NAT Port Forwarding

elvinmammadov

Feb 12, 2021
Hello,

We have a server in a datacenter and it has 2 partitions, one for the Proxmox system and the other for VMs. It has 1 public IP address.
We have installed the Veeam Backup agent to take a backup of the Proxmox partition every day. The backup server is located in another datacenter.
The backup job fails, because it tries to connect to the internal IP of the Veeam Backup Server, even though we have entered the public IP in the configuration.

In the past we had the same problem for VMs, but in the Opnsense Firewall, under NAT, we added the rules and then it started to work. I would like to know how I can do the same thing in Proxmox.

The following rule works in the Opnsense Firewall.
NAT \ Port Forwarding
Source: any
Destination: Internal IP of Veeam Backup Server
Destination Port: 2500
Redirect target IP: WAN IP of Veeam Backup Server
Redirect target port: 2500
 
Hello,

Maybe you have to use iptables port forwarding in the PVE network configuration.

Code:
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport <PORT> -j DNAT --to <VM or CT Ip address>:<PORT>
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport <PORT> -j DNAT --to <VM or CT Ip address>:<PORT>

FYI: Proxmox provides a PBS (Proxmox Backup Server) solution [0] as well.

[0] https://proxmox.com/en/proxmox-backup-server
 
Thank you for your reply.

I added it to the network interface file, but it still gives the same error: it cannot reach the internal IP address.

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2500 -j DNAT --to 192.168.105.1:2500
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2500 -j DNAT --to 192.168.105.1:2500
 
Hello,

I would like to mention that the Veeam Backup Server is at a different location. In the backup configuration I have typed the public IP of the Veeam Backup Server, but during the backup process the agent also tries to connect to the internal IP address. That's why in the past we used NAT forwarding in OPNsense for the VMs.

Location A:
Proxmox Server
Opnsense Firewall
VM - Linux
VM - Windows

Location B:
Proxmox Server
Opnsense Firewall (IP: XX.XX.XX.115)
VM - Veeam Backup Server (IP: 192.168.105.1)

The following rule works in the Opnsense Firewall where "VM - Linux" and "VM - Windows" are located.
NAT \ Port Forwarding
Source: any
Destination: 192.168.105.1
Destination Port: 2500
Redirect target IP: XX.XX.XX.115
Redirect target port: 2500

I am attaching the network configuration file:

Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface eth0 inet manual

# Proxmox WAN interface
auto vmbr0
iface vmbr0 inet dhcp
        bridge-ports eth0
        bridge-stp off
        bridge-fd 0
        bridge_hw eth0

# Interface for VMs
auto vmbr1
iface vmbr1 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2500 -j DNAT --to 192.168.105.1:2500
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2500 -j DNAT --to 192.168.105.1:2500
 
Hello,

Maybe you have to use iptables port forwarding in the PVE network configuration.

Code:
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport <PORT> -j DNAT --to <VM or CT Ip address>:<PORT>
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport <PORT> -j DNAT --to <VM or CT Ip address>:<PORT>

FYI: Proxmox provides a PBS (Proxmox Backup Server) solution [0] as well.

[0] https://proxmox.com/en/proxmox-backup-server
Thanks a lot. After LOTS(!!!!) of tries, many tears, curses and bad words, THIS saved my day!
:cool:
 
Hi Everyone,

I am new to Proxmox Server and I am fighting with NAT forwarding to reach internal servers, so I have the same problem.

Could you share how you solved the iptables configuration using the masquerading method? Maybe it will reduce my tears ;)

Thank you
 
Sure:
Code:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto eno1                                  # make sure, your hardware network card is called "eno1". Otherwise change this name!
iface eno1 inet manual           # activate IPV4
iface eno1 inet6 manual         # activate IPV6

auto vmbr0                              # THIS is your first virtual network card
iface vmbr0 inet static           # you got a static address from your provider (hope so)
        address <the external IPV4-address of your server>/32    # given from your provider!
        gateway <your providers gateway>            # The provider gives you ip-address and gateway
        bridge-ports eno1                   # change eno1 to the name of network interface
        bridge-stp off
        bridge-fd 0

iface vmbr0 inet6 static
        address <the external IPV6-address of your server>/64
        gateway fe80::1

        post-up echo 1 >/proc/sys/net/ipv6/conf/all/forwarding
        up sysctl -p

auto vmbr1
iface vmbr1 inet static
        address 10.0.0.254/24             # this is the *internal* address of vmbr1, given by myself (could also have chosen 192.168.0.1)
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE                      # maybe change here to your own internal address. watch the "0/24" at the end! NOT the given address 254/24 above!
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport <portnumber> -j DNAT --to 10.0.0.2:<portnumber VM-service listens to>
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport <other portnumber> -j DNAT --to 10.0.0.3:<other portnumber>
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport <yet another portnumber> -j DNAT --to 10.0.0.4:<yet another portnumber>
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport <my last special portnumber> -j DNAT --to 10.0.0.4:<my last special portnumber>
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport <special port for putty> -j DNAT --to 10.0.0.4:<special port for putty>
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE

You must make sure that the services on your VMs really listen on the port!

Example: You have installed an Apache webserver on one VM and this webserver shall listen on port 6000,
so in ports.conf in /etc/apache2 you change the
Code:
Listen 80

to

Code:
Listen 6000

The same applies, of course, to SSL if wanted.

Of course you can run it on ports 80 and 443, because Proxmox is running on port 8006.

So one of the lines above would be:
Code:
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.0.0.2:443

BUT!!! You can only forward each port once, not a second time! So if you have another VM with a webserver, running a different domain, you cannot do this:

Code:
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.0.0.2:443   # https://www.john-doe.com - watch the ip-address
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.0.0.3:443   # https://www.jane-doe.com - watch the ip-address

All traffic will be sent to https://www.jane-doe.com and none to https://www.john-doe.com

And for your first (two) functioning VMs, here is the /etc/network/interfaces for:

a VM with a real existing external address:

Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

#The primary network interface
allow-hotplug ens18                 # AGAIN: make sure the system calls the network interface like this, otherwise change it here!

iface ens18 inet static
          address <given another external IPV4-address from the provider>/32   # 32 = ONLY this ip-address, no network
          gateway <gateway IPV4 address , given from provider, too>

iface ens18 inet6 static
          address <IPV6-address>  # made of: IPV6-address of your proxmox-server + ":2" or ":3" or ":4" etc.
          netmask 64
          gateway <IPV6-address of your proxmox-server>  # defined in /etc/proxmox/interfaces of your proxmox-server

a VM with a self-given INTERNAL address:

Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback
iface lo inet6 loopback

#The primary network interface
auto ens18                          # bring the interface up at boot

iface ens18 inet static
          address 10.0.0.2/24   # 24 = for addresses from .1 to .254
          gateway 10.0.0.254    # remember: we defined this for vmbr1 in the /etc/network/interfaces of proxmox-server

iface ens18 inet6 static
          address <IPV6-address>  # made of: IPV6-address of your proxmox-server followed by ":2" or ":3" or ":4" etc., e.g. 2d88:5d9:3a:35c::2:2 where 2d88:5d9:3a:35c::2 is the proxmox-server's address
          netmask 64
          gateway <IPV6-address of your proxmox-server>  # defined in /etc/proxmox/interfaces of your proxmox-server
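Two practical points come up in this thread: the original question (a connection that the Proxmox host itself opens to an internal address and that should be redirected to a public one, as the OPNsense rule does) and the warning above that an external port can only be forwarded once. Both can be checked before anything is written into /etc/network/interfaces. The script below is an added example, not code from the thread or from Proxmox: it generates the iptables NAT rules from a small forwarding table, refuses a table that lists the same protocol/port pair twice (iptables stops at the first matching DNAT rule, so later rules for the same port are never reached), and builds the nat OUTPUT-chain rule that locally generated connections need, because packets originating on the host itself do not pass through PREROUTING. The interface name vmbr0, the network 10.0.0.0/24, the table contents and the placeholder public address are assumptions chosen to match the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate the iptables NAT rules for a
# Proxmox host from a small forwarding table and refuse tables that forward
# the same external port twice. Names below are assumptions matching the thread:
# vmbr0 is the WAN bridge, the VMs live in 10.0.0.0/24 behind vmbr1.
WAN_IF="vmbr0"
INTERNAL_NET="10.0.0.0/24"

# Constructed forwarding table, one row per forward:
# "proto external_port internal_ip internal_port"
FORWARDS="tcp 443 10.0.0.2 443
tcp 2222 10.0.0.4 22
udp 51820 10.0.0.3 51820"

# Return 0 if no (proto, external port) pair appears twice, 1 otherwise.
# PREROUTING is evaluated top-down: the first matching DNAT wins, so a second
# rule for the same port is dead configuration, not load balancing.
check_unique_ports() {
    dups=$(printf '%s\n' "$1" | awk 'NF { print $1, $2 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# Emit the MASQUERADE rule (VM traffic leaves with the host's public address)
# followed by one PREROUTING DNAT rule per table row for inbound traffic.
build_inbound_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$INTERNAL_NET" "$WAN_IF"
    printf '%s\n' "$1" | awk -v wan="$WAN_IF" 'NF {
        printf "iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n", wan, $1, $2, $3, $4
    }'
}

# Packets generated on the host itself (for example by a backup agent running
# on the Proxmox node) never traverse PREROUTING; they hit the nat OUTPUT chain.
# This is the host-side equivalent of the OPNsense rule in the thread: rewrite
# connections to internal_ip:port so they go to public_ip:port instead.
#   $1 = proto, $2 = unreachable internal ip, $3 = port, $4 = reachable public ip
build_host_redirect() {
    printf 'iptables -t nat -A OUTPUT -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' "$2" "$1" "$3" "$4" "$3"
}

# Assemble the inbound rule set, or fail loudly on a duplicated port.
generate_rules() {
    if ! check_unique_ports "$1"; then
        echo "error: a (proto, port) pair is forwarded more than once" >&2
        return 1
    fi
    build_inbound_rules "$1"
}

# Print the rules only when asked, so sourcing the file has no side effects.
# PUBLIC.IP.OF.BACKUP is a placeholder for the backup server's public address.
if [ "${1:-}" = "--print" ]; then
    generate_rules "$FORWARDS"
    build_host_redirect tcp 192.168.105.1 2500 "PUBLIC.IP.OF.BACKUP"
fi
```

Run it with `--print` to see the rules. To make them persistent, prefix each printed line with `post-up` under the vmbr1 stanza as the configuration above does (and add the matching `post-down ... -D ...` lines), make sure `net.ipv4.ip_forward` is 1, and confirm the live result with `iptables -t nat -S`.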
 