[SOLVED] Proxmox with Ionos. Multiple public IPs and private as well.

Hello,

In my case, public networking working in the VM, i can make updates/ping out.
But i can't ping the VM or going in his webserver. Communcation with public IP behind TO the VM was not working...

I cannot connect to ssh or ping the public ip with my laptop for example... do you have an idea please?

Thanks!
 
Ok.... is the firewall issue. Will be fixed now !

Is my working configuration :
1738107237578.png

And the VM was connected on vmbr2 (public network) and inside debian configuration :

auto ens18
iface ens18 inet static
address 87.xx.xx.37/32
gateway 10.255.255.1
pointopoint 10.255.255.1

Working fine in my side :)
 
Hello everyone,

I am currently working with a dedicated server from IONOS (which includes a public IPv4) and running Proxmox 8.2.2.

My Goal

I aim to configure the following network setup:
A private network (for internal communication between multiple VMs) – Successfully using vmbr0 for this.
A public network (for 2 VMs that should be accessible from the internet via their dedicated public IPv4 addresses) – Currently struggling to set up vmbr1.

Over the past few days, I have tested several configurations:

  • Tried my own configurations.
  • Followed the guidance from this forum thread.
  • Even consulted ChatGPT (it did its best… ).
  • Studied some basic networking courses.
Unfortunately, I am still facing issues and cannot get the public network (vmbr1) to work correctly.

  • Default configuration works:
    • I can create 2 VMs on vmbr0, and they communicate internally without issues.
    • They have internet access but share the same public IP.
  • When modifying /etc/network/interfaces (e.g., using the VLAN ID provided by IONOS), I encounter issues:
    • Either I lose all access to the server (SSH & Web GUI).
    • Or vmbr1 doesn’t provide internet access, and the public IP is not correctly assigned to the VM.

Latest Attempt

Here is my most recent configuration attempt:

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
address 10.10.10.1/24
bridge-ports none
bridge-stp off
bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
bridge-ports eth0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094 # Tagged VLAN

auto vmbr1.1001
iface vmbr1.1001 inet static
address ip.ip.ip.17/32
gateway 10.255.255.1

# Enable forwarding & NAT
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr1.1001 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr1.1001 -j MASQUERADE


Whenever I set bridge-ports eth0 on vmbr1, I lose access to the server completely (SSH & Web GUI).
I followed the VLAN approach discussed in this thread, but it does not work as expected.
Inside my Windows VM, when configuring the second network interface with the public IP, curl ifconfig.me always shows the public IP of vmbr0 instead of the assigned public IP (vmbr1.1001).

I am running out of ideas to troubleshoot this issue and would greatly appreciate any guidance on how to correctly configure vmbr1

Any insights, suggestions, or example configurations would be very helpful

Thank you in advance for your time and help..
 
boushinouki said:
Hello everyone,

I am currently working with a dedicated server from IONOS (which includes a public IPv4) and running Proxmox 8.2.2.

My Goal

I aim to configure the following network setup:
A private network (for internal communication between multiple VMs) – Successfully using vmbr0 for this.
A public network (for 2 VMs that should be accessible from the internet via their dedicated public IPv4 addresses) – Currently struggling to set up vmbr1.

Over the past few days, I have tested several configurations:

  • Tried my own configurations.
  • Followed the guidance from this forum thread.
  • Even consulted ChatGPT (it did its best… ).
  • Studied some basic networking courses.
Unfortunately, I am still facing issues and cannot get the public network (vmbr1) to work correctly.

  • Default configuration works:
    • I can create 2 VMs on vmbr0, and they communicate internally without issues.
    • They have internet access but share the same public IP.
  • When modifying /etc/network/interfaces (e.g., using the VLAN ID provided by IONOS), I encounter issues:
    • Either I lose all access to the server (SSH & Web GUI).
    • Or vmbr1 doesn’t provide internet access, and the public IP is not correctly assigned to the VM.

