Proxmox Networking with NAT
Last Update: 2023-04-16
Normally containers and virtual machines use the DHCP server of your router to get their IP address. If that's not possible in your network you might want to use NAT for creating a sub-network.
This tutorial assumes your PROXMOX machine has the IP address 192.168.178.10 and the gateway 192.168.178.1. Change these to match your current setup (inspect it with ip addr and ip route on the command line).
This is basically Debian networking.
Connect to your PROXMOX machine via shell/ssh.
Configure network interfaces
Edit /etc/network/interfaces with:
nano /etc/network/interfaces
First, use either static or dhcp to determine the IP address of your PROXMOX machine. Also assign vmbr0 (the virtual network) an IP address range, here 10.10.4.1/24:
auto enp34s0
iface enp34s0 inet static
address 192.168.178.10/24
gateway 192.168.178.1
auto vmbr0
iface vmbr0 inet static
address 10.10.4.1/24
bridge-ports enp34s0
bridge-stp off
bridge-fd 0
Then disable the bridge-ports option and use IP-forwarding to transfer packets between enp34s0 and vmbr0:
auto vmbr0
iface vmbr0 inet static
address 10.10.4.1/24
bridge-ports none
bridge-stp off
bridge-fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.10.4.0/24' -o enp34s0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.4.0/24' -o enp34s0 -j MASQUERADE
Configure DHCP-server
Next, you have to create a DHCP server for the vmbr0 interface.
Type the following in the command line:
apt install dnsmasq
nano /etc/dnsmasq.conf
Make sure to set the following in this file:
# Resolves the name proxmox to the PROXMOX machine's IP address
address=/proxmox/192.168.178.10
# Hosts dnsmasq on vmbr0
interface=vmbr0
# The IP address range that should be used for the clients (virtual machines/containers):
dhcp-range=10.10.4.50,10.10.4.150,12h
# Tell DHCP clients the router's IP address (DHCP option 3)
dhcp-option=3,10.10.4.1
Static IPs for certain MAC-addresses:
You can also instruct dnsmasq to assign a static IP address to certain MAC addresses:
nano /etc/dnsmasq.d/static-ips.conf
In this file you could write the following:
dhcp-host=B0:1A:38:B1:1B:D8,gitlab,10.10.4.10
This is useful for making sure that a container always has the same IP address.
Reboot your machine with:
reboot
and you should be good to go.
Port-forwarding
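If you want to expose a port from your virtual network on your machine's IP address, use iptables (here port 8080 of 10.10.4.11 in the virtual network is made reachable on port 8007 of the enp34s0 interface). Anything that can reach the machine on port 8007 can then reach that service, so forward only the ports you intend to publish: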
auto vmbr0
iface vmbr0 inet static
address 10.10.4.1/24
bridge-ports none
bridge-stp off
bridge-fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.10.4.0/24' -o enp34s0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.4.0/24' -o enp34s0 -j MASQUERADE
post-up echo 1 > /proc/sys/net/ipv4/conf/enp34s0/forwarding
post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr0/forwarding
post-up iptables -t nat -A PREROUTING -p tcp -i enp34s0 --dport 8007 -j DNAT --to-destination 10.10.4.11:8080
post-up iptables -A FORWARD -p tcp -d 10.10.4.11 --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
post-down iptables -t nat -D PREROUTING -p tcp -i enp34s0 --dport 8007 -j DNAT --to-destination 10.10.4.11:8080
post-down iptables -D FORWARD -p tcp -d 10.10.4.11 --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
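A lint for the post-up/post-down iptables pairs used in the stanza above, as an added example that is not part of the original tutorial. It flags a built-in chain that does not exist in the named table (FORWARD belongs to the filter table, not nat) and any post-up -A rule without a matching post-down -D, which would leave the rule behind when the interface goes down. The function names and the sample stanza are constructed for illustration.

```python
import shlex

# Built-in chains of the two tables used on this page (other tables are not checked).
BUILTIN_CHAINS = {"filter": {"INPUT", "FORWARD", "OUTPUT"},
                  "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"}}

def parse_rule(line):
    """Return (hook, op, table, chain, spec) for a post-up/post-down iptables line, else None."""
    words = shlex.split(line, comments=True)
    if len(words) < 2 or words[0] not in ("post-up", "post-down") or words[1] != "iptables":
        return None
    args, table = words[2:], "filter"  # iptables defaults to the filter table without -t
    if "-t" in args[:-1]:
        i = args.index("-t")
        table = args[i + 1]
        del args[i:i + 2]
    if len(args) < 2 or args[0] not in ("-A", "-D"):
        return None
    return words[0], args[0], table, args[1], tuple(args[2:])

def lint(stanza):
    """Flag chains missing from their table and post-up -A rules with no post-down -D."""
    findings, added, deleted = [], set(), set()
    for n, line in enumerate(stanza.splitlines(), 1):
        if (rule := parse_rule(line)) is None:
            continue
        hook, op, table, chain, spec = rule
        if chain not in BUILTIN_CHAINS.get(table, {chain}):
            findings.append(f"line {n}: chain {chain} does not exist in table {table}")
        if (hook, op) == ("post-up", "-A"):
            added.add((table, chain, spec))
        elif (hook, op) == ("post-down", "-D"):
            deleted.add((table, chain, spec))
    for table, chain, spec in sorted(added - deleted):
        findings.append(f"no post-down -D for: -t {table} -A {chain} {' '.join(spec)}")
    return findings

# Constructed sample stanza: two lines name a chain the nat table lacks, one -A has no -D.
SAMPLE = """\
iface vmbr0 inet static
    post-up iptables -t nat -A POSTROUTING -s '10.10.4.0/24' -o enp34s0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.4.0/24' -o enp34s0 -j MASQUERADE
    post-up iptables -t nat -A PREROUTING -p tcp -i enp34s0 --dport 8007 -j DNAT --to-destination 10.10.4.11:8080
    post-up iptables -t nat -A FORWARD -p tcp -d 10.10.4.11 --dport 8080 -j ACCEPT
    post-down iptables -t nat -D FORWARD -p tcp -d 10.10.4.11 --dport 8080 -j ACCEPT
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

To check a real configuration, pass the contents of /etc/network/interfaces to lint() instead of SAMPLE.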
That's about it.