 IPs because they need to pay for them and most likely only one IPv4 is included in your contract. ;)

You said your host gets it WAN IP by DHCP. MAybe you should remove DHCP from your vmbr1 and use it as "iface vmbr1 inet manual"
 
Last edited:
  • Like
Reactions: vesalius
Thanks everyone for the replies.

@Dunuin

The lxc commands and the interface suggestion did the trick. Now my WAN port is direct to my openwrt container. When connecting to my existing network it only gets 1 dhcp IP which is openwrt. The proxmox host still gets to the outside world but I can only access the gui from inside the private LAN :)

Code:
auto lo
iface lo inet loopback

# Right side ethernet port LAN
iface enp2s0 inet static

# Left side ethernet port WAN
auto eno1
iface eno1 inet manual

# Proxmox host
auto vmbr0
iface vmbr0 inet static
        address 192.168.20.1
        netmask 255.255.255.0
        gateway 192.168.20.1
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0
 
  • Like
Reactions: Dunuin

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!