How to port forward to a VM on Proxmox 4.2

vm1990

It's so annoying finding guides for this sort of stuff; everything is either outdated or doesn't work with OVH servers, and from what I've read the new 'firewall' won't do it. Not sure why it has options if it can't do something.

Trying to forward a port from the main server IP to the guest (sounds simple).
 


Use iptables on the Proxmox host, e.g.:

Code:
iptables -t nat -A PREROUTING -p tcp --dport 8188 -j DNAT --to-destination 192.168.1.10:80
iptables -t nat -A POSTROUTING -p tcp --sport 80 -s 192.168.1.10 -j SNAT --to-source 213.214.215.216:8188


which forwards port 8188 to port 80 on the virtual machine at address 192.168.1.10, assuming your public IP is 213.214.215.216.
 
Sorted. Perfect guide is here: https://mrkmg.com/posts/2016/01/proxmox-4-with-single-public-ip-private-network/

Proxmox 4 with a Single Public IP - Setup a Private Network
Written by Kevin on January 10, 2016
Proxmox 4 can easily be configured to put all or some of your VM/Containers in a NATed private network. You can even forward ports from your public IP address to your containers. Unfortunately, it is not possible to configure this setup from the Web GUI, but the changes to the configuration file are very simple. All changes and additions are outlined in this post.

The Setup
We are going to assume we have 3 VMs/Containers on our Proxmox server.

  1. VM-WEB (Web server, needs ports 80 and 443)
  2. VM-SMTP (Mail Server, needs ports 25 and 465)
  3. VM-CAPP (Custom App, run on port 5000, but needs outside port 1025)
  • Public IP: 1.2.3.4
  • Private Network: 192.168.0.0/24 (192.168.0.1 - 192.168.0.254)
  • Private IP of Host: 192.168.0.254
  • Private IP of VM-WEB: 192.168.0.1
  • Private IP of VM-MAIL: 192.168.0.2
  • Private IP of VM-CAPP: 192.168.0.3

Configuring the Host's Network
The first task is to create a network bridge. We are going to call this bridge vmbr2.

SSH into your host and add the following to /etc/network/interfaces:

auto vmbr2
iface vmbr2 inet static
address 192.168.0.254
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE

# VM-WEB HTTP 80:192.168.0.1:80
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80

# VM-WEB HTTPS 443:192.168.0.1:443
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.0.1:443
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.0.1:443

# VM-SMTP SMTP 25:192.168.0.2:25
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 25 -j DNAT --to 192.168.0.2:25
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 25 -j DNAT --to 192.168.0.2:25

# VM-SMTP SMTPtls 465:192.168.0.2:465
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 465 -j DNAT --to 192.168.0.2:465
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 465 -j DNAT --to 192.168.0.2:465

# VM-CAPP CustomApp 1025:192.168.0.3:5000
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 1025 -j DNAT --to 192.168.0.3:5000
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 1025 -j DNAT --to 192.168.0.3:5000

Let's explain what is going on here.

The first whole block, from auto vmbr2 to the first post-down, sets up the bridge, assigns the IP 192.168.0.254 to the host, and enables NAT from vmbr0 to vmbr2.

The next sets of blocks set up the individual port forwards. Each port forward requires a post-up and post-down. To create your own port forwards, follow the template below.

#Outside XXX -> LO.CA.AL.IP:YYY
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport XXX -j DNAT --to LO.CA.AL.IP:YYY
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport XXX -j DNAT --to LO.CA.AL.IP:YYY

Making the Changes Active
Once all your port forwards are set up, either restart your host, or run systemctl restart networking from the CLI.

Setup of the VMs/Containers
The only thing that is left is to set up your VMs. Thankfully, this is very easy.

When you are setting up your VM, select the vmbr2 bridge.

Now configure your VM with the following network settings:

  • IP Address: 192.168.0.X (where X is the private ip of the Machine)
  • Network Mask: 255.255.255.0
  • Gateway: 192.168.0.254

Try it Out
If all went to plan, you should have a web server, mail server, and custom app all running from your public IP. Try http://1.2.3.4
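
An added example, not part of the original posts or the linked guide: a shell function that audits the post-up/post-down DNAT lines of an interfaces stanza like the one above, flagging forwards with no `-i` match, no matching post-down, or a public port already claimed by an earlier rule. The finding names and the sample stanza are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit DNAT port forwards in interfaces-style text (stdin).
# Output per post-up rule: "proto/dport -> target" plus OK or findings:
#   NO_IN_IFACE    no -i match, so traffic from the VM bridge is rewritten too
#   NO_POST_DOWN   no matching post-down; the rule survives ifdown and is
#                  appended again on the next ifup
#   DUPLICATE_PORT an earlier rule already claims this port and wins
audit_forwards() {
  awk '
    # Return the token following option "opt" on the current line, or "".
    function arg(opt,   i) {
      for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
      return ""
    }
    /^[ \t]*post-(up|down)[ \t]+iptables/ && /-j[ \t]+DNAT/ {
      key = arg("-p") "/" arg("--dport")
      dest = arg("--to"); if (dest == "") dest = arg("--to-destination")
      if ($1 == "post-down") { down[key " " dest] = 1; next }
      n++; k[n] = key; d[n] = dest; iface[n] = arg("-i")
    }
    END {
      for (j = 1; j <= n; j++) {
        s = ""; pair = k[j] " " d[j]
        if (iface[j] == "") s = s " NO_IN_IFACE"
        if (!(pair in down)) s = s " NO_POST_DOWN"
        if (k[j] in seen)    s = s " DUPLICATE_PORT"
        seen[k[j]] = 1
        if (s == "") s = " OK"
        print k[j] " -> " d[j] s
      }
    }'
}

# Constructed sample stanza (not a real host's configuration).
sample_interfaces() {
  cat <<'EOF'
iface vmbr2 inet static
  address 192.168.0.254
  post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80
  post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80
  post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 1025 -j DNAT --to 192.168.0.3:5000
  post-up iptables -t nat -A PREROUTING -p tcp --dport 8188 -j DNAT --to-destination 192.168.0.1:80
  post-down iptables -t nat -D PREROUTING -p tcp --dport 8188 -j DNAT --to-destination 192.168.0.1:80
  post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.2:80
EOF
}

sample_interfaces | audit_forwards
```

On a real host the same function can be fed the live file with `audit_forwards < /etc/network/interfaces`.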
 

I believe I'm trying to do the same thing as the OP.

Brief explanation of my situation:
I have a pfSense router (not a VM) and a Proxmox server with different VMs, and one in particular I've decided to try and host a website from. The VM is an Ubuntu desktop. So far I can open the VM and inside open a browser and browse the internet fine. If I'm on my desktop I can type the VM's internal IP 192.168.XX.XX/api/employees in my browser and see the swagger page. BUT if I replace the 192.168.XX.XX with my public IP the page won't load.

I'm thinking that I can do this to solve my solution, but my first question is: when you say "SSH into your host and add the following to /etc/network/interfaces", what do you mean? My VM Ubuntu? My pfSense?

Thanks,
 
