Forums
VHT Forums
Proxmox help
Proxmox NAT configu...
 
Notifications
Clear all

Proxmox NAT configuration for virtual machines

 
Proxmox help
Last Post by Brandon Lee 10 months ago
4 Posts
2 Users
1 Reactions
603 Views
RSS
Posts: 2
 bsuphal
Topic starter
Jan 08, 2024 2:25 pm
(@bsuphal)
New Member
Joined: 10 months ago
Network Topology
My Requirements are- 

My 2 dedicated servers are connected via vRack. Both of that Servers have Private IP configured exactly mentioned OVH KB here -  https://help.ovhcloud.com/csm/en-dedicated-servers-configuring-vrack?id=kb_article_view&sysparm_article=KB0044066 , for Private NIC with correct MAC.

1 - All VM's in these 2 Servers should be able to talk with each other via the vRack Host Private network as internal communication. VM's Ethernet Interface will have only Private IP assigned from my Private IP block.

2 - All the VM's in these 2 servers should be able to connect to the Internet for external communication via the Public IP block attached to vRack . Please note I am not looking to attach a Public IP directly and individually to each VM's ethernet interface. VM will have only Private IP assigned to its NIC. But VM's External traffic should be routed Through HOST server in the same vRack , via the PUBLIC IP that are attached to vRack. In that way the HOST server will always act as a Router For all EXTERNAL TRAFFIC communication. for all the VM's.
In another way If it's not doable, I am open to route all VM's External traffic via the Public IP of each ProxMox Host. In any case, my requirements are that all VM's should be able to communicate with each other via vRack/vLan network and They should be able to talk with the internet via ProxMox Host Public IP or attached vRack Public IP. 
 
I believe the above network terminology could be doable and you could guide me towards the right direction to setup all Network and routing configuration properly to fulfill the goal.

Please let me know if you need to know any information and for the same I would be ok to pay for your time on this matter.

Thank you for looking into it.

3 Replies
Brandon Lee
Posts: 395
 Brandon Lee
Admin
Jan 08, 2024 3:12 pm
(@brandon-lee)
Member
Joined: 14 years ago

@bsuphal, welcome to the VHT forums. I'm glad you have joined the community! This sounds like you would like to configure the Proxmox hosts to NAT the virtual machine traffic. The virtual machines would have private IP addresses and you would have a "public" address for your Proxmox hosts.ย 

Take a look at the following network configuration that is documented here:ย 

Proxmox VE Administration Guide

3.4.6. Masquerading (NAT) with iptables
Masquerading allows guests having only a private IP address to access the network by using the host IP address for outgoing traffic. Each outgoing packet is rewritten by iptables to appear as originating from the host, and responses are rewritten accordingly to be routed to the original sender.

auto lo
iface lo inet loopback

auto eno1
#real IP address
iface eno1 inet static
        address  198.51.100.5/24
        gateway  198.51.100.1

auto vmbr0
#private sub network
iface vmbr0 inet static
        address  10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE

Proxmox makes mention that in some cases the following is needed:

Note In some masquerade setups with firewall enabled, conntrack zones might be needed for outgoing connections. Otherwise the firewall could block outgoing connections since they will prefer the POSTROUTING of the VM bridge (and not MASQUERADE).
Adding these lines in the /etc/network/interfaces can fix this problem:

post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

I have not used OVS before. Do you know if you have the ability to tag VLANs underneath the hosts? Just thinking through this, to have both private virtual networks on both hosts to "talk" to one another, you would need for those to be on the same network for both Proxmox hosts. This should be possible technically if you can do that from the OVS side.

You would NAT VM traffic on both hosts, have a VLAN that is common between the two Proxmox servers for the VM traffic, so that VMs on each host could talk to each other if that is a requirement. Then each VM's traffic would assume the IP address of the Proxmox server host as it connects to the Internet.

Reply
Posts: 2
 bsuphal
Topic starter
Jan 09, 2024 10:51 am
(@bsuphal)
New Member
Joined: 10 months ago

@brandon-lee - Thank you for replying back.

ย 

Yes it has ability to enable vlan tag underneath the hosts. And as per present config both Hosts are in same private network and can talk with each other. The only solution I am looking for is, all VM's that are bridged on Private network interface and Private IP should be able to communicate with Internet via Hosts Public IP Or vRack Public IP whatever is possible.

I hope I was able to answer your above questions with this reply.

Reply
Brandon Lee reacted
1 Reply
Brandon Lee
 Brandon Lee
Admin
(@brandon-lee)
Joined: 14 years ago

Member
Posts: 395
Jan 09, 2024 3:29 pm
Reply tobsuphal

@bsuphal i believe the configuration for a NAT'ed Proxmox bridge would work fine for your use case and would be the configuration you would want to use for this type of network configuration. You also may not need VLANs for the bridge interface as well, but may require some testing. The VMs should get NAT'ed as the IP address of the host itself and should communicate with the other host as well. However, I would do some testing with this configuration before going into production to make sure the assumption here work as expected.

Reply
Forum Jump:
  Previous Topic
Next Topic  

Currently viewing this topic 1 guest.

© Copyright 2024, All Rights Reserved  | VirtualizationHowto.com