I just setup a test copy of proxmox 4.1 and realized I only had one IP attached to the box. So I had to set up a bridge and forward ports to the internal IPs. So the basic idea is, we are going to set up a new virtual interface bridge in your networking file. This requires a working proxmox machine up and running. I am using a standard install, no changes made to the network prior to this.
Proxmox Desired Network Layout
External IP ————————- proxmox server as NAT ————————— Internal IP
188.8.131.52 ————————- 184.108.40.206 NAT 10.0.0.10 ————————-10.0.0.10
Current network Layout
when we check /etc/network/interfaces we see the following :
# The loopback network interface auto lo iface lo inet loopback # for Routing auto vmbr1 iface vmbr1 inet manual post-up /etc/pve/kvm-networking.sh bridge_ports dummy0 bridge_stp off bridge_fd 0 # vmbr0: Bridging. Make sure to use only MAC adresses that were assigned to you. auto vmbr0 iface vmbr0 inet static address 220.127.116.11 netmask 255.255.255.0 network 18.104.22.168 broadcast 22.214.171.124 gateway 126.96.36.199 bridge_ports eth0 bridge_stp off bridge_fd 0 iface vmbr0 inet6 static address 1:2:3:4::5 netmask 64 post-up /sbin/ip -f inet6 route add 1:2:3:4:ff:ff:ff:ff dev vmbr0 post-up /sbin/ip -f inet6 route add default via 1:2:3:4:ff:ff:ff:ff pre-down /sbin/ip -f inet6 route del default via 1:2:3:4:ff:ff:ff:ff pre-down /sbin/ip -f inet6 route del 1:2:3:4:ff:ff:ff:ff dev vmbr0
As you can see above we have a working interfaces file just with pseudo IPs instead of real ones. yours will of course have your own IP. Also, you may not have an inet6 section.
The actual Proxmox IP bridge part
I added a new bridge interface to it like so :
auto vmbr10 iface vmbr10 inet static address 10.0.0.254 netmask 255.255.255.0 bridge_ports none bridge_stp off bridge_fd 0 post-up echo 1 > /proc/sys/net/ipv4/ip_forward post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 12022 -j DNAT --to 10.0.0.2:22 post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 12022 -j DNAT --to 10.0.0.2:22 post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 12080 -j DNAT --to 10.0.0.2:80 post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 12080 -j DNAT --to 10.0.0.2:80
Ok so lets break it down, line by line :
automatically start vmbr10
interface vmbr10 is a network interface with static IP
the address for the proxmox main server on this interface is 10.0.0.254
netmast is 255.255.255.0
Dont bind any ports
disable the spanning tree protocol **
disable delayed forwarding or no delay on forwarding
Allow IP traffic forwarding once networking i up and running after a boot
Add IP masquerading on networking online ***
disable masquerading on networking offline
Enable routing all packets on port 12022 from public to port 22 on private subnet to machine 10.0.0.2 on networking up
Disable routing all packets on port 12022 from public to port 22 on private subnet to machine 10.0.0.2 on networking down
Enable routing all packets on port 12080 from public to port 80 on private subnet to machine 10.0.0.2 on networking up
Disable routing all packets on port 12080 from public to port 80 on private subnet to machine 10.0.0.2 on networking down
Now as you can see above you have a basic bridge and you are forwarding specific ports to internal ports on the VMs. you can forward more ports by copying the last two lines and changing the ports or to different VMs by changing the IPs. also vmbr10 is a random number and can be changed at will. after all is done simply reboot the machine and you are up and running. you can restart networking or ifup vmbr10 if you want but I prefer a clean boot to test the new networking. this should give you a working Proxmox IP bridge 🙂
let me know if I messed up anything or how you dealt with this situation.
** The Spanning Tree Protocol (STP) is an older network protocol that ensures a loop-free topology for any bridged Ethernet local area network. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. more info here.
*** IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT (Network Address Translation) servers found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other “internal” computers connected to this Linux box (via PPP, Ethernet, etc.) to also reach the Internet as well. Linux IP Masquerading allows for this functionality even though these internal machines don’t have an officially assigned IP address. more info here