Use the same interface for all VMs / Masquerading

[poisonborz]

I'm trying to set up Proxmox in a way that all VMs would use the same interface with manual port forwarding.
I found this post that pretty much describes what I want to achieve: https://forum.proxmox.com/threads/how-to-config-same-ip-for-all-vm.34748/post-170333

But sadly it's rather superficial and bare - I also tried to look up proxmox "masquerading" but all resources are pretty dry and short.
Is there a beginner-friendly post or tutorial that describes how to set this up?

 

[maverickws]

Hi man I don't know what you're trying to achieve here,
But an accepted solution (which involves always 2 public IP's as you should keep one assigned to the hypervisor for management)
Create two bridge interfaces, one bridged to the WAN port and other bridged to nothing, just a plain bridge interface.
Create a VM with firewall/router software (for example, pfsense)

Route the 2nd IP to the WAN on the RouterVM, and configure the bridge interface to the LAN interface on the routerVM.

To all the other VM's you select as interface the bridge interface that is assigned to LAN.
the RouterVM will handle all traffic and connections and you'll get a higher flexibility for configurations and forwardings etc.

You can also create a temporary VM with whatever linux you want and a browser, so if you want you can access the browser via console on a VM directly connected.

 

[poisonborz]

Thanks for this! It took a few readings until I got what's going on there - but will try this.
What I wanted to achieve / my reasoning:

- a single ip for the whole server: this would be easier for me to manage both inside and outside of my network, compared to ad-hoc amount of vm-s/ip-s
- better control over what VMs have access to (in and out) compared to just spawning machines with full access to my local network - putting them behind internal routing would reduce attack vectors in both directions.

 

[maverickws]

Hi man sorry if I didn't make myself easy to understand.

The issue with one single IP for the whole server is that both VM traffic and management traffic will go through the same interface and route, and also access to proxmox and services will be dependent of the VM launching. If you have some issue with the VM or whatever, your system doesn't but and the host is unreachable. So that's why preferably there should be 2 ip's, being one for management and access to the hypervisor.

 

[sadasdad]

Hi man sorry if I didn't make myself easy to understand.

The issue with one single IP for the whole server is that both VM traffic and management traffic will go through the same interface and route, and also access to proxmox and services will be dependent of the VM launching. If you have some issue with the VM or whatever, your system doesn't but and the host is unreachable. So that's why preferably there should be 2 ip's, being one for management and access to the hypervisor.

Hello! Though I am not the original poster, but this is exactly what I am trying to achieve - the same interface(and IP) for both management/access to the hypervisor and for VMs, which is handled by RouterVM. I would appreciate any hints on where I should be digging.

Thanks.

 

[poisonborz]

OP here, as a sidenote, I've given up on this, and realised that - if you don't have some very good reason to do this, like having some serious constraints within your network - it is a plain bad idea. The separate IP-s/MAC addresses are actually a godsend from management perspective.

For whatever the reason is why someone wants to do this, there is almost always a better way. Eg. for the most common one, you can obviously still have a single domain and then redirect the traffic appropriately based on subdomain, port or url.