Only one MAC address is allowed, then how can I build the virtual network?

slj

Aug 2, 2017
Hi there,

I installed Proxmox VE 5.0 and after registration of the MAC address by our network administrator, I can ssh into ProxmoxVE on another computer.

But when I create a VM, only when choosing NAT I can access the internet (I mean I can access the internet from the VM). If I choose bridge (vmbr0), it will fail. It seems our network does not allow any device without registering the MAC address.

How can I build the virtual network so that I can ssh the VM on another computer in my case?
 
If the network uses MAC whitelisting and you don't have administrative access to the responsible device you can either configure your virtual machines in a separate, virtual network and have a virtual router to connect it to the physical network. You can then ssh into the VMs by IP or domain name, if desired. Alternatively you can connect the VMs via NAT and configure port forwarding in the virtual router.
 
Thanks, pabernethy!

I have applied the "NAT with port forwarding" way to solve my problem. It works well (for the time being).

In the case of building "a virtual network and have a virtual router to connect it to the physical network" as you mentioned, since the server only has one public IP, how can I ssh into the VMs through the "virtual router"? Suppose the public IP is 10.101.65.1 and one VM's IP is 10.0.2.5,

do I ssh into that VM by ssh 10.0.2.5 ?

What is the difference between the "virtual router" way and "NAT with port forwarding"?
 
If only one public IP is available NAT is the only possibility. The NAT can be managed by qemu (I suppose that's your current setup) or a virtual router, which is assigned the public IP on one NIC and has the virtual network with all other VMs and the host on the other NIC. With multiple public IPs the host can be made responsible for delivering the packets to the various VMs. Your hoster can help you with this setup.
 
I used the following command for port forwarding (I guess that's qemu as you mentioned):

qm set 104 -args "--redir tcp:10422::22"

Unfortunately, I am only given one public IP. Worse still, only a single MAC address is allowed for security reasons. So "NAT with port forwarding" seems to be the only card I can play? Now I have two problems with "NAT with port forwarding":
  1. I cannot ping outside in the VMs (it's fine, though, since I can still access the Internet by browser)
  2. I cannot access the file server on the same LAN (Active Directory)
Is there any way to work around the 2nd one?
 
> 1. I cannot ping outside in the VMs (it's fine, though, since I can still access the Internet by browser)

Whether or not a host responds to a ping is entirely decided by that host. Web servers mostly do. I usually test outside connectivity with one of Google's DNS servers, like 8.8.8.8.

> 2. I cannot access the file server on the same LAN (Active Directory)

I'm not entirely sure I understand what you mean. Be aware that Qemu's NAT capability is not meant for anything more than giving a VM easy internet access. Two VMs on the same host won't be able to reach each other if even one of them is connected in that manner. The setup described in the Wiki sets you up with a proper NAT.
 
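The kind of host-side NAT the reply above points to, as an added example that is not part of the original posts or of the wiki text: a second bridge with no physical port, masqueraded out through vmbr0, plus one forwarded port for SSH. The bridge name vmbr1, the 10.0.2.0/24 subnet and the gateway address 10.0.2.1 are assumptions made for this example; 10.0.2.5, 10.101.65.1 and port 10422 are the values used in the thread.

```conf
# /etc/network/interfaces on the Proxmox host: stanza added next to the
# existing vmbr0, which stays as installed.
# Assumed for this example: bridge name vmbr1, subnet 10.0.2.0/24,
# host-side gateway address 10.0.2.1.

auto vmbr1
iface vmbr1 inet static
        address 10.0.2.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

# Let the host route between vmbr1 and vmbr0.
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward

# Outbound: VM traffic leaves with the host's own address, so the LAN
# only ever sees the host's registered MAC and IP.
        post-up   iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s 10.0.2.0/24 -o vmbr0 -j MASQUERADE

# Inbound: host port 10422 is forwarded to SSH on the VM at 10.0.2.5.
# Only this one port is exposed; everything else on the VM stays private.
        post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 10422 -j DNAT --to-destination 10.0.2.5:22
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 10422 -j DNAT --to-destination 10.0.2.5:22
```

With the VM's NIC attached to vmbr1 and configured as 10.0.2.5/24 with gateway 10.0.2.1, `ssh -p 10422 <user>@10.101.65.1` from another computer reaches the VM. Unlike QEMU's user-mode NAT, VMs attached to vmbr1 can also reach each other and the host.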
> Be aware that Qemu's NAT capability is not meant for anything more than giving a VM easy internet access. Two VMs on the same host won't be able to reach each other if even one of them is connected in that manner.

I believe that is the reason why I cannot access the file server (Active Directory), thanks, pabernethy, I learned a lot.
 
> I believe that is the reason why I cannot access the file server (Active Directory), thanks, pabernethy, I learned a lot.

Did you get it to work and could you post a guideline for someone doing the same? I'm facing the same problem :)
 
Microsoft does not support Active Directory over NAT and work-arounds are not easy to accomplish.

I would suggest you explore creating a new Domain on the private network and then explore creating a domain-trust relationship with the corporate domain.
 
> Microsoft does not support Active Directory over NAT and work-arounds are not easy to accomplish.
>
> I would suggest you explore creating a new Domain on the private network and then explore creating a domain-trust relationship with the corporate domain.

thx for the quick reply. Do you think it is possible to share a Folder from an Ubuntu System over NAT to the corporate LAN?
 
yes, it's possible and there are a variety of ways to accomplish this. Depends if you need read/write access and any form of user restrictions
 
> yes, it's possible and there are a variety of ways to accomplish this. Depends if you need read/write access and any form of user restrictions

I think I have an idea, how I want to build the system. But the NAT is not really working for me. Currently I can access the internet from my proxmox host but not from my VMs. Can you share how you set up your NAT or give me some other websites?
 
I'd suggest you start a new topic of your own, give details of your setup and your environment and what you would like to accomplish
 
