Proxmox VE 9.1.1 with only a single ipv4, trying to make a NAT v4 for my VM/LXC containers

Hi everyone,

I bought a dedicated server in the US and have Proxmox VE 9.1.1 installed (Debian 13) so far. What I am trying to do is set up IPv4 NAT for my VMs/LXC containers: I have a Windows VM that is unable to access the internet, and the same goes for the Debian 13 VM. I tried following https://pve.proxmox.com/wiki/Setup_Simple_Zone_With_SNAT_and_DHCP (which my friend sent me), but it did not work; the VM has no networking. A few days ago, after I installed VE 9.1.1, I SSH'd into the rented server and set up ufw to only allow my home IP address in, since I only have a single /32 IP address set on vmbr0 from when the server was installed. The host OS (Debian 13) has networking and it works fine. Only the VM has zero network access; I did try to make a 10.0.0.0/24 NAT, but that didn't work. Anyway, here is my `/etc/network/interfaces`:

Code:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

# Physical NICs, both left unconfigured ("manual"). nic0 is enslaved to
# vmbr0 below; nic1 is declared but not used by any bridge in this file.
iface nic0 inet manual

iface nic1 inet manual

# Management bridge carrying the host's single public address. It is a
# /32, i.e. there is no second address in that subnet for a guest to use,
# so a VM attached to vmbr0 has nothing to configure -- presumably why
# the guests have no connectivity while the host itself does (the post
# says host networking works). No private/NAT bridge and no iptables
# rules are defined in this file.
# NOTE(review): the gateway lies outside the /32; since the host reaches
# it, ifupdown evidently installs the required on-link route -- confirm
# with `ip route` if host connectivity is ever in doubt.
auto vmbr0
iface vmbr0 inet static
        address 172.9X.XXX.128/32
        gateway 172.9X.XXX.1
        bridge-ports nic0
        bridge-stp off
        bridge-fd 0

# Drop-in files. Per the header above, PVE keeps this directive but does
# not read interface definitions from the sourced files.
source /etc/network/interfaces.d/*

vmbr0 is connected to nic1, while nic1 has no network, since nic1 is how I get my network. (I redacted my server and gateway IP addresses.)

Also, here is my `/etc/sysctl.conf`:

Code:
# Generated sysctl.conf for server with:
# - 8 CPU cores
# - 32768MB RAM
# - 1Gbps Network
# - Server role: General Purpose Server
# - Kernel type: pf-kernel (Debian/Ubuntu)
#
# This file was generated at https://incognet.io/sysctl-conf
# Apply this configuration with: sudo sysctl -p /etc/sysctl.conf
#
# NOTE(review): this was generated for a "General Purpose Server", not a
# virtualization host; the values below were not chosen with PVE guests
# or containers in mind, so treat each section as "verify", not "given".

# ==================== NETWORK SETTINGS ====================
# Core network parameters
net.core.somaxconn = 1024
net.core.netdev_max_backlog = 8000
net.core.rmem_default = 212992
net.core.rmem_max = 4194304
net.core.wmem_default = 212992
net.core.wmem_max = 4194304

# TCP buffer settings
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304
net.ipv4.tcp_mem = 262144 1048576 4194304
net.ipv4.udp_mem = 131072 524288 2097152

# TCP connection settings
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_max_tw_buckets = 1800000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_congestion_control = cubic

# ==================== SECURITY SETTINGS ====================
# Basic network security
# syncookies, ignoring broadcast pings / bogus ICMP errors, and logging
# martian (impossible-source) packets are conventional hardening; none of
# them affects whether forwarded guest traffic is NATed.
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.tcp_rfc1337 = 1

# Kernel hardening
kernel.randomize_va_space = 2
kernel.kptr_restrict = 1
fs.suid_dumpable = 0
kernel.core_uses_pid = 1

# Disable IPv6
# The host and any bridge will have no IPv6 at all; fine for a v4-only
# setup, but remember this if the provider ever hands out a v6 prefix.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# Protect against ptrace-based attacks
kernel.yama.ptrace_scope = 1

# Disable unprivileged BPF
kernel.unprivileged_bpf_disabled = 1

# Filesystem protection
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2

# ==================== MEMORY MANAGEMENT ====================
# Virtual memory settings
# NOTE(review): vm.min_free_kbytes = 2048 looks far below what the kernel
# would auto-size for 32 GB; a very low reserve can hurt under memory
# pressure on a host running several guests -- confirm before keeping.
vm.swappiness = 30
vm.vfs_cache_pressure = 100
vm.min_free_kbytes = 2048
vm.dirty_ratio = 20
vm.dirty_background_ratio = 10
vm.dirty_expire_centisecs = 3000
vm.dirty_writeback_centisecs = 500

# ==================== FILE SYSTEM AND LIMITS ====================
# File handle limits
# NOTE(review): fs.nr_open (per-process fd ceiling) and the pid/thread
# limits in the next section appear lower than the usual Debian defaults;
# a PVE host with many VMs/containers may bump into them -- verify.
fs.file-max = 196608
fs.nr_open = 65536
fs.inotify.max_user_watches = 32768
fs.aio-max-nr = 65536

