Understanding masquerading setups: Can I push traffic only through one NIC?

oguruma

Mar 26, 2020
Here's what I want: create a VM used for a VOIP server. Give that VM its own NIC and push all of its traffic exclusively through that NIC.

I have a single (dynamic) IP from my ISP, so I will have to use NAT. On the router, I have a NIC set up as a DMZ that I want to use for the VOIP traffic.



From what I have seen, all of the masquerading setups push traffic out the vmbr0 bridge. I don't want any of the VM's traffic to pass through the vmbr0 interface.

I want to keep a single interface in my LAN (for accessing the Proxmox host via GUI and SSH) and then port forward from my router to the specific VMs.

[Attachment: proxmox drawing.png]

Are you talking about two physical NICs on your PVE machine?

If yes: You can either pass the NIC directly to the VM (i.e. PCIe passthrough), or create a second vmbr on PVE (doesn't need an IP) and only assign your VOIP VM to it, effectively assigning the NIC to the VM as well.

If no, i.e. all traffic physically passes through the core switch, you're just after logical separation: Just give the VM an IP in your internal range and then port forward (or DMZ-forward) all traffic to that IP address.

Edit: Forgot to mention: I don't think you need masquerading at all here, which is why I only mentioned the above two. You already have a router (pfSense in your image) which can NAT your internal IPs to your external one.
 
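The second-bridge option from the reply above, as an added example that is not part of the original thread: a constructed `/etc/network/interfaces` sample plus a check that the VoIP bridge carries no host IP and shares no physical port with the LAN bridge. The interface names (eno1, eno2), the addresses and the helper function names are assumptions.

```shell
# Constructed sample of /etc/network/interfaces on the PVE host.
# eno1/eno2 and the addresses are assumptions, not values from the thread.
sample_interfaces() {
cat <<'EOF'
iface eno1 inet manual
iface eno2 inet manual

# LAN bridge: host management (GUI/SSH) stays here
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports eno1

# DMZ bridge for the VoIP VM: no address, so the host is not reachable on it
auto vmbr1
iface vmbr1 inet manual
    bridge-ports eno2
    bridge-stp off
    bridge-fd 0
EOF
}

# stanza_value BRIDGE KEY: print KEY's value from the "iface BRIDGE" stanza (stdin)
stanza_value() {
    awk -v br="$1" -v key="$2" '
        $1 == "iface" { in_stanza = ($2 == br); next }
        in_stanza && $1 == key { $1 = ""; sub(/^ +/, ""); print }'
}

# check_isolated BRIDGE MGMT_BRIDGE: succeed only if BRIDGE has no host IP and
# shares no physical port with MGMT_BRIDGE. Reads the config on stdin.
check_isolated() {
    cfg=$(cat)
    method=$(printf '%s\n' "$cfg" | awk -v br="$1" '$1 == "iface" && $2 == br { print $4 }')
    addr=$(printf '%s\n' "$cfg" | stanza_value "$1" address)
    ports=$(printf '%s\n' "$cfg" | stanza_value "$1" bridge-ports)
    mgmt_ports=$(printf '%s\n' "$cfg" | stanza_value "$2" bridge-ports)
    [ "$method" = "manual" ] || { echo "$1: method is '$method', expected manual"; return 1; }
    [ -z "$addr" ] || { echo "$1: host has address $addr on this bridge"; return 1; }
    [ -n "$ports" ] || { echo "$1: no bridge-ports set"; return 1; }
    for p in $ports; do
        for m in $mgmt_ports; do
            [ "$p" != "$m" ] || { echo "$1 shares port $p with $2"; return 1; }
        done
    done
    echo "$1 isolated on: $ports"
}
# Attach the VM afterwards, e.g.: qm set <vmid> --net0 virtio,bridge=vmbr1
sample_interfaces | check_isolated vmbr1 vmbr0
```

On a real host, feed the live file in with `check_isolated vmbr1 vmbr0 < /etc/network/interfaces`.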