Static IP to DHCP
- Thread starter OD3UNICRON
- Start date
You can use a DHCP for hosts/cluster nodes, just make static reservations and make sure the names are resolvable and tweak your nsswitch.conf accordingly, see:
https://forum.proxmox.com/threads/dhcp-pve-install-on-top-of-debian-not-well-documented.154467/
Also, you would need to use the hostnames in corosync.conf (perfectly supported) to have it future-proof.
https://forum.proxmox.com/threads/dhcp-pve-install-on-top-of-debian-not-well-documented.154467/
Also, you would need to use the hostnames in corosync.conf (perfectly supported) to have it future-proof.
Last edited:
I have a static IP but it's public from ISP( no router, no local IP) That is why my new VM will not get an IP
I don't think I understand what you are trying to do from the description so far.
If you are saying that you have one public static IP from ISP (and that one so far was assigned to Proxmox VE, single node deployment) and you are wondering how to share it with the VMs for the outside access, I don't think it's the way to go. The first issue is that PVE has public IP (without a firewall, etc.), you are basically asking how to make Debian into a gateway, while it has hypervisor features.
That's out of scope for Proxmox VE to do for you, but you can, as for any Debian, you would neeed to, e.g.:
1. Set up e.g. dnsmasq to give out IPs to the clients;
2. Enable IP forwarding;
3. Set iptables POSTROUTING table to do a MASQUERADE (NAT);
4. While at that put up some firewall rules for the host itself and hope it is enough.
Unless you already have some firewall upstream, I don't think I would want to share it here to encourage anyone to run such setup, but it's easily found with a single web search knowing the above.
Just yesterday I discovered there was at minimum 25,000 PVEs publicly facing their port 8006, those are all machines waiting to be compromised:
https://forum.proxmox.com/threads/how-to-limitate-8006-port-on-the-web.154960/#post-706072
I hope you did not take it badly. I really think you should have some separate firewall in front of PVE, not just depend on the default one, after all, it is not even actively protecting you from the internet.
One thing that crossed my mind I am aware people do here, but I am not a fan either, it is however "less bad" approach:
1. Create VM with a virtual router on PVE, that could be anything with good firewall features, I like VyOS, most people seem to like OPNSense/pfSense;
2. In PVE, you ideally passthrough the whole network card to that VM, so basically PVE itself is without internet access (hope this is not remote site to you);
3. Then inside the virtual router you set up firewall and the features you need, i.e. DHCP and NAT at minimum;
4. That virtual router is then your gateway to the world, not only for the other VMs, but also for the host itself.
It's not something I would endorse, but it is - in my view - less bad than having public IP on PVE's interface.
NB I think you were after this setup, strangely I even found it on the official wiki:
https://pve.proxmox.com/wiki/Setup_Simple_Zone_With_SNAT_and_DHCP
But I would just emphasize I would not want public IP relying only on PVE firewall on my hypervisor.
