[TUTORIAL] HOWTO - Proxmox VE 8-1.2 Wifi w/ SNAT

[jeenam]

This is a HOWTO for configuring Wifi for Proxmox VE 8-1.2 w/ SNAT. I've read a bunch of various writeups but none of them are consistent so hopefully this will be a one-stop shop for people to get Wifi w/ SNAT configured. Hopefully this can be added to the Wiki.

Note: This configuration DOES NOT use DHCP for anything. It uses all static addressing.



Prerequisites:

1) Wired ethernet connection - this is required to install wpasupplicant

2) Configure your wifi router to route to networks that will be associated with wifi adapter. Example for /24 network:

Destination = 192.168.3.0
Netmask = 255.255.255.0
Gateway = 192.168.1.100 (specify IP address of wifi adapter)



Setup:

1) Connect ethernet cable.

2) Install Proxmox 8-1.2.

3) After the install completes and the system has rebooted, install wpasupplicant (and install vim while you're at it):

apt update && apt install wpasupplicant vim
systemctl disable wpa_supplicant

4) Configure wpasupplicant:

wpa_passphrase SSIDNAME PASSWORD >> /etc/wpa_supplicant/wpa_supplicant.conf

5) Determine wireless adapter device name:

root@px1:/etc/pve/qemu-server# dmesg | grep -i wlp
[    4.984791] mt7921e 0000:02:00.0 wlp2s0: renamed from wlan0

6) Create /etc/systemd/system/wpa_supplicant.service and add configuration:

touch /etc/systemd/system/wpa_supplicant.service

[Unit]
Description=WPA supplicant
Before=network.target
After=dbus.service
Wants=network.target
IgnoreOnIsolate=true
 
[Service]
Type=dbus
BusName=fi.w1.wpa_supplicant1
ExecStart=/sbin/wpa_supplicant -u -s -c /etc/wpa_supplicant/wpa_supplicant.conf -i wlp2s0  ## specify your wireless device here
Restart=always
 
[Install]
WantedBy=multi-user.target
Alias=dbus-fi.w1.wpa_supplicant1.service

7) Enable wpasupplicant service:

systemctl enable wpa_supplicant

8) Configure /etc/network/intefaces:

auto lo
iface lo inet loopback

iface enp1s0 inet manual

auto wlp2s0
iface wlp2s0 inet manual
    address 192.168.1.100/24
    gateway 192.168.1.1

auto vmbr0
iface vmbr0 inet static
    address 192.168.2.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

## uncomment these lines after completing step 13
#iface vnet1 inet static
#       address 192.168.3.1/24
#        bridge-ports none
#        bridge-stp off
#        bridge-fd 0
#        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
#        post-up iptables -t nat -A POSTROUTING -s '192.168.3.0/24' -o wlp2s0 -j MASQUERADE
#        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone zone1
#        post-down iptables -t nat -D POSTROUTING -s '192.168.3.0/24' -o wlp2s0 -j MASQUERADE
#        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone zone1


source /etc/network/interfaces.d/*

9) Restart wpa_supplicant and networking services to connect wireless adapter to wifi network:

systemctl restart wpa_supplicant && systemctl restart networking

10) Remove subscription nag message:

sed -Ezi.bak "s/(Ext.Msg.show\(\{\s+title: gettext\('No valid sub)/void\(\{ \/\/\1/g" /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js && systemctl restart pveproxy.service

11) Log into proxmox web interface: https://<ip_of_your_wifi_adapter>:8006

12) Create SDN config (Datacenter --> SDN):

Zone: Simple, ID = Zone1 (use any name you like for ID)
Vnet: Name = vnet1 (use any name you like for Name), Zone = Zone1 (must match Zone ID)
Subnet: Subnet = 192.168.3.0/24, Gateway = 192.168.3.1, SNAT (check)

