Proxmox question

Hi gents

If I'm running proxmox on a VPS with one external IP, should I be going for a Routed or Masquerading NAT config?

https://pve.proxmox.com/wiki/Network_Configuration#_routed_configuration

https://pve.proxmox.com/wiki/Network_Configuration#_masquerading_nat_with_tt_span_class_monospaced_iptables_span_tt

Bit confused as to what routed config means by the additional IP block

you have a public IP (assume 198.51.100.5 for this example), and an additional IP block for your VMs (203.0.113.16/29)

I need some sort of port forwarding mechanism, so can't just be outgoing

Thanks

Comments

  • In this circumstance you would go for a masquerading setup since you need to follow proper IANA rules and use an internal IPv4 range behind your NAT (similar to your network at home) running on the Proxmox server itself. The example they give is perfectly fine to copy and paste into your config. You can then statically assign IPs to your VMs, or if you wanted to take it a step further, install dnsmasq and have it only hand out addresses to your VMs, changing the binding appropriately.

    Masquerading also allows for port forwarding in this scenario. I got this just by doing a bit of searching around:

    https://www.digitalocean.com/community/tutorials/how-to-forward-ports-through-a-linux-gateway-with-iptables

    Here's an example that forwards port 80:

    sudo iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    Hopefully this is enough to get you started. iptables syntax can be very verbose and overwhelming but thankfully once you see what each flag does, it is quite human readable.

    Best of luck!

    Thanked by (1)havoc

    Cheap dedis are my drug, and I'm too far gone to turn back.

  • @CamoYoshi said:
    In this circumstance you would go for a masquerading setup since you need to follow proper IANA rules and use an internal IPv4 range behind your NAT (similar to your network at home) running on the Proxmox server itself. The example they give is perfectly fine to copy and paste into your config. You can then statically assign IPs to your VMs, or if you wanted to take it a step further, install dnsmasq and have it only hand out addresses to your VMs, changing the binding appropriately.

    Masquerading also allows for port forwarding in this scenario. I got this just by doing a bit of searching around:

    https://www.digitalocean.com/community/tutorials/how-to-forward-ports-through-a-linux-gateway-with-iptables

    Here's an example that forwards port 80:

    sudo iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    Hopefully this is enough to get you started. iptables syntax can be very verbose and overwhelming but thankfully once you see what each flag does, it is quite human readable.

    Best of luck!

    Thanks Camo. I shall give that a shot tonight after work.

    Must admit iptables is still a mystery to me

    Thanked by (1)CamoYoshi
  • edited February 2021

    @havoc said: Bit confused as to what routed config means by the additional IP block

    this is actually the answer to your question. literally.

    If I'm running proxmox on a VPS with one external IP

    no additional (external) IPs, no routed config.

  • @havoc said:
    Must admit iptables is still a mystery to me

    Join the club :)

    Thanked by (1)mikewazar

    Cheap dedis are my drug, and I'm too far gone to turn back.

  • Asim (OG, Services Provider)

    I always add a RouterOS VM and configure everything via that. Serves perfectly on 1GB disk and 512MB ram

    Thanked by (1)Not_Oles
  • havoc (OG)
    edited February 2021

    OK finally got port forwarding to work...took a bit of trial & error

    auto lo
    iface lo inet loopback
    
    auto eth0
    iface eth0 inet static
            address 148.XXX.XXX.XX2/24
            gateway 148.XXX.XXX.XX2
    
    #Till here is defaults per proxmox
    
    auto vmbr0
    iface vmbr0 inet static
            address 10.10.10.1/24
            bridge-ports none
            bridge-stp off
            bridge-fd 0
    
            post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
            post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
            post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
    
    #Portforward port 2222 external to 22 on the VM
    #(each post-up has a matching post-down so the rules are not duplicated when the bridge is brought down and up again)
            post-up   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 10.10.10.57:22
            post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 10.10.10.57:22
            post-up   iptables -A FORWARD -i eth0 -p tcp --dport 22 -d 10.10.10.57 -j ACCEPT
            post-down iptables -D FORWARD -i eth0 -p tcp --dport 22 -d 10.10.10.57 -j ACCEPT
    
    #The VM here has static IP 10.10.10.57 and needs to have its gateway set as 10.10.10.1 which is the bridge
    
    Thanked by (2)Not_Oles CamoYoshi
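The same masquerade-plus-port-forward setup as a small script, added here as an example and not code from the thread, from Proxmox or from the DigitalOcean tutorial. It puts together the two halves the posts above show separately: the nat/PREROUTING DNAT rule (which the FORWARD-only snippet in CamoYoshi's reply does not include) and the FORWARD accept rules, each generated as matching add/del pairs so post-up and post-down stay in sync. The interface names, subnet, VM address and ports (eth0, vmbr0, 10.10.10.0/24, 10.10.10.57, 2222 to 22) are taken from havoc's config; the script name, the WAN_IF/LAN_IF/LAN_NET variables and the IPT_DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): masquerade a VM subnet behind a single
# public IP on a Proxmox host and DNAT one public port to a VM, with every
# rule available as an add/del pair for post-up/post-down.
# Assumed values: WAN_IF=eth0, LAN_IF=vmbr0 carrying 10.10.10.0/24, VM
# 10.10.10.57, public TCP 2222 forwarded to VM port 22.
# IPT_DRY_RUN=1 prints the iptables command lines instead of running them
# (no root needed), which is also how the rules can be reviewed before use.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-vmbr0}"
LAN_NET="${LAN_NET:-10.10.10.0/24}"

# ipt ARGS...: run iptables, or print the command line when dry-running.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# set_flag add|del: sets $f to the iptables verb that appends or deletes a rule.
set_flag() {
    case "$1" in
        add) f=-A ;;
        del) f=-D ;;
        *)   echo "expected add|del, got '$1'" >&2; return 2 ;;
    esac
}

# masquerade_rules add|del: SNAT the VM subnet out of the WAN interface and
# let VM-originated traffic and its replies through FORWARD. The FORWARD
# rules only matter when that chain's policy is DROP (e.g. pve-firewall on).
masquerade_rules() {
    set_flag "$1" || return 2
    ipt -t nat "$f" POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    ipt "$f" FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt "$f" FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# port_forward add|del VM_IP EXT_PORT VM_PORT: DNAT a public TCP port to a VM
# and accept only the new connections that were rewritten to that VM/port,
# so the FORWARD hole is no wider than the forward itself.
port_forward() {
    set_flag "$1" || return 2
    vm=$2; ext=$3; int=$4
    ipt -t nat "$f" PREROUTING -i "$WAN_IF" -p tcp --dport "$ext" -j DNAT --to-destination "$vm:$int"
    ipt "$f" FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$vm" --dport "$int" -m conntrack --ctstate NEW -j ACCEPT
}

# nat_status: 0 if IP forwarding is on and the MASQUERADE rule is loaded.
nat_status() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ] || return 1
    iptables -t nat -C POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null
}

# Driver: "sh nat.sh up|down" applies or removes everything. With no argument
# nothing runs, so the file can be sourced just for its functions.
case "${1:-}" in
    up)
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        masquerade_rules add
        port_forward add 10.10.10.57 2222 22
        ;;
    down)
        port_forward del 10.10.10.57 2222 22
        masquerade_rules del
        ;;
esac
```

On the Proxmox host this would be called from the vmbr0 stanza in /etc/network/interfaces as `post-up /usr/local/sbin/nat.sh up` and `post-down /usr/local/sbin/nat.sh down` (path assumed). Setting net.ipv4.ip_forward in /etc/sysctl.d/ rather than in a post-up keeps forwarding on across reboots regardless of interface order, and `iptables -t nat -S` plus `iptables -S FORWARD` after ifup shows exactly one copy of each rule if the add/del pairs are balanced.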
  • @havoc said:
    OK finally got port forwarding to work...took a bit of trial & error

    Nice work man! Glad you got it working. :)

    Cheap dedis are my drug, and I'm too far gone to turn back.
