NAT and bridged networking with one NIC?

[onik]

Hi,

We're planning to add a dedicated IP to one of our VMs. However, we currently use NAT for all VMs. Am I correct in thinking that the following is the correct procedure?

Current config (one static IP):

auto lo
iface lo inet loopback


auto eth0
iface eth0 inet static
    address  xxx.xxx.xxx.148
    netmask  255.255.255.128
    gateway  xxx.xxx.xxx.254
    post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp


iface eth1 inet manual


auto vmbr0
iface vmbr0 inet static
    address  10.0.0.1
    netmask  255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
    post-up iptables -t nat -A PREROUTING -d xxx.xxx.xxx.148/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
    post-up iptables -A FORWARD -d 10.0.0.2/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
    post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE

Planned additions (add new static IP which will be assigned to one VM):

auto eth0:1
iface eth0:1 inet manual

iface vmbr1 inet static[INDENT]address xxx.xxx.xxx.152
netmask 255.255.255.128
gateway xxx.xxx.xxx.254
bridge_ports eth0:1
bridge_stp off
bridge_fd 0[/INDENT]

Is this the proper way to setup the network?

 

[lastguru]

you can't bridge eth0:1 - this should never work. you can bridge and nat the same interface, though... but there will be no separation between the traffic.

 

[onik]

you can bridge and nat the same interface, though... but there will be no separation between the traffic.

I don't quite follow you. How will this accomplish having one VM at a separate IP?

 

[lastguru]

you cannot bridge one IP. bridge will work only on physical interface and for all traffic going to this interface regardless of IP addresses.