Port forwarding host to guest (NAT)

Terrum

Mar 7, 2014
From my previous post (at http://forum.proxmox.com/threads/17988-Web-interface-not-working-after-installation-from-provider) that I managed to solve myself, everything has been going very smoothly with the virtualisation.


EDIT: (Network/Host Settings from my previous post on the link above)
My host is Hetzner and I am using their provided Proxmox installation. The network settings are untouched as I am not really a techie when it comes to Linux.


After installing Windows Server 2008 on the guest (the host is Linux Proxmox-VE.localdomain 2.6.32-26-pve #1 SMP Mon Oct 14 08:22:20 CEST 2013 x86_64 GNU/Linux) I set the network to NAT and, as I'm a newbie to Linux, I'm not really sure what to do next to get ports working on the Windows Server 2008 environment. I'm trying to start by getting MSTSC (remote desktop) working on the virtual machine.

Basic Question:
Is it possible to run servers/ports on the NAT setting of a VM with the same IP as the host, provided that the port isn't being used on the host? If yes, then I would very much appreciate knowing how. If not, then you close this thread as it would be pointless to continue any further.


Anyone able to help? Many thanks!
 
perhaps the question is not so clear?

btw, for a server vm, I would not use NAT but bridged.

Marco
If the question isn't clear, it shouldn't just be ignored and feared. Someone should say it's not clear then I would do my best to rewrite it. But as far as I can see it can't be any clearer in detail, otherwise it would be rambling.

I would use bridged however I only have one IP, and as far as I'm aware you need a different IP to use bridged networking. So is it not possible to use NAT on ports for services like Remote Desktop (MSTSC), and such?
 
If the question isn't clear, it shouldn't just be ignored and feared.

I never said that you should be ignored/feared (why?). But this is a free support forum, and sometimes proxmox team is busy (3.2 just came out today), so if you wish other users to help you better, it helps you to be as simple and detailed as possible.

So is it not possible to use NAT on ports for services like Remote Desktop (MSTSC), and such?

I never said that. I just wrote what I would do. I think NAT mode in pve atm is just "thought" to give easy networking to vm clients (not servers), while for servers bridged mode is generally used.
eg: there is no nat config, anywhere, if not in pve code, I guess. But I could be wrong.

Yes, afaik, you would need another IP address, but depending on your network/host setup (which is not that much detailed) you could need only one public IP address

Marco
 
I never said that you should be ignored/feared (why?). But this is a free support forum, and sometimes proxmox team is busy (3.2 just came out today), so if you wish other users to help you better, it helps you to be as simple and detailed as possible.
I think you're misunderstanding due to your possible lack of English - I only stated that it shouldn't be ignored/feared because if the question was unclear as you claimed, in most forums someone would say so rather than just ignore it. Also, 'simple' and 'detailed' are antonyms - I cannot be simple and detailed at the same time.

I never said that. I just wrote what I would do. I think NAT mode in pve atm is just "thought" to give easy networking to vm clients (not servers), while for servers bridged mode is generally used.
eg: there is no nat config, anywhere, if not in pve code, I guess. But I could be wrong.
Yes, afaik, you would need another IP address, but depending on your network/host setup (which is not that much detailed) you could need only one public IP address
Well, again, due to your possible lack of English, I understood what you said as 'I would use NAT so I recommend you use it too' rather than 'I use NAT so I'm just going to say this anyway'. I added more information about my host in the first post, however I can't see what else would need to be added. It's basically just a simple 'yes or no' question as to whether it was possible first, and if it was possible, then more detail could have been presented in later posts. Hopefully it's clearer to you now as I even added a 'simple question' paragraph.
 
Thanks a ton for that, mir. I had a look into it and tried executing some of the iptables commands, however it doesn't seem to have had any effect on the issue. Proxmox confirms my NAT is 'eth0', so I executed:

iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT

I also edited the sysctl.conf file and set net.ipv4.ip_forward to 1, and rebooted. Is there anything else in particular I have to do? I apologise for being a Linux newbie!

If it makes it any easier, I'm trying to allow port 3389 on the VM through the public IP of the host. The NAT IP shown on the VM is 10.0.2.15. Can you let me know what I would need to type to accomplish this?

Edit: I also attempted 'iptables -A FORWARD -i eth0 -p tcp --dport 3389 -d my.public.ip -j ACCEPT'

Edit2: I also tried a few commands, whilst editing the appropriate parts from here: http://www.linuxquestions.org/quest...iptables-nat-port-forwarding-rule-set-492758/

Thanks.
 
You miss this:
Below will port forward to a webserver behind NAT on IP 172.31.0.23
1) iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
2) iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80
3) iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPT

If you want to make it permanent copy the lines to /etc/rc.local
 
Thanks again, mir. I executed the lines below:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 10.0.2.15:3389
iptables -A FORWARD -i eth0 -p tcp --dport 3389 -d 10.0.2.15 -j ACCEPT

With still no luck to the port forwarding. I'm now trying to follow this here as it appears like a helpful solution closest to my problem: http://forum.proxmox.com/threads/895-Forward-ports-to-KVM-XP-Guest

However I still can't seem to work it out. If I knew exactly what to type to port forward 3389 to the NAT VM IP this would probably then be less confusing. I'm also happy to provide any network configuration details or any requirements to ensure a proper linkage.

EDIT: If it helps, below is my network configuration:
# device: eth0
auto eth0
iface eth0 inet static
address 88.198.51.248
broadcast 88.198.51.255
netmask 255.255.255.224
gateway 88.198.51.225
# default route to access subnet
up route add -net 88.198.51.224 netmask 255.255.255.224 gw 88.198.51.225 eth0


iface eth0 inet6 static
address 2a01:4f8:131:142d::2
netmask 64
gateway fe80::1

I also tried pinging the IP 10.0.2.15 from the host and it has 100% packet loss. It's possible I need a route like in the other thread I provided above in this post. Although I don't really understand how I would do that from the link provided.
 
With your setup I would create a bridge, assign this bridge to your server and forward request to this bridge.

Code:
auto vmbr1
iface vmbr1 inet static
    address  10.0.2.1
    netmask  255.255.255.0
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

Use this bridge for your server and maintain the iptables rules:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 10.0.2.15:3389
iptables -A FORWARD -i eth0 -p tcp --dport 3389 -d 10.0.2.15 -j ACCEPT

PS. above is untested.

PPS. Forgot to mention that your server must have
10.0.2.1 as default route.
 
Would I be able to use the Network tab on the Proxmox VE control panel to create the vmbr1 request above? If so, what would I make the gateway? Also if I changed to a bridge, wouldn't the 10.0.2.15 IP shown in the iptables you provided above be non-existent?

EDIT: I tried adding the following settings: http://terrum.co.uk/uploads/1394572216.png However after rebooting the machine, it lost internet connection and I couldn't access it via SSH or anything. So I had to go into KVM and remove the changes I made to fix this. It may be because I didn't set the server as the default route like you said. Would this be the issue? Currently my network configuration looks like this now after a few changes, as the 'default route' comment appears to have moved:
# network interface settings
auto lo
iface lo inet loopback


auto eth0
iface eth0 inet static
address 88.198.51.248
netmask 255.255.255.224
gateway 88.198.51.225
broadcast 88.198.51.255
up route add -net 88.198.51.224 netmask 255.255.255.224 gw 88.198.51.225 eth0
# default route to access subnet


iface vmbr0 inet manual
bridge_ports none
bridge_stp off
bridge_fd 0
So what exactly must I do to make it the default route seeing as there's already a default route there that appears to be set by the host?
 
nothing here helps?

pve.proxmox.com/wiki/Network_Model

all options I know of should be covered there...

Marco
Yeah, I already looked there. It doesn't help sadly. When I installed Proxmox my /etc/network/interfaces was nothing like the one in 'Default Configuration (bridged)'. My starting interfaces looked like this:
# device: eth0
auto eth0
iface eth0 inet static
address 88.198.51.248
broadcast 88.198.51.255
netmask 255.255.255.224
gateway 88.198.51.225
# default route to access subnet
up route add -net 88.198.51.224 netmask 255.255.255.224 gw 88.198.51.225 eth0


iface eth0 inet6 static
address 2a01:4f8:131:142d::2
netmask 64
gateway fe80::1
And anything I try to edit stops the internet connection on the host. So I'm in need of great help. (I've restored the old config so the internet works again however I still have no idea how to fix up the issue)
 
It looks like NAT is possible, but with a little extra configuration. You can try this one. In my case it's working without any problem.
Give the newly created machine this IP. It should work. Tested under real conditions.

Connect into vmbr2 network.
IP: 10.21.21.5
MASK: 255.255.255.0
GATEWAY: 10.21.21.254
DNS 1: 10.21.21.254
DNS 2: 8.8.8.8

Proxmox VE - One Public IP


https://raymii.org/s/tutorials/Proxmox_VE_One_Public_IP.html

# /etc/network/interfaces:
auto vmbr2
iface vmbr2 inet static
address 10.21.21.254
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.21.21.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.21.21.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3389 -j DNAT --to 10.21.21.5:3389
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 3389 -j DNAT --to 10.21.21.5:3389
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.21.21.6:80
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.21.21.6:80

When you create a KVM VM, make sure it is attached to the bridge vmbr2. It should also have a static IP configured in the range you define. OpenVZ venet interfaces with an IP in this range automagically work.
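
Added example (not part of the post above or of the linked tutorial): a small Python lint for a bridge stanza like the vmbr2 one, checking that every `post-up` iptables rule has its `post-down` twin, that each DNAT target lies inside the bridge subnet, that MASQUERADE is limited to that subnet, and reporting forwards that accept any source address. The function name `lint_stanza`, its checks and the trimmed sample are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample: the vmbr2 stanza from the post above, cut to one forward.
SAMPLE = """\
auto vmbr2
iface vmbr2 inet static
address 10.21.21.254
netmask 255.255.255.0
post-up iptables -t nat -A POSTROUTING -s '10.21.21.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.21.21.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3389 -j DNAT --to 10.21.21.5:3389
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 3389 -j DNAT --to 10.21.21.5:3389
"""

def lint_stanza(text):
    """Return findings for one bridge stanza that carries iptables NAT hooks."""
    opts, hooks = {}, {"post-up": [], "post-down": []}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0], " ".join(parts[1].split())
        if key in hooks and val.startswith("iptables "):
            hooks[key].append(val)
        elif key in ("address", "netmask"):
            opts[key] = val
    if len(opts) != 2:
        return ["stanza needs both address and netmask"]
    net = ipaddress.ip_network(f"{opts['address']}/{opts['netmask']}", strict=False)
    findings = []
    for rule in hooks["post-up"]:
        # Each -A needs the same rule with -D at ifdown, or copies pile up per ifup.
        if rule.replace(" -A ", " -D ", 1) not in hooks["post-down"]:
            findings.append(f"no matching post-down: {rule}")
        src = re.search(r"\s-s\s+'?([0-9./]+)'?", rule)
        dnat = re.search(r"-j DNAT --to(?:-destination)?\s+([0-9.]+)", rule)
        if dnat:
            port = re.search(r"--dport\s+(\d+)", rule)
            if ipaddress.ip_address(dnat.group(1)) not in net:
                findings.append(f"DNAT target {dnat.group(1)} is outside {net}")
            if not src:
                findings.append(f"port {port.group(1) if port else '?'} is forwarded from any source")
        elif "-j MASQUERADE" in rule and (not src or ipaddress.ip_network(src.group(1), strict=False) != net):
            findings.append(f"MASQUERADE is not limited to {net}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_stanza(SAMPLE)))
```

On the sample it reports only that port 3389 is forwarded from any source; adding a `-s <CIDR>` match to that PREROUTING rule pair limits who can reach the guest's RDP port.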
 
When you create a KVM VM, make sure it is attached to the bridge vmbr2. It should also have a static IP configured in the range you define. OpenVZ venet interfaces with an IP in this range automagically work.
also make sure the gateway of the guest interface matches the ip specified in the proxmox bridge interface
 
