proxmox 4.4 multiple public ips nat 1:1 to private

S

Stéphane MERLE

New Member
Mar 8, 2017
3
0
1
50
Hi,
I try to do the following that was perfectly working in openvz.
I have multiple /27 ip bound to a dedicated server, this server host a proxmox node.
I want each VM (container lxc) to have her own public ip.

My provider cannot handle more than 64 mac address per server, so I have to manage the redirect from within proxmox (which was done directly by openvz before by just adding :
File: /etc/vz/vz.conf : NEIGHBOUR_DEVS=detect par NEIGHBOUR_DEVS=eth0)

I tried by editing : /etc/ufw/before.rules

and adding :
# NAT table rules
*nat
:pREROUTING ACCEPT [0:0]
:pOSTROUTING ACCEPT [0:0]

#YYY.XXX.62.0/24
-A PREROUTING -o vmbr0 -d YYY.XXX.62.0/24 -j DNAT --to-destination 192.168.62.0/24
-A POSTROUTING -o vmbr1 -s 192.168.62.0/24 -j SNAT --to-destination YYY.XXX.62.0/24

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT


or by editing the /etc/network/interface and manually adding the /27 class
but none of this worked ....

the old way was GREAT, no need to add any lines anywhere, I didn't need to edit a file each time I added a class of ip .... I am missing openvz ...

please HELP ...

Stéphane
 
Why don't you use routing for that and not bridging? You do not have problems with MAC addresses and can use the public ip directly on your LXC container.

Normally, your provider routes the subnets over your main public ip, so you create a bridge without any "real" nics and use, e.g. the first (useable) IP on that subnet as the PVEs address and configure all your LXC containers with public addresses from that subnet and that "private" bridge and set your PVE address in that subnet as router. Enable routing in general and enjoy the simplicity of this setup, no natting or hacks like that, just use public IPs and route everything.
 
Hi LnxBil,
I aggree, that would be way more easy .... BUT ... I cannot ... my provider (online.net) lock to 64 mac address/server so if I route directly my vm, I get it lock ...
That's why I was using the NEIGHBOUR_DEVS=eth0
I did manage a vmbr1 for private ips and to create vmbr0:X for each public ip in /etc/network/interface
with a nat rule in /etc/ufw/before.rules

-A PREROUTING -d external_ip -j DNAT --to-destination internal_ip
-A POSTROUTING -s internal_ip -j SNAT --to-source external_ip

but that's a BIG pain to handle ...

still looking for a better way (like a complet lan to lan nat 1:1, instead of one for each ip)

Stéphane
 
Hi Stéphane,

Sorry, I don't understand you MAC address problem. Routing solves this, because MAC routing ends at the router (layer 2), so your own machine. Routed packages (layer 3, IP) will have the MAC address of your server (the one that routes), so you only see your main server MAC address on outgoing packages towards the provider and not the MAC address behind.

That is the great benefit of routed vs. bridged subnetting.
 
LnxBil said:
Hi Stéphane,

Sorry, I don't understand you MAC address problem. Routing solves this, because MAC routing ends at the router (layer 2), so your own machine. Routed packages (layer 3, IP) will have the MAC address of your server (the one that routes), so you only see your main server MAC address on outgoing packages towards the provider and not the MAC address behind.

That is the great benefit of routed vs. bridged subnetting.
Click to expand...
Maybee I didn't set it correcly then, can you provide a sample or page where I would understand how to set it up ?

because when I tried, I had to use the fai api to set a mac address for each public ip to use in my vms (so I was limited to 64)

I did manage a way out by adding each public ip in the /etc/network/interface like this :

auto vmbr0:X
iface vmbr0:X inet static
address public_ip
netmask 255.255.255.255


and by adding those 2 lines at the end of /etc/ufw/before.rules :

-A PREROUTING -d public_ip -j DNAT --to-destination private_ip
-A POSTROUTING -s private_ip -j SNAT --to-source public_ip

like that :

# NAT table rules
*nat
:pREROUTING ACCEPT [0:0]
:pOSTROUTING ACCEPT [0:0]

[here come the lines for prerouting and postrouting]


# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT


with the vmbr1 map like this :
auto vmbr1
iface vmbr1 inet static
address 192.168.0.1
netmask 255.255.0.0
bridge_ports none
bridge_stp off
bridge_fd 0


this work ....
but it's a big pain compare to just adding : NEIGHBOUR_DEVS=eth0 in /etc/vz/vz.conf

Thanks for your help.
Stéphane
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back