[SOLVED] How to configure the network correct

t_b

New Member
Nov 4, 2015
22
2
1
Hi,

I'm new to proxmox as well as advanced network configuration. I have a KMV vServer which should host some lxc container.
This picture is the goal i want to reach:


postimg.org/image/4cv00dh8v/full/


Some additional informations:

proxy should become a (reverse-)proxy which routes the traffic for each (sub-)domain and filter not wanted traffic. Therefore, the network 10.0.0.0/30
A direct connection is only allowed for some machines like mail server, the 10.0.1.0/28 network
The third network is only for internal communication between al vms, the 10.0.2.0/24 network



This is the current (default configuration)

Code:
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
        address 188.68.49.XXX
        netmask 255.255.252.0
        gateway 188.68.48.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

I've read two or more days but nobody has a configuration like that nor i can find a "simple" turorial for that.

Could someone help me with the basics, configuring the networks on proxmox and the container?
 
Last edited:
proxy should become a (reverse-)proxy which routes the traffic for each (sub-)domain and filter not wanted traffic. Therefore, the network 10.0.0.0/30
A direct connection is only allowed for some machines like mail server, the 10.0.1.0/28 network
The third network is only for internal communication between al vms, the 10.0.2.0/24 network

AFAIU you need 3 virtual networks, each virtual network has to defined in Proxmox Host as bridge (such a bridge can be seen as a switch). Call them e.g. vmbr1,2,3 (all 3 without any physical NIC connected).

Assign to two of them addresses in the host (the third is for 10.0.2.0/24 and only for containers, above named "VMs" are lxc container I guess - to not mix up them with "KVM" I prefer to use categorically "container" for them ).

Assign then the virtual NICs in the container definition to that bridges according to your needs as well as their IP addresses.

This is the current (default configuration)

Code:
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
        address 188.68.49.XXX
        netmask 255.255.252.0
        gateway 188.68.48.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

Since there is no direct connection from containers to public net planned you can delete vmbr0 and assign all these data to eth0 (can be done by GUI),
finally your /etc/network/interfaces will look like

Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 188.68.49.XXX
        netmask 255.255.252.0
        gateway 188.68.48.1
        
auto vmbr1
iface vmbr1 inet static
        address 10.0.0.1
        netmask 255.255.252.0
        bridge_ports none
    bridge_stp off
    bridge_fd 0

auto vmbr2
iface vmbr2 inet static
        address 10.0.1.1
        netmask 255.255.240.0
        bridge_ports none
    bridge_stp off
    bridge_fd 0
        
auto vmbr3
iface vmbr3 inet manual
    bridge_ports none
    bridge_stp off
    bridge_fd 0

[/QUOTE]


Communication from containers to public has to be controlled by

Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

in the host and

Code:
route add -net default gw 10.0.0.1

etc. in the containers.
 
Last edited:
Damn Bullitin Board! Third time i write this....

Now in short:

A typo in subnet in your reply (255.255.255.240 vs 255.255.240.0): ?
Communication between containers: ok (see screenshots)
Configuring gateway: failed, "SIOCADDRT: File exists", do i have to remove an existing entry before (see screenshots) => no communication with the outside
DNS: for resolving container names in container only network i do have to install a dns server, map ip to name, add dns form proxmox and e.g. google dns as secondary dns?

Screenshots: picsurge.com/g/AaMI3L

Thanks for your response and your support
 
A typo in subnet in your reply (255.255.255.240 vs 255.255.240.0): ?

