Any Promox VM NAT dummy guide?

cybertechcybertech OGBenchmark King

Haven't been able to get my NAT VMs to connect to internet.

Hoping to get pointed to a nice guide that you have.

Proxmox/Ubuntu/NAT dummy here :tongue:

I bench YABS 24/7/365 unless it's a leap year.

Comments

  • SagnikSSagnikS Hosting ProviderOG
    edited July 2020

    I just have a separate bridge for NAT VMs.

    auto vmbr1
    iface vmbr1 inet static
        address <first_usable_internal_ip>/<netmask>
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        # Set up NAT for this bridge
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down iptables -t nat -D POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down echo 0 > /proc/sys/net/ipv4/ip_forward
    
        #Port Forwarding Rules
        iptables -t nat -A PREROUTING -p tcp --dport <port> -j DNAT --to-destination <internal_vm_ip>:<port>
        iptables -t nat -A POSTROUTING -p tcp --sport <port> -s <internal_vm_ip>: -j SNAT --to-source <public_ip>:<port>
    
  • cybertechcybertech OGBenchmark King

    @SagnikS said:
    I just have a separate bridge for NAT VMs.

    auto vmbr1
    iface vmbr1 inet static
        address <first_usable_internal_ip>/<netmask>
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        # Set up NAT for this bridge
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down iptables -t nat -D POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down echo 0 > /proc/sys/net/ipv4/ip_forward
    
        #Port Forwarding Rules
        iptables -t nat -A PREROUTING -p tcp --dport <port> -j DNAT --to-destination <internal_vm_ip>:<port>
        iptables -t nat -A POSTROUTING -p tcp --sport <port> -s <internal_vm_ip>: -j SNAT --to-source <public_ip>:<port>
    

    Anything else needed to be done on the NAT VM?

    I bench YABS 24/7/365 unless it's a leap year.

  • I just get a second IPv4 address, and give it to pfSense, and let it do NAT.

    Thanked by (1)cybertech
  • SagnikSSagnikS Hosting ProviderOG

    @cybertech said:

    @SagnikS said:
    I just have a separate bridge for NAT VMs.

    auto vmbr1
    iface vmbr1 inet static
        address <first_usable_internal_ip>/<netmask>
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        # Set up NAT for this bridge
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down iptables -t nat -D POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down echo 0 > /proc/sys/net/ipv4/ip_forward
    
        #Port Forwarding Rules
        iptables -t nat -A PREROUTING -p tcp --dport <port> -j DNAT --to-destination <internal_vm_ip>:<port>
        iptables -t nat -A POSTROUTING -p tcp --sport <port> -s <internal_vm_ip>: -j SNAT --to-source <public_ip>:<port>
    

    Anything else needed to be done on the NAT VM?

    Just set the netmask and put in an IP from the internal subnet in the network config, and you should be golden.

    Thanked by (1)cybertech
  • SagnikSSagnikS Hosting ProviderOG

    @aaronstuder said:
    I just get a second IPv4 address, and give it to pfSense, and let it do NAT.

    That's what I do at home too (except the second IP).

  • cybertechcybertech OGBenchmark King

    @SagnikS said:

    @cybertech said:

    @SagnikS said:
    I just have a separate bridge for NAT VMs.

    auto vmbr1
    iface vmbr1 inet static
        address <first_usable_internal_ip>/<netmask>
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        # Set up NAT for this bridge
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down iptables -t nat -D POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down echo 0 > /proc/sys/net/ipv4/ip_forward
    
        #Port Forwarding Rules
        iptables -t nat -A PREROUTING -p tcp --dport <port> -j DNAT --to-destination <internal_vm_ip>:<port>
        iptables -t nat -A POSTROUTING -p tcp --sport <port> -s <internal_vm_ip>: -j SNAT --to-source <public_ip>:<port>
    

    Anything else needed to be done on the NAT VM?

    Just set the netmask and put in an IP from the internal subnet in the network config, and you should be golden.

    I kinda did that too, just gonna try again heh. Thanks.

