How to setup Proxmox with Single Public IP and share with VMs | Proxmox Tutorial

  • Published: 22 Aug 2024
  • In this video I will show you how to set up Proxmox with one single public IP and then forward certain ports to other local VMs that have local IPs. All you are doing is setting up a simple routing rule (a DNAT port forward) that sends the traffic arriving on a given port to your local VM's internal IP.
    #proxmox #virtualmachine #ipaddress #networking
    Example of the rules we will be using in this video:
    iptables -t nat -A PREROUTING -p tcp -d 198.0.10.172 --dport 80 -i vmbr0 -j DNAT --to-destination 192.168.10.160:80
    iptables -t nat -A PREROUTING -p tcp -d 198.0.10.172 --dport 443 -i vmbr0 -j DNAT --to-destination 192.168.10.160:443
    iptables -t nat -A PREROUTING -p tcp -d 198.0.10.172 --dport 27015 -i vmbr0 -j DNAT --to-destination 192.168.10.150:27015
    iptables -t nat -A PREROUTING -p udp -d 198.0.10.172 --dport 64100 -i vmbr0 -j DNAT --to-destination 192.168.10.150:64100
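    Add this outbound NAT rule so your VMs can get to the internet:
    iptables -A POSTROUTING -t nat -s 192.168.10.0/24 -j MASQUERADE
    # the same rule, limited to traffic leaving through vmbr0
    iptables -A POSTROUTING -t nat -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
    # -D deletes that rule again
    iptables -D POSTROUTING -t nat -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
    Remove a NAT rule:
    # list the nat rules with their line numbers
    iptables -t nat -L --line-numbers
    # delete PREROUTING rule number 7 (use the number shown in the listing)
    iptables -t nat -D PREROUTING 7
    Save rules:
    # iptables-save prints the current rules to stdout
    iptables-save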
    If you still can't get it working, see the example /etc/network/interfaces below:
    auto lo
    iface lo inet loopback
    iface eno1 inet manual
    auto vmbr0
    iface vmbr0 inet static
        address 198.100.140.170/24
        gateway 198.100.140.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
    auto vmbr1
    iface vmbr1 inet static
        address 192.168.10.100/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
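An added example (not from the video or its description): a shell function that reads `iptables-save` output and reports the port forwards, any DNAT rule that repeats an earlier rule's interface/protocol/address/port (iptables stops at the first matching rule, so the later one never fires), and MASQUERADE rules that lack `-o`. The function name `audit_nat`, the sample dump and the extra `.161` rule are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, using the addresses from the
# description plus one deliberately duplicated port-80 forward (.161).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 198.0.10.172/32 -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.160:80
-A PREROUTING -d 198.0.10.172/32 -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.160:443
-A PREROUTING -d 198.0.10.172/32 -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.161:80
-A PREROUTING -d 198.0.10.172/32 -i vmbr0 -p udp -m udp --dport 64100 -j DNAT --to-destination 192.168.10.150:64100
-A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -o vmbr0 -j MASQUERADE
COMMIT'

# audit_nat: read an iptables-save dump on stdin and print one finding per line.
#   FORWARD   a DNAT rule that exposes a port to a VM
#   SHADOWED  a DNAT rule with the same -i/-p/-d/--dport as an earlier one
#   UNPINNED  a MASQUERADE rule with no outbound interface (-o)
# Assumption: rules with extra matchers (-s, negations, port ranges) are not
# compared; only the four options above form the match key.
audit_nat() {
    awk '
    # Value that follows option "name" on the current rule, or "" if absent.
    function opt(name,   i) {
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    $1 == "-A" && $2 == "PREROUTING" && opt("-j") == "DNAT" {
        key  = opt("-i") " " opt("-p") " " opt("-d") " dport " opt("--dport")
        dest = opt("--to-destination")
        if (key in first) {
            # Rules are evaluated in order and DNAT ends traversal, so this
            # rule can never match while the earlier one is present.
            printf "SHADOWED %s -> %s (earlier rule sends it to %s)\n", key, dest, first[key]
        } else {
            first[key] = dest
            printf "FORWARD %s -> %s\n", key, dest
        }
    }
    $1 == "-A" && $2 == "POSTROUTING" && opt("-j") == "MASQUERADE" && opt("-o") == "" {
        printf "UNPINNED MASQUERADE for source %s (no -o interface)\n", opt("-s")
    }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | audit_nat
```

On a Proxmox host the same function can read the live table with `iptables-save -t nat | audit_nat`.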

Comments • 122

  • @GreyTechLive
    @GreyTechLive  3 years ago +24

    Make sure you do this if you want the VM to get out to the internet.
    Add this NAT outbound rule so your VM can get to the internet:
    iptables -A POSTROUTING -t nat -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
    iptables -D POSTROUTING -t nat -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
    Or make sure your /etc/network/interfaces file has something like below:
    auto lo
    iface lo inet loopback
    iface eno1 inet manual
    auto vmbr0
    iface vmbr0 inet static
        address 198.100.140.175/24
        gateway 198.100.140.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
    auto vmbr1
    iface vmbr1 inet static
        address 192.168.10.100/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE

    • @bardiasal3438
      @bardiasal3438 2 years ago +3

      Thanks, you saved me :)

    • @GreyTechLive
      @GreyTechLive  2 years ago +2

      @bardiasal3438 hey thanks for the comment!

    • @d.s.5157
      @d.s.5157 1 year ago +1

      Hi re iptables -D .... I thought that removes the rule so why have you entered it here? Also what do post-up/post-down commands do?

    • @RustamTolipov
      @RustamTolipov 1 year ago

      you hid your public ip address in the video, but revealed it in the comments. oops

    • @GreyTechLive
      @GreyTechLive  1 year ago

      @RustamTolipov ya but that's a demo machine rented IP long gone joke is on you :)

  • @phpmaven
    @phpmaven 7 months ago +3

    Maybe somebody's made this comment already, but it's kind of useless to demo going to localhost after you add a firewall rule to allow port 80 since anything you access via localhost isn't gonna go through the firewall. You would want to test it from either another VM on the network or better yet from a public IP address and make sure it's actually making it to your server.
    Having said that, I do appreciate your video because it's a very simplified explanation of exactly what I need to do to set this up on my first ever Proxmox installation

  • @DIYDaveOK
    @DIYDaveOK 1 year ago +5

    About six years ago, I virtualized an open source firewall called Smoothwall and it was fantastic for all six or seven years I had it. I'm now getting ready to rebuild my setup with a ProxMox hypervisor and a virtual pfSense. Can't wait to start!

    • @GreyTechLive
      @GreyTechLive  1 year ago +2

      Nice dude! Ya want to do a video installing pfsense on proxmox too

    • @DIYDaveOK
      @DIYDaveOK 1 year ago +3

      @GreyTechLive Thanks!! It was a tremendous learning experience but it taught me so much about bridges and taps and some really nice folks on the Smoothwall forum kinda stepped me through it, because I didn't even know if what I wanted to do was possible or even sane. It has worked famously. I love having my own firewall/router appliance!!

    • @DIYDaveOK
      @DIYDaveOK 1 year ago +1

      @GreyTechLive I think I just might!!!

    • @GreyTechLive
      @GreyTechLive  1 year ago

      Haha right me too nice man :)

  • @ivandiazpereztube
    @ivandiazpereztube 3 years ago +8

    This video saved me a red-eye night... :D

    • @GreyTechLive
      @GreyTechLive  3 years ago

      Thanks for the feedback 🙂 so glad it did!

    • @sagarsriva
      @sagarsriva 2 years ago +1

      lol. I know exactly what you mean.

    • @GreyTechLive
      @GreyTechLive  2 years ago

      Thanks for the comment 🙂

  • @mekuranda
    @mekuranda 2 years ago +2

    Just found your channel...Love your to the point style...I went looking for more tutorials on Proxmox but did not see any. Also liked several of your other subjects...subbed hoping more content suited to my skill and current interests.

    • @GreyTechLive
      @GreyTechLive  2 years ago +1

      Hey thanks for the feedback yes more content coming for proxmox and other tech related content. Appreciate your sub! :)

  • @CareyGButler
    @CareyGButler 2 months ago

    Add these two rules to your interfaces file and it will work correctly!
    post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

  • @sheshmansheshman
    @sheshmansheshman 1 year ago +1

    you sir, you just made my day

  • @fstoplive1991
    @fstoplive1991 1 year ago +1

    Great video, I'm not clear, Can my 1 IP address to the internet be DHCP?
    During initial install the IP Address has to be a static LAN address not a public internet one?

  • @christostsekas8795
    @christostsekas8795 1 year ago +1

    You saved me! Thank you!!!!!

  • @fl7422
    @fl7422 2 years ago

    Thanks, I finally understood it after reading so much.. !

  • @kalsikam
    @kalsikam 1 year ago

    This is awesome, thanks a lot for this video!

  • @Romyxton
    @Romyxton 1 year ago +1

    Thanks you bro good video

  • @core1985
    @core1985 2 years ago +1

    Thank you so much you saved me a lot of time!

    • @GreyTechLive
      @GreyTechLive  2 years ago

      So glad that you found it helpful and thank you for the positive feedback!

  • @HahaHihi11111
    @HahaHihi11111 2 years ago +2

    I like this video, best part is prerouting. But, when I have 3 virtual machines and on every have webserver (port 80 and 443), then what? How preroute? Domains?

    • @GreyTechLive
      @GreyTechLive  1 year ago

      o ya that could be an issue but you need to use a third party software like zenloadbalancer to help with that maybe.

  • @jamescross2652
    @jamescross2652 2 years ago +3

    This is incomplete and doesn't work. The guest VM cannot access the internet as shown in the video.
    I would suggest setup proxmox out of the box and then add a guest vm that can access the internet then go from there. It's odd that doesn't work out of the box like it would on any other hypervisor.

    • @GreyTechLive
      @GreyTechLive  2 years ago

      this is because it's not your standard setup you are trying to have a local network NAT to one single external IP it's really all about routing local traffic through one IP

    • @firinggamers3217
      @firinggamers3217 2 years ago +1

      well the iptables forward wasn't working for me so
      post-up iptables -t nat -A PREROUTING -i -p tcp --dport -j DNAT --to :port
      post-down iptables -t nat -A PREROUTING -i -p tcp --dport -j DNAT --to :port
      adding this to the network interface /etc/network/interfaces and rebooting or with ifupdown works for me

  • @svenadam1692
    @svenadam1692 1 year ago

    Great tutorial, thanks for that. If one follows your instructions, however, not in any case vmbr1 will be active. A hint about what to do to get it active might be helpful.

    • @Mohenjo_Daro_
      @Mohenjo_Daro_ 11 months ago

      Did you try clicking "Apply Configuration"? It's to the right of Create, Revert, Edit, Remove. That's what fixed this for me

  • @YodahMaster
    @YodahMaster 2 months ago

    Question: I don't have static public ip but dynamic public ip. How can this be accomplished in iptables NAT?

  • @ProseEdda-ky8dr
    @ProseEdda-ky8dr 3 months ago

    When you say vmbr1 is bridged to vmbr0, how did you do that? I created the 2nd bridge but where do you ever 'link' the two bridges together?????

  • @ierosgr
    @ierosgr 3 years ago +3

    4:14 In the vmbr1 bridge you haven't assigned any bridge ports like vmbr0 and still the VM with network interface vmbr1 still has net access. This seems like a paradox

    • @GreyTechLive
      @GreyTechLive  3 years ago +2

      This works if you add this to your iptables rules. Add this NAT outbound rule so your VM can get to the internet:
      iptables -A POSTROUTING -t nat -s 192.168.10.0/24 -j MASQUERADE

  • @AbyssParadox
    @AbyssParadox 2 months ago +1

    how do you apply this with more than one vm?
    can you use the same command but with different ip addresses

    • @GreyTechLive
      @GreyTechLive  2 months ago

      hi yes just change the IP address to the next VM IP

  • @kdmiller45
    @kdmiller45 1 year ago

    note: vmbr0 is initially the IP you use to reach your proxmox server, what should be done to keep communication with the server before committing this change

  • @user-pd8ko4yl6v
    @user-pd8ko4yl6v 3 years ago +1

    Thanks dude, You saved me.

    • @GreyTechLive
      @GreyTechLive  3 years ago

      Yay no problem man thanks for the feedback

  • @aletius
    @aletius 7 months ago

    Whenever I restart proxmox/server the iptables seem to reset, is there a way I can force them to save? I am saving the iptable with save-all.

  • @vlogdetodounpoco
    @vlogdetodounpoco 2 years ago +1

    Hi, thanks, I have one question: if I buy some rank ip and I put for all my vms I need do forward or same?

    • @GreyTechLive
      @GreyTechLive  2 years ago +1

      You'd have to have a public IP and then set all the other VMs with a local IP and set up the forwarding for what ports to what VM etc

  • @asrandev2859
    @asrandev2859 1 year ago

    thank you, but i have a question,, how if the mysql-server in other CT/VM, how to access the DB

  • @user-zc3nt9xy8j
    @user-zc3nt9xy8j 1 year ago

    How did you connect to your proxmox instance if it's running from a public IP? Do you use the Public IP to access the dashboard?

  • @CraigEaton
    @CraigEaton 1 year ago

    If you had 3 VM's all running Ubuntu, how would you set up the forwarding as they would all be using the same port from the external address?

  • @Punchmememe
    @Punchmememe 1 year ago

    But how do people connect to that container? Like I have a friend who wants one windows vps, I have the resources but I can't let him connect with remote connect from windows.

  • @DiyintheGhetto
    @DiyintheGhetto 2 years ago +1

    I have a question. I need to isolate one of my VMs to just internet and not be able to access all of my network. How can I do that in proxmox?

    • @GreyTechLive
      @GreyTechLive  2 years ago +1

      hi you can but would need another lan do you have a good firewall that can handle something like that? or you can setup something like pfsense first as a vm then create a new vm that has to pass the traffic from that. it's like creating a virtual LAN network inside your main network, would be better to have a firewall device that can handle something like that though.

    • @DiyintheGhetto
      @DiyintheGhetto 2 years ago

      if I add another lan connector that is still the same thing because it will be on the same network. I have never done a vlan before, I do have pfsense.

  • @ejbully
    @ejbully 2 years ago +1

    But still can't have multiple services hitting the same port am I right to assume?
    tia

    • @GreyTechLive
      @GreyTechLive  2 years ago +1

      Hi yes correct You can only have one port to one IP

  • @FalculoCornuto
    @FalculoCornuto 1 year ago

    why you setting up nat in proxmox when you can put it behind firewall and setup nat here?

  • @boomsoundfactory
    @boomsoundfactory 11 months ago +1

    I cannot configure my server to gain access to main interface please help

    • @GreyTechLive
      @GreyTechLive  11 months ago

      did you lose connection to the back end? is this a local server or cloud?

  • @hbtutorial
    @hbtutorial 3 years ago +1

    Hi, I have installed Proxmox on my hosted dedicated machine, but when I try to access from other location I am not able to access the Proxmox page. But in my home network I'm able to access.. How can I enable the Proxmox page accessible any location or any country.

    • @GreyTechLive
      @GreyTechLive  3 years ago

      By default it should allow anywhere do you have any firewall or custom ACL setup?

    • @hbtutorial
      @hbtutorial 3 years ago

      @GreyTechLive didn't yet configure the firewall and ACL

  • @mixxedxyz
    @mixxedxyz 3 years ago +2

    hey, i followed the tutorial 00:00 - 07:00 for some reason its not working for me. i have a dedicated server.
    do you have discord where i can private message you ?

    • @GreyTechLive
      @GreyTechLive  3 years ago +1

      sure thing go here discord.gg/FmAhkJVFZQ

  • @ichilvers
    @ichilvers 1 year ago +2

    Cool video, but I'm clearly missing something. I created a Debian VM and although it can ping the address assigned on vmbr1 it can't ping any further. I setup vmbr1 as per the video, enabled ip_forward and added a nat rule as per the pinned notes from @GreyTech. Initially I had the proxmox firewall enabled, so I disabled that and still can't ping out. What should I be looking for, testing for, to problem solve this? Also any recommended firewall rules in Proxmox so I can enable the firewall again.

    • @ichilvers
      @ichilvers 1 year ago +4

      Solved the issue I was having with an additional iptables command.
      iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
      Although packets from the VM were reaching the host and going out, the host didn't know how to route the return traffic to the VM. The above seems to resolve that.
      For more information please see the section "Masquerading (NAT) with iptables" on the wiki -> pve.proxmox.com/wiki/Network_Configuration

    • @GreyTechLive
      @GreyTechLive  1 year ago +1

      sorry for late reply - thanks for posting this other info!

    • @yankeyeben5633
      @yankeyeben5633 1 year ago +2

      @ichilvers Thanks so much for sharing

    • @fstoplive1991
      @fstoplive1991 1 year ago +1

      Thanks for the link @ichilvers

  • @NoordevCa
    @NoordevCa 2 years ago +1

    Will that work with multiple Virtual machines serving at port 80 and 443 ? Like web1 web2 web3 ?

    • @GreyTechLive
      @GreyTechLive  2 years ago

      Only if you have more than one public IP

  • @BossNature
    @BossNature 2 years ago +1

    Great tutorial (Y)

    • @GreyTechLive
      @GreyTechLive  2 years ago +1

      Thank you so much for the feedback!!

  • @marcin6386
    @marcin6386 2 years ago +1

    That will work with multiple Virtual machines serving at port 80 and 443 ? Like web1 web2 web3 ?

    • @GreyTechLive
      @GreyTechLive  1 year ago

      it won't, would have to use a load balancer to tell what domains go to what webserver

  • @nanabkgyasi
    @nanabkgyasi 2 years ago +1

    Does this create an additional MAC address for the Public IP? I attempted it and got a stern time limited warning.

    • @GreyTechLive
      @GreyTechLive  2 years ago

      It only creates a new Mac for the vm but since it tunnels through the physical nic it will be that Mac address

  • @fedefede843
    @fedefede843 1 year ago

    Hello. Is there a way to setup Proxmox fully with a private LAN ip, and then use Tailscale in a container or something like that to give it public access? I want to set up Proxmox in a remote Datacenter. I have a bunch of public IPs available, but ideally I will use them for ingress to my VMs providing some services. For SSH, WEB UI, etc I would like to use tailscale or similar, avoiding public IPs and opening ports. Cheers!

  • @kalsikam
    @kalsikam 1 year ago

    Ok so I got one VM working using this method, I made it .160 ip address, the second VM i have done the exact same thing, but using .170 for ip, but this second VM can't access the internet, although I can ping the .100 bridge ip and I can also ping the .160 VM, any ideas?

  • @yourpcmd
    @yourpcmd 2 years ago +2

    This is all well and good, until you find out you can't access from outside your network because you don't have a static IP from your ISP.

    • @GreyTechLive
      @GreyTechLive  2 years ago

      O crap yeah that is a big problem sorry man

    • @NodezSaga
      @NodezSaga 2 years ago

      i think there's a work-around this using vpn

    • @GreyTechLive
      @GreyTechLive  2 years ago +1

      Not really You don't use a VPN for this kind of setup when you're trying to set up multiple VMs under one public static IP I don't think you know what we're talking here

    • @xXxArnyxXx
      @xXxArnyxXx 2 years ago

      @GreyTechLive lol, wtf... you can use a vpn on your router to get a "static ip" to be able to access the network

    • @GreyTechLive
      @GreyTechLive  2 years ago

      @xXxArnyxXx He's trying to get a public static IP not a local (internal lan) static IP

  • @zippytechnologies
    @zippytechnologies 9 months ago

    ok if you only have one node for proxmox... but if you have a stack of nodes and only one static IP then.... you gotta do something different

  • @senil5906
    @senil5906 3 years ago +1

    Hi, if I have dynamic ip, can I use DDNS from the provider for that ??

    • @GreyTechLive
      @GreyTechLive  3 years ago

      Yes I would use account.dyn.com/ if you have a dynamic IP and it changes a lot but most of the time ISPs don't change anymore unless you reboot your modem and even then sometimes it still holds the original IP until you do like a release and renewal at least that's what I found but some other ISPs do change a lot You're a public IP

  • @logichostingllc4759
    @logichostingllc4759 2 years ago +1

    When I do this it says on the vm it's on a metered network

    • @GreyTechLive
      @GreyTechLive  1 year ago

      that's odd just turn that off in settings

  • @ltonchis1245
    @ltonchis1245 1 year ago +1

    Just use a virtual firewall/router like pfsense to hand out dhcp to all your vm's and that will help you avoid all those headaches Lol

    • @GreyTechLive
      @GreyTechLive  1 year ago +1

      Right you can do that as well, You still have to do some kind of routing now because proxmox is still using that one IP

  • @yvanthepcgamer7993
    @yvanthepcgamer7993 1 year ago

    Perhaps you can help me. I just started out with Proxmox. So, the issue I have right now is that my proxmox is set up, granted it is setup correctly but I recently created a VM, but the VM does not seem to get ip from my DHCP server? which is of course runs on another hyper visor. What could be the issue? when I give the vm a static IP, it works, but I want it to get an IP from the DHCP server.

  • @KnowsMeNobody
    @KnowsMeNobody 6 months ago

    you forgot to setup the NAT on PVE host

  • @evelbsstudio
    @evelbsstudio 3 years ago +2

    Can you have several VM on port 80? We servers.

    • @GreyTechLive
      @GreyTechLive  3 years ago

      No you can't you can only port forward to one IP unless you have more than one public IP

    • @evelbsstudio
      @evelbsstudio 3 years ago +1

      I am now running hestiacp and running all my websites off that one server, would have been nice to get another Hestiacp running through the same IP, I suppose I would have to setup a reverse proxy and vhost for every site hosted to go that route

    • @TheDualChannel
      @TheDualChannel 3 years ago +1

      @GreyTechLive so it is the same if I want to have multiple Windows VM with RDP enabled? I just can't

    • @GreyTechLive
      @GreyTechLive  3 years ago

      Correct unless you change the rdp port which can be done via the registry I have a video on how to do that on how to secure windows rdp

    • @GreyTechLive
      @GreyTechLive  3 years ago

      @Ilham Ramadan You could do that to you but kind of a pain in the butt I would just change the RDP port 3389 on one server to 3390 then 3391 etc port forward that in the firewall so you don't have to keep switching

  • @SolarPV.
    @SolarPV. 1 year ago

    You should be able to do the same thing with Proxmox's own firewall

    • @GreyTechLive
      @GreyTechLive  1 year ago

      Can you share some examples for everyone, thanks

    • @myozone
      @myozone 1 year ago

      @GreyTechLive I'm by no means an expert but watching another video on Proxmox's firewall it would appear possible ruclips.net/video/DNsLLrCgK0U/видео.html

  • @marcoaurelio6941
    @marcoaurelio6941 2 years ago +1

    what about Ubuntu vms? i tried this but unf no luck

    • @JaskierRezzo
      @JaskierRezzo 2 years ago +1

      I just tested it, it works. Make sure to add the iptables info in the vmbr1 on the server as mentioned in the pinned comment above :)

    • @GreyTechLive
      @GreyTechLive  1 year ago

      should work but review the updated commands

    • @GreyTechLive
      @GreyTechLive  1 year ago

      thanks for the help!

  • @LeonanT
    @LeonanT 1 year ago

    but the ipv6?

  • @woooohoooooo2138
    @woooohoooooo2138 1 year ago +1

    Bro you just saved my life, I feel like kissing you fr can I kiss you? bro I love you

  • @jemirokasih
    @jemirokasih 2 years ago +1

    Hai Bro, thank you for amazing video, I want to ask about "iptables -t nat -A PREROUTING -p tcp -d 198.0.10.172 --dport 80 -i vmbr0 -j DNAT --to-destination 192.168.10.160:80" can I add "iptables -t nat -A PREROUTING -p tcp -d 198.0.10.172 --dport 80 -i vmbr0 -j DNAT --to-destination 192.168.10.161:80" too? so I can add much guest and assign the script?

    • @GreyTechLive
      @GreyTechLive  1 year ago

      hi no you can't because they run on the port, can't have two devices on same port. you can maybe set it up where serv1.mydomain.com goes to server .160 and serv2.mydomain.com goes to server .161?

  • @nikpand
    @nikpand 2 years ago

    Hello GreyTech. It doesn't work for me. I have my ProxMox in Hetzner. Is that matters;

    • @GreyTechLive
      @GreyTechLive  2 years ago

      Hey sure it matter as long as you do the access control rules correctly