How to configure single nic proxmox

[netbela]

Hi All,

I have a server with just one physical network interface that has a external IP assigned to it. Now I want to create VLAN's to add VM's in and then use this single physical network interface as the gateway to route all traffic out. The setup is currently as described in the attached drawing.
For some reason the VM's in the network (192.168.100.0/24) are able to ping the 192.168.100.10 interface as wel as the external IP of the proxmox node. However are unable to connect to the internet or the gateway of the external ip.

What can I do to solve this issue?

Kind regards

 

[Dunuin]

What is cat /etc/network/interfaces returning?

Did you set a VLAN Tag for your guests virtual NICs?

 

[netbela]

The interfaces looks as following:

root@px01:~# cat /etc/network/interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto ens6
iface ens6 inet manual
        dns-nameservers 1.1.1.1

auto vmbr0
iface vmbr0 inet static
        address ext.er.nal.ip/24
        gateway external.ip.gate.way
        bridge-ports ens6
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0.100
iface vmbr0.100 inet static
        address 192.168.100.10/24

I have the bride 'vmbr0' attached to the VM and am tagging vlan '100'.

 

[Dunuin]

And there is a router routing between vlan100 and its 192.168.100.0/24 subnet and the subnet of the external ip/gateway?

 

[netbela]

No, there isn't. I assumed the bridge would be smart enough to route all traffic coming from 192.168.100.0/24 outside through the external ip.

 

[Dunuin]

No, the bridge won't NAT anything, it just bridges.

 

[netbela]

So, in my case I would have to setup a VM that routes all traffic from the vlan 100 to the External IP?
How is this normally setup?

 

[Dunuin]

You could run a pfsense/OPNsense VM for that or manually configure PVE to route:
https://pve.proxmox.com/wiki/Network_Configuration#sysadmin_network_routed
https://pve.proxmox.com/wiki/Network_Configuration#sysadmin_network_masquerading

 

[netbela]

Even with the routed and masquerading configuration mentioned by Dunuin the VM's are unable to communicate to the internet. Perhaps the hosting provider is still dropping some?

/etc/network/interfaces:

auto ens6
iface ens6 inet static
    address public.ip/24
    gateway public.gw
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up echo 1 > /proc/sys/net/ipv4/conf/ens6/proxy_arp


auto vmbr0
iface vmbr0 inet static
        address  10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE

    post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

On the VM i set the following:

IP: 10.10.10.10
NETMASK: 255.255.255.0
GATEWAY: 10.10.10.1

EDIT:
The iptables NAT rules were wrong. After assiging them to the correct port (ens6) I am able to communicate with the internet.