    I bench YABS 24/7/365 unless it's a leap year.

  • SagnikSSagnikS Hosting ProviderOG

    @cybertech said:

    @SagnikS said:

    @cybertech said:

    @SagnikS said:
    I just have a separate bridge for NAT VMs.

    auto vmbr1
    iface vmbr1 inet static
        address <first_usable_internal_ip>/<netmask>
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        # Set up NAT for this bridge
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down iptables -t nat -D POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down echo 0 > /proc/sys/net/ipv4/ip_forward
    
        #Port Forwarding Rules
        iptables -t nat -A PREROUTING -p tcp --dport <port> -j DNAT --to-destination <internal_vm_ip>:<port>
        iptables -t nat -A POSTROUTING -p tcp --sport <port> -s <internal_vm_ip>: -j SNAT --to-source <public_ip>:<port>
    

    Anything else needed to be done on the NAT VM?

    Just set the netmask and put in an IP from the internal subnet in the network config, and you should be golden.

    I kinda did that too, just gonna try again heh. Thanks.

    If it didn't work, try pinging the IP that's assigned to the bridge.

  • cybertechcybertech OGBenchmark King

    @SagnikS said:

    @cybertech said:

    @SagnikS said:

    @cybertech said:

    @SagnikS said:
    I just have a separate bridge for NAT VMs.

    auto vmbr1
    iface vmbr1 inet static
        address <first_usable_internal_ip>/<netmask>
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        # Set up NAT for this bridge
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down iptables -t nat -D POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down echo 0 > /proc/sys/net/ipv4/ip_forward
    
        #Port Forwarding Rules
        iptables -t nat -A PREROUTING -p tcp --dport <port> -j DNAT --to-destination <internal_vm_ip>:<port>
        iptables -t nat -A POSTROUTING -p tcp --sport <port> -s <internal_vm_ip>: -j SNAT --to-source <public_ip>:<port>
    

    Anything else needed to be done on the NAT VM?

    Just set the netmask and put in an IP from the internal subnet in the network config, and you should be golden.

    I kinda did that too, just gonna try again heh. Thanks.

    If it didn't work, try pinging the IP that's assigned to the bridge.

    ping internal IP from the host?

    I bench YABS 24/7/365 unless it's a leap year.

  • SagnikSSagnikS Hosting ProviderOG

    @cybertech said:

    @SagnikS said:

    @cybertech said:

    @SagnikS said:

    @cybertech said:

    @SagnikS said:
    I just have a separate bridge for NAT VMs.

    auto vmbr1
    iface vmbr1 inet static
        address <first_usable_internal_ip>/<netmask>
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        # Set up NAT for this bridge
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down iptables -t nat -D POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down echo 0 > /proc/sys/net/ipv4/ip_forward
    
        #Port Forwarding Rules
        iptables -t nat -A PREROUTING -p tcp --dport <port> -j DNAT --to-destination <internal_vm_ip>:<port>
        iptables -t nat -A POSTROUTING -p tcp --sport <port> -s <internal_vm_ip>: -j SNAT --to-source <public_ip>:<port>
    

    Anything else needed to be done on the NAT VM?

    Just set the netmask and put in an IP from the internal subnet in the network config, and you should be golden.

    I kinda did that too, just gonna try again heh. Thanks.

    If it didn't work, try pinging the IP that's assigned to the bridge.

    ping internal IP from the host?

    Whoops, I mean, ping the IP from the VM. That same IP should also be the gateway for the network config inside the VM.

    Thanked by (1)cybertech
  • Who is the provider? What is the Server?

  • @cybertech's guide should cover it. That's all you need to do.

