[TUTORIAL] PVE 6.2 Private VM (NAT) network configuration setup

[tuathan]

I had been trying to create a private IP (NAT) setup for my VMs and managed to do it as follows, heavily relying on infomation in reference [1]. I have re-titled this as a Tutorial now:

1. In the Proxmox web interface for the host network configuration create a second bridge: vmbr1 with IP address only e.g. 192.168.1.1/24
(Assumes vmbr0 is configured and in use by PVE host already for network access in this example on the 10.140.79.X)

2. On the PVE host node edit using nano /etc/network/interfaces to look like below:

# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
address 10.140.79.120/24
gateway 10.140.79.1
bridge-ports eth0
bridge-stp off
bridge-fd 0

auto vmbr1
iface vmbr1 inet static
address 192.168.1.1/24
bridge-ports none
bridge-stp off
bridge-fd 0

post-up echo > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE

3. Bring up the second (NAT) bridge:

ifup vmbr1

4. On the VM guest edit using nano /etc/network/interfaces to look like below:

auto lo
iface lo inet manual

iface ens18 inet manual

auto vmbr0
iface vmbr0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
bridge-ports ens18
bridge-stp off
bridge-fd 0


For further virtual machines you can use these ips:

• 192.168.1.3
• 192.168.1.4
• ...

5. run iptables command on the PVE host:

iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3033 -j DNAT --to 192.168.1.2:22

6. SSH onto the VM (via NAT) :

ssh -p 3033 root@ip_of_proxmox_host

7. Make iptables rule perminant (optional)

install iptables-persistent on the PVE host:

sudo apt-get iptables-persistent


Reference: [1] https://cyberpersons.com/2016/07/27/setup-nat-proxmox/

 

[idoc]

For my VPS Proxmox 6.2 hosted in the cloud i did the following, that is similar to your tutorial but shorter.

1. enable paket forwarding in /etc/sysctl.conf on the Proxmox host
   
   
2. edit /etc/network/interfaces on the ProxMox host, to get 10.10.10.0/24 for your containers, that route through eth0 of the ProxMox host
   
   

   # network interface settings; autogenerated# Please do NOT modify this file directly, unless you know what
   # you're doing.
   #
   # If you want to manage parts of the network configuration manually,
   # please utilize the 'source' or 'source-directory' directives to do
   # so.
   # PVE will preserve these directives, but will NOT read its network
   # configuration from sourced files, so do not attempt to move any of
   # the PVE managed interfaces into external files!
   
   auto lo
   iface lo inet loopback
   
   auto eth0
   iface eth0 inet static
   address YOUR-PUBLIC-STATIC-IP/YOUR-PUBLIC-MASK
   gateway YOUR-STATIC-GATEWAY
   
   auto vmbr1
   iface vmbr1 inet static
   address 10.10.10.1
   netmask 255.255.255.0
   bridge_ports none
   bridge_stp off
   bridge_fd 0
   
   post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
   post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

   
   
3. configure a container inside 10.10.10.0/24 - as an example using 10.10.10.2
   
   

 

[lethargos]

@tuathan
Can I ask you why you're using a bridge interface inside the virtual machine and not simply the interface directly (ens18)?
Secondly, I'm having a little trouble understanding how this works without the auto directive for the interface itself which faces the network. Does vmbr0 implying raising the interface (eth0 on the host and ens18 in the vm)?

 

[srana2000]

For my VPS Proxmox 6.2 hosted in the cloud i did the following, that is similar to your tutorial but shorter....


It Worked. Just make sure in IPTABLES RULES your INTERFACE NAME is correct.

How can I make port forwarding work ?

 

[idoc]

You can use standard iptables features on the ProxMox host:

iptables -t nat -A PREROUTING -d YOUR-PUBLIC-STATIC-IP/32 -p tcp -m tcp --dport YOUR-EXTERNAL-PORT -j DNAT --to-destination YOUR-CONTAINER-IP:YOUR-CONTAINER-PORT

 

[srana2000]

You can use standard iptables features on the ProxMox host:

iptables -t nat -A PREROUTING -d YOUR-PUBLIC-STATIC-IP/32 -p tcp -m tcp --dport YOUR-EXTERNAL-PORT -j DNAT --to-destination YOUR-CONTAINER-IP:YOUR-CONTAINER-PORT

Thank you .

 

[allocacoc]

Is this a typo?

post-up echo > /proc/sys/net/ipv4/ip_forward

Shouldn't it be:

post-up echo "1" > /proc/sys/net/ipv4/ip_forward

Or am I missing something?

 

[Roberto Blandino IBW]

@tuathan
Can I ask you why you're using a bridge interface inside the virtual machine and not simply the interface directly (ens18)?
Secondly, I'm having a little trouble understanding how this works without the auto directive for the interface itself which faces the network. Does vmbr0 implying raising the interface (eth0 on the host and ens18 in the vm)?

Hi.

In my case i would answer, because it is a good practice to keep an standard and normalization in your configurations and installation, in that way you are following an standard configuration and is easy to manage, teach, learn and pass to others.

A single network card will not add any functionality, if by any chance in the future you require vlans, or use the same network card for your VM'S.

Even if you are so crazy to unset the public ip to proxmox Host and create a secondary internal bridge and a phantom nic, set a vm as a firewall IPS and IDS and then plug it to the secondary BRIDGE to the internal nic, in this way even PROXMOX has its own firewall you can make it pass by an aditional firewall (SOPHOS,PFSENSE, etc) you have virtually set up in order to add more functionalities. Something as follow:

[ PROXMOX VE ] CLOUD --- [NIC1 - BRIDGE0 - nic1 of VMFIREWALL - TRANSPARENT FILTERS AND RULES - nic2 of VMFIREWALL - BRIDGE1 - FAKE NIC2] -- [internal nic with public IP]


Then in the firewall for security access you could reach it via VPN setting an internal network an internal nic and an internal VM for internal access and admon via VPN or any other crazy way you could come up with.

Remember that if you are in a cloud server you could wand to add another firewall you like the most than using the simple firewall of proxmox that is ok and works but if you want to add something more than a NATING and add IDS, IPS and more crazy things, a single NIC would not be enough.

I woud ask, why you would leave a network card alone directly and not into a bridge?

leaving a nic into a bridge you set a core and a base for any future crazy and good ideas that would come to your mind.