[TUTORIAL] PVE 6.2 Private VM (NAT) network configuration setup

tuathan

Member
May 23, 2020
I had been trying to create a private IP (NAT) setup for my VMs and managed to do it as follows, heavily relying on information in reference [1]. I have re-titled this as a Tutorial now:

1. In the Proxmox web interface, in the host's network configuration, create a second bridge, vmbr1, with an IP address only, e.g. 192.168.1.1/24.
(This assumes vmbr0 is already configured and in use by the PVE host for network access, in this example on the 10.140.79.x network.)

2. On the PVE host node, edit /etc/network/interfaces (e.g. with nano) to look like below:

# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.140.79.120/24
        gateway 10.140.79.1
        bridge-ports eth0
        bridge-stp off
        bridge-fd 0

# Private (NAT) bridge: no physical port; its address is the VMs' default gateway
auto vmbr1
iface vmbr1 inet static
        address 192.168.1.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        # enable IPv4 routing so the host forwards between vmbr1 and vmbr0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        # masquerade the private subnet behind the host's vmbr0 address
        post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE

3. Bring up the second (NAT) bridge:

ifup vmbr1

4. On the VM guest, edit /etc/network/interfaces (e.g. with nano) to look like below:

auto lo
iface lo inet loopback

# ens18 is the VM's NIC (attached to vmbr1 on the host); it carries no address
# itself but is enslaved to a bridge inside the guest
iface ens18 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        gateway 192.168.1.1
        bridge-ports ens18
        bridge-stp off
        bridge-fd 0



For further virtual machines you can use these ips:
  • 192.168.1.3
  • 192.168.1.4
  • ...
5. run iptables command on the PVE host:

iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3033 -j DNAT --to 192.168.1.2:22

6. SSH onto the VM (via NAT):

ssh -p 3033 root@ip_of_proxmox_host

7. Make the iptables rules permanent (optional)

Install iptables-persistent on the PVE host:

sudo apt-get install iptables-persistent


Reference: [1] https://cyberpersons.com/2016/07/27/setup-nat-proxmox/
 
For my VPS Proxmox 6.2 hosted in the cloud I did the following, which is similar to your tutorial but shorter.

  1. enable packet forwarding in /etc/sysctl.conf on the Proxmox host

  2. edit /etc/network/interfaces on the Proxmox host to get 10.10.10.0/24 for your containers, which route through eth0 of the Proxmox host

    Code:
    # network interface settings; autogenerated
    # Please do NOT modify this file directly, unless you know what
    # you're doing.
    #
    # If you want to manage parts of the network configuration manually,
    # please utilize the 'source' or 'source-directory' directives to do
    # so.
    # PVE will preserve these directives, but will NOT read its network
    # configuration from sourced files, so do not attempt to move any of
    # the PVE managed interfaces into external files!
    
    auto lo
    iface lo inet loopback
    
    auto eth0
    iface eth0 inet static
    address YOUR-PUBLIC-STATIC-IP/YOUR-PUBLIC-MASK
    gateway YOUR-STATIC-GATEWAY
    
    auto vmbr1
    iface vmbr1 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

  3. configure a container inside 10.10.10.0/24, as an example using 10.10.10.2

    [screenshot: container network configuration, 2020-09-08]
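As an added example that serves both the tutorial above and this shorter variant (it is not code from either post, nor from Proxmox): a small POSIX shell script for the PVE host that turns steps 2, 5 and 7 of the tutorial into one previewable, idempotent operation. Its defaults are the first post's values and are assumptions (vmbr0 / 10.140.79.120 as the public side, vmbr1 / 192.168.1.0/24 as the NAT side, one forward of external port 3033 to 192.168.1.2:22); override them with environment variables, e.g. PUB_IF=eth0 NAT_NET=10.10.10.0/24 for the layout in this post. Compared with the commands as posted it does four things a practitioner would want: it enables forwarding through a sysctl.d drop-in so the setting survives a reboot, it checks each rule with iptables -C before appending so re-running (or a repeated post-up) does not stack duplicate rules, it pins the DNAT to the public address with -d, and it adds matching FORWARD accepts so the forwards keep working if the FORWARD policy is ever set to DROP. By default it only prints the commands; APPLY=1 executes them as root.

```shell
#!/bin/sh
# nat-forward.sh - host-side NAT and port-forward rules for a private PVE bridge.
# Added example for this thread, not code from the posts or from Proxmox.
# Defaults are the first post's values (assumptions); override via environment.
PUB_IF="${PUB_IF:-vmbr0}"               # bridge/NIC carrying the public address
PUB_IP="${PUB_IP:-10.140.79.120}"       # the host's public address (assumed)
NAT_IF="${NAT_IF:-vmbr1}"               # the port-less private bridge
NAT_NET="${NAT_NET:-192.168.1.0/24}"    # the VMs' subnet behind the host
# One forward per line: "<external port> <guest ip> <guest port>"
FORWARDS="${FORWARDS:-3033 192.168.1.2 22}"

# Preview by default; APPLY=1 executes (needs root on the PVE host).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '+ %s\n' "$*"; fi; }

valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ip() {   # dotted quad, exactly four octets, each 0-255
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  IFS=. read -r a b c d extra <<EOF
$1
EOF
  [ -n "$a" ] && [ -n "$b" ] && [ -n "$c" ] && [ -n "$d" ] && [ -z "$extra" ] || return 1
  for o in "$a" "$b" "$c" "$d"; do [ "$o" -le 255 ] || return 1; done
}

# Rule specs as "<table> <chain> <match...>" lines, so the same words can be
# used to check (-C) and to append (-A).
base_rules() {
  printf 'nat POSTROUTING -s %s -o %s -j MASQUERADE\n' "$NAT_NET" "$PUB_IF"
  # No-ops under the default ACCEPT policy; needed if FORWARD is ever set to DROP.
  printf 'filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  printf 'filter FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$NAT_IF" "$PUB_IF" "$NAT_NET"
}

dnat_rules() {   # args: ext_port guest_ip guest_port
  valid_port "$1" && valid_ip "$2" && valid_port "$3" || {
    printf 'bad forward: "%s %s %s"\n' "$1" "$2" "$3" >&2; return 1; }
  # -d pins the DNAT to the public address instead of every address on PUB_IF.
  printf 'nat PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$PUB_IF" "$PUB_IP" "$1" "$2" "$3"
  # Accept only new connections to that guest and port, nothing wider.
  printf 'filter FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$PUB_IF" "$NAT_IF" "$2" "$3"
}

ensure_rule() {  # arg: one spec line; append only if it is not already present
  set -- $1; table=$1; shift
  if [ "${APPLY:-0}" = 1 ] && iptables -t "$table" -C "$@" 2>/dev/null; then
    return 0
  fi
  run iptables -t "$table" -A "$@"
}

main() {
  # Persistent forwarding: the drop-in is applied at every boot; -p applies it now.
  run sh -c 'printf "net.ipv4.ip_forward = 1\n" > /etc/sysctl.d/99-pve-nat.conf && sysctl -q -p /etc/sysctl.d/99-pve-nat.conf'
  base_rules | while read -r spec; do ensure_rule "$spec"; done
  printf '%s\n' "$FORWARDS" | while read -r ext gip gport; do
    [ -n "$ext" ] || continue
    dnat_rules "$ext" "$gip" "$gport" | while read -r spec; do ensure_rule "$spec"; done
  done
  # Step 7 of the tutorial: persist the live rule set (needs iptables-persistent).
  run netfilter-persistent save
}

main
```

Run it once without APPLY to review the exact iptables commands it would issue for your addresses (for this post's layout: PUB_IF=eth0 PUB_IP=<your public IP> NAT_NET=10.10.10.0/24 FORWARDS='2222 10.10.10.2 22' sh nat-forward.sh), then again with APPLY=1. Keeping the MASQUERADE line in the post-up hooks as well is harmless, because ensure_rule skips rules that already exist.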
 
@tuathan
Can I ask why you're using a bridge interface inside the virtual machine and not simply the interface directly (ens18)?
Secondly, I'm having a little trouble understanding how this works without the auto directive for the interface itself which faces the network. Does vmbr0 imply raising the interface (eth0 on the host and ens18 in the VM)?
 
For my VPS Proxmox 6.2 hosted in the cloud I did the following, which is similar to your tutorial but shorter....


It worked. Just make sure the interface name in your iptables rules is correct.

How can I make port forwarding work?
 
You can use standard iptables features on the Proxmox host:

Code:
iptables -t nat -A PREROUTING -d YOUR-PUBLIC-STATIC-IP/32 -p tcp -m tcp --dport YOUR-EXTERNAL-PORT -j DNAT --to-destination YOUR-CONTAINER-IP:YOUR-CONTAINER-PORT
 
You can use standard iptables features on the Proxmox host:

Code:
iptables -t nat -A PREROUTING -d YOUR-PUBLIC-STATIC-IP/32 -p tcp -m tcp --dport YOUR-EXTERNAL-PORT -j DNAT --to-destination YOUR-CONTAINER-IP:YOUR-CONTAINER-PORT
Thank you.
 
Is this a typo?

Code:
post-up echo > /proc/sys/net/ipv4/ip_forward

Shouldn't it be:

Code:
post-up echo "1" > /proc/sys/net/ipv4/ip_forward

Or am I missing something?
 
@tuathan
Can I ask why you're using a bridge interface inside the virtual machine and not simply the interface directly (ens18)?
Secondly, I'm having a little trouble understanding how this works without the auto directive for the interface itself which faces the network. Does vmbr0 imply raising the interface (eth0 on the host and ens18 in the VM)?
Hi.

In my case I would answer: because it is good practice to keep a standard and normalization in your configurations and installation; that way you are following a standard configuration that is easy to manage, teach, learn and pass on to others.

A single network card will not add any functionality if by any chance in the future you require VLANs, or want to use the same network card for your VMs.

Even if you are so crazy as to unset the public IP on the Proxmox host and create a secondary internal bridge and a phantom NIC, set up a VM as a firewall/IPS/IDS and then plug it into the secondary bridge to the internal NIC; in this way, even though Proxmox has its own firewall, you can make traffic pass through an additional firewall (Sophos, pfSense, etc.) you have set up virtually in order to add more functionality. Something as follows:

[ PROXMOX VE ] CLOUD --- [NIC1 - BRIDGE0 - nic1 of VMFIREWALL - TRANSPARENT FILTERS AND RULES - nic2 of VMFIREWALL - BRIDGE1 - FAKE NIC2] -- [internal nic with public IP]


Then, for secure access, you could reach the firewall via VPN, setting up an internal network, an internal NIC and an internal VM for internal access and administration via VPN, or any other crazy way you could come up with.

Remember that if you are on a cloud server you could want to add another firewall you like more than the simple Proxmox firewall, which is OK and works; but if you want to add something more than NATing, and add IDS, IPS and more crazy things, a single NIC would not be enough.

I would ask: why would you leave a network card directly on its own and not in a bridge?

Leaving a NIC in a bridge sets a core and a base for any future crazy and good ideas that might come to your mind.
 