    Thanked by (1)cybertech
  • cybertechcybertech OGBenchmark King

    @SagnikS said:

    @cybertech said:

    @SagnikS said:
    I just have a separate bridge for NAT VMs.

    auto vmbr1
    iface vmbr1 inet static
        address <first_usable_internal_ip>/<netmask>
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        # Set up NAT for this bridge
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down iptables -t nat -D POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down echo 0 > /proc/sys/net/ipv4/ip_forward
    
        #Port Forwarding Rules
        iptables -t nat -A PREROUTING -p tcp --dport <port> -j DNAT --to-destination <internal_vm_ip>:<port>
        iptables -t nat -A POSTROUTING -p tcp --sport <port> -s <internal_vm_ip>: -j SNAT --to-source <public_ip>:<port>
    

    Anything else needed to be done on the NAT VM?

    Just set the netmask and put in an IP from the internal subnet in the network config, and you should be golden.

    Thanks everyone for the guides, read all of them and could get my NAT VM to access internet.

    Now for accessing SSH NAT VM via port 1234 from outside, I'm stuck. is this correct?

    auto vmbr1
    iface vmbr1 inet static
            address 192.168.1.1/24
            bridge-ports none
            bridge-stp off
            bridge-fd 0
            post-up echo 1 > /proc/sys/net/ipv4/ip_forward
            post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j SNAT --to (my public IPv4)
            post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j SNAT --to  (my public IPv4)
            post-down echo 0 > /proc/sys/net/ipv4/ip_forward
            iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 192.168.1.2:22
            iptables -t nat -A POSTROUTING -p tcp --sport 22 -s 192.168.1.2 -j SNAT --to-source  (my public IPv4):1234
    

    I bench YABS 24/7/365 unless it's a leap year.

  • AbdullahAbdullah Hosting ProviderOG

    in second-last line
    iptables -t nat -A PREROUTING -i vmbr1 -p tcp --dport 1234 -j DNAT --to 192.168.1.2:22
    can u try this?, you need to specify the interface I think.

    Thanked by (2)cybertech Ouji
  • cybertechcybertech OGBenchmark King

    @Abdullah said:
    in second-last line
    iptables -t nat -A PREROUTING -i vmbr1 -p tcp --dport 1234 -j DNAT --to 192.168.1.2:22
    can u try this?, you need to specify the interface I think.

    Tried, does not seem to work.

    I bench YABS 24/7/365 unless it's a leap year.

  • @cybertech said:

    @Abdullah said:
    in second-last line
    iptables -t nat -A PREROUTING -i vmbr1 -p tcp --dport 1234 -j DNAT --to 192.168.1.2:22
    can u try this?, you need to specify the interface I think.

    Tried, does not seem to work.

    Main interface not the bridge.

    Thanked by (2)cybertech Abdullah
  • SagnikSSagnikS Hosting ProviderOG
    edited July 2020

    @cybertech said:

    @SagnikS said:

    @cybertech said:

    @SagnikS said:
    I just have a separate bridge for NAT VMs.

    auto vmbr1
    iface vmbr1 inet static
        address <first_usable_internal_ip>/<netmask>
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        # Set up NAT for this bridge
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down iptables -t nat -D POSTROUTING -s '<first_internal_ip>/<netmask>' -o <public_if> -j SNAT --to <pubic_ip>
        post-down echo 0 > /proc/sys/net/ipv4/ip_forward
    
        #Port Forwarding Rules
        iptables -t nat -A PREROUTING -p tcp --dport <port> -j DNAT --to-destination <internal_vm_ip>:<port>
        iptables -t nat -A POSTROUTING -p tcp --sport <port> -s <internal_vm_ip>: -j SNAT --to-source <public_ip>:<port>
    

    Anything else needed to be done on the NAT VM?

    Just set the netmask and put in an IP from the internal subnet in the network config, and you should be golden.

    Thanks everyone for the guides, read all of them and could get my NAT VM to access internet.