13) Apply config: SDN --> Apply

14) Edit /etc/network/intefaces and uncomment lines that were previously commented out:

auto lo
iface lo inet loopback

iface enp1s0 inet manual

auto wlp2s0
iface wlp2s0 inet manual
               address 192.168.1.100/24
               gateway 192.168.1.1

auto vmbr0
iface vmbr0 inet static
               address 192.168.2.1/24
               bridge-ports none
               bridge-stp off
               bridge-fd 0

iface vnet1 inet static
               address 192.168.3.1/24
               bridge-ports none
               bridge-stp off
               bridge-fd 0
               post-up echo 1 > /proc/sys/net/ipv4/ip_forward
               post-up iptables -t nat -A POSTROUTING -s '192.168.3.0/24' -o wlp2s0 -j MASQUERADE
               post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone zone1  ## Zone ID
               post-down iptables -t nat -D POSTROUTING -s '192.168.3.0/24' -o wlp2s0 -j MASQUERADE
               post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone zone1  ## Zone ID


source /etc/network/interfaces.d/*

15) Restart network service:

systemctl restart networking

16) Done. Profit.

 

[gfngfn256]

Probably should be tagged in title with [Tutorial]

 

[phamtrongthang123]

This is very helpful. It is actually possible to install wpa supplicant by downloading the .deb files too. So anyone can install it even if they don't have ethernet cable.

 

[jeenam]

This is very helpful. It is actually possible to install wpa supplicant by downloading the .deb files too. So anyone can install it even if they don't have ethernet cable.

This will gather up the wpasupplicant package and dependencies for offline install:

apt install apt-rdepends && mkdir /tmp/wpasupplicant && chown _apt /tmp/wpasupplicant && cd /tmp/wpasupplicant
apt-get download $(apt-rdepends wpasupplicant | grep -v "^ " | sed 's/debconf-2.0/debconf/g')
tar czf /path/to/destination.file.tar.gz /tmp/wpasupplicant

 

[hellcatvn]

When I try to install proxmox + HomeAssistant through will it can't get network and IP do you know how to solve this problem ?

 

[jeenam]

When I try to install proxmox + HomeAssistant through will it can't get network and IP do you know how to solve this problem ?

I think you should start a separate forum thread specifically for the problem you are having.

 

[jeenam]

Update for anyone who is using a Windows VM that connects using this setup. I noticed that every time my Windows 11 VM's would boot they would change the network name assigned to the network interface. The names would increment on every reboot. e.g. Network 2, Network 3, Network 4...on to infinity. With the creation of a new network profile on boot, Windows would also reset the network profile from Private to Public, which could potentially cause issues with the Windows Firewall (e.g. SMB is not permitted by default on Public networks).

The problem is caused by Proxmox dynamically assigning a MAC address to bridge devices on each restart. I figured this out by inspecting the output of arp -a in a Windows CMD prompt and seeing the address of the gateway (the Proxmox bridge device) reported itself as dynamic. The fix for this is as follows:

1. On the Proxmox host, find the MAC address of the bridge device with ip a show <device>. In my case the bridge is named vnet1 so the command is ip a show vnet1.

root@px1:~# ip a show vnet1
6: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f6:c7:43:09:0b:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 scope global vnet1
       valid_lft forever preferred_lft forever
    inet6 fe80::f4c7:43ff:fe09:b45/64 scope link
       valid_lft forever preferred_lft forever

2. Edit /etc/network/interfaces and add hwaddress <mac_address> to the device you're using as the wireless bridge device for SNAT.

auto vnet1
iface vnet1 inet static
               address 192.168.3.1/24
               bridge-ports none
               bridge-stp off
               bridge-fd 0
               hwaddress f6:c7:43:09:0b:45

Now your bridge device will have a consistent MAC address.

