Preface

Running Proxmox is awesome. Spinning up virtual machines, containers, setting up storage, you name it. Last week, I got my hands on a dedicated server hosted at OVH. While I’m pretty comfortable with Proxmox, I faced a new challenge: how do I connect to all my VMs when I only have one public IP address?

The Challenge

Since my Proxmox setup only comes with a single public IP, I needed a way to connect to my VMs while ensuring they also have internet access for updates and package installations. After doing some research, I realized I could use the same approach I discussed in my earlier blog post: iptables and NAT rules.

Setting Up Networking and Internet Access

Creating a Private Network

The first step is setting up a private network for your VMs so they can interact with each other. You could extend this concept to create separate DMZ or segmented networks, but for simplicity, I stick to one bridge. Since all traffic is on the same server, having multiple virtual networks doesn't add much value.

Network Configuration via CLI

Edit the /etc/network/interfaces file and add the following:

auto vmbr1
iface vmbr1 inet static
        address  10.90.0.254
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

This sets up a new Linux bridge called vmbr1. It’s not bound to any physical interface (bridge_ports none), making it isolated. The address field defines the gateway for your VMs, which in this case is 10.90.0.254.

Adding Internet Support (NAT Routing)

Out of the box, VMs on the private bridge won’t have internet access. To fix this, we’ll configure NAT rules to route traffic through the server’s public IP.

Append the following to /etc/network/interfaces under the vmbr1 configuration:

# Allow internet access
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up   iptables -t nat -A POSTROUTING -s '10.90.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.90.0.0/24' -o vmbr0 -j MASQUERADE

What’s Happening Here?

  1. ip_forward enables Linux to route packets between interfaces (e.g., from vmbr1 to vmbr0).
  2. The iptables POSTROUTING rule applies NAT masquerading, allowing traffic from the 10.90.0.0/24 network to appear as if it’s coming from the public IP on vmbr0.

Accessing Services from the Internet

To expose services (e.g., SSH, HTTP) running on your VMs to the public, we’ll use port forwarding via iptables.

Example: SSH Access

Add the following rule to the /etc/network/interfaces file under the vmbr1 section:

# Route traffic to VMs
post-up iptables -t nat -A PREROUTING -p tcp -d YOUR_PUBLIC_IP --dport 2100 -i vmbr0 -j DNAT --to-destination 10.90.0.1:22
  • Replace YOUR_PUBLIC_IP with your server’s public IP address.
  • --dport 2100: The port on the public IP that listens for incoming SSH connections.
  • --to-destination 10.90.0.1:22: Forwards traffic to the VM’s internal IP and SSH port

Final Configuration Example

Here’s the final, complete configuration for /etc/network/interfaces:

auto vmbr1
iface vmbr1 inet static
        address  10.90.0.254
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        # Allow internet access
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.90.0.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.90.0.0/24' -o vmbr0 -j MASQUERADE

        # Route traffic to VMs
        post-up iptables -t nat -A PREROUTING -p tcp -d YOUR_PUBLIC_IP --dport 2100 -i vmbr0 -j DNAT --to-destination 10.90.0.1:22
        post-up iptables -t nat -A PREROUTING -p tcp -d YOUR_PUBLIC_IP --dport 80 -i vmbr0 -j DNAT --to-destination 10.90.0.137:80
        post-up iptables -t nat -A PREROUTING -p tcp -d YOUR_PUBLIC_IP --dport 443 -i vmbr0 -j DNAT --to-destination 10.90.0.137:443