"isolating/hiding" a VM with IP overlapping from LAN network with NAT

Chris&Patte

Sep 3, 2013
Hello,
For some test scenarios I need to isolate a copy of a VM from the network itself but still need to access it via dedicated ports.

Example.
Proxmox host: 192.168.0.10/24
I have a VM0 (bridged) with IP 192.168.0.1 in a LAN with network 192.168.0.0/24 and LAN gateway 192.168.0.254.
Now I make a copy of VM0 named VM1. The VM has a fixed IP and therefore VM1 also has IP 192.168.0.1.

I now want to "hide" VM1 behind a NAT device and port-forward ports 22 and 80 from VM1 to the Proxmox IP 192.168.0.10, ports 12322 and 12380 (or any free port).

How can I do such things?
I have read the manual and it seems clear that this is possible, but I didn't figure out the correct way.

Thanks for any help
 
If I create a new NAT network with the IP range of the LAN network, I get an error:

[root@iteanova015 iteanova]# virsh net-start nat223
Fehler: Netzwerk nat223 konnte nicht gestartet werden
Fehler: Interner Fehler: Netzwerk wird bereits von Schnittstelle eno1 verwendet

But somehow it should be possible to do such things, as it happens sometimes in hosting environments.
 
Hi,

virsh is not part of Proxmox VE and also not compatible.
And if I get you right, you try to NAT from 192.168.0.0/24 into a 192.168.0.0/24 network?
Because this is not possible.
You would need a perimeter network to make this work.
 
Well, I know it's not common to use IP-overlapping networks, but in fact it's possible and also in the official RFC.
I have done it easily before in a VirtualBox environment, and I have also done it more often with a physical pfSense box as NAT device.
But the only good documentation you find on the net is from Cisco. Well, in enterprise environments such things happen more often.

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13774-3.html

Well, however, how to do this in Proxmox? Anybody got any idea?

The main idea is to create a NAT rule not only with network ranges, but also with the interfaces where the packets arrive.
If you have a rule that just NATs everything coming in on a dedicated interface (instead of from a dedicated network range), then you've got it.
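The following script is an added example and not part of the thread or of Proxmox VE; it shows the interface-keyed NAT described above on a Proxmox host, using Linux policy routing and iptables in a network namespace that plays the role of the pfSense box from the first post. Assumptions: vmbr0 is the LAN bridge, vmbr1 is a bridge with no physical port to which only VM1 is attached, 192.168.0.11 is a free LAN address (constructed), and the namespace and veth names (nat1, ext0/ext1, int0/int1) are chosen for the example. Because both sides of the namespace carry 192.168.0.0/24, the destination address alone cannot choose the output interface, so the inbound interface picks the routing table and the outbound interface picks the SNAT address.

```shell
#!/bin/sh
# Added example, not from the thread: put the clone VM1 (192.168.0.1, the same
# address as VM0) behind a NAT network namespace on the Proxmox host and reach
# its ports 22 and 80 through the host address 192.168.0.10 on 12322 and 12380.
# Assumed: vmbr0 is the LAN bridge, vmbr1 is a bridge without a physical port
# carrying only VM1, and 192.168.0.11 is a free LAN address (constructed).
set -eu

NS=nat1                 # namespace that plays the pfSense/NAT-box role
LAN_BR=vmbr0            # bridge towards the real LAN
ISO_BR=vmbr1            # isolated bridge carrying only VM1
HOST_IP=192.168.0.10
NAT_EXT=192.168.0.11    # namespace address on the LAN side (assumed free)
NAT_INT=192.168.0.254   # namespace address on VM1's side: same as the LAN
                        # gateway, so the unchanged clone still has a gateway
VM1_IP=192.168.0.1

# DRY_RUN=1 (default) prints the commands for review; DRY_RUN=0 executes them
# as root on the host.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
ns() { run ip netns exec "$NS" "$@"; }

nat_setup() {
  run ip netns add "$NS"
  run ip link add ext0 type veth peer name ext1
  run ip link add int0 type veth peer name int1
  run ip link set ext0 master "$LAN_BR" up
  run ip link set int0 master "$ISO_BR" up
  run ip link set ext1 netns "$NS"
  run ip link set int1 netns "$NS"
  ns ip addr add "$NAT_EXT/24" dev ext1
  ns ip addr add "$NAT_INT/24" dev int1
  ns ip link set ext1 up
  ns ip link set int1 up
  ns ip link set lo up
  # Both legs carry 192.168.0.0/24, so the destination alone cannot pick the
  # output interface: the inbound interface selects the routing table.
  ns ip rule add iif ext1 lookup 200 pref 200
  ns ip route add 192.168.0.0/24 dev int1 table 200
  ns ip rule add iif int1 lookup 100 pref 100
  ns ip route add 192.168.0.0/24 dev ext1 table 100
  ns sysctl -q -w net.ipv4.ip_forward=1
  # arp_ignore=1: answer ARP only for addresses configured on the receiving
  # interface. Without it the namespace would also answer for 192.168.0.254
  # on the LAN side and hijack the real gateway.
  ns sysctl -q -w net.ipv4.conf.all.arp_ignore=1
  ns sysctl -q -w net.ipv4.conf.all.arp_announce=2
  ns sysctl -q -w net.ipv4.conf.all.rp_filter=0
  # NAT keyed on the interface, not on the address range: everything leaving
  # int1 appears to VM1 as 192.168.0.254, everything leaving ext1 appears to
  # the LAN as 192.168.0.11.
  ns iptables -t nat -A POSTROUTING -o int1 -j SNAT --to-source "$NAT_INT"
  ns iptables -t nat -A POSTROUTING -o ext1 -j SNAT --to-source "$NAT_EXT"
  ns iptables -t nat -A PREROUTING -i ext1 -p tcp --dport 12322 -j DNAT --to-destination "$VM1_IP:22"
  ns iptables -t nat -A PREROUTING -i ext1 -p tcp --dport 12380 -j DNAT --to-destination "$VM1_IP:80"
  # Only the two forwarded services are reachable; VM1 cannot open
  # connections towards the LAN itself, which keeps the clone isolated.
  ns iptables -P FORWARD DROP
  ns iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ns iptables -A FORWARD -i ext1 -o int1 -p tcp -d "$VM1_IP" -m multiport --dports 22,80 -m conntrack --ctstate NEW -j ACCEPT
}

# Optional second hop so the ports are published on the host address itself.
# The SNAT is needed because the namespace would otherwise answer the client
# directly from 192.168.0.11 and the client would reset the connection.
host_publish() {
  run sysctl -q -w net.ipv4.ip_forward=1
  for p in 12322 12380; do
    run iptables -t nat -A PREROUTING -d "$HOST_IP" -p tcp --dport "$p" -j DNAT --to-destination "$NAT_EXT:$p"
    run iptables -t nat -A POSTROUTING -d "$NAT_EXT" -p tcp --dport "$p" -j SNAT --to-source "$HOST_IP"
  done
}

nat_setup
host_publish
```

Run it once as-is to review the generated commands, then with `DRY_RUN=0` as root. The namespace deliberately has no default route, so VM1 only ever sees the two forwarded services and nothing else; if the Proxmox firewall (pve-firewall) is enabled on the host, its own chains apply to the host-side rules in `host_publish` and need to permit the forwarded ports as well.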
 
OK, because I'm curious about this thing I have now tried it under Hyper-V with a pfSense VM as NAT device.
I managed to configure the pfSense with the same network ranges on both sides, created a port forwarding and tested it.
But in the end I did not get any response via the forwarded port.

And now I wonder how I made this stuff work some years ago. And I'm not sure any more whether I used some sort of VPN to connect to the pfSense box. If this was the case, then the VPN acted as the perimeter network and the IP-overlapping NAT is not generally possible....
 
The problem is this is a very network-dependent setup.
And also, must the original VM still be available, and what about the clone VM?
Is it enough if the VM can send packets out but can't receive them?
 