Proxmox IP bridge for single public IP
I just setup a test copy of proxmox 4.1 and realized I only had one IP attached to the box. So I had to set up a bridge and forward ports to the internal IPs. So the basic idea is, we are going to set up a new virtual interface bridge in your networking file. This requires a working proxmox machine up and running. I am using a standard install, no changes made to the network prior to this.
Proxmox Desired Network Layout
External IP ————————- proxmox server as NAT ————————— Internal IP
1.2.3.4 ————————- 1.2.3.4 NAT 10.0.0.10 ————————-10.0.0.10
Current network Layout
when we check /etc/network/interfaces we see the following :
# The loopback network interface
auto lo
iface lo inet loopback
# for Routing
auto vmbr1
iface vmbr1 inet manual
post-up /etc/pve/kvm-networking.sh
bridge_ports dummy0
bridge_stp off
bridge_fd 0
# vmbr0: Bridging. Make sure to use only MAC adresses that were assigned to you.
auto vmbr0
iface vmbr0 inet static
address 1.2.3.4
netmask 255.255.255.0
network 1.2.3.0
broadcast 1.2.3.255
gateway 1.2.3.254
bridge_ports eth0
bridge_stp off
bridge_fd 0
iface vmbr0 inet6 static
address 1:2:3:4::5
netmask 64
post-up /sbin/ip -f inet6 route add 1:2:3:4:ff:ff:ff:ff dev vmbr0
post-up /sbin/ip -f inet6 route add default via 1:2:3:4:ff:ff:ff:ff
pre-down /sbin/ip -f inet6 route del default via 1:2:3:4:ff:ff:ff:ff
pre-down /sbin/ip -f inet6 route del 1:2:3:4:ff:ff:ff:ff dev vmbr0
As you can see above we have a working interfaces file just with pseudo IPs instead of real ones. yours will of course have your own IP. Also, you may not have an inet6 section.
The actual Proxmox IP bridge part
I added a new bridge interface to it like so :
auto vmbr10
iface vmbr10 inet static
address 10.0.0.254
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 12022 -j DNAT --to 10.0.0.2:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 12022 -j DNAT --to 10.0.0.2:22
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 12080 -j DNAT --to 10.0.0.2:80
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 12080 -j DNAT --to 10.0.0.2:80
Ok so lets break it down, line by line :
automatically start vmbr10
interface vmbr10 is a network interface with static IP
the address for the proxmox main server on this interface is 10.0.0.254
netmast is 255.255.255.0
Dont bind any ports
disable the spanning tree protocol **
disable delayed forwarding or no delay on forwarding
Allow IP traffic forwarding once networking i up and running after a boot
Add IP masquerading on networking online ***
disable masquerading on networking offline
Enable routing all packets on port 12022 from public to port 22 on private subnet to machine 10.0.0.2 on networking up
Disable routing all packets on port 12022 from public to port 22 on private subnet to machine 10.0.0.2 on networking down
Enable routing all packets on port 12080 from public to port 80 on private subnet to machine 10.0.0.2 on networking up
Disable routing all packets on port 12080 from public to port 80 on private subnet to machine 10.0.0.2 on networking down
Now as you can see above you have a basic bridge and you are forwarding specific ports to internal ports on the VMs. you can forward more ports by copying the last two lines and changing the ports or to different VMs by changing the IPs. also vmbr10 is a random number and can be changed at will. after all is done simply reboot the machine and you are up and running. you can restart networking or ifup vmbr10 if you want but I prefer a clean boot to test the new networking. this should give you a working Proxmox IP bridge 🙂
let me know if I messed up anything or how you dealt with this situation.
** The Spanning Tree Protocol (STP) is an older network protocol that ensures a loop-free topology for any bridged Ethernet local area network. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. more info here.
*** IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT (Network Address Translation) servers found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other “internal” computers connected to this Linux box (via PPP, Ethernet, etc.) to also reach the Internet as well. Linux IP Masquerading allows for this functionality even though these internal machines don’t have an officially assigned IP address. more info here
If anyone has any questions or comments or tips please do share 🙂
Hello sir, first of all thanks this guide.
I’ve followed everything but it looks like my /etc/network/interface gets reseted on reboot.
All my routes are deleted once my host get restarted. Do you have any idea how ?
Have a nice day.
Hello Mitgod, is there is a /etc/network/interfaces.new file present? the proxmox gui writes network changes to /etc/network/interfaces.new and on reboot applies the changes to /etc/network/interfaces , so if the file is present it will overwrite any changes you make to the /etc/network/interfaces file.
Hi SumGuy, i checked for a /etc/network/interfaces.new and there was none. Later i decided to try with a fresh install and everything worked like a charm.
I was trying for a week and you made it work. Thanks a lot.
it was possibly a bad install originally. Awesome, glad to hear it is working. I have been meaning to write more tutorials for proxmox lately, maybe will get to it soon.