Latest Attempt

Here is my most recent configuration attempt:

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
address 10.10.10.1/24
bridge-ports none
bridge-stp off
bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
bridge-ports eth0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094 # Tagged VLAN

auto vmbr1.1001
iface vmbr1.1001 inet static
address ip.ip.ip.17/32
gateway 10.255.255.1

# Enable forwarding & NAT
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr1.1001 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr1.1001 -j MASQUERADE


Whenever I set bridge-ports eth0 on vmbr1, I lose access to the server completely (SSH & Web GUI).
I followed the VLAN approach discussed in this thread, but it does not work as expected.
Inside my Windows VM, when configuring the second network interface with the public IP, curl ifconfig.me always shows the public IP of vmbr0 instead of the assigned public IP (vmbr1.1001).

I am running out of ideas to troubleshoot this issue and would greatly appreciate any guidance on how to correctly configure vmbr1

Any insights, suggestions, or example configurations would be very helpful

Thank you in advance for your time and help..
Click to expand...
You can handle that using the main IP address for accessing Proxmox host, and another IP address(es) to access opnsense/pfsense/anygateway.

I crated a public network, with the server and additional IP addresses. It gave me VLAN ID 1XXXX.

Here's the configuration I used on the host :

Code: 
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

# The eth0 interface
allow-hotplug eth0
iface eth0 inet dhcp

iface eth1 inet manual

# VLAN interface alias
auto eth0.1XXX
iface eth0.1XXX inet manual
    vlan-raw-device eth0

# WAN bridge for OpnSense (no IP here, it's defined in gateway VM)
auto vmbr1
iface vmbr1 inet manual
    bridge-ports eth0.1010
    bridge-stp off
    bridge-fd 0

# Bridge LAN (Internal network)
auto vmbr0
iface vmbr0 inet static
    address 10.10.10.254/24  # Internal address of host in private LAN
    bridge-ports none
    bridge-stp off
    bridge-fd 0

#iface eth0 inet6 manual
#    pre-up sleep 5
#    up dhclient -6 -nw -v eth0
#    down dhclient -6 -r -v eth0

You could also use your gateway VM to redirect on the proxmox host on specific condition, but I prefer having a specific IP address.
I defined a VPN and restricted access on the PVE host only from the VPN with simple Firewall rules on host.

Then on the gateway VM, I simply define any of the IP addresses I have in my public network, with the `10.255.255.1` gateway, and redirect traffic to differents VMs.
 
Last edited:
Hi,
thanks for the topic. I am in the same situation right now.
Ionos dedicated server with Proxmox preinstalled image + 1 additional public IP.

My network config is the exact same as already discussed with:
- Linux VLAN eth0.<<public net vlan from ionos>>
- vmbr1 Linux bridge pointing to eth0.vlanid, no ip configured at host.
- VM using vmbr1 with public IP from Ionos.

I have outgoing traffic with the secondary IP, but incoming traffic is not routed. I verified that with tcpdump on eth0 on the proxmox host. Outgoing traffic is logged, but no incoming.

Is there something additional that needs to configured on the Ionos Cloud Panel? Right now it looks like it is blocked by a Firewall or not even routed to my server from Ionos. But since I am a first time Ionos user, I am not sure if it due to my Network config or on Ionos side / Cloud Panel.
 
Amari said:
Hi,
thanks for the topic. I am in the same situation right now.
Ionos dedicated server with Proxmox preinstalled image + 1 additional public IP.

My network config is the exact same as already discussed with:
- Linux VLAN eth0.<<public net vlan from ionos>>
- vmbr1 Linux bridge pointing to eth0.vlanid, no ip configured at host.
- VM using vmbr1 with public IP from Ionos.

I have outgoing traffic with the secondary IP, but incoming traffic is not routed. I verified that with tcpdump on eth0 on the proxmox host. Outgoing traffic is logged, but no incoming.

Is there something additional that needs to configured on the Ionos Cloud Panel? Right now it looks like it is blocked by a Firewall or not even routed to my server from Ionos. But since I am a first time Ionos user, I am not sure if it due to my Network config or on Ionos side / Cloud Panel.
Click to expand...

Hi Amari,

First, two things that made me loosing time...
Did you reboot the Proxmox server ? Unfortunately, this seems to be mandatory on Ionos when you assign a new IP address to a public network.
Did you configure a firewall on Ionos ? Again, surprisingly I got strange behavior without one...
Here's my working configuration.

