Proxmox NAT Question

glockmane
Jul 12, 2023
I have a Proxmox host with a single network interface. Now I want a second interface for my VMs with its own subnet. Also, I want to reach the main net from the VMs.

I tried a lot and this seems to work somewhat:

- can remote into a Windows VM (10.0.10.11)
- can reach the 192.168.10.0/24 net from the same Windows VM when I set the gateway to 192.168.10.50
- can not reach the internet from the Windows VM

These lines seem not to be needed, but why?

post-up iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s 10.0.10.0/24 -o vmbr0 -j MASQUERADE

This is my config; please comment if it is not correct in any way.

Thank you very much!

# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface enp57s0 inet manual

auto vmbr0
iface vmbr0 inet static
address 192.168.10.50/24
gateway 192.168.10.1
bridge-ports enp57s0
bridge-stp off
bridge-fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr0/proxy_arp

auto vmbr1
iface vmbr1 inet static
address 10.0.10.1/24
bridge-ports none
bridge-stp off
bridge-fd 0

post-up iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s 10.0.10.0/24 -o vmbr0 -j MASQUERADE
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 13389 -j DNAT --to 10.0.10.11:3389
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 13389 -j DNAT --to 10.0.10.11:3389

source /etc/network/interfaces.d/*
 
post-up iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s 10.0.10.0/24 -o vmbr0 -j MASQUERADE
These lines configure the NAT, so they "translate" the 10.0.10.0/24 IPs to the IP that is set on vmbr0.

How do you test the internet reachability? Could that also be a DNS issue?
Do you have any firewall enabled (datacenter, host, VM)?
Also, the default gateway on the Windows machine (attached to vmbr1, I presume) should be in the 10.0.10.0/24 subnet.
 
Oddly enough, it then worked; I don't even know now where it was stuck. I then had a longer dialogue with Google AI (please don't hit me right away) and now have an nftables config the way I want it (internet whitelist, access to the router network for VMs, RDP from the router network to the VM network, further port forwards...). It looks good to me at first glance, but I had to step in with corrections here and there and ask critical questions.

Code:
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    set internet_allowed {
        type ipv4_addr
        elements = { 10.0.10.22, 10.0.10.6 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr 10.0.10.0/24 ip daddr 192.168.10.0/24 accept
        tcp dport 3389 accept
        ip daddr 10.0.10.3 tcp dport 7766 accept
        ip daddr 10.0.10.22 tcp dport { 5001, 2283, 8888 } accept
        ip daddr 10.0.10.6 tcp dport 631 accept
        ip saddr @internet_allowed oifname "vmbr0" accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "vmbr0" tcp dport 23389 dnat to 10.0.10.5:3389
        iifname "vmbr0" tcp dport 33389 dnat to 10.0.10.7:3389
        iifname "vmbr0" tcp dport 43389 dnat to 10.0.10.8:3389
        iifname "vmbr0" tcp dport 53389 dnat to 10.0.10.3:3389
        iifname "vmbr0" tcp dport 63389 dnat to 10.0.10.4:3389
        iifname "vmbr0" tcp dport 7766  dnat to 10.0.10.3:7766
        iifname "vmbr0" tcp dport { 5001, 2283, 8888 } dnat to 10.0.10.22
        iifname "vmbr0" tcp dport 631 dnat to 10.0.10.6
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.0.10.0/24 oifname "vmbr0" masquerade
    }
}
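As an added example (not code from the thread), here is a small Python model of the forward chain above, so the rule order and the drop policy can be checked offline against sample flows before the ruleset is loaded; the flow shapes and the public addresses used in the checks are constructed.

```python
import ipaddress

# Constructed model of the posted forward chain: first matching rule wins, policy drop.
# A flow is a dict with saddr, daddr, proto ('tcp'/'udp'/'icmp'), dport, oif, ct_established.
INTERNET_ALLOWED = {"10.0.10.22", "10.0.10.6"}          # the internet_allowed set
VM_NET = ipaddress.ip_network("10.0.10.0/24")           # vmbr1 side
ROUTER_NET = ipaddress.ip_network("192.168.10.0/24")    # vmbr0 side


def _in(addr, net):
    return ipaddress.ip_address(addr) in net


def _tcp_to(flow, daddr, ports):
    return flow["proto"] == "tcp" and flow["daddr"] == daddr and flow["dport"] in ports


# Rules in chain order, each paired with the nft rule it stands for.
FORWARD_RULES = [
    ("ct state established,related accept", lambda f: f["ct_established"]),
    ("vm net -> router net accept", lambda f: _in(f["saddr"], VM_NET) and _in(f["daddr"], ROUTER_NET)),
    ("tcp dport 3389 accept", lambda f: f["proto"] == "tcp" and f["dport"] == 3389),
    ("10.0.10.3 tcp 7766 accept", lambda f: _tcp_to(f, "10.0.10.3", {7766})),
    ("10.0.10.22 tcp 5001/2283/8888 accept", lambda f: _tcp_to(f, "10.0.10.22", {5001, 2283, 8888})),
    ("10.0.10.6 tcp 631 accept", lambda f: _tcp_to(f, "10.0.10.6", {631})),
    ("internet_allowed -> vmbr0 accept", lambda f: f["saddr"] in INTERNET_ALLOWED and f["oif"] == "vmbr0"),
]


def flow(saddr, daddr, proto="tcp", dport=None, oif="vmbr0", ct_established=False):
    """Build a flow as the forward hook sees it (i.e. after any prerouting DNAT)."""
    return dict(saddr=saddr, daddr=daddr, proto=proto, dport=dport, oif=oif, ct_established=ct_established)


def forward_verdict(f):
    """Return the name of the first matching rule, or the chain policy."""
    for name, match in FORWARD_RULES:
        if match(f):
            return name
    return "drop (chain policy)"


def internet_capable(vms):
    """Which VM addresses can open a new DNS query to a public resolver via vmbr0."""
    return [ip for ip in vms if forward_verdict(flow(ip, "1.1.1.1", "udp", 53)) != "drop (chain policy)"]


if __name__ == "__main__":
    for ip in ["10.0.10.11", "10.0.10.22", "10.0.10.6"]:
        print(ip, "->", forward_verdict(flow(ip, "1.1.1.1", "udp", 53)))
```

Running the model also shows that `tcp dport 3389 accept` carries no interface or source qualifier, so a VM outside the whitelist is still forwarded to port 3389 of an external address; prefixing that rule with `iifname "vmbr0"` limits it to the inbound DNAT case it was written for.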