Create the VM

Create the router VM with the IP address 10.10.1.2 and the mnemonic ID 102:

Run this on the Proxmox PVE host
export VM_ID=102 \
       VM_NET=10.10.1.2/24 \
       VM_GATEWAY=10.10.1.1 \
       VM_HOSTNAME=router \
       TEMPLATE_ID=9003 \
       CPU=2 \
       RAM_MB=2048 \
       EXTRA_DISK_SPACE_GB=30 && \
    ./proxmox_kvm.sh clone && \
    qm set "${VM_ID}" \
       --machine q35 \
       --net0 "virtio,bridge=vmbr1" \
       --ipconfig0 "ip=${VM_NET},gw=${VM_GATEWAY}" \
       --cores ${CPU} \
       --memory ${RAM_MB} && \
    test -n "${EXTRA_DISK_SPACE_GB}" && \
    test "${EXTRA_DISK_SPACE_GB}" != 0 && \
    qm resize "${VM_ID}" scsi0 +${EXTRA_DISK_SPACE_GB}G
Tip

The base Fedora image is about 5GB, and the base template reserved 20GB of free space. This VM reserves an extra 30GB, for a total of 55GB storage space reserved.

Configure PCI passthrough of the Ethernet device

You need to find the device ID of the Ethernet controller that you are going to pass through to the router VM:

Run this on the Proxmox PVE host
lspci | grep Ethernet
(stdout)
01:00.0 Ethernet controller: Intel Corporation Ethernet Controller 10-Gigabit X540-AT2 (rev 01)
01:00.1 Ethernet controller: Intel Corporation Ethernet Controller 10-Gigabit X540-AT2 (rev 01)
...
Tip

In the example above, lspci identifies the device model (X540-AT2). The fully qualified PCI address is listed at the very beginning of each line, in the form Bus:Device.Function. Because the device has two Ethernet ports (functions), it is listed twice with the same bus and device ID, but with a unique function suffix appended to it:

Bus   Device  Function
 |       |       |
01     :00      .0
01     :00      .1

To pass the device to the VM, you only need to pass the Bus and Device ID: 01:00. The function suffixes .0 and .1 can be ignored, because the entire device will be passed through to the VM, including all of these PCI functions.
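
Because everything at a given Bus:Device is handed to the VM, it helps to confirm which functions live there before running qm set. The following is an added example, not part of the original guide: it parses lspci output, lists every function on a Bus:Device, and fails if any of them is not an Ethernet controller. The helper names are hypothetical and the sample lspci text is constructed (only the two X540-AT2 lines come from this page); it assumes plain lspci output without a PCI domain prefix.

```shell
#!/bin/sh
# Added example. Names below (sample_lspci, ethernet_devices,
# pci_passthrough_check) are hypothetical helpers, not Proxmox tools.

# Constructed sample of plain `lspci` output. Only the two X540-AT2 lines
# appear in the guide; the other three lines are made up for illustration.
sample_lspci() {
cat <<'EOF'
00:1f.2 SATA controller: Example AHCI Controller
01:00.0 Ethernet controller: Intel Corporation Ethernet Controller 10-Gigabit X540-AT2 (rev 01)
01:00.1 Ethernet controller: Intel Corporation Ethernet Controller 10-Gigabit X540-AT2 (rev 01)
02:00.0 Ethernet controller: Example Onboard NIC
02:00.1 Audio device: Example Audio Function
EOF
}

# Print each unique Bus:Device that carries at least one Ethernet function.
ethernet_devices() {
    awk '/Ethernet controller/ {
        dev = $1; sub(/\.[0-7]$/, "", dev)   # drop the ".Function" suffix
        if (!seen[dev]++) print dev
    }'
}

# List every function on Bus:Device $1 (lspci text on stdin).
# Exit 0: all functions are Ethernet; 1: device not found;
# 2: a non-Ethernet function would be passed through as well.
pci_passthrough_check() {
    awk -v want="$1" '
        { dev = $1; sub(/\.[0-7]$/, "", dev) }
        dev == want {
            n++
            print "  passes through: " $0
            if ($0 !~ /Ethernet controller/) other++
        }
        END {
            if (n == 0) { print "no PCI functions found at " want; exit 1 }
            if (other)  { print other " non-Ethernet function(s) at " want; exit 2 }
            print n " Ethernet function(s) at " want
        }'
}

# Demo on the constructed sample; on the PVE host use:
#   lspci | ethernet_devices
#   lspci | pci_passthrough_check 01:00
sample_lspci | pci_passthrough_check 01:00
```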

Once you have found the device ID (e.g., 01:00), pass the device through to the router VM:

Run this on the Proxmox PVE host
VM_ID=102 \
PCI_DEVICE=01:00; \
  qm set ${VM_ID} \
  -hostpci0 ${PCI_DEVICE},pcie=on

Create the initial snapshot

Before starting the VM for the first time, take an initial snapshot:

Run this on the Proxmox PVE host
VM_ID=102 && \
qm snapshot ${VM_ID} init --description "Initial"

Start the router VM

Run this on the Proxmox PVE host
VM_ID=102 && \
qm start ${VM_ID}

Create SSH config to access the router VM

Create a new entry for the router VM in ~/.ssh/config:

Run this on the Proxmox PVE host
cat <<EOF >> ~/.ssh/config

Host router
     Hostname 10.10.1.2
     User root
     ControlMaster auto
     ControlPersist yes
     ControlPath /tmp/ssh-%u-%r@%h:%p
EOF

You can access the VM directly from your workstation by setting a proxy jump in your ssh config:

Run this on your workstation
cat <<EOF >> ~/.ssh/config

Host router
     Hostname 10.10.1.2
     User root
     ControlMaster auto
     ControlPersist yes
     ControlPath /tmp/ssh-%u-%r@%h:%p
     ProxyJump pve-router
EOF

Replace X.X.X.X with the management IP address of your Proxmox host.

Copy your workstation key to the router VM:

Run this on your workstation
ssh -A pve-router ssh-copy-id router

Connect to the VM

Run this on the Proxmox PVE host
## You can run this from the PVE host or your workstation:
ssh router
(stdout)
The authenticity of host '[192.168.1.2]:2222 ([192.168.1.2]:2222)' can't be established.
ED25519 key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxx.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

The first time you connect, you will need to accept the SSH fingerprint: type yes and press Enter.