https://mrkmg.com/posts/2016/01/proxmox-4-with-single-public-ip-private-...
Written by Kevin on January 10, 2016
Proxmox 4 can easily be configured to put all or some of your VM/Containers in a NATed private network. You can even forward ports from your public IP address to your containers. Unfortunately, it is not possible to configure this setup from the Web GUI, but the changes to the configuration file are very simple. All changes and additions are outlined in this post.
The Setup
We are going to assume we have 3 VMs/Containers on our Proxmox server.
- VM-WEB (Web server, needs ports 80 and 443)
- VM-SMTP (Mail Server, needs ports 25 and 465)
- VM-CAPP (Custom App, runs on port 5000, but needs outside port 1025)
- Public IP: 1.2.3.4
- Private Network: 192.168.0.0/24 (192.168.0.1 - 192.168.0.254)
- Private IP of Host: 192.168.0.254
- Private IP of VM-WEB: 192.168.0.1
- Private IP of VM-SMTP: 192.168.0.2
- Private IP of VM-CAPP: 192.168.0.3
Configuring the Host's Network
The first task is to create a network bridge. We are going to call this bridge vmbr2.
SSH into your host and add the following to /etc/network/interfaces:

    auto vmbr2
    iface vmbr2 inet static
        address 192.168.0.254
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE

        # VM-WEB HTTP 80:192.168.0.1:80
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80

        # VM-WEB HTTPS 443:192.168.0.1:443
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.0.1:443
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.0.1:443

        # VM-SMTP SMTP 25:192.168.0.2:25
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 25 -j DNAT --to 192.168.0.2:25
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 25 -j DNAT --to 192.168.0.2:25

        # VM-SMTP SMTPtls 465:192.168.0.2:465
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 465 -j DNAT --to 192.168.0.2:465
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 465 -j DNAT --to 192.168.0.2:465

        # VM-CAPP CustomApp 1025:192.168.0.3:5000
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 1025 -j DNAT --to 192.168.0.3:5000
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 1025 -j DNAT --to 192.168.0.3:5000

Let's explain what is going on here.
The first block, from auto vmbr2 to the first post-down, sets up the bridge, assigns the IP 192.168.0.254 to the host, enables IP forwarding, and masquerades (NATs) traffic from 192.168.0.0/24 that leaves through vmbr0.
The following blocks set up the individual port forwards. Each port forward requires a post-up and a post-down that are identical except for -A and -D; if they differ, the rule is not removed when the bridge goes down. To create your own port forwards, follow the template below.

    # Outside XXX -> LO.CA.AL.IP:YYY
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport XXX -j DNAT --to LO.CA.AL.IP:YYY
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport XXX -j DNAT --to LO.CA.AL.IP:YYY

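Every forward is a hand-written post-up/post-down pair, and every DNAT line is a port reachable from the public IP, so it is worth auditing the stanza before restarting networking. The script below is an added example, not part of the original post: it reads an interfaces file on stdin and lists the exposed ports, unpaired rules, and forward targets outside 192.168.0.0/24. The function name audit_forwards and the sample config are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list what the DNAT rules in an
# interfaces(5) stanza expose, and flag rules that will not be cleaned up.
# Assumption taken from the post: the private network is 192.168.0.0/24.
audit_forwards() {   # reads the config on stdin, prints one finding per line
    awk '
    # Only post-up/post-down hooks that add or delete a DNAT rule matter.
    /^[ \t]*post-(up|down)[ \t]+iptables/ && /-j DNAT/ {
        iface = proto = port = dest = ""
        for (i = 2; i < NF; i++) {
            if ($i == "-i")      iface = $(i + 1)
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port  = $(i + 1)
            if ($i == "--to")    dest  = $(i + 1)
        }
        key = iface " " port "/" proto " -> " dest
        if ($1 == "post-up") { up[key] = 1; target[key] = dest }
        else                 { down[key] = 1 }
    }
    END {
        for (k in up) {
            print "EXPOSED " k
            # A post-up with no identical post-down leaves the rule behind.
            if (!(k in down)) print "UNPAIRED post-up " k
            if (target[k] !~ /^192\.168\.0\.[0-9]+:/) print "OUTSIDE " target[k]
        }
        # A post-down with no identical post-up deletes a rule never added.
        for (k in down) if (!(k in up)) print "UNPAIRED post-down " k
    }' | sort
}

# Constructed sample: the 1025 forward has a typo in its post-down target.
SAMPLE_CONFIG=$(cat <<'EOF'
auto vmbr2
iface vmbr2 inet static
    address 192.168.0.254
    post-up iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o vmbr0 -j MASQUERADE
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 1025 -j DNAT --to 192.168.0.3:5000
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 1025 -j DNAT --to 192.168.0.3:500
EOF
)

printf '%s\n' "$SAMPLE_CONFIG" | audit_forwards
```

To check the real configuration, feed it to the function with audit_forwards < /etc/network/interfaces.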
Making the Changes Active
Once all your port forwards are set up, either restart your host, or run systemctl restart networking from the CLI.
Setup of the VMs/Containers
The only thing that is left is to set up your VMs. Thankfully, this is very easy.
When you are setting up your VM, select the vmbr2 bridge.
Now configure your VM with the following network settings:
- IP Address: 192.168.0.X (where X is the last octet of the machine's private IP)
- Network Mask: 255.255.255.0
- Gateway: 192.168.0.254
Try it Out
If all went to plan, you should have a web server, mail server, and custom app all running from your public IP. Try http://1.2.3.4
Extra Credit
See if you can set up DHCP on the private network.