Is it possible to do port forwarding when using SDN?

rhx9

Sep 15, 2022
Hi,
In the past I have set up a NAT network manually using the /etc/network/interfaces file, using something like:


Code:
iface vmbr1 inet static
        address 192.168.1.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        # post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3033 -j DNAT --to 192.168.1.2:22
        post-up   iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE

This sets up a network in addition to a port forwarding rule that I can enable/disable by commenting

Now that I have read about SDN I switched to SDN because it has a GUI, but now I don't see a way to set up port forwarding.

Is there a way to set up port forwarding when using SDN?
 
I am also interested in this question. I have 5 PVE nodes, each has a CHR, EoIP tunnels are forwarded between the CHRs, VLANs go in the tunnels - this is a large complex structure distributed across data centers in different countries. And I was very happy when SDN appeared in Proxmox 8, but I really need port forwarding from the external interfaces of the nodes to VM/LXC. I want to understand the architecture and how to set this up.
 
Currently you need to keep your "post-up" iptables PREROUTING rule, as port forwarding needs to be done manually.

Would be great if PREROUTING rules can be managed by PVE Firewall directly.
 
So, for those who wish to do SDN but *NOT* deal with Port Forwarding... https://thelinuxforum.com/articles/924-how-to-create-a-private-nat-network-interface-on-proxmox-ve-8 works well. Admirably well. Does exactly what it says on the tin. No problem. Life is happy.

Except for ONE THING:

I'm really not clear AT ALL how to go about setting up port forwarding. I have the machine I selected to NAT on the new 10.10.10.100/24 network. I'm comfortable I can assign it to 10.10.10.2. I'd much prefer to continue to manage the network using the SDN through the GUI.

I grasp that port forwarding is *NOT* an option at all in SDN, although for the life of me I don't grasp why port forwarding wasn't rolled out with it. So my questions, one of course depending on the other:

1) Do I explicitly have to abandon SDN entirely to manually do what SDN is doing *JUST* to have port forwarding?
2) If so, what is the best current page for duplicating entirely (but manually) what joy SDN cooks up for me, but adding port forwarding to it?
3) If I do NOT have to abandon SDN entirely, is there a link for me to set up IPTables for PVE 8.3.0 and manage that while enjoying the benefits of SDN, which is my preferred level of managing this?

And, 4) of course: Would Proxmox be so inclined to build in the port forwarding option missing from SDN/NAT within the near future? It does seem a rather glaring missing component to the benefits of using NAT on VMs.

EDIT: Extending this while I chew on the problem.
https://bobcares.com/blog/setup-nat-on-proxmox/ looks like it covers how to deal with this manually tinkering with the /etc/network/interfaces. I attempted to follow the directions last month, but I quickly got into a confusing mess setting up two network interfaces so I could keep my LAN routed VMs vs. NAT'ing ALL the VMs. It felt like I was tinkering with non-user-serviceable parts, and I really don't want to brick my PVE messing around here.

https://forum.proxmox.com/threads/nat-and-port-forwarding.108667/ prefers to "PFSense" and tinkering with one of the interfaces, it would appear.
`iptables -t nat -L --line-numbers` will return a table I can make sense of:

Chain POSTROUTING (policy ACCEPT)
num  target  prot  opt  source          destination
1    SNAT    all   --   10.10.10.0/24   anywhere      to:192.168.1.2
2    SNAT    all   --   10.10.10.0/24   anywhere      to:192.168.1.2

Odd that it's in there twice, but it's working and I'm not going to worry about it. I believe I can tinker with the port forwarding by examples, but I'm not clear *where* to put in a table for the system to load it at the proper time. I'm guessing it should be after the SNAT rules inserted by the SDN as the PVE machine boots up. I have NO idea how to ensure this happens correctly, or to what extent it really matters. It also looks like I have to set the kernel port-forwarding flag. I believe that is an /etc/network/interfaces script, which again, seems like I should put the port forwarding part of IP Tables in there too.

Ok, I see /etc/network/interfaces.d/sdn and what appears to be things I could tinker with to insert port forwarding. I'll see what I can do there to have it act properly based on examples.
 
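An added example, not part of any post in this thread: a POSIX shell helper for the manual PREROUTING rule discussed above. It checks with `iptables -C` before appending, so re-running post-up does not stack duplicates like the doubled SNAT line in the listing, and its `del` action removes every copy. The script name, install path and argument order are assumptions; the interface, ports and address in the usage comment are those of the first post's rule.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent DNAT helper for post-up/post-down.
# Hypothetical install path and usage (values are those of the first post's rule):
#   post-up   /usr/local/sbin/pve-portfwd.sh add vmbr0 tcp 3033 192.168.1.2 22
#   post-down /usr/local/sbin/pve-portfwd.sh del vmbr0 tcp 3033 192.168.1.2 22

IPT="${IPT:-iptables}"   # overridable so the logic can be exercised with a stub

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# portfwd add|del <ext_if> <proto> <ext_port> <dest_ip> <dest_port>
portfwd() {
    [ $# -eq 6 ] || { echo "usage: add|del if proto port dest_ip dest_port" >&2; return 2; }
    action=$1; shift
    case "$2" in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 2 ;; esac
    valid_port "$3" && valid_port "$5" || { echo "port out of range" >&2; return 2; }

    # Build the rule once so -C, -A and -D always see identical arguments.
    set -- PREROUTING -i "$1" -p "$2" --dport "$3" -j DNAT --to-destination "$4:$5"

    case "$action" in
        add)
            # -C exits non-zero when the rule is absent; append only in that case.
            "$IPT" -t nat -C "$@" 2>/dev/null || "$IPT" -t nat -A "$@"
            ;;
        del)
            # Delete every copy, so duplicates left by earlier runs go too.
            while "$IPT" -t nat -C "$@" 2>/dev/null; do
                "$IPT" -t nat -D "$@" || return 1
            done
            ;;
        *)
            echo "action must be add or del" >&2; return 2
            ;;
    esac
}

# Act only when called with arguments, e.g. from the interfaces file.
if [ $# -gt 0 ]; then portfwd "$@"; fi
```

The rule matches any source arriving on the external interface, so the forwarded service is reachable by everything that can reach that interface unless a firewall rule narrows it.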