    Now for accessing SSH NAT VM via port 1234 from outside, I'm stuck. is this correct?

    auto vmbr1
    iface vmbr1 inet static
            address 192.168.1.1/24
            bridge-ports none
            bridge-stp off
            bridge-fd 0
            post-up echo 1 > /proc/sys/net/ipv4/ip_forward
            post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j SNAT --to (my public IPv4)
            post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j SNAT --to  (my public IPv4)
            post-down echo 0 > /proc/sys/net/ipv4/ip_forward
            iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 192.168.1.2:22
            iptables -t nat -A POSTROUTING -p tcp --sport 22 -s 192.168.1.2 -j SNAT --to-source  (my public IPv4):1234
    

    Try this:

     #Port Forwarding Rules
     iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 192.168.1.2:22
     iptables -t nat -A POSTROUTING -p tcp --sport 22 -s 192.168.1.2 -j SNAT --to-source <public_ip>:1234
    

    Whups, looks like you have the exact same config. It should just work, make sure that there's nothing blocking 1234 on the host.

    Thanked by (1)cybertech
  • cybertechcybertech OGBenchmark King

    After couple of tries finally got in! woohoo

    thanks all!

    Thanked by (2)Abdullah Ouji

    I bench YABS 24/7/365 unless it's a leap year.

  • @cybertech you can also use this guide as reference: https://mrpsycho.pl/cheatsheets/Proxmox-on-OVH-Kimsufi-behind-single-IP-NAT/

    It's pretty well written and that's how I did when I was running my Hetzner dedi.

    Thanked by (2)cybertech AlwaysSkint
  • cybertechcybertech OGBenchmark King

    @SagnikS said:
    Try this:

     #Port Forwarding Rules
     iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 192.168.1.2:22
     iptables -t nat -A POSTROUTING -p tcp --sport 22 -s 192.168.1.2 -j SNAT --to-source <public_ip>:1234
    

    Whups, looks like you have the exact same config. It should just work, make sure that there's nothing blocking 1234 on the host.

    This worked for me, does it do the same thing?

    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 9584 -j DNAT --to 192.168.1.2:22
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 9584 -j DNAT --to 192.168.1.2:22
    

    I bench YABS 24/7/365 unless it's a leap year.

  • cybertechcybertech OGBenchmark King

    @Ouji said:
    @cybertech you can also use this guide as reference: https://mrpsycho.pl/cheatsheets/Proxmox-on-OVH-Kimsufi-behind-single-IP-NAT/

    It's pretty well written and that's how I did when I was running my Hetzner dedi.

    it does look complete, gonna boobmark it

    I bench YABS 24/7/365 unless it's a leap year.

  • edited July 2020

    Oh, hi

    @cybertech said: it does look complete, gonna boobmark it

    Thank you.

    @cybertech said: This worked for me, does it do the same thing?

    Lines starting with post-up/down should be placed inside /etc/network/interfaces. They indicate what command is going to be executed when interface is brought up/down; -A means add, -D means delete. As for the POSTROUTING - I'm not sure how would it be useful.

    E: You will want to execute what's past post-up to apply the rule immediately (as described in the tutorial).

    Thanked by (1)cybertech
  • @MrPsycho said: Oh, hi

    Hey hey. Thanks for the write-up, it really helped me a lot and I always link it when someone asks for NAT setup in Proxmox, I hope you don't mind.

    Thanked by (1)MrPsycho
  • AbdullahAbdullah Hosting ProviderOG

    Hey hi, anyone can point me to a guide on adding IPv6 to openvz containers. I tried many approaches but I suspect firewalld messes with ipv6. Anyone can share their experience?

  • bdlbdl OG
    edited July 2020

    Does anyone have any opinions on using ufw on the proxmox host vs using the built in firewall (for host protection)? I'm using ufw at the moment but it's a little clunky so considering switching to use the built in firewall. Either that or grabbing a second IP and using virtualised pfsense...

  • edited July 2020

    UFW - yuk! Thought that was only a Ubuntu thing (plus Linux Mint desktop.)
    CSF. ;)

    Thanked by (1)bdl

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • bdlbdl OG
    edited July 2020

    @AlwaysSkint said:
    UFW - yuk! Thought that was only a Ubuntu thing (plus Linux Mint desktop.)
    CSF. ;)

    force of habit with Ubuntu boxen I was stuck using. Ended up just rebuilding and using the Proxmox built in fw and all is good in the pve world :)

    Thanked by (1)AlwaysSkint
Sign In or Register to comment.