Eugene Heriniaina - Tsiky dia ampy

Takelaka fifampizarana...

Proxmox 4 with a Single Public IP - Setup a Private Network

https://mrkmg.com/posts/2016/01/proxmox-4-with-single-public-ip-private-...

Written by Kevin on January 10, 2016

SHARE

Proxmox 4 can easily be configured to put all or some of your VM/Containers in a NATed private network. You can even forward ports from your public IP address to your containers. Unfortunately, it is not possible to configure this setup from the Web GUI, but the changes to the configuration file are very simple. All changes and additions are outlined in this post.


The Setup

We are going to assume we have 3 VMs/Containers on our Proxmox server.

  1. VM-WEB (Web server, needs ports 80 and 443)
  2. VM-SMTP (Mail Server, needs ports 25 and 465)
  3. VM-CAPP (Custom App, run on port 5000, but needs outside port 1025)
  • Public IP: 1.2.3.4
  • Private Network: 192.168.0.0/24 (192.168.0.1 - 192.168.0.254)
  • Private IP of Host: 192.168.0.254
  • Private IP of VM-WEB: 192.168.0.1
  • Private IP of VM-MAIL: 192.168.0.2
  • Private IP of VM-CAPP: 192.168.0.3

Configuring the Hosts Network

The first task is to create a network bridge. We are going to call this bridge vmbr2.

SSH into your host and add the following to /etc/network/interfaces

auto vmbr2
iface vmbr2 inet static
    address 192.168.0.254
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE

    # VM-WEB HTTP 80:192.168.0.1:80
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80

    # VM-WEB HTTPS 443:192.168.0.1:443
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.0.1:443
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.0.1:443

    # VM-SMTP SMTP 25:192.168.0.2:25
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 25 -j DNAT --to 192.168.0.2:25
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 25 -j DNAT --to 192.168.0.2:25

    # VM-SMTP SMTPtls 465:192.168.0.2:465
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 465 -j DNAT --to 192.168.0.2:465
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 465 -j DNAT --to 192.168.0.2:465

    # VM-CAPP CustomApp 1025:192.168.0.3:5000
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 1025 -j DNAT --to 192.168.0.3:5000
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 1025 -j DNAT --to 192.168.0.3:5000

Lets explain what is going on here.

The first whole block, from auto vmbr2 to the first post-down sets up the bridge, assigns an the ip 192.168.0.254 to the host, and enables NAT from vmbr0 to vmbr2.

The next sets of blocks setup the individual port forwards. Each port forward requires a post-up and post-down. To create your own port forwards, follow the template below.

#Outside XXX -> LO.CA.AL.IP:YYY
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport XXX -j DNAT --to LO.CA.AL.IP:YYY
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport XXX -j DNAT --to LO.CA.AL.IP:YYY

Making the Changes Active

Once all your port forwards are setup, either restart your host, or run systemctl restart networking from the CLI.

Setup of the VMs/Containers

The only thing that is left is to setup your VMs. Thankfully, this is very easy.

When you are setting up your VM, select the vmbr2 bridge.

Now configure your VM with the following network settings:

  • IP Address: 192.168.0.X (where X is the private ip of the Machine)
  • Network Mask: 255.255.255.0
  • Gateway: 192.168.0.254

Try it Out

If all went to plan, you should have a web server, mail server, and custom app all running from your public IP. Tryhttp://1.2.3.4

Extra Credit

See if you can set up DHCP on the private network.