Internet on KVM

Afox

Dec 18, 2014
Hello,

in my setup, some VMs (KVM) need Internet access. They don't need to be reachable from the outside but must reach one point in the internet. I don't want to give them a static public IP.

What would be the solution for this? Is it possible to use the proxmox-firewall to regulate traffic, e.g. only allow output to a special IP?

Thanks in advance,

Afox
 
Hello, thanks for the hint. The node already has a vmbr0 with a static public IP and eth0 as bridge port. Can I add the masking snippet to the existing vmbr0?

On the VM, do I have to choose "NAT Mode" on the NIC? Does the Proxmox Firewall also work for the NIC on the VM?
 
> The node already has a vmbr0 with a static public IP and eth0 as bridge port. Can I add the masking snippet to the existing vmbr0?
Not that easily.

Try the following sequence:
* create a bridge called vmbr1
* add the IP 10.10.10.1 to this bridge
* configure all your VMs so that their NICs are in this bridge
* add an IP address to each VM in the private network range 10.0.10.0/24

At that point you should be able to ping each VM from the host and vice versa.

* now open the file /etc/network/interfaces and add at the end of the *vmbr1* entry

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
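
The steps above only work when the bridge address, each VM's address and the `-s` match of the MASQUERADE rule all lie in the same subnet. The following is an added example, not part of the original post or of Proxmox's tooling: a small Python check over a constructed vmbr1 stanza. The `netmask` and `bridge_*` lines and the function name `check_nat_bridge` are assumptions.

```python
import ipaddress
import re
import shlex

# Constructed sample: a vmbr1 stanza assembled from the steps above.
# The netmask and bridge_* lines are assumptions, not taken from the thread.
SAMPLE_STANZA = """\
auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
"""


def check_nat_bridge(stanza, vm_ips):
    """Return problems that would keep VMs on the bridge from reaching the Internet."""
    opts, hooks = {}, []
    for line in stanza.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key in ("post-up", "post-down"):
            hooks.append((key, value))
        else:
            opts[key] = value
    problems = []
    bridge = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}")
    if not any(k == "post-up" and re.search(r"echo\s+1\s*>\s*/proc/sys/net/ipv4/ip_forward", v) for k, v in hooks):
        problems.append("IPv4 forwarding is not enabled in post-up")
    nat_src = None
    for k, v in hooks:
        argv = shlex.split(v)  # also strips the quotes around the -s network
        if k == "post-up" and "MASQUERADE" in argv and "-s" in argv:
            nat_src = ipaddress.ip_network(argv[argv.index("-s") + 1])
    if nat_src is None:
        problems.append("no MASQUERADE rule with a -s match in post-up")
    for ip in map(ipaddress.ip_address, vm_ips):
        if ip not in bridge.network:
            problems.append(f"{ip} is outside {bridge.network}; gateway {bridge.ip} is not on-link")
        if nat_src is not None and ip not in nat_src:
            problems.append(f"{ip} does not match -s {nat_src}; its traffic is not masqueraded")
    return problems
```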
 
Thank you. I did all the steps as described and now have successfully enabled an internet connection. Along the way I stumbled on a DNS issue, as I was naming 10.10.10.1 as primary DNS server. But this does not work, as it seems. Do I have to use a public DNS provider or is there any other solution for this?
Also I was wondering what ports I have to open on the VM NIC for services like web or any other special port. Currently I can only browse the web if I disable the Firewall for this NIC.

Edit: Additional question: what is with the "VLAN aware"-option of the bridge? Will it work in this case?
 
> The node already has a vmbr0 with a static public IP and eth0 as bridge port. Can I add the masking snippet to the existing vmbr0?
Not that easily.

Try the following sequence:
* create a bridge called vmbr1
* add the IP 10.10.10.1 to this bridge
* configure all your VMs so that their NICs are in this bridge
* add an IP address to each VM in the private network range 10.0.10.0/24

At that point you should be able to ping each VM from the host and vice versa.

* now open the file /etc/network/interfaces and add at the end of the *vmbr1* entry

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
Hello,
I did the same steps and I created a CentOS 7 VM with IP "10.10.10.5" and gateway "10.10.10.1" (IP of vmbr1), but when I ping 8.8.8.8 in the created VM I get "Destination Host Unreachable". Any suggestion to solve this problem?