Internet on KVM

Afox

Active Member
Dec 18, 2014
Hello,

in my setup, some VMs (KVM) need Internet access. They don't need to be reachable from the outside but must reach one point in the internet. I don't want to give them a static public IP.

What would be the solution for this? Is it possible to use the proxmox-firewall to regulate traffic, e.g. only allow output to a special IP?

Thanks in advance,

Afox
 

Afox

Active Member
Dec 18, 2014
Hello, thanks for the hint. The node already has a vmbr0 with a static public IP and eth0 as bridge port. Can I add the masking snippet to the existing vmbr0?

On the VM, do I have to choose "NAT Mode" on the NIC? Does the Proxmox Firewall also work for the NIC on the VM?
 

manu

Proxmox Staff Member
Retired Staff
Mar 3, 2015
> The node already has a vmbr0 with a static public IP and eth0 as bridge port. Can I add the masking snippet to the existing vmbr0?
Not that easily.

Try the following sequence:
* create a bridge called vmbr1
* add the IP 10.10.10.1 to this bridge
* configure all your VMs so that their NICs are in this bridge
* add an IP address to each VM in the private network range 10.0.10.0/24

At that point you should be able to ping each VM from the host and vice versa.

* now open the file /etc/network/interfaces and add at the end of the *vmbr1* entry

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
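
The steps above written out as one complete vmbr1 stanza, extended with a single rule that limits the VMs' outbound traffic to one destination, as asked in the first post. This is an added example, not part of manu's reply or Proxmox's own configuration; the `bridge-ports none` bridge options, the 255.255.255.0 netmask and the destination 192.0.2.10 (a documentation placeholder) are assumptions.

```conf
# /etc/network/interfaces (excerpt) -- added example, not from the thread.
# vmbr0 (public IP, eth0 as bridge port) stays unchanged.

auto vmbr1
iface vmbr1 inet static
    # Host side of the private VM network; VMs use this as their gateway.
    address 10.10.10.1
    netmask 255.255.255.0
    # Assumption: no physical port, the bridge only connects VMs to the host.
    bridge-ports none
    bridge-stp off
    bridge-fd 0

    # Route between vmbr1 and vmbr0, and rewrite the VMs' source address
    # to the host's public address on the way out.
    post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

    # Egress allow-list: reject everything the VMs send towards vmbr0 unless
    # it goes to the one permitted destination. 192.0.2.10 is a placeholder.
    # FORWARD is evaluated before POSTROUTING, so the VMs' private source
    # addresses are still visible here. Replies come back in on vmbr0 and
    # are not matched by this rule.
    post-up   iptables -I FORWARD 1 -i vmbr1 -o vmbr0 ! -d 192.0.2.10 -j REJECT
    post-down iptables -D FORWARD -i vmbr1 -o vmbr0 ! -d 192.0.2.10 -j REJECT
```

With the allow-list rule in place, DNS queries to any other server are rejected as well, so the VMs have to reach the permitted destination by IP address or through a hosts entry.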
 

Afox

Active Member
Dec 18, 2014
Thank you. I did all the steps as described and now have successfully enabled an internet connection. Along the way I stumbled on a DNS issue as I was naming 10.10.10.1 as primary DNS server. But this does not work, as it seems. Do I have to use a public DNS provider or is there any other solution for this?
Also I was wondering what ports I have to open on the VM-NIC for services like web or any other special port. Currently I can only browse the web if I disable the Firewall for this NIC.

Edit: Additional question: what is with the "VLAN aware"-option of the bridge? Will it work in this case?
 

Medvenda

Member
Oct 5, 2016
> > The node already has a vmbr0 with a static public IP and eth0 as bridge port. Can I add the masking snippet to the existing vmbr0?
>
> Not that easily.
>
> Try the following sequence:
> * create a bridge called vmbr1
> * add the IP 10.10.10.1 to this bridge
> * configure all your VMs so that their NICs are in this bridge
> * add an IP address to each VM in the private network range 10.0.10.0/24
>
> At that point you should be able to ping each VM from the host and vice versa.
>
> * now open the file /etc/network/interfaces and add at the end of the *vmbr1* entry
>
> post-up echo 1 > /proc/sys/net/ipv4/ip_forward
> post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
> post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

Hello,
I did the same steps and I created a CentOS 7 VM with IP "10.10.10.5" and gateway "10.10.10.1" (IP of vmbr1), but when I ping 8.8.8.8 in the created VM I get "Destination Host Unreachable". Any suggestion to solve this problem?
 