On Ionos cloud panel, I configured :
- A server... let's name its default IP address <HOST_IP>
- A public network with the server inside, and got the VLAN ID (named <VLAN_ID> below)
- A secondary IPv4 address, and assigned it to the public network (named <SECOND_IP> below)
- A firewall for accessing Proxmox, with ports 22 and 8006, assigned to <HOST_IP>
- A firewall for accessing VMs, assigned to the public network, and with needed ports, assigned to public network
- A VPN, to secure Proxmox host access, with IP address <VPN_ADDRESS>

On Proxmox, here's the /etc/network/interfaces
Code: 
source /etc/network/interfaces.d/*
 
auto lo
iface lo inet loopback

# The eth0 interface
allow-hotplug eth0
iface eth0 inet dhcp

iface eth1 inet manual

auto eth0.<VLAN_ID>
iface eth0.<VLAN_ID> inet manual
vlan-raw-device eth0 

# Interface WAN for OpnSense
auto vmbr1
iface vmbr1 inet manual
bridge-ports eth0.<VLAN_ID>
bridge-stp off
bridge-fd 0

# Bridge LAN (internal VMs)
auto vmbr0
iface vmbr0 inet static
address 10.10.10.254/24  # Internal Proxmox host address
bridge-ports none
bridge-stp off
bridge-fd 0

And the firewall configuration for allowing only VPN (duplicate lines if multiple IP addresses) (/etc/pve/nodes/XXXXXX/host.fw)
Code: 
[OPTIONS]
enable: 1

[RULES]
IN ACCEPT -source <VPN_ADDRESS> -dport 8006 -proto tcp
IN ACCEPT -source <VPN_ADDRESS> -dport 22 -proto tcp
IN DROP -dport 8006 -proto tcp
IN DROP -dport 22 -proto tcp

There was a default DHCP server configured on Proxmox (in Dnsmasq configuration as far as I remember), I disabled it because I prefer it on OpnSense.

OpsSense VM has two network interfaces, one on vmbr0 and one on vmbr1. All other Proxmox VMs will only be on vmbr0.
On Proxmox interface, I created a VM with a very light distribution (PuppyLinux), only to have a browser to access OpnSense. This VM is using DHCP. I also install network debugging tools on this VM.
Then I created a VM for a first service, let's name it <SERVICE_VM>, with a static IPv4 address 10.10.10.10 and gateway 10.10.10.1.

On OpnSense, I configured
- A gateway 10.255.255.1 named "WAN_GW"
- LAN on vtnet1, with static IPv4 address 10.10.10.1/24
- WAN on vtnet0, with static IPv4 address (secondary on created on Cloud panel) and WAN_GW as gateway (If you need more IP addresses to reach directly other VMs, add them to "Virtual IP" on OpnSense)
- A DHCP server with range 10.10.10.100 => 200
- NAT (Port forward) to send incoming packets destinated to <SECOND_IP> on 10.10.10.10 (SERVICE_VM), for the ports I need
- NAT (outbound) to assign the <SECOND_IP> on packets incoming from 10.10.10.10 (not mandatory if you have only one secondary IP)

Now you should access Proxmox with the original <HOST_IP>, using VPN if you configured it.

On BROWSER_VM :
- Check the DHCP server is working well, you should have 10.10.10.100 and gateway 10.10.10.1
- You should access internet
- curl ifconfig.me should give you your secondary IP address

On SERVER_VM, quite the same but with a static IP. And you should reach SERVER_VM from the outside, using SECOND_IP, on ports allowed on Ionos firewall and forwarded in OpnSense.

If you still have problems, check with tcpdump on Proxmox host if you have packets incoming on the VLAN ID. You can also use packet capture on OpnSense, or NAT log files.
Tell me if you still have problems !
 
  • Like
Reactions: Amari
@grubshka Thank you for your detailed post.

I was able to spot a difference. You said you were able to assign a Firewall Ruleset on Ionos to the Host IP as well as to your public IP? I was able to do that only for the Host IP. Maybe that is my mistake, and it takes some default rule with everything blocked. I will check that again. :)

--- Edit
I found it :)
Ionos Cloudpanel > Network > Firewall Rules > Assign IPs.

Initially, I set the firewall rules from the Server view, but there was no option for the new public network. Directly under Firewall there is.

Thank you so much.
 
Last edited:
You must log in or register to reply here.
Top Bottom