
I have a server at Hetzner with several public IPs. I configured it in bridge mode. Everything is working so far, but how do I tell the individual VM to please go online with this public IP address? So the gateway?

auto lo
iface lo inet loopback

auto enp7s0
iface enp7s0 inet static
        address 88.188.61.127/27
        gateway 88.188.61.161
        post-up sysctl -w net.ipv4.ip_forward=1
        post-up iptables -t nat -A PREROUTING -i enp7s0 -p tcp -m multiport ! --dport 45735 -j DNAT --to 10.10.10.1
        post-up iptables -t nat -A PREROUTING -i enp7s0 -p udp -j DNAT --to 10.10.10.1

auto vmbr0
iface vmbr0 inet static
        address 88.188.61.127/27
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        up ip route add 89.178.66.171/27 dev vmbr0

auto vmbr1
iface vmbr1 inet static
        address 10.10.10.0/31
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.1/31' -o enp7s0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.1/31' -o enp7s0 -j MASQUERADE
#Mikrotik WAN Proxmox LAN

auto vmbr2
iface vmbr2 inet static
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#DMZ

auto vmbr3
iface vmbr3 inet static
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#VM-Intern

source /etc/network/interfaces.d/*

1 Answer

You either assign other IPs to VMs (i.e. not to host), or you do NAT on the host, in which case you can match on the private IP of the VM in the SNAT rule and match on the public IP in the DNAT rule. (You can assign public IPs to some VMs and do NAT for others, that's perfectly fine.)

First approach (IPs directly in VMs/containers) is generally easier and gives you less hassle, but you need to, again, either route those IPs without NATting, or bridge the main "WAN" interface of your PVE and specify VM MACs in the Hetzner web interface to allow those MACs to have Internet connection. Hetzner usually gives additionally only selected addresses, not whole subnets.

The "routing by the host without NAT" seems the best approach. For that:

  • you leave your enp7s0 setting exactly as it is now (that's your working PVE WAN, I believe)
  • you assign the same IP address but with /32 netmask to the "public IP bridge", which is, I assume, your vmbr0.
  • you add direct /32 routes to those selected addresses via bridge interface
  • on virtual machines or containers, you add a direct route to this address of vmbr0 and set it as the default gateway also.

So, for example, if you were given one 89.178.66.171 additional address, you set up on the host:

auto vmbr0
iface vmbr0 inet static
        address 88.188.61.127/32
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        up ip route add 89.178.66.171 dev vmbr0

and on the VM, which gets plugged into this bridge:

auto ens18
iface ens18 inet static
        address 89.178.66.171/32
        up ip route add 88.188.61.127 dev ens18
        up ip route add default via 88.188.61.127

This is based on the experience I had in the past. Things may change. It would be nice if you show the instructions they gave to you, so I can help you adapt that for PVE.
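As an added check (an example script, not part of the answer above), the following POSIX shell audit verifies on the PVE host the three things this layout depends on: forwarding enabled, the host address present as /32 on the public-IP bridge, and a host route for each additional address via that bridge. The host IP 88.188.61.127, bridge vmbr0 and additional address 89.178.66.171 are the values from this thread; the parsed text is the single-line output format of iproute2's `ip -o route show` and `ip -o -4 addr show`.

```shell
#!/bin/sh
# Added example, not from the original answer: audit a PVE host for the
# "routed without NAT" layout. Assumed values taken from the thread.
HOST_IP=88.188.61.127
BRIDGE=vmbr0

# has_host_route ROUTES IP DEV
# 0 if ROUTES (text of `ip -o route show`) holds the host route that
# `up ip route add IP dev DEV` creates.
has_host_route() {
    printf '%s\n' "$1" | grep -Eq "^$2 dev $3( |$)"
}

# has_slash32_addr ADDRS IP DEV
# 0 if ADDRS (text of `ip -o -4 addr show`) shows IP/32 on DEV. A /27 here
# would make the kernel treat the whole public subnet as connected to the
# bridge and compete with the WAN interface's connected route.
has_slash32_addr() {
    printf '%s\n' "$1" | grep -Eq "^[0-9]+: $3 +inet $2/32( |$)"
}

# forwarding_enabled VALUE: 0 if VALUE (from `sysctl -n net.ipv4.ip_forward`) is 1.
forwarding_enabled() {
    [ "$1" = "1" ]
}

# audit_host PUBIP...: run the checks against the live system; the return
# value is the number of failed checks.
audit_host() {
    fails=0
    routes=$(ip -o route show)
    addrs=$(ip -o -4 addr show)
    fwd=$(sysctl -n net.ipv4.ip_forward)
    forwarding_enabled "$fwd" || { echo "net.ipv4.ip_forward is $fwd, needs 1"; fails=$((fails + 1)); }
    has_slash32_addr "$addrs" "$HOST_IP" "$BRIDGE" || { echo "$HOST_IP/32 missing on $BRIDGE"; fails=$((fails + 1)); }
    for ip in "$@"; do
        has_host_route "$routes" "$ip" "$BRIDGE" || { echo "no host route for $ip via $BRIDGE"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Live run only when additional addresses are given, e.g.: ./audit.sh 89.178.66.171
if [ $# -gt 0 ]; then
    audit_host "$@"
fi
```

Run it on the host after `ifreload -a`; a non-zero exit status lists which prerequisite is missing.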