PVE Cannot NAT LAN to WAN?

UPDATE: As a result of the research on this thread, it looks like you cannot use private IPs behind your Proxmox host's true IP, and masquerade the traffic using NAT, as stated here


Using Proxmox 3.4, I've given my (Linux) guest both public and private network addresses.

How can I get the private addresses NAT-ed so that they can ping the public internet (they can ping each other, BTW)?

Here's my PVE config:

Screenshot from 2015-02-23 21:53:33.png

And on the host, I have:

Code:
auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address  62.x.x.102
        netmask  255.255.255.0
        gateway  62.x.x.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0


auto vmbr1
iface vmbr1 inet static
        address  10.10.10.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0


        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

on the guests:

Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 89.x.x.5
        netmask 255.255.255.0
        network 89.x.x.0
        broadcast 89.x.x.255
        gateway 89.x.x.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 8.8.8.8
        dns-search xxxxx

auto eth1
iface eth1 inet static
        address  10.10.10.101
        netmask  255.255.255.0
 
Re: How to NAT LAN to WAN?

Code:
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

Code:
auto eth0
iface eth0 inet static
        address 89.x.x.5
        netmask 255.255.255.0
        network 89.x.x.0
        broadcast 89.x.x.255
        gateway 89.x.x.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 8.8.8.8
        dns-search xxxxx
Can you show me your bridge details (brctl show)?
 
Re: How to NAT LAN to WAN?

You want to share Internet through vmbr1 for your VPS in lan and give others direct access through vmbr0 ?
 
Re: How to NAT LAN to WAN?

Yes, so essentially have a private network available for things like rsync-ing between VMs, but to also allow those VMs to have separate public IP addresses.

This is in fact working like that right now (the VMs can all ping each other on their LAN interfaces), but I'd like the LAN to be able to have a gateway to the internet as well. That would mean I could spin up a VM that only had a LAN address and for it still to have access to the public internet.
 
Re: How to NAT LAN to WAN?

Hi all,

i've installed & configured PVE 3.3 on a fresh Host and try to find the "best" networking/routing setup to a scenario like JBB describes here.

I like the "proxmox integrated firewall" feature but can't really understand why the Proxmox webgui doesn't let me configure a private bridge that is natted to the outside world for outbound traffic (SNAT). I've been searching in the proxmox wiki and here but couldn't find a "built in" solution for this.

I am planning to set up a cluster with another host node and have read, that in this case proxmox is able to manage firewall rules cluster-wide.

If i simply add a masquerading rule on my host node now, providing NAT for VMs that don't have any external official IP, how will proxmox handle this if my cluster is up & running and one node dies?
Or - generally: Does the cluster-firewall feature still work, if i extend iptables with own rules (like natting)?
What is the easiest/best way to provide NAT for "local" VMs? I am one step before creating a firewall-VM running pfsense (or similar) just for natting...


Hope this doesn't sound too confusing and somebody can help me here!

BR,
Heiner
 
Re: How to NAT LAN to WAN?

I like the "proxmox integrated firewall" feature but can't really understand why the Proxmox webgui doesn't let me configure a private bridge that is natted to the outside world for outbound traffic (SNAT). I've been searching in the proxmox wiki and here but couldn't find a "built in" solution for this.

see section masquerading in:

https://pve.proxmox.com/wiki/Network_Model

firewall should work.
 
Re: How to NAT LAN to WAN?

see section masquerading in:

https://pve.proxmox.com/wiki/Network_Model

firewall should work.
Many thanks for the fast answer, Dietmar!

I have seen that part in wiki. If configured like that and s.th. in /etc/network/interfaces is changed via web-gui, it deletes those 3 lines as the diff shows in gui:

Code:
[COLOR=#000000]-        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
[/COLOR]-        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE 
[COLOR=#000000]-        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE[/COLOR]
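Review bot: with all three post-up/post-down lines removed, nothing in the visible lines still enables ip_forward or installs the MASQUERADE rule for 10.0.0.0/24, so the private range loses outbound NAT the next time the interface is brought up; if the rewrite cannot preserve them, keep these commands in a hook script outside the rewritten file. Separately, the post-up line that writes 1 to /proc/sys/net/ipv4/ip_forward has no post-down counterpart, so forwarding stays enabled after the bridge goes down.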

Because of that i thought: "Proxmox GUI doesn't support NAT in network config, so it won't work in the firewall, too!"

Is this behavior a bug or is it a feature that i didn't understand by now? I really don't have any problem with editing configs, but i know how easy it is to f*** up perfectly working config files with one wrong click in the GUI*. That's why i always check out GUI features of a software/product and see how manual entries in configs are handled. In a case like this, if there's no way to get NAT working within the GUI, i don't really want to have it configured within /etc/network/interfaces.

If you say, that NAT is no problem for pve-firewall (even if clustered), i'll try it out and look for another file for those config lines (maybe in rc.local or crontab?) so i can't accidentally delete them within the GUI.

Thx and BR,
Heiner


PS: (*) Please don't get me wrong: I don't think proxmox GUI is crap: As far as i can say by now it is brilliant. Especially if compared to v1.x's GUIs :) It's just my general experience with many GUIs i have seen in the 10 years of my linux history. You guys do a great job! :cool:
 
Re: How to NAT LAN to WAN?

@rootkid Maybe best to put those lines in files in /etc/network/if-up.d and if-post-down.d accordingly?

Meanwhile, I've just tried getting all this to work, but it's not happening :-(

I think I need to add the appropriate routes for each interface on the guest. At least, if I add "gateway 10.10.10.1" for eth1, it works, but then I can't ping the outside from eth0.

So - looking at how to hack the routing tables now.
 
Re: How to NAT LAN to WAN?

Is this behavior a bug or is it a feature that i didn't understand by now? I really don't have any problem with editing configs, but i know how easy it is to f*** up perfectly working config files with one wrong click in the GUI*.

We try hard to keep that information, but it gets deleted when you change the IP assignment of the interface.
 
Re: How to NAT LAN to WAN?

Caution: Long Post!

Short version for the lazy guys:
I tried everything i know about NAT to get it going on my proxmox node but had to give up.
As long as nobody has another clue what else to try, i'll keep using a KVM firewall system for managing VM traffic


That's all, so here comes the long version of what i tried to get it done:

I stopped pve-firewall to ensure iptables is clean:
Code:
root@proxmox2:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@proxmox2:~# 
root@proxmox2:~# 
root@proxmox2:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@proxmox2:~#




NAT at private bridge doesn't work (odoo is host name of VM's private IP, vmbr0 is public net - official routed 195.71.x.x IP accessible from www, vmbr1 is private net 10.0.0.1/8):
Code:
root@proxmox2:~# cat /proc/sys/net/ipv4/ip_forward
1
root@proxmox2:~# iptables -t nat -A POSTROUTING -o vmbr1 -j MASQUERADE
root@proxmox2:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@proxmox2:~# 


root@proxmox2:~# tcpdump -i vmbr0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:46:27.824973 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2320, seq 8, length 64
11:46:28.824960 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2320, seq 9, length 64
11:46:29.824962 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2320, seq 10, length 64
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
root@proxmox2:~#



NAT at public bridge doesn't work either:
Code:
root@proxmox2:~# iptables -t nat -D POSTROUTING -o vmbr1 -j MASQUERADE
root@proxmox2:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@proxmox2:~# iptables -t nat -A POSTROUTING -o vmbr0 -j MASQUERADE
root@proxmox2:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@proxmox2:~# tcpdump -i vmbr0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:01:03.834960 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2320, seq 884, length 64
12:01:04.834981 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2320, seq 885, length 64
12:01:05.834949 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2320, seq 886, length 64
12:01:11.842103 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 1, length 64
12:01:12.842010 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 2, length 64
12:01:13.842008 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 3, length 64
12:01:14.841988 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 4, length 64
12:01:15.841950 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 5, length 64
12:01:16.841962 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 6, length 64
12:01:17.841998 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 7, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
root@proxmox2:~#



... and even if i NAT at the bond0 interface (which contains eth0 and eth1 in active/backup mode):
Code:
root@proxmox2:~# tcpdump -i eth0 icmp
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:16:34.262020 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2687, seq 22, length 64
12:16:35.261975 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2687, seq 23, length 64
12:16:36.262013 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2687, seq 24, length 64
12:16:37.262023 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2687, seq 25, length 64



just testing:
Code:
root@proxmox2:~# iptables -t nat -D POSTROUTING -o bond0 -j MASQUERADE
root@proxmox2:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@proxmox2:~# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
root@proxmox2:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@proxmox2:~#
root@proxmox2:~# tcpdump -i eth0 icmp
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:19:15.500957 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2727, seq 9, length 64
12:19:16.501134 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2727, seq 10, length 64
12:19:17.500958 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2727, seq 11, length 64
12:19:18.500957 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2727, seq 12, length 64
12:19:19.500955 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2727, seq 13, length 64
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
root@proxmox2:~#

... and ...
Code:
root@proxmox2:~# iptables -t nat -A POSTROUTING -o vmbr0 -j SNAT --to-source 195.71.90.123
root@proxmox2:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere             to:195.71.90.123


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@proxmox2:~# tcpdump -i eth0 icmp
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:24:51.652974 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2795, seq 7, length 64
12:24:52.652946 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2795, seq 8, length 64
12:24:53.652968 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2795, seq 9, length 64
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
root@proxmox2:~#


I set up a brand new debian KVM, eth0 -> vmbr0 (public IP/Net), eth1 -> vmbr1 (private IP/Net):
Code:
root@brabebo-gw:~# cat /proc/sys/net/ipv4/ip_forward
1
root@brabebo-gw:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@brabebo-gw:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         


Chain INPUT (policy ACCEPT)
target     prot opt source               destination         


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
root@brabebo-gw:~#




setting up the nat rule:
Code:
root@brabebo-gw:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@brabebo-gw:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         


Chain INPUT (policy ACCEPT)
target     prot opt source               destination         


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            
root@brabebo-gw:~#



and it works!
Code:
root@brabebo-gw:~# tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:13:27.422129 IP brabebo-gw > google-public-dns-a.google.com: ICMP echo request, id 2650, seq 8, length 64
12:13:27.428679 IP google-public-dns-a.google.com > brabebo-gw: ICMP echo reply, id 2650, seq 8, length 64
12:13:28.422944 IP brabebo-gw > google-public-dns-a.google.com: ICMP echo request, id 2650, seq 9, length 64
12:13:28.429469 IP google-public-dns-a.google.com > brabebo-gw: ICMP echo reply, id 2650, seq 9, length 64
12:13:29.423731 IP brabebo-gw > google-public-dns-a.google.com: ICMP echo request, id 2650, seq 10, length 64
12:13:29.430151 IP google-public-dns-a.google.com > brabebo-gw: ICMP echo reply, id 2650, seq 10, length 64
12:13:30.424390 IP brabebo-gw > google-public-dns-a.google.com: ICMP echo request, id 2650, seq 11, length 64
12:13:30.430830 IP google-public-dns-a.google.com > brabebo-gw: ICMP echo reply, id 2650, seq 11, length 64
12:13:31.425061 IP brabebo-gw > google-public-dns-a.google.com: ICMP echo request, id 2650, seq 12, length 64
12:13:31.431484 IP google-public-dns-a.google.com > brabebo-gw: ICMP echo reply, id 2650, seq 12, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
root@brabebo-gw:~#





So all i can say now, is that somewhere/somehow on my proxmox node natting doesn't work like it works on "normal" and clean debian:
root@brabebo-gw:~# cat /etc/debian_version
7.8
root@brabebo-gw:~#


I think i'll keep my new firewall KVM (because this way i have the option for DNAT, too).
But if someone knows the reason why my proxmox doesn't NAT, or has some idea what else i could check to maybe find the reason, that would be really kind!

BR,
Heiner
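
The captures in the post above can be judged mechanically: on the public interface, an echo request that still carries a private source address was not translated. This is an added example, not part of the original post; it assumes `tcpdump -n` output, uses the addresses the poster later gives for odoo (10.1.2.1) and the ping target (8.8.8.8), and 203.0.113.10 is a constructed placeholder for the masked public address.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a text capture taken with
#   tcpdump -n -i <wan-if> icmp
# whether source NAT was applied to outgoing pings.

# Prints "<VERDICT> leaked=N translated=N replies=N" for the capture on stdin.
#   LEAK    - an echo request left with an RFC 1918 source (NAT not applied)
#   NOREPLY - requests carry a non-private source but nothing came back
#   OK      - translated requests and replies both seen
#   NODATA  - no ICMP echo traffic in the capture
classify_capture() {
  awk '
    function is_private(ip,    o) {
      if (split(ip, o, "[.]") != 4) return 0
      return (o[1] == 10) ||
             (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
             (o[1] == 192 && o[2] == 168)
    }
    # Fields: time IP src > dst: ICMP echo request|reply, id ..., seq ...
    $2 == "IP" && $4 == ">" && $6 == "ICMP" && $7 == "echo" {
      kind = $8
      sub(/,$/, "", kind)
      if (kind == "request") {
        if (is_private($3)) leaked++
        else translated++
      } else if (kind == "reply") {
        replies++
      }
    }
    END {
      if (leaked > 0) v = "LEAK"
      else if (translated > 0 && replies == 0) v = "NOREPLY"
      else if (translated > 0) v = "OK"
      else v = "NODATA"
      printf "%s leaked=%d translated=%d replies=%d\n", v, leaked, translated, replies
    }'
}

# Constructed sample: what the host captures would look like with -n
# (requests leave with the container address, no replies).
sample_host_capture() {
cat <<'EOF'
12:01:03.834960 IP 10.1.2.1 > 8.8.8.8: ICMP echo request, id 2320, seq 884, length 64
12:01:04.834981 IP 10.1.2.1 > 8.8.8.8: ICMP echo request, id 2320, seq 885, length 64
12:01:05.834949 IP 10.1.2.1 > 8.8.8.8: ICMP echo request, id 2320, seq 886, length 64
EOF
}

# Constructed sample: the working gateway VM case (placeholder public address).
sample_gw_capture() {
cat <<'EOF'
12:13:27.422129 IP 203.0.113.10 > 8.8.8.8: ICMP echo request, id 2650, seq 8, length 64
12:13:27.428679 IP 8.8.8.8 > 203.0.113.10: ICMP echo reply, id 2650, seq 8, length 64
12:13:28.422944 IP 203.0.113.10 > 8.8.8.8: ICMP echo request, id 2650, seq 9, length 64
12:13:28.429469 IP 8.8.8.8 > 203.0.113.10: ICMP echo reply, id 2650, seq 9, length 64
EOF
}

sample_host_capture | classify_capture
sample_gw_capture | classify_capture
```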
 
Re: How to NAT LAN to WAN?

Thanks for working this through. I too have since tried various permutations, but without success.

I notice that the docs on this show eth0 being used as the output interface and not vmbr0 (https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29)

Code:
iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

Is there a possibility that eth0 could be configured as the bridge in some way? The docs don't mention it, but is that implied?

Incidentally, it's a great pity that PVE doesn't appear to be able to do this, since simply NATed LAN would seem to be a very useful feature of a "bare metal" virtualization package.
 
Re: How to NAT LAN to WAN?

https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29

Code:
auto vmbr0
iface vmbr0 inet static
        address  10.10.10.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

As you can see, this bridge does not have any eth NIC attached by default. So they left eth as usual.


rootkid can you use tcpdump with -n option ? Your NIC configuration will be cool to see.
 
Re: How to NAT LAN to WAN?

My current network design:

proxmox node:
- eth0 connected to switch with internet access (world-reachable)
- eth1 connected to switch with internet access (world-reachable)
- bond0 includes both in active/backup mode
- vmbr0 includes bond0 and has public IP
- vmbr1 has private IP 10.0.0.1 (no direct access to the world, only to provide private net 10.0.0.0/8 for VMs)

Code:
iface eth0 inet manual


iface eth1 inet manual


auto bond0
iface bond0 inet manual
        slaves eth0 eth1
        bond_miimon 100
        bond_mode active-backup
        bond_downdelay 200
        bond_updelay 200


auto vmbr0
iface vmbr0 inet static
        address  195.71.xxx.xxx
        netmask  255.255.255.128
        # this is the GW IP of my provider
        gateway  195.71.xxx.xxx
        bridge_ports bond0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address  10.0.0.1
        netmask  255.0.0.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

brabebo-gw (kvm with eth0 -> vmbr0 and eth1 -> vmbr1):
Code:
root@brabebo-gw:~# cat /etc/network/interfaces 
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).


# The loopback network interface
auto lo
iface lo inet loopback


# The public network interface
auto eth0
iface eth0 inet static
        hwaddress CA:52:B4:15:94:6B
        address 195.71.xxx.xxx
        netmask 255.255.xxx.xxx
        network 195.71.xxx.xxx
        broadcast 195.71.xxx.xxx
        gateway 195.71.xxx.xxx
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 195.71.xxx.xxx


# The private network interface
auto eth1
iface eth1 inet static
        hwaddress d2:ba:6b:50:08:1d
        address 10.1.0.1
        netmask 255.255.0.0
        network 10.1.0.0
        broadcast 10.1.254.254
root@brabebo-gw:~#


odoo has a veth network device as eth0 connected to bridge vmbr1:
Code:
auto eth0
iface eth0 inet static
        address  10.1.2.1
        netmask  255.0.0.0
(i am setting default gw manually as long as i'm testing.)

... and now i just found out:
Even if pve-firewall is stopped and no rules are left in iptables: somehow the proxmox firewall will still run:
If i disable the firewall checkbox in "edit: network device (veth)" for odoo in proxmox gui, then NAT will work inside my proxmox node (at vmbr0)!

So everyone else having this issue: make sure that "firewall" is unchecked:

click the container, then click "edit" (or simply double-click the container)
edit-nw-dev1.png


uncheck "firewall"
edit-nw-dev2.png

... then, please let me know if this works for you, too.

And @proxmox staff: Is this "wanted behavior"? I would assume if there are no iptables rules (only default policy "accept"), then nothing should be blocking any traffic...

EDIT: I tried this with venet address instead of veth device for my test container: there is no "edit" and it behaves as one would assume: if NAT rule in iptables it works, else not.


regarding tcpdump -n: I am too lazy to fire every command again, but i can translate hostnames for you:
- odoo = 10.1.2.1 (openvz)
- brabebo-gw = 10.1.0.1 (kvm)
- google-public-dns-a.google.com = 8.8.8.8 # any external IP that responds to ping would do the job, but i was too lazy to type in the IP of my provider's GW ;)
 

Re: How to NAT LAN to WAN?

BTW: because proxmox webgui will overwrite post-up/post-down lines in /etc/network/interfaces when you change networking in webgui (see "Pending changes" area after editing in GUI) i wrote these little buddies:

Code:
root@proxmox2:~# cat /etc/network/if-up.d/enable-nat
#!/bin/bash
#
# enables NAT for private VMs
# see also: http://forum.proxmox.com/threads/21122-How-to-NAT-LAN-to-WAN?p=107853#post107853


nat_if="vmbr0"
# $IFACE is provided by system
[[ "$IFACE " == "$nat_if " ]] &&
  (
    echo -n "$0: ";
    echo -n "activating NAT @ $nat_if: ";
    echo 1 > /proc/sys/net/ipv4/ip_forward &&
    /sbin/iptables -t nat -A POSTROUTING -s '10.0.0.0/8' -o $nat_if -j MASQUERADE &&
    echo "done"  || echo "$0: Error starting NAT for $nat_if"
  ) || true # we don't care for any other IFACE...
root@proxmox2:~#

Code:
root@proxmox2:~# cat /etc/network/if-down.d/disable-nat
#!/bin/bash
#
# disables NAT for private VMs
# see also: http://forum.proxmox.com/threads/21122-How-to-NAT-LAN-to-WAN?p=107853#post107853


nat_if="vmbr0"
# $IFACE is provided by system
[[ "$IFACE " == "$nat_if " ]] &&
  (
    echo; echo -n "$0: ";
    echo -n "deactivating NAT @ $nat_if: ";
    /sbin/iptables -t nat -D POSTROUTING -s '10.0.0.0/8' -o $nat_if -j MASQUERADE &&
    echo "done"  || echo "$0: Error stopping NAT for $nat_if"
  ) || true # we don't care for any other IFACE...
root@proxmox2:~#
Use at your own risk! Any feedback appreciated! :)
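
An added example, not the poster's script: one hook that checks for the rule with `iptables -C` before appending it, so bringing vmbr0 up twice does not stack duplicate MASQUERADE entries, and that removes every copy on the way down. The `IPT` and `FWD` override variables and the function names are assumptions of this example; `IFACE` and `MODE` are set by ifupdown.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent NAT hook for ifupdown.
# The same file can serve /etc/network/if-up.d and /etc/network/if-down.d,
# because ifupdown exports MODE=start or MODE=stop.

NAT_IF="${NAT_IF:-vmbr0}"                     # egress bridge, as in the post above
NAT_SRC="${NAT_SRC:-10.0.0.0/8}"              # private range, as in the post above
IPT="${IPT:-/sbin/iptables}"                  # assumption: overridable for testing
FWD="${FWD:-/proc/sys/net/ipv4/ip_forward}"   # assumption: overridable for testing

# Run one operation (-C check, -A append, -D delete) on the exact same rule,
# so the check and the change can never drift apart.
nat_rule() {
  "$IPT" -t nat "$1" POSTROUTING -s "$NAT_SRC" -o "$NAT_IF" -j MASQUERADE
}

# Enable forwarding and add the rule only if it is not already present.
nat_up() {
  echo 1 > "$FWD" || return 1
  nat_rule -C 2>/dev/null || nat_rule -A
}

# Remove every copy of the rule, including duplicates left by older hooks.
nat_down() {
  while nat_rule -C 2>/dev/null; do
    nat_rule -D || return 1
  done
}

# Act only for the NAT interface; every other IFACE is ignored.
if [ "${IFACE:-}" = "$NAT_IF" ]; then
  case "${MODE:-}" in
    start) nat_up ;;
    stop)  nat_down ;;
  esac
fi
```

The file has to be executable and named without a dot, since run-parts skips such names.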
 
