Create Private Network Bridge on Proxmox VE with NAT


In this article we show you how to create a private, virtual network bridge on Proxmox VE with NAT configured. In a Proxmox virtualization infrastructure, network configuration can be done either via the CLI (by manually editing the network configuration files) or from the intuitive graphical user interface. Either method works; the choice may depend on your Linux administration expertise.

One advantage of modifying the network configuration from the GUI is that Proxmox VE does not write changes directly to /etc/network/interfaces. Instead, it uses a temporary file, /etc/network/interfaces.new, which allows many related changes to be staged at once. It also helps to ensure the network changes are correct before committing them to /etc/network/interfaces, as a wrong network configuration may render a node inaccessible.

Create Virtual Network Bridge on Proxmox With NAT

For the CLI method, you edit the /etc/network/interfaces configuration file directly:

sudo vim /etc/network/interfaces

I’ll create a virtual network bridge based on the network parameters below:

  • Network: 192.168.50.0
  • Network mask: 255.255.255.0
  • Proxmox host IP: 192.168.50.1

Print current active network interfaces on the server:

$ sudo ip -f inet a s
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp4s0:  mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.58.236/26 brd 195.201.58.255 scope global enp4s0
       valid_lft forever preferred_lft forever

I’ll create a virtual bridge named vmbr1:

auto vmbr1
iface vmbr1 inet static
 address 192.168.50.1
 netmask 255.255.255.0
 bridge_ports none
 bridge_stp off
 bridge_fd 0

Notice that there is no physical interface linked to the bridge (bridge_ports none).

Configure NAT (Masquerading)

Masquerading allows the virtual machines in the private network you created to reach external networks by using the host IP address for outgoing traffic. Each outgoing packet is rewritten by iptables to appear as originating from the host, and responses are rewritten accordingly so that they are routed back to the original sender.

I’ll modify the above network configuration to add routing for internet connectivity. Since my primary interface enp4s0 is connected to a physical switch and has internet connectivity, we’ll route traffic coming from vmbr1 through it.

auto vmbr1
iface vmbr1 inet static
  address 192.168.50.1
  netmask 255.255.255.0
  bridge_ports none
  bridge_stp off
  bridge_fd 0
  post-up echo 1 > /proc/sys/net/ipv4/ip_forward
  post-up   iptables -t nat -A POSTROUTING -s '192.168.50.0/24' -o enp4s0 -j MASQUERADE
  post-down iptables -t nat -D POSTROUTING -s '192.168.50.0/24' -o enp4s0 -j MASQUERADE

Note that enp4s0 can be replaced with a VLAN interface or another Linux bridge. iptables provides the masquerading feature that allows instances on the private virtual network to access the internet.
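The stanza above is easy to get subtly wrong: if the -s network in the MASQUERADE rule does not match the bridge's address/netmask, VMs silently get no internet, and if the post-down line does not mirror the post-up line, every ifdown/ifup leaves another copy of the rule in the nat table. As an added example (not code from the original article or from Proxmox VE; the function names are my own), this POSIX sh script derives the stanza from the three network parameters listed earlier and checks an existing stanza for those two mistakes:

```shell
# Added example (hypothetical helpers, not Proxmox VE code): build a NAT bridge
# stanza like vmbr1 above and check an existing one for inconsistencies.

# Dotted netmask -> prefix length (255.255.255.0 -> 24); non-contiguous masks fail.
mask_to_prefix() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  inv=$(( m ^ 4294967295 ))                        # host bits: ~m & 0xffffffff
  [ $(( inv & (inv + 1) )) -eq 0 ] || return 1     # host bits must be contiguous low bits
  n=0; while [ "$inv" -gt 0 ]; do inv=$((inv >> 1)); n=$((n + 1)); done
  printf '%s\n' $((32 - n))
}

# Host address AND netmask -> network address (192.168.50.1 -> 192.168.50.0).
network_of() {
  set -- $(printf '%s %s' "$1" "$2" | tr '.' ' ')
  printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# Emit the interfaces(5) stanza. The MASQUERADE source is derived from the bridge
# address/netmask, and post-down mirrors post-up so ifdown/ifup cannot stack rules.
nat_bridge_stanza() {  # args: bridge host_ip netmask uplink
  cidr="$(network_of "$2" "$3")/$(mask_to_prefix "$3")" || return 1
  cat <<EOF
auto $1
iface $1 inet static
  address $2
  netmask $3
  bridge_ports none
  bridge_stp off
  bridge_fd 0
  post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
  post-up   iptables -t nat -A POSTROUTING -s '$cidr' -o $4 -j MASQUERADE
  post-down iptables -t nat -D POSTROUTING -s '$cidr' -o $4 -j MASQUERADE
EOF
}

# Check a stanza on stdin (e.g. copied from /etc/network/interfaces): the -A rule's
# source must equal the bridge's own network and must have a matching -D rule.
check_stanza() {
  text=$(cat)
  addr=$(printf '%s\n' "$text" | awk '$1=="address"{print $2}')
  mask=$(printf '%s\n' "$text" | awk '$1=="netmask"{print $2}')
  want="$(network_of "$addr" "$mask")/$(mask_to_prefix "$mask")" || return 1
  got=$(printf '%s\n' "$text" | sed -n "s/.*-A POSTROUTING -s '\([^']*\)'.*/\1/p")
  [ "$got" = "$want" ] || { echo "NAT source '$got' != bridge net '$want'" >&2; return 1; }
  printf '%s\n' "$text" | grep -qF -- "-D POSTROUTING -s '$got'" ||
    { echo "post-up rule for $got has no matching post-down" >&2; return 1; }
}
```

Pipe the vmbr1 block from /etc/network/interfaces into check_stanza before running ifup; a non-zero exit and a message on stderr tell you which of the two mismatches it found.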

Bring up the bridge interface

Validate that your network configuration is correct by manually bringing up the bridge interface:

$ sudo ifup vmbr1
Waiting for vmbr1 to get ready (MAXWAIT is 2 seconds).

Check bridge IP information:

$ ip address show dev vmbr1
3: vmbr1:  mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 16:cf:7e:23:de:1e brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.1/24 brd 192.168.50.255 scope global vmbr1
       valid_lft forever preferred_lft forever
    inet6 fe80::14cf:7eff:fe23:de1e/64 scope link
       valid_lft forever preferred_lft forever

From the output it can be confirmed that the IP address on vmbr1 is correct.

You should be able to restart networking service without any failures:

sudo systemctl restart networking

Confirm status is active:

$ systemctl status networking.service
● networking.service - Raise network interfaces
   Loaded: loaded (/lib/systemd/system/networking.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2021-05-07 19:27:34 CEST; 29s ago
     Docs: man:interfaces(5)
  Process: 27355 ExecStart=/sbin/ifup -a --read-environment (code=exited, status=0/SUCCESS)
 Main PID: 27355 (code=exited, status=0/SUCCESS)

May 07 19:27:29 proxmox systemd[1]: Starting Raise network interfaces...
May 07 19:27:34 proxmox ifup[27355]: Waiting for DAD... Done
May 07 19:27:34 proxmox ifup[27355]: Waiting for vmbr1 to get ready (MAXWAIT is 2 seconds).
May 07 19:27:34 proxmox systemd[1]: Started Raise network interfaces.

Once you create a virtual machine on the bridge, it will behave as if it were directly connected to the physical network. The network, in turn, sees each virtual machine as having its own MAC address, even though there is only one network cable connecting all of these VMs to the network.

Our next articles will cover more areas of Proxmox server administration. In the meantime, check out the other articles we have on Virtualization:

A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.