 

[jeenam]

For those who would prefer Wifi with a routed configuration my other TUTORIAL is available at the link below. I prefer the Wifi with routed configuration as it eliminates the problems with using SNAT, such as inability to utilize services that don't play nice with NAT, and no need for explicit port forwarding rules to access services behind the NAT from outside the NAT'd subnet.

https://forum.proxmox.com/threads/howto-proxmox-ve-8-x-x-wifi-with-routed-configuration.147714/

 

[ibus]

=============================================

3) After the install completes and the system has rebooted, install wpasupplicant (and install vim while you're at it):

apt update && apt install wpasupplicant vim
systemctl disable wpa_supplicant

==============================================

6) Create /etc/systemd/system/wpa_supplicant.service and add configuration:

touch /etc/systemd/system/wpa_supplicant.service

[Unit]
Description=WPA supplicant
Before=network.target
After=dbus.service
Wants=network.target
IgnoreOnIsolate=true
 
[Service]
Type=dbus
BusName=fi.w1.wpa_supplicant1
ExecStart=/sbin/wpa_supplicant -u -s -c /etc/wpa_supplicant/wpa_supplicant.conf -i wlp2s0  ## specify your wireless device here
Restart=always
 
[Install]
WantedBy=multi-user.target
Alias=dbus-fi.w1.wpa_supplicant1.service

7) Enable wpasupplicant service:

systemctl enable wpa_supplicant

Thank you for your tutorial.

My question is:
1. what the purpose of step 3, disable wpa_supplicant service?
2. If we want to edit setting of wpa_supplicant service by step 3, why in step 6 we create a new setting for wpa_supplicant, but we create it in /etc/systemd/system/, NOT in the actual service /lib/systemd/system/. If, we want to use the new one in /etc, no setting that propagate that new setting in /etc.

CMIIW.

regards

 

[jeenam]

Thank you for your tutorial.

My question is:
1. what the purpose of step 3, disable wpa_supplicant service?
2. If we want to edit setting of wpa_supplicant service by step 3, why in step 6 we create a new setting for wpa_supplicant, but we create it in /etc/systemd/system/, NOT in the actual service /lib/systemd/system/. If, we want to use the new one in /etc, no setting that propagate that new setting in /etc.

CMIIW.

regards

1. Probably redundant. Just figured I'd stop the service before configuring it.

2. You can create the systemd service conf wherever you like. Doesn't have to be in /etc/systemd/system/. My systemd-fu isn't expert level at this point. I'm still catching up from sysv/rc.d init systems as I took a few years off. If you can suggest a more ideal method that would be great.

 

[ibus]

1. Probably redundant. Just figured I'd stop the service before configuring it.

2. You can create the systemd service conf wherever you like. Doesn't have to be in /etc/systemd/system/. My systemd-fu isn't expert level at this point. I'm still catching up from sysv/rc.d init systems as I took a few years off. If you can suggest a more ideal method that would be great.

2. can you show "systemctl status wpa_supplicant.service"?
This is my service status. I'm not modified it yet. loaded setting still use /lib
Can you check yours?

#systemctl status wpa_supplicant.service
● wpa_supplicant.service - WPA supplicant
Loaded: loaded (/lib/systemd/system/wpa_supplicant.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-05-28 11:47:15 UTC; 1min 12s ago
Main PID: 1603 (wpa_supplicant)
Tasks: 1 (limit: 19081)
Memory: 1.0M
CPU: 4ms
CGroup: /system.slice/wpa_supplicant.service
└─1603 /sbin/wpa_supplicant -u -s -O "DIR=/run/wpa_supplicant GROUP=netdev"

I thought you did symlink from /etc/systemd/system/wpa_supplicant.service to /etc/systemd/system/wpa_supplicant.service
but, I don't find symlink reference in your tutorial.

CMIIW

Regards.

 

[jeenam]

2. can you show "systemctl status wpa_supplicant.service"?
This is my service status. I'm not modified it yet. loaded setting still use /lib
Can you check yours?

#systemctl status wpa_supplicant.service
● wpa_supplicant.service - WPA supplicant
Loaded: loaded (/lib/systemd/system/wpa_supplicant.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-05-28 11:47:15 UTC; 1min 12s ago
Main PID: 1603 (wpa_supplicant)
Tasks: 1 (limit: 19081)
Memory: 1.0M
CPU: 4ms
CGroup: /system.slice/wpa_supplicant.service
└─1603 /sbin/wpa_supplicant -u -s -O "DIR=/run/wpa_supplicant GROUP=netdev"

I thought you did symlink from /etc/systemd/system/wpa_supplicant.service to /etc/systemd/system/wpa_supplicant.service
but, I don't find symlink reference in your tutorial.

