Proxmox: 1 NIC, 1 Public IP, unable to get WAN interface working in VMs

linux-networkingnetworkingpfsenseproxmoxvirtual-machines

I have a computer running Proxmox, and it has 1 single NIC that is directly connected to internet and has a single public IP. Then, I have different VMs (KVM) running and one of them is pfSense.

What I want to do is to have the host (Proxmox) and pfSense in the DMZ zone while the rest of VMs would be inside an internal LAN where all the traffic has to pass through pfSense. However I am not able to make it work.

What I have done is setting up a bridge br0 (containing the public address, gateway…) connected to eth0 (iface eth0 inet manual). This works from the host as I have full connectivity, not so with pfSense or any other VM.

The main problem here is that I am not sure what IP should I use in pfSense since the public IP is already defined in the bridge. Setting up the same IP in pfSense will not work (seems logical). How should I proceed?

Best Answer

You will need to

create a virtual adapter (ie, tap0) that belongs to the bridge and give it an IP (say 192.168.1.1)
then connect all the VMs to that bridge and have them use 192.168.1.1 as their gateway, and
setup the Proxmox host to do NAT by enabling ip forwarding:
1. add net.ipv4.ip_forward=1 to /etc/sysctl.conf
2. run sysctl -p
3. add in the NAT rule with iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The Proxmox docs cover this pretty well (and in more detail).

Related Solutions

Linux – Proxmox: VMs and different public IPs

You don't need to assign it a public IP address, but you do need to assign eth1 to a bridge port and give the other bridge options.

If you're new to proxmox, the webui supports managing ethernet interfaces and bridges for you. It also prevents you from naming your bridges poorly (proxmox enforces a vmbrNNNN, where the Ns are a number between 0 and 4095).

The interfaces file requires you provide an IP address for any defined interface, so to convince it otherwise you can add a local IP and just leave it, or as in this example, tear it down right away after the interface finishes coming up:

auto lo
iface lo inet loopback

iface eth0 inet manual
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
        address  192.168.1.101
        netmask  255.255.255.0
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
       address  127.1.0.1
       netmask  255.255.255.255
       bridge_ports eth1
       bridge_stp off
       bridge_fd 0
       up ip addr del 127.1.0.1/32 dev vmbr1

Edit: Please edit your question if you are using any odd firewall rules that might block bridged traffic, and the value of sysctl net.ipv4.ip_forward.

You may want to tcpdump -n -i ethN (the external outgoing interface) to verify your packets are travelling off your host node.

Ubuntu – KVM Ubuntu Guest cannot connect to the internet on bridged networking

I think you are missing a iptable rule for the masquerade

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

Best Answer

Related Solutions

Linux – Proxmox: VMs and different public IPs

Ubuntu – KVM Ubuntu Guest cannot connect to the internet on bridged networking

Related Topic