Yes indeed - sorry for that

Configuring gateway: failed, "SIOCADDRT: File exists", do i have to remove an existing entry before

Yes, but normally you should reboot the node after changing of IP configuration and something like this should not occur


Screenshots: picsurge.com/g/AaMI3L

no screenshot attached
 
Try this:




auto lo
iface lo inet loopback


auto vmbr0
iface vmbr0 inet static
address 188.68.49.XXX
netmask 255.255.252.0
gateway 188.68.48.1
bridge_ports eth0
bridge_stp off
bridge_fd 0
# default route to access subnet
up route add -net 188.68.49.0 netmask 255.255.252.0 gw 188.68.48.1 eth0


auto vmbr1
iface vmbr1 inet static
address 10.0.0.1
netmask 255.255.252.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE






auto vmbr2
iface vmbr2 inet static
address 10.0.1.1
netmask 255.255.240.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up iptables -t nat -A POSTROUTING -s '10.0.1.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.1.0/24' -o vmbr0 -j MASQUERADE




## Transfer port 80 to VM venet network




post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.0.1.xxx:80
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.0.1.xxx:80








Now you can have VMs with venet networks.
 
Sorry for the late reply:

i finally managed to get the network work as expected (some days before your post, as i said, i'm sorry). So here is what i've did:


netwotrk interfaces on proxmox
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 188.68.49.XX
netmask 255.255.252.0
gateway 188.68.48.1

auto vmbr1
iface vmbr1 inet static
address 10.0.0.1
netmask 255.255.255.252
bridge_ports none
bridge_stp off
bridge_fd 0

auto vmbr2
iface vmbr2 inet static
address 10.0.1.1
netmask 255.255.255.240
bridge_ports none
bridge_stp off
bridge_fd 0

auto vmbr3
iface vmbr3 inet manual
bridge_ports none
bridge_stp off
bridge_fd 0





Commmands on proxmox
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.2
iptables-save > /etc/iptables/rules.v4





Changes in /etc/sysctl.conf on proxmox
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
fs.inotify.max_user_watches=16384






Hope that will help others.
 
With this way every iptables rules are permanent. If you add your rules in network interfaces then every time the network is up will be add the rules and every time is down remove the rules.
So you have a better control.
Of course this is my opinion and nothing more.
 
Sorry for the late reply:

i finally managed to get the network work as expected (some days before your post, as i said, i'm sorry). So here is what i've did:


netwotrk interfaces on proxmox

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 188.68.49.XX
netmask 255.255.252.0
gateway 188.68.48.1

auto vmbr1
iface vmbr1 inet static
address 10.0.0.1
netmask 255.255.255.252
bridge_ports none
bridge_stp off
bridge_fd 0

auto vmbr2
iface vmbr2 inet static
address 10.0.1.1
netmask 255.255.255.240
bridge_ports none
bridge_stp off
bridge_fd 0

auto vmbr3
iface vmbr3 inet manual
bridge_ports none
bridge_stp off
bridge_fd 0




Commmands on proxmox

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.2
iptables-save > /etc/iptables/rules.v4




Changes in /etc/sysctl.conf on proxmox

net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
fs.inotify.max_user_watches=16384





Hope that will help others.
This help me a lot , can you share the (reverse-)proxy How do you configurated?
 
Sorry for the late reply:

i finally managed to get the network work as expected (some days before your post, as i said, i'm sorry). So here is what i've did:


netwotrk interfaces on proxmox

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 188.68.49.XX
netmask 255.255.252.0
gateway 188.68.48.1

auto vmbr1
iface vmbr1 inet static
address 10.0.0.1
netmask 255.255.255.252
bridge_ports none
bridge_stp off
bridge_fd 0

auto vmbr2
iface vmbr2 inet static
address 10.0.1.1
netmask 255.255.255.240
bridge_ports none
bridge_stp off
bridge_fd 0

auto vmbr3
iface vmbr3 inet manual
bridge_ports none
bridge_stp off
bridge_fd 0




Commmands on proxmox

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.2
iptables-save > /etc/iptables/rules.v4




Changes in /etc/sysctl.conf on proxmox

net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
fs.inotify.max_user_watches=16384





Hope that will help others.
Hi ... i have question that you wrote commands on proxmox. Do we have to run those command or do we have to save them
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!