Hello, I am running Proxmox VE 8.1 and I find myself in a really difficult situation regarding NAT.
Important to mention: I already searched through the Proxmox documentation and similar issues here on the forum, but I didn't find anything that matched my specific case, or that, with a few tweaks, could be made to work.
I configured Proxmox by making vmbr0 VLAN-aware, and created vmbr0.10 (for access to my LAN, which in turn has internet access) and vmbr0.100 (the containers and VMs network).
I have one physical interface; for now all of my LAN traffic is untagged (VLAN 1), but that will soon change (I'm overhauling my network).
So I have my one physical interface in access mode for VLAN 10.
Let's assume my LAN is 172.16.0.0/16 and my containers are in 10.0.0.0/24.
I want NAT masquerading for my containers so they can update and access the internet. This is my interfaces file, showing how I implemented it.
Note: I had to add four firewall rules to the node because it blocked the container from talking to the vmbr0.100 interface; you will find the rules after the interfaces file.
Code:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface eno1 inet manual
        bridge-access 10

auto vmbr0
iface vmbr0 inet static
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 1 10 100

auto vmbr0.10
iface vmbr0.10 inet static
        address 172.16.0.2/16
        gateway 172.16.0.254
# VLAN for internet access

auto vmbr0.100
iface vmbr0.100 inet static
        address 10.0.0.254/24
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0.10 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0.10 -j MASQUERADE
        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
# VLAN for container interconnection

source /etc/network/interfaces.d/*
Code:
[OPTIONS]
log_level_out: nolog
log_level_in: nolog
tcp_flags_log_level: nolog
enable: 1
[RULES]
OUT ACCEPT -dest 10.0.0.0/24 -log nolog
OUT ACCEPT -source 10.0.0.0/24 -log nolog
IN ACCEPT -dest 10.0.0.0/24 -log nolog
IN ACCEPT -source 10.0.0.0/24 -log nolog
I know that there is probably a better way than trying to NAT everything between two VLAN interfaces (using two separate bridges works), but I really need this to work this way.
Thank you in advance for your help.