# ==================== KERNEL SETTINGS ====================
# Basic kernel parameters
# panic_on_oops=1 with panic=10 means the host reboots ten seconds after
# any kernel oops instead of limping on; deliberate choice, just be aware
# it takes every guest down with it.
kernel.panic = 10
kernel.panic_on_oops = 1
kernel.pid_max = 65536
kernel.threads-max = 32768

# CPU scheduler settings
kernel.sched_migration_cost_ns = 5000

# Low-latency kernel optimizations

# Added by hand (see the post): allows the host to route packets between
# its interfaces, which the NAT bridge needs. Required but not sufficient
# on its own -- without a MASQUERADE rule guests still get no internet,
# which matches what the post reports. The working interfaces config later
# in the thread also toggles this via post-up, so setting it here as well
# is harmless and keeps it across reboots.
# NOTE(review): this line sits under the empty "Low-latency" heading and
# uses a different spacing style; it belongs in the NETWORK SETTINGS
# section. Also worth confirming that nothing in /etc/sysctl.d/ overrides
# it after `sysctl --system`.
net.ipv4.ip_forward=1

I manually added `net.ipv4.ip_forward=1` to see if that would help, but it made no difference.

At the moment I'm not sure whether it's ufw or sysctl that is blocking NAT. Are there any guides or help on making an IPv4 NAT bridge to share my host's only IPv4 address? Thanks
 
It's very likely that ufw is interfering here, so I'd recommend turning it off completely — it's generally not advised to use ufw alongside PVE on the host, since it can lead to issues like this.
 
It's very likely that ufw is interfering here, so I'd recommend turning it off completely — it's generally not advised to use ufw alongside PVE on the host, since it can lead to issues like this.
Alright, thanks. I will turn off and disable ufw, but now I'll have to figure out how to whitelist my IP for the Proxmox web UI. I checked https://pve.proxmox.com/wiki/Firewall and I'm guessing I will have to configure it through the terminal.
 
I was supposed to post this yesterday, but I got it working since my friend gave me a config that worked.

Code:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

# nic0 is the physical uplink enslaved to vmbr0 below; nic1 is no longer
# declared at all (commented out), which is fine as no bridge uses it.
iface nic0 inet manual

#iface nic1 inet manual

# Management / uplink bridge with the host's single public /32. Guests
# should NOT be attached here -- there is no second address for them;
# they go on vmbr1 below and are NATed out through this interface.
# NOTE(review): this file defines no input filtering. With ufw disabled
# (as recommended earlier in the thread), restricting who can reach the
# host's public address (SSH, the web UI) is left to the PVE firewall --
# the follow-up about whitelisting an IP via the Firewall wiki page is
# the right place to do that.
auto vmbr0
iface vmbr0 inet static
        address 172.93.XXX.XXX/32
        gateway 172.93.XXX.1
        bridge-ports nic0
        bridge-stp off
        bridge-fd 0

# Private, NAT-only bridge for guests. It has no physical port
# ("bridge-ports none"); the host owns 10.10.10.1 on it and acts as the
# guests' default gateway. Nothing in this file hands out addresses (no
# DHCP), so guests presumably need a static IP in 10.10.10.0/24 with
# gateway 10.10.10.1 and an explicit DNS server -- confirm in the guests.
auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

    # Forwarding must be on for the host to route guest traffic. The
    # sysctl.conf shown earlier in the thread sets the same flag, so this
    # is a redundant but harmless belt-and-braces toggle; post-up commands
    # are presumably run in file order, so it precedes the NAT rule.
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # Source-NAT guest traffic leaving via vmbr0 behind the host's public
    # IP. -s limits it to the guest subnet. No DNAT/port-forward rules
    # exist here, so guests are not reachable from the internet unless
    # such rules are added deliberately.
    # NOTE(review): -A appends a fresh copy each time post-up runs; if a
    # reload ever leaves duplicates, check `iptables -t nat -S POSTROUTING`.
    post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

    # Puts traffic arriving on PVE firewall bridges (fwbr+) into conntrack
    # zone 1. This appears to be the extra rule pair the PVE docs suggest
    # for masquerade setups with the PVE firewall enabled, so that the
    # firewall's and the NAT's connection-tracking state stay separate;
    # harmless when the firewall is off.
    post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

# Drop-in files; per the header above, PVE does not read interface
# definitions from them.
source /etc/network/interfaces.d/*

I only had to add

Code:
# Private NAT-only bridge for guests: no physical port, host is 10.10.10.1
# and serves as the guests' default gateway. No DHCP is configured here,
# so guests presumably need a static address in 10.10.10.0/24, gateway
# 10.10.10.1 and a DNS server -- confirm in the guest configs.
auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

    # Enable routing between host interfaces (also set in sysctl.conf
    # earlier in the thread; setting it twice is harmless).
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # Masquerade the guest subnet behind the host's public IP on vmbr0.
    # Outbound only: no DNAT rules here, so guests stay unreachable from
    # outside unless port-forwards are added on purpose.
    post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

    # Conntrack-zone rule for traffic on PVE firewall bridges (fwbr+),
    # apparently the pair the PVE docs suggest for NAT plus PVE firewall;
    # harmless when the firewall is off.
    post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
and only changed it a bit from the 10.0.0.0/24 version, but it worked. Can someone mark this as resolved? Thanks