CMIIW

Regards.

root@px1:~# systemctl status wpa_supplicant
● wpa_supplicant.service - WPA Supplicant
     Loaded: loaded (/etc/systemd/system/wpa_supplicant.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-05-27 20:23:02 EDT; 6h ago
   Main PID: 1026 (wpa_supplicant)
      Tasks: 1 (limit: 30930)
     Memory: 3.8M
        CPU: 110ms
     CGroup: /system.slice/wpa_supplicant.service
             └─1026 /sbin/wpa_supplicant -u -s -c /etc/wpa_supplicant/wpa_supplicant.conf -i wlp4s0

 

[galere]

i have wifi on my debian-proxmox but not in my VM.
i have add static route in my router, etc/network/interfaces, SDN are ok but my vm are no network. i don't understand why.
my vm is on bridge vnet1 but can't have network...

i need help, i try resolve this but i can't....

 

[galere]

it's ok with routed configuration

 

[jeenam]

Remove the # comments from the /etc/network/interfaces file. It will cause the network service to fail to load the config. The ## were there for guidance and not meant to actually be placed into the config file.

You can verify your wireless interface is online with the command ip a

 

[georgenoob1234]

Remove the # comments from the /etc/network/interfaces file. It will cause the network service to fail to load the config. The ## were there for guidance and not meant to actually be placed into the config file.

You can verify your wireless interface is online with the command ip a

that was a fast reply, im online but i still cant connect to my web interface for some reason (sory for deleting the original post)

 

[jeenam]

that was a fast reply, im online but i still cant connect to my web interface for some reason (sory for deleting the original post)

You didn't mention whether you checked the output of 'ip a'. My guess is either the wpa supplicant service isn't loading (could be bad syntax in config/service file) or the networking service isn't restarting properly because your /etc/network/interfaces file has bad syntax. Regardless, 'ip a' will show the status of the network interfaces so you can see if they are online.

 

[georgenoob1234]

i did 'ip a' and it showed this (if there are any spelling mistakes its cuz i used my phone to grab the text since i cant connect to the pc)

1: lo: <LOOPBACK, UP, LOWER UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 br 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host 1o
    valid_Ift forever preferred _Ift forever inet6 ::1/128 scope host noprefixroute
2: enp1s0: ‹BROADCAST, MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether e8:ff:le:d2:69:01 brd ff:ff:ff:ff:ff: ff
3: wlo1: <BROADCAST, MULTICAST, UP ,LOWER_UP mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether f4:36:8:70:c7:2c brd ff:ff:ffeffeff:ff altname wip0s20f3
    inet 192.168.1.61/32 scope global wlo1
    valid_Ift forever preferred_Ift forever
    inet6 2a00:1370:8196:3591: f63b: d8ff: fe70: c72c/64 scope global dynamic mngtmpaddr
    valid Ift 594sec preferred_Ift 594sec inet6 fe88:: f63b:d8ff: fe70:c72c/64 scope link valid_Ift forever preferred_Ift forever
4: vmbr0: ‹BROADCAST. MULTICAST, UP, LOWER UP› mtu 15B gdisc noqueue state UNKNOWN group default qien 1880
    link/ether 3a:85:ea:2:63:20 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/32 scope global vmbrO valid_Ift forever preferred_1ft forever inet6 feBB:: 3885:eaff: fe2a:6320/64 scope link valid_Ift forever preferred_Ift forever
S: vmbr1: <BRORDCAST, MULTICAST, UP LOWER UP> mtu 1508 qdisc noqueue state UNKNOWH group default gien 1008
    link/ether 9a:f3:9c:be:58:89 brd ff:ffff:ff:ff:ff
    inet 192.168.3.1/24 scope global vet1 valid_Ift forever preferred_Ift forever inet6 fe80:: 983:9cff: febe:5889/64 scope link valid_Ift forever preferred_Ift forever

 

[georgenoob1234]

ok im a dummy and some how i missed a /24 in the interfaces file all is good