Proxmox question

havochavoc OG
in Technical

Hi gents

If I'm running proxmox on a VPS with one external IP, should I be going for a Routed or Masquerading NAT config?

https://pve.proxmox.com/wiki/Network_Configuration#_routed_configuration

https://pve.proxmox.com/wiki/Network_Configuration#_masquerading_nat_with_tt_span_class_monospaced_iptables_span_tt

Bit confused as to what routed config means by the additional IP block

you have a public IP (assume 198.51.100.5 for this example), and an additional IP block for your VMs (203.0.113.16/29)

I need some sort of port forwarding mechanism, so can't just be outgoing

Thanks

Comments

  • CamoYoshiCamoYoshi

    In this circumstance you would go for a masquerading setup since you need to follow proper IANA rules and use a internal IPv4 range behind your NAT (similar to your network at home) running on the Proxmox server itself. The example they give is perfectly fine to copy and paste into your config. You can then statically assign IPs to your VMs, or if you wanted to take it a step further, install dnsmasq and have it only hand out addresses to your VMs, changing the binding appropriately.

    Masquerading also allows for port forwarding in this scenario. I got this just by doing a bit of searching around:

    https://www.digitalocean.com/community/tutorials/how-to-forward-ports-through-a-linux-gateway-with-iptables

    Here's an example that forwards port 80:

    sudo iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    Hopefully this is enough to get you started. iptables syntax can be very verbose and overwhelming but thankfully once you see what each flag does, it is quite human readable.

    Best of luck!

    Thanked by (1)havoc

    Cheap dedis are my drug, and I'm too far gone to turn back.

  • havochavoc OG

    @CamoYoshi said:
    In this circumstance you would go for a masquerading setup since you need to follow proper IANA rules and use a internal IPv4 range behind your NAT (similar to your network at home) running on the Proxmox server itself. The example they give is perfectly fine to copy and paste into your config. You can then statically assign IPs to your VMs, or if you wanted to take it a step further, install dnsmasq and have it only hand out addresses to your VMs, changing the binding appropriately.

    Masquerading also allows for port forwarding in this scenario. I got this just by doing a bit of searching around:

    https://www.digitalocean.com/community/tutorials/how-to-forward-ports-through-a-linux-gateway-with-iptables

    Here's an example that forwards port 80:

    sudo iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    Hopefully this is enough to get you started. iptables syntax can be very verbose and overwhelming but thankfully once you see what each flag does, it is quite human readable.

    Best of luck!

    Thanks Camo. I shall give that a shot tonight after work.

    Must admit iptables is still a mystery to me

    Thanked by (1)CamoYoshi
  • FalzoFalzo
    edited February 2021

    @havoc said: Bit confused as to what routed config means by the additional IP block

    this is actually the answer to your question. literally.

    If I'm running proxmox on a VPS with one external IP

    no additional (external) IPs, no routed config.

  • CamoYoshiCamoYoshi

    @havoc said:
    Must admit iptables is still a mystery to me

    Join the club :)

    Thanked by (1)mikewazar

    Cheap dedis are my drug, and I'm too far gone to turn back.

  • AsimAsim OGServices Provider

    I always add a RouterOS VM and configure everything via that. Serves perfectly on 1GB disk and 512MB ram

    Thanked by (1)Not_Oles
  • havochavoc OG
    edited February 2021

    OK finally got port forwarding to work...took a bit of trial & error

    auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 148.XXX.XXX.XX2/24

gateway 148.XXX.XXX.XX2

#Till here is defaults per proxmox

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

#Portforward port 2222 external to 22 on the VM
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 10.10.10.57:22
        post-up iptables -A FORWARD -i eth0 -p tcp --dport 22 -d 10.10.10.57 -j ACCEPT

#The VM here has static IP 10.10.10.57 and needs to have it's gateway set as 10.10.10.1 which is the bridge
    Thanked by (2)Not_Oles CamoYoshi
  • CamoYoshiCamoYoshi

    @havoc said:
    OK finally got port forwarding to work...took a bit of trial & error

    Nice work man! Glad you got it working. :)

    Cheap dedis are my drug, and I'm too far gone to turn back.

Sign In or Register to comment.

© LowEndSpirit 2025

ipv6 ready

This Site is currently in maintenance mode.
Please check back here later.

→ Site Settings