[SOLVED] How to setup NAT with one of my 4 public IP's?

M

MrGeezer

Member
Apr 11, 2022
29
3
8
Hi,

I'm sorry I am aware this is probably the most basic of questions but can't seem to figure it out after several articles and youtube videos!

I have a new dedicated server with PVE installed. I have 4 public IP addresses.

I plan to use xx.xx.135.199 for the management of PVE and two of the other public IP's (xx.xx.135.200 and xx.xx.135.201) directly on VM's that will host web servers.

However I would like to create a private network for several other guest VM's (test web server, test client desktop and some other testing/evaluation stuff), and setup NAT for my last IP xx.xx.135.202. My understanding from reading up on PVE before I started was that PVE could act as the router in this instance, forwarding incoming traffic to the private network just like my home router does.

At the moment I have an /etc/network/interfaces file that looks thusly:

Code: 
auto primary
iface primary inet static
        address xx.xx.135.199/32
        gateway xx.xx.135.193
        pointopoint xx.xx.135.193
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up echo 1 > /proc/sys/net/ipv4/conf/primary/proxy_arp
      
iface enpls0f0 inet manual

auto vmbr0
iface vmbr0 inet static
        address xx.xx.135.199/32
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        up ip route add xx.xx.135.200/32 dev vmbr0
        up ip route add xx.xx.135.201/32 dev vmbr0
        
auto vmbr1
iface vmbr1 inet static
        address 10.0.0.1/16
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        up ip route add 213.170.135.202/32 dev vmbr1


When I create a VM, connect it's network card to vmbr0 and set the guest OS to IP xx.xx.135.200 with gateway xx.xx.135.199 it works great. VM gets the public IP allocated straight to it.

When I create a VM, connect its network card to vmbr1 and the guest OS to IP 10.0.0.2 with mask 255.255.0.0 and gateway of 10.0.0.1, the guest cannot access the wider internet. It can ping 10.0.0.1 (or indeed 10.0.0.3 if I create another VM and connect it to vmbr1). But it cannot ping 8.8.8.8 and is unable to resolve hostnames if I try to ping bbc.co.uk

Is this possible? Can someone explain to a n00b out of his depth how to achieve this?

Thanks in advance for any insight :)
 
Last edited:
Hi, you should have a look at section "3.3.6. Masquerading (NAT) with iptables" of the Proxmox VE administration guide, which discusses this kind of NAT setup. Basically, your vmbr1 config would look something like:
Code: 
auto vmbr1
iface vmbr1 inet static
        address 10.0.0.1/16
        bridge-ports none
        bridge-stp off
        bridge-fd 0
      
        # enable routing
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward       
        # Add rule to rewrite(masquerade) outgoing packets from vmbr1
        # to appear as coming from the IP address of <out-interface>, e.g. vmbr0
        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/16' -o <out-interface> -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/16' -o <out-interface> -j MASQUERADE

        # in case you have a firewall enabled, the following lines may also be required (see docs)
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
      
        # finally, in case you want the VMs on vmbr1 to be accessible, from the
        # internet, you will need to forward ports.
        # you can duplicate these entries as much as necessary
        # note: '<in-interface>' will be public facing interface which packets are routed through, e.g., vmbr0
        post-up   iptables -t nat -A PREROUTING -i <in-interface> -p <PROTOCOL> --dport <HOST-PORT> -j DNAT --to-destination <VM-IP-ADDR>:<VM-PORT>
        post-down iptables -t nat -D PREROUTING -i <in-interface> -p <PROTOCOL> --dport <HOST-PORT> -j DNAT --to-destination <VM-IP-ADDR>:<VM-PORT>

In case you don't want traffic routed through vmbr0, you could also add the remaining public IP to an unused interface.

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_network_configuration
 
  • Like
Reactions: RTV4 and MrGeezer
Ahh that's great thank you. Yes I think that's exactly what I was looking for - just didn't know what to search for!

Thank you :)
 
No problem. Would you mind marking the thread as solved so that others can find it easier? :)
 

Anyway can I setup NAT to map ONE private IP to ONE public IP? Just like EIP associating to private IP in AWS or GCP?​

 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back