NAT-ed VMs and LXCs with a single public IP on the host -- help


Feb 4, 2021
What I'd like to do: Migrate away from a host with about 15 public IPs to a single public IP with all VMs getting static or DHCP addresses in the 10.10.10.x space. Many of these VMs serve up multiple services -- for example, a dozen WordPress sites on a single Webinoly or WordOps VM.

Where things are going south: Having installed Dnsmasq and set up both vmbr0 (public IP) and vmbr1 (private IP range), I can get the VMs to communicate with the outside world for requesting apt updates, etc. But trying to spin up a WordPress site on a VM with Word Ops installed, with the domain pointed at the host's public IP, gets me an in-browser error with connection refused, every time, whether the 10.10.10.x IP is static or DHCP..

Any idea what I'm doing wrong? Or is what I want simply impossible without moving every hosted service/site to its own mini VM or LXC?

My /etc/network/interfaces data below. Note that the problem exists both with and without the last two "raw" iptables instructions:

auto lo
iface lo inet loopback

iface lo inet6 loopback

iface eno1 inet static
up route add -net x`` netmask gw dev eno1
# route via x``

iface eno1 inet6 static
address xxxxx/64
gateway xxxx::1

auto vmbr0
iface vmbr0 inet static
bridge-ports none
bridge-stp off
bridge-fd 0

auto vmbr1
iface vmbr1 inet static
bridge-ports none
bridge-stp off
bridge-fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '````' -o eno1 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '' -o eno1 -j MASQUERADE
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
NAT is only one direction. How do you forward the ingress traffic and how do you route it to the VMs? Normally, you would use a reverse proxy for that.
Oh, look -- it's the missing piece of the puzzle! Thanks @LnxBill!

Glancing around the internet, it seems my best options are Nginx Proxy Manager or Caddy, with the latter either in an LXC/VM or installed on the Proxmox host. Assuming I put either in an LXC or VM, what's the right way to direct essentially all inbound traffic (other than the Proxmox UI at 8006) to the reverse-proxy container?


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!