How to route additional IP address exclusively to nested virt instance?

I have a host running Proxmox and I want to create another nested Proxmox instance which will use the additional IP address.

How do I configure the main host so that connections to the additional IP go directly to the nested instance without any interference from the host?

Does that entail creating an additional NIC on the host and somehow binding it to the nested instance? Quite simply, I want it such that if the nested virt is shut down, the IP does not respond in any manner.

Comments

  • xvps Member
    edited December 2024

    To achieve this, you can configure routing and networking on your Proxmox host so that the additional IP is directly routed to the nested Proxmox instance, ensuring no interference from the host itself. Here's how you can set it up step by step:


    1. Obtain an Additional IP

    • Confirm that your additional IP address is properly assigned to your host by your provider. Check if it is on the same subnet as the main host or if it requires a routed setup.

    2. Set Up a Bridge on the Host

    • Create a dedicated bridge interface on the host. This bridge will be exclusively used by the nested instance.

      Example /etc/network/interfaces configuration for the Proxmox host:

      auto vmbr1
      iface vmbr1 inet manual
         bridge_ports none
         bridge_stp off
         bridge_fd 0
      
    • Restart networking or add the bridge dynamically:

      systemctl restart networking


    3. Assign the Additional IP to the Nested Instance

    • Do not assign the additional IP to the Proxmox host itself.
    • Create or edit the network configuration of the nested Proxmox instance:

      • Attach the nested instance's virtual NIC to vmbr1.
      • Inside the nested Proxmox instance, assign the additional IP address to its interface.

        Example /etc/network/interfaces for the nested instance:

        auto ens18
        iface ens18 inet static
         address <ADDITIONAL_IP>
         netmask <NETMASK>
         gateway <GATEWAY>
        

        Replace <ADDITIONAL_IP>, <NETMASK>, and <GATEWAY> with the details provided by your provider. If using routed IPs, the gateway may be your Proxmox host's primary IP.


    4. Set Up a MAC Address (If Required)

    • Some providers require you to use a specific MAC address for the additional IP. Generate a virtual MAC address (often done in the provider's control panel) and assign it to the virtual NIC of the nested instance.

      In Proxmox, edit the VM configuration (/etc/pve/qemu-server/<VMID>.conf):

      net0: virtio=<GENERATED_MAC>,bridge=vmbr1


    5. Ensure the Host Doesn't Respond to the Additional IP

    • Do not assign the additional IP to the Proxmox host at all.
    • Verify that no processes are listening on this IP:

      ss -lntp

    6. Test the Setup

    • Start the nested Proxmox instance and verify that the additional IP responds correctly.
    • Stop the nested Proxmox instance and confirm that the additional IP does not respond to pings or connections.

    Additional Notes

    • Dedicated NIC: If desired, you can bind a physical NIC to the nested instance (pass-through), but this is not necessary for the described scenario.
    • Firewall Rules: Optionally, configure the host's firewall (e.g., UFW or iptables) to ensure no accidental interference with the additional IP:

      iptables -A INPUT -d <ADDITIONAL_IP> -j DROP
      iptables -A FORWARD -d <ADDITIONAL_IP> -j ACCEPT
      
    • Routing Setup: If the additional IP requires routed configuration, ensure proper forwarding and routing rules are applied.

    This setup ensures that the additional IP is exclusively tied to the nested instance, and the host does not interfere or respond to it.

    Regards,

    Chatgpt

    Thanked by 1k9banger
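
Added example, not part of either reply: a POSIX shell check for steps 5 and 6 above, confirming that the host neither holds the additional IP nor has a socket bound explicitly to it. The function names and the sample addresses (documentation range 203.0.113.0/24) are constructed for illustration; the sample text imitates trimmed `ip -o -4 addr show` and `ss -4 -lntH` output.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses are constructed samples.
ADDITIONAL_IP=203.0.113.20

# Constructed, trimmed `ip -o -4 addr show` output: a clean host, and a host
# where the additional IP was mistakenly left on vmbr0.
ADDR_CLEAN='1: lo    inet 127.0.0.1/8 scope host lo
2: vmbr0    inet 203.0.113.10/24 scope global vmbr0'
ADDR_BAD="$ADDR_CLEAN
2: vmbr0    inet 203.0.113.20/32 scope global vmbr0"

# Constructed `ss -4 -lntH` output for the same two hosts.
SS_CLEAN='LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 4096 203.0.113.10:8006 0.0.0.0:*'
SS_BAD="$SS_CLEAN
LISTEN 0 511  203.0.113.20:80   0.0.0.0:*"

# Exit 0 if $1 is configured as a local IPv4 address (stdin: ip -o -4 addr show).
ip_is_local() {
    awk -v ip="$1" '$3 == "inet" { split($4, a, "/"); if (a[1] == ip) hit = 1 }
                    END { exit !hit }'
}

# Print the ports of sockets bound explicitly to $1 (stdin: ss -4 -lntH).
# Wildcard (0.0.0.0) listeners only answer for local addresses, so the
# ip_is_local check covers them.
listeners_on_ip() {
    awk -v ip="$1" '{ n = split($4, a, ":")
                      if (substr($4, 1, length($4) - length(a[n]) - 1) == ip) print a[n] }'
}

# Return 0 only when the host neither owns nor listens on the IP.
# $1 = IP, $2 = ip addr output, $3 = ss output
audit_host() {
    rc=0
    if printf '%s\n' "$2" | ip_is_local "$1"; then
        echo "FAIL: $1 is assigned to a host interface"; rc=1
    fi
    ports=$(printf '%s\n' "$3" | listeners_on_ip "$1" | tr '\n' ' ')
    if [ -n "$ports" ]; then
        echo "FAIL: host sockets bound to $1 on port(s): $ports"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: host does not own or listen on $1"; fi
    return "$rc"
}

audit_host "$ADDITIONAL_IP" "$ADDR_CLEAN" "$SS_CLEAN"
audit_host "$ADDITIONAL_IP" "$ADDR_BAD" "$SS_BAD" || true
# Live host: audit_host "$ADDITIONAL_IP" "$(ip -o -4 addr show)" "$(ss -4 -lntH)"
```

Run it with the nested instance stopped; a FAIL line means the host itself can still answer for the additional IP.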
  • Clouvider Member, Patron Provider

    If the subnet is statically routed to your bare metal, you’d just enable forwarding and set it up on the bridge towards the nested VM.

    If not, you are looking at a less clean setup with NAT and/or proxy arp.

    Thanked by 1k9banger