Internet on KVM

[Afox]

Hello,

in my setup, some VMs (KVM) need Internet access. They don´t need to be reachable from the outside but must reach one point in the internet. I don´t want to give them a static public IP.

What would be the solution for this? Is it possible to use the proxmox-firewall to regulate traffic, e.g. only allow output to a special IP?

Thanks in advance,

Afox

 

[dietmar]

See

http://pve.proxmox.com/wiki/Network...ith_tt_span_class_monospaced_iptables_span_tt

And yes, you can restrict traffic with the proxmox-firewall.

 

[Afox]

hello, thanks for the hint. The node already has a vmbr0 with a static puplic IP and eth0 as bridge port. Can I add the masking snippet to the existing vmbr0?

On the VM, do I have to chose "NAT Mode" on the NIC? Does the Proxmox Firewall also work for the NIC on the VM?

 

[Afox]

Anyone can answer my questions?

 

[manu]

> The node already has a vmbr0 with a static puplic IP and eth0 as bridge port. Can I add the masking snippet to the existing vmbr0?
Not that easily.

Try the following sequence:
* create a bridge called vmbr1
* add the IP
10.10.10.1
to this bridge* configure all your VMs so that their NIC are in this bridge
* add an IP adress to each VM in the private network range 10.0.10.0/24

at that point you should be able to ping each VM from the host and vice versa

* now open the file /etc/network/interfaces file and add at the end of the *vmbr1* entry

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

 

[Afox]

thank you. I did all the steps as described and now have successfully enabled an internet-connection. On this way I stumbled on a DNS-issue as I was naming 10.10.10.1 as primary DNS-server. But this does not work as it seems. Do i have to use a public DNS-provider or is there any other solution for this?
Also I was wondering what ports I have to open on the VM-NIC for services like web or any other special port. Currently I can only browse the web if I disable the Firewall for this NIC.

Edit: Additional question: what is with the "VLAN aware"-option of the bridge? Will it work in this case?

 

[Medvenda]

> The node already has a vmbr0 with a static puplic IP and eth0 as bridge port. Can I add the masking snippet to the existing vmbr0?
Not that easily.

Try the following sequence:
* create a bridge called vmbr1
* add the IP
10.10.10.1
to this bridge* configure all your VMs so that their NIC are in this bridge
* add an IP adress to each VM in the private network range 10.0.10.0/24

at that point you should be able to ping each VM from the host and vice versa

* now open the file /etc/network/interfaces file and add at the end of the *vmbr1* entry

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

Hello,
I did the same steps and i created a Centos 7 VM with ip "10.10.10.5" and gateway "10.10.10.1" (ip of vmbr1) but when i ping 8.8.8.8 in the created VM i have "Destination Host Unreachable". Any suggestion to solve this problem?