Easy Way to Automatically Forward Ports to VMs / LXC Containers

bugattiguy527 (New Member), Jul 7, 2024
Hello! So I self-host several things across many VMs and LXC containers. The self-hosted projects need to be accessible from the internet and so my way of doing that was to use iptables to say anything on port 3000 will get directed to the IP of the LXC container that had the project on port 3000 that needs to be accessible from the internet. Unfortunately, it's annoying when I have to create many of these a day. I wrote a script to do this for me but I'm wondering if there is a better or easier way to do this (maybe even from inside the proxmox control panel). Does anyone know of a better way to direct ports to go to certain IPs? Or maybe have a similar way to how in a docker container you can set the network mode to host? Thanks!
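As an added example (not the OP's script and not posted anywhere in this thread), this is how the "port 3000 -> container IP" iptables mapping the OP describes can be generated with input validation and an `iptables -C` check so the script can be re-run without duplicating rules. It assumes a constructed setup where vmbr0 faces the router and the container's internal bridge is already masqueraded; by default it only prints the commands (DRY_RUN=0 executes them, which needs root).

```shell
#!/bin/sh
# Added example (not from the thread): build the iptables DNAT rules for one
# "external port -> container IP:port" mapping on a Proxmox host, validated
# and idempotent.
# Assumptions (constructed): vmbr0 is the interface facing the router/Internet;
# the container sits on an internal NATed bridge that already has MASQUERADE.
WAN_IF="${WAN_IF:-vmbr0}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of executing them

valid_port() {            # integer in 1..65535
  case $1 in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_ip() {              # dotted quad with each octet 0..255
  echo "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])$'
}

# Print the rules for one mapping: DNAT in PREROUTING plus a FORWARD accept
# that is limited to that one destination host and port (no blanket ACCEPT).
# Usage: dnat_rules <ext_port> <ct_ip> [<ct_port>]  (ct_port defaults to ext_port)
dnat_rules() {
  ext_port=$1; ct_ip=$2; ct_port=${3:-$1}
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$WAN_IF" "$ext_port" "$ct_ip" "$ct_port"
  printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$WAN_IF" "$ct_ip" "$ct_port"
}

# Validate, then add each rule only if `iptables -C` reports it is not already
# present, so re-running the script (e.g. from a post-up hook) never duplicates
# rules. Returns 2 on bad input.
apply_mapping() {
  valid_port "$1" && valid_ip "$2" && valid_port "${3:-$1}" \
    || { echo "invalid mapping: $*" >&2; return 2; }
  dnat_rules "$1" "$2" "${3:-$1}" | while IFS= read -r add_cmd; do
    check_cmd=$(printf '%s' "$add_cmd" | sed 's/ -A / -C /')   # -A (append) -> -C (check)
    if [ "$DRY_RUN" = 1 ]; then
      echo "$check_cmd 2>/dev/null || $add_cmd"
    else
      sh -c "$check_cmd" 2>/dev/null || sh -c "$add_cmd"
    fi
  done
}

# Example: forward WAN port 3000 to a container at 10.10.10.5:3000 (constructed values).
apply_mapping 3000 10.10.10.5
```

Rules added this way do not survive a reboot; the Proxmox network documentation persists NAT rules with post-up lines in /etc/network/interfaces, and if the PVE firewall is enabled the FORWARD rule has to coexist with its own chains.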
 
Did you check out the datacenter firewall, node firewall and VM firewall? Create security groups on the datacenter level and assign them to your desired VMs.

To be honest: I have a more complex setup and it hit me from behind; after 3 days I stopped it. Nothing worked properly. But to be fair, I think I knew where my main error was. This is a typical Linux issue: 90% of the guide is correct, the other 10% is not, or the most important point is missing.
 
 
Hello! So I self-host several things across many VMs and LXC containers. The self-hosted projects need to be accessible from the internet and so my way of doing that was to use iptables to say anything on port 3000 will get directed to the IP of the LXC container that had the project on port 3000 that needs to be accessible from the internet.

Sounds like a great idea. A Proxmox server directly on the internet, with a script that opens random ports for random self-hosted stuff in containers. I hope there’s no important data on this server and that it’s on an isolated network or in a DMZ, because sooner or later it’s going to get owned ;)

Does anyone know of a better way to direct ports to go to certain IPs? Or maybe have a similar way to how in a docker container you can set the network mode to host? Thanks!

That's kind of the default, isn't it? I mean, by default, VMs and containers are connected to one or more Linux bridges, which in turn are accessible from the outside via the corresponding network interface. However, every container and VM needs its own IP address, and they cannot expose any services via the host’s IP like Docker containers can.

That said, you can configure NAT, routed networking, SDN overlays, VLANs, firewalling, etc., so not every VM/container necessarily needs to expose a directly reachable IP externally. However, in order for the experts here to help you with that, you’d probably need to provide more information about your network environment and the Proxmox network settings, firewall, SDN setup, etc.

My recommendation, though, would be to use a firewall in front of Proxmox, and, more importantly, to reverse proxy the requests to the appropriate ports rather than making them directly accessible from the internet. But maybe that’s just me. ;)
 
The self-hosted projects need to be accessible from the internet and so my way of doing that was to use iptables to say anything on port 3000 will get directed to...
Yes, that's a "classic" approach. You will end up with a) open ports and b) the problem of a dynamically changing external IP address and c) some glue in form of those forwarding rules.


If you have an external VPS or are willing to rent one for ~two Dollars per month, take a look here: https://github.com/fosrl/pangolin = "Tunneled Reverse Proxy Server with Access Control - Your own self-hosted zero trust tunnel."

This is a free Cloudflare Tunnel clone. Some (many?) features are missing, of course - e.g. the DDoS-protection part. But it successfully and completely removes the necessity to open any ports on your home router. All (tunnel-) connections are initiated from home = zero open ports = zero (direct) attack surface.

I have been using/testing it since spring 2025; until now it has worked really well. (Unfortunately I still have some local npm running - for "historical" reasons and mostly because of mass inertia...)

Have fun :-)
 
If there is no specific reason to keep the CT/LXC behind a Proxmox-internal NATed bridge, I would consider attaching the CT/LXC directly to vmbr0 and giving it an IP address on the same LAN as your Internet router.

Then the port forwarding can be configured directly on the router, for example:

WAN:3000 -> CT_LAN_IP:3000

In that setup, Proxmox does not need to handle DNAT/iptables port forwarding at all. It only acts as a bridge, and the CT/LXC behaves like a normal host on the LAN.

Proxmox-side DNAT makes sense if the CT/LXC is on an internal bridge that the router cannot reach, or if you intentionally want to isolate that network from the main LAN. But if there is no such requirement, vmbr0 + router-side port forwarding is usually simpler and easier to maintain.
 
(Unfortunately I still have some local npm running - for "historical" reasons and mostly because of mass inertia...)
But that’s still much better than simply forwarding traffic directly to the relevant apps on port 3000, etc., which suggests to me that many apps likely use plain HTTP or self-signed certificates. An absolute no-go in 2026, and never a good idea even in the past ;-).
 