Setup VM network (NAT)

Proxmox VMs are configured by default to use bridge networking with your LAN. While great for application servers, this is undesirable when creating a router.

Tip

Bridging connects VMs directly to the host’s network, giving each one a separate IP address on the same network as the host. VMs behave just like any other device on the local network, allowing full, direct communication with other devices on the LAN.

NAT (Network Address Translation) is an alternative that creates a private network for the VMs, routing their traffic through the host as a gateway. The VMs share the host's IP address externally, so outgoing traffic appears to come from the host.

Download and run the proxmox_nat.sh script:

Run this on the Proxmox PVE host
wget https://raw.githubusercontent.com/EnigmaCurry/blog.rymcg.tech/master/src/proxmox/proxmox_nat.sh

chmod +x proxmox_nat.sh
Run this on the Proxmox PVE host
./proxmox_nat.sh
(stdout)
BRIDGE  NETWORK          COMMENT
vmbr0   192.168.1.10/24  LAN bridge

NAT bridge tool:

- Type `i` or `interfaces` to list the bridge interfaces.
- Type `c` or `create` to create a new NAT bridge.
- Type `l` or `list` to list the NAT rules.
- Type `n` or `new` to create some new NAT rules.
- Type `d` or `delete` to delete some existing NAT rules.
- Type `e` or `enable` to enable or disable adding the rules on boot.
- Type `?` or `help` to see this help message again.
- Type `q` or `quit` to quit.

The script outputs the current list of bridges (just vmbr0 by default) and the menu of options.

Tip

The vmbr0 interface is for direct bridge networking to the LAN, and it is created by default when Proxmox is installed. You now have to create a separate interface for NAT: vmbr1.

Create the NAT interface

Enter the c command to create a new bridge interface:

(stdout)
Enter command (for help, enter `?`)

: c

Enter the existing upstream bridge interface (vmbr0):

(stdout)
Enter the existing bridge to NAT from

: vmbr0

Enter the number 1 to create the new NAT interface (vmbr1):

(stdout)
Enter a unique number for the new bridge (don't write the vmbr prefix)

: 1

Configure the PVE host IP address for the new interface:

(stdout)
Configuring new interface: vmbr1
Enter the static IP address and network prefix in CIDR notation for vmbr1:

: 10.10.1.1/24

Enter the description/comment for this interface

: NAT 10.10.1.1/24 bridged to vmbr0

Create NAT rules

(stdout)
Enter command (for help, enter `?`)

: n

Defining new port forward rule:
Enter the inbound interface

: vmbr0

Enter the protocol (tcp, udp)

: tcp

Enter the inbound Port number

: 2222

Enter the destination IP address

: 10.10.1.2

Enter the destination Port number

: 22

INTERFACE  PROTOCOL  IN_PORT  DEST_IP    DEST_PORT
vmbr0      tcp       2222     10.10.1.2  22
? Is this rule correct? (Y/n): y

? Would you like to define more port forwarding rules now? (y/N): N

? Would you like to enable the systemd unit on boot? (Y/n): Y

## Existing inbound port forwarding (DNAT) rules:
INTERFACE  PROTOCOL  IN_PORT  DEST_IP    DEST_PORT
vmbr0      tcp       2222     10.10.1.2  22
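
A port-forward table like the one above can be audited before it is relied on. The following is an added example, not part of proxmox_nat.sh or the original page: POSIX shell functions that read a rule table in the column layout shown above, check that each destination lies inside the NAT subnet, and print the conventional iptables DNAT form of each valid rule. `NAT_CIDR`, the function names, and the iptables rendering are assumptions; the rules the script actually writes to /etc/network/my-iptables-rules.sh may differ.

```sh
# Added example, not part of proxmox_nat.sh. Audits a DNAT rule table in the
# column layout printed above. Assumption: NAT_CIDR is the vmbr1 address.
NAT_CIDR="${NAT_CIDR:-10.10.1.1/24}"

# Dotted-quad IPv4 -> integer. Rejects malformed input and octets with leading
# zeros (some tools parse those as octal). Subshell body keeps IFS local.
ip_to_int() (
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
)

# Succeeds if IPv4 address $1 lies inside CIDR $2.
in_cidr() (
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case $bits in [0-9]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( $ip & $mask )) -eq $(( $net & $mask )) ]
)

# Reads a rule table on stdin; prints a verdict per rule; returns 1 on any FAIL.
audit_rules() (
    rc=0
    while read -r iface proto in_port dest_ip dest_port; do
        case $iface in ''|INTERFACE|'#'*) continue ;; esac
        why=
        case $proto in tcp|udp) ;; *) why="protocol must be tcp or udp" ;; esac
        for p in "$in_port" "$dest_port"; do
            case $p in ''|0*|*[!0-9]*|??????*) why="bad port: $p"; continue ;; esac
            [ "$p" -le 65535 ] || why="bad port: $p"
        done
        in_cidr "$dest_ip" "$NAT_CIDR" || why="destination outside $NAT_CIDR"
        [ -z "$why" ] || { echo "FAIL: $iface $proto $in_port -> $dest_ip:$dest_port ($why)"; rc=1; continue; }
        echo "OK: iptables -t nat -A PREROUTING -i $iface -p $proto --dport $in_port -j DNAT --to-destination $dest_ip:$dest_port"
    done
    return $rc
)
# Constructed sample: the walkthrough's rule plus a forward outside the subnet.
SAMPLE_TABLE='INTERFACE  PROTOCOL  IN_PORT  DEST_IP       DEST_PORT
vmbr0      tcp       2222     10.10.1.2     22
vmbr0      tcp       8080     192.168.1.50  80'
printf '%s\n' "$SAMPLE_TABLE" | audit_rules || true
```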

Enable the NAT script to run on boot

Run this on the Proxmox PVE host
Enter command (for help, enter `?`)

: e

The systemd unit is named: my-iptables-rules
The systemd unit is currently: enabled
? Would you like to enable the systemd unit on boot? (Y/n): y
Systemd unit enabled: my-iptables-rules
NAT rules applied: /etc/network/my-iptables-rules.sh

Now quit the script by entering q.

Run this on the Proxmox PVE host
Enter command (for help, enter `?`)

: q