Container - How to NAT without IPTables or Masquerading

bdunbar

Aug 23, 2013
I have three prox hosts in a cluster, ProxMox 3.1. They're in a rack at a colocation site.

I wish to have some containers without a public IP route to the internet via gateway, for software updates, NTP and so on.

Before Prox, I'd stand up a Linux host, use iptables masquerade and we're good. But that's not an option with Prox.

So ... how does one NAT without IPTables and/or masquerade? Can it be done?

Note - one can do this with the prox host itself. But I'd really like to do it with an HA container. Also we can (will) introduce a dedicated firewall in the near future, but that's in a few weeks and I'd really like to get these guys routed this weekend.
 
I guess I am a little confused. For sure it is easy enough to do from the host. How does doing it inside an HA container, help you or mitigate anything?
 
We are new to prox in production, and clustering. We may be operating under some bad assumptions.

Generally we are operating with a model where there is a logical break between 'services provided for (and by) the containers' and 'hypervisor stuff'. A network bit running on a hypervisor -for- a container would cross that logical break.

This might be wrong in the context of proxmox but it did serve me well at a prior employer with Solaris zones. Comments welcome!

Additionally,

NAT on the host means duplicating the setup across 3x hypervisors. Not impossible, but just one more thing to break. NAT on an HA container means we only need one server to configure.
 
Well, the host node / hypervisor usually sits on the first vmbr (bridged device), that is how it is able to "see" even containers that have completely different IP addresses.

You could make a second bridge, put all the NATted VMs on that. But the problem as I see it, in order for the hypervisor to let your HA container see the NATted VMs, it will still know about all the networks on each node. So you are still doing your configuration over and over.

You could have a separate firewall, say a KVM install of pfSense or OpenBSD, put all NATted VMs on a bridge connected to the second Ethernet device (most servers have 2x Gbit Ethernet these days). Then make the OpenBSD install be the only one with a public IP address.
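A worked configuration for the dedicated-firewall layout described in the reply above, added here as an example; it is not from the thread, nor from Proxmox or OpenBSD documentation. Everything named in it is an assumption: the second bridge is vmbr1 on eth1, the OpenBSD firewall VM sees its NICs as vio0 (public, on vmbr0) and vio1 (private, on vmbr1), the private subnet is 10.10.0.0/24 with the firewall at 10.10.0.1, and the MAC addresses are placeholders. The pf rules only pass the traffic the original question asks for (package updates, NTP, and the DNS they need), with everything else denied.

```conf
# --- /etc/network/interfaces on each Proxmox node (added example, assumed names) ---
# vmbr0 (existing, public) is left as it is. vmbr1 is a second bridge on the
# second NIC (eth1, as the reply suggests). "inet manual" with no address means
# the host forwards frames on vmbr1 but has no IP on the private network itself.
auto vmbr1
iface vmbr1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

# --- firewall VM (OpenBSD under KVM): two NICs in /etc/pve/qemu-server/<vmid>.conf ---
# net0 on vmbr0 carries the only public IP; net1 on vmbr1 is the private side.
# (placeholder MACs; Proxmox fills in real ones when the NIC is added)
# net0: virtio=XX:XX:XX:XX:XX:XX,bridge=vmbr0
# net1: virtio=XX:XX:XX:XX:XX:XX,bridge=vmbr1
# Each container that needs outbound access gets its veth on vmbr1 with an
# address in 10.10.0.0/24 and 10.10.0.1 (the firewall's vio1) as its gateway.

# --- /etc/sysctl.conf on the OpenBSD VM: allow routing between the two NICs ---
net.inet.ip.forwarding=1

# --- /etc/pf.conf on the OpenBSD VM ---
ext_if  = "vio0"          # public side, attached to vmbr0
int_if  = "vio1"          # private side, attached to vmbr1, 10.10.0.1/24
nat_net = "10.10.0.0/24"  # containers behind the NAT

set skip on lo
block return                          # default deny in both directions

# Only what the question asks for: package updates (HTTP/HTTPS), NTP and DNS.
pass in on $int_if inet proto tcp from $nat_net to any port { 53 80 443 }
pass in on $int_if inet proto udp from $nat_net to any port { 53 123 }

# Rewrite the source of forwarded traffic to the public address before it
# leaves vio0; "match ... nat-to" is pf's equivalent of iptables MASQUERADE.
match out on $ext_if inet from $nat_net to any nat-to ($ext_if)
pass out on $ext_if                   # firewall's own and NATted outbound traffic
```

Because the host keeps no address on vmbr1, the hypervisor has no layer-3 presence on the private network and the only per-node configuration is the five-line bridge stanza; the NAT policy lives in one place, on the firewall VM, which is the separation the original poster was after. Check the rules with `pfctl -nf /etc/pf.conf` before loading them, and confirm the state table shows the translated source with `pfctl -ss` once a container fetches an update.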
 
