hosting proxmox vms with single ip, NAT forwarding help

I followed this guide https://wiki.abyssproject.net/en/proxmox/proxmox-with-one-public-ip

where I completed 1. Routing configuration and 2. DHCP for virtual machines.

It is working; however, Virtualmin gets installed on the private IP. How do I fix it?

How do I allow NAT forwarding for all the important ports (22, 23, 80, 443, 10000) to access the VMs from outside Proxmox?

Thanks.

Comments

  • If your server is a cloud server and it's easy to do a system reinstall, I would first recommend trying https://www.spiritlhl.net/en/guide/dashboard.html for a one-click setup.

  • tridinebandimtridinebandim Member
    edited December 2024

    You will only have 5 to 10 VMs max in Proxmox, right? Don't use DHCP and make it more complicated; give IPs by hand and add the required NAT config lines to the networking thing...

  • There are many ways to achieve this. The "simplest" is using iptables, but virsh will trample over your rules every time you bring up a new VM. I should note that I use virsh directly rather than Proxmox. But anyway, the important thing is the iptables DNAT rules.

    I've settled on using the netfilter package on Debian. I have many configs, one per service; for example /usr/share/netfilter-persistent/plugins.d/21-haproxy looks like this:

    #!/bin/sh
    
    # This file is part of netfilter-persistent
    # (was iptables-persistent)
    # Copyright (C) 2009, Simon Richter <[email protected]>
    # Copyright (C) 2010, 2014 Jonathan Wiltshire <[email protected]>
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation, either version 3
    # of the License, or (at your option) any later version.
    
    # can be iterated on using:
    #
    # /etc/init.d/netfilter-persistent flush
    # /etc/init.d/netfilter-persistent reload
    
    set -e
    
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    
    load_rules()
    {
            echo Setting up my haproxy rules
    
            iptables -N HAPROXY_FWD
            iptables -A FORWARD -j HAPROXY_FWD
    
            iptables -t nat -N HAPROXY_PRE
            iptables -t nat -A PREROUTING -j HAPROXY_PRE
    
            EXT=2.x.x.x
            INT=192.168.x.x
    
            for p in 80 443
            do
                    iptables -A HAPROXY_FWD -d $EXT/32 -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT
    
                    iptables -t nat -A HAPROXY_PRE -d $EXT/32 -i virbr17 -p tcp -m tcp --dport $p -j DNAT --to-destination $INT:$p
                    iptables -t nat -A HAPROXY_PRE -d $EXT/32 -i virbr20 -p tcp -m tcp --dport $p -j DNAT --to-destination $INT:$p
                    iptables -t nat -A HAPROXY_PRE -d $EXT/32 -i virbr23 -p tcp -m tcp --dport $p -j DNAT --to-destination $INT:$p
                    iptables -t nat -A HAPROXY_PRE -d $EXT/32 -i eth0 -p tcp -m tcp --dport $p -j DNAT --to-destination $INT:$p
            done
    
            iptables -A HAPROXY_FWD -s $INT -d 192.168.y.y -j ACCEPT
            iptables -A HAPROXY_FWD -d $INT -s 192.168.y.y -j ACCEPT
    
            iptables -A HAPROXY_FWD -s $INT -d 192.168.y.y -p tcp --dport 8080 -j ACCEPT
    
            iptables -A HAPROXY_FWD -s $INT -d 192.168.z.z -j ACCEPT
            iptables -A HAPROXY_FWD -s $INT -d 192.168.z.z -p tcp --dport 80 -j ACCEPT
    
            iptables -A HAPROXY_FWD -s 192.168.0.0/16 -d $EXT -p tcp --dport 443 -j ACCEPT
            iptables -A HAPROXY_FWD -s 192.168.0.0/16 -d $INT -p tcp --dport 443 -j ACCEPT
    }
    
    flush_rules()
    {
            echo Pulling down my haproxy rules
    
            iptables -D FORWARD -j HAPROXY_FWD || true
            iptables -F HAPROXY_FWD || true
            iptables -X HAPROXY_FWD || true
    
            iptables -t nat -D PREROUTING -j HAPROXY_PRE || true
            iptables -t nat -F HAPROXY_PRE || true
            iptables -t nat -X HAPROXY_PRE || true
    }
    
    case "$1" in
    start|restart|reload|force-reload)
            load_rules
            ;;
    save)
            ;;
    stop)
            # Why? because if stop is used, the firewall gets flushed for a variable
            # amount of time during package upgrades, leaving the machine vulnerable
            # It's also not always desirable to flush during purge
            #echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
            ;;
    flush)
            flush_rules
            ;;
    *)
        echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
        exit 1
        ;;
    esac
    
    Thanked by 1ariq01
  • Still looks complicated. Will adding an additional IP work? I assume I can route traffic using a pfSense VM for the 2nd IP?

  • jmgcaguiclajmgcaguicla Member
    edited December 2024

    @aryanraj said:
    Still looks complicated. Will adding an additional IP work? I assume I can route traffic using a pfSense VM for the 2nd IP?

    How the hell is it complicated? It's literally a one-liner:
    iptables -t nat -I PREROUTING -d 1.1.1.1 -p tcp --dport 2222 -j DNAT --to-destination 2.2.2.2:22

    Some compromise has to be made if you're skimping on something; if you don't want complexity, then cough up the cash and just get another IP.
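    The netfilter-persistent plugin posted above and the one-liner here both boil down to the same two rule types (a DNAT in nat/PREROUTING and an ACCEPT in FORWARD). The following is an added example, not code from this thread, that puts them together for the ports the OP asked about. All addresses and interface names are constructed placeholders (public IP 203.0.113.10 on vmbr0, VM bridge subnet 10.10.10.0/24, target VM 10.10.10.2); without APPLY=1 it only prints the rules so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread: netfilter-persistent-style plugin forwarding the
# OP's ports from one public IP to a NAT'd VM. Constructed values: public IP 203.0.113.10
# on vmbr0, VM bridge subnet 10.10.10.0/24, target VM 10.10.10.2. Dry run unless APPLY=1.
set -e
EXT_IP="${EXT_IP:-203.0.113.10}"; EXT_IF="${EXT_IF:-vmbr0}"
INT_NET="${INT_NET:-10.10.10.0/24}"; WEB_VM="${WEB_VM:-10.10.10.2}"
NAT_CHAIN=VM_DNAT; FWD_CHAIN=VM_FWD

# Execute the rule when APPLY=1, otherwise print it (dry run).
run_or_print() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi; }
# forward_port PROTO EXT_PORT DEST_IP [DEST_PORT]: one DNAT plus one FORWARD accept.
# With plain NAT each external port can map to only one VM (Falzo's point below).
forward_port() {
    dport="${4:-$2}"
    run_or_print iptables -t nat -A "$NAT_CHAIN" -i "$EXT_IF" -d "$EXT_IP/32" \
        -p "$1" --dport "$2" -j DNAT --to-destination "$3:$dport"
    run_or_print iptables -A "$FWD_CHAIN" -i "$EXT_IF" -d "$3" -p "$1" --dport "$dport" \
        -m conntrack --ctstate NEW -j ACCEPT
}
load_rules() {
    run_or_print iptables -t nat -N "$NAT_CHAIN"
    run_or_print iptables -t nat -A PREROUTING -j "$NAT_CHAIN"
    run_or_print iptables -N "$FWD_CHAIN"
    run_or_print iptables -A FORWARD -j "$FWD_CHAIN"
    # VMs reach the internet with the host's public address.
    run_or_print iptables -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE
    # Replies to forwarded connections.
    run_or_print iptables -A "$FWD_CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH on a distinct external port so the host's own port 22 is not shadowed.
    forward_port tcp 2222 "$WEB_VM" 22
    # HTTP, HTTPS and the Virtualmin/CloudPanel port; plaintext telnet (23) is left out.
    for p in 80 443 10000; do forward_port tcp "$p" "$WEB_VM"; done
}
flush_rules() {
    run_or_print iptables -t nat -D PREROUTING -j "$NAT_CHAIN" || true
    run_or_print iptables -t nat -F "$NAT_CHAIN" || true
    run_or_print iptables -t nat -X "$NAT_CHAIN" || true
    run_or_print iptables -D FORWARD -j "$FWD_CHAIN" || true
    run_or_print iptables -F "$FWD_CHAIN" || true
    run_or_print iptables -X "$FWD_CHAIN" || true
}
case "${1:-}" in
    start|reload) load_rules ;;
    flush) flush_rules ;;
    "") ;;  # no action: only define the functions (e.g. when sourced)
    *) echo "Usage: $0 {start|reload|flush}" >&2; exit 1 ;;
esac
```

    Running it as `sh plugin.sh start` prints the full rule set; `APPLY=1 sh plugin.sh start` applies it, and `flush` removes only these two chains so unrelated rules (Proxmox's own firewall included) are left alone.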

  • @jmgcaguicla said:

    @aryanraj said:
    Still looks complicated. Will adding an additional IP work? I assume I can route traffic using a pfSense VM for the 2nd IP?

    How the hell is it complicated? It's literally a one-liner:
    iptables -t nat -I PREROUTING -d 1.1.1.1 -p tcp --dport 2222 -j DNAT --to-destination 2.2.2.2:22

    Some compromise has to be made if you're skimping on something; if you don't want complexity, then cough up the cash and just get another IP.

    I can get another IP, but not when you have to manage 5-10 VMs.

  • aUser_aUser_ Member
    edited December 2024

    Just buy a second IP.
    If you are not familiar with the ins and outs of Linux networking and remote VM hosting, you will probably not appreciate the difficulties when you get it wrong trying to share one IP address!

    Does your server have a 2nd (private) Ethernet port? If so, you could probably pay a low monthly fee for VPN access to admin the machine via the 2nd port and use the main port for Proxmox VM access.
    Or you could use Tailscale for private access. Look that up; it's WireGuard on easy mode using SSH security. ;-)

    If this is all new to you, ... just pay for the simple option, get it working, then teach yourself how to do it the other ways.

    Just my 2 satoshis! ;-)

    Thanked by 1iamroot2
  • This simple script done by @loay will make it easier for you ;)

    Thanked by 1loay
  • @aryanraj said:
    Still looks complicated. Will adding an additional IP work? I assume I can route traffic using a pfSense VM for the 2nd IP?

    I'd suggest an LXC container running OpenWrt instead of pfSense; it uses fewer resources and I believe it is more user friendly!

    Thanked by 1ChillBird
  • naphthanaphtha Member
    edited December 2024

    Kind of off topic, but that guide tells you to use ufw with PVE. Don't. ufw breaks PVE's built-in firewall (including ipset filters); just use PVE's directly, it even has a nice UI.

  • @tfgp99 said:

    @aryanraj said:
    Still looks complicated. Will adding an additional IP work? I assume I can route traffic using a pfSense VM for the 2nd IP?

    I'd suggest an LXC container running OpenWrt instead of pfSense; it uses fewer resources and I believe it is more user friendly!

    You mean using LXD instead of Proxmox?

  • @naphtha said:
    Kind of off topic, but that guide tells you to use ufw with PVE. Don't. ufw breaks PVE's built-in firewall (including ipset filters); just use PVE's directly, it even has a nice UI.

    Not off topic, thanks. I am just looking at optional ways to set up a GUI-based container after buying an additional IP to run multiple VMs.

  • @aryanraj said: You mean using LXD instead of Proxmox?

    Proxmox does containers. But it looks like you're looking for something simpler like Docker/Podman, not full Proxmox. Depends on what you want to do, really.

  • @naphtha said:

    @aryanraj said: You mean using LXD instead of Proxmox?

    Proxmox does containers. But it looks like you're looking for something simpler like Docker/Podman, not full Proxmox. Depends on what you want to do, really.

    Sorry, I just checked: CT is an LXC container, for Linux distributions only. I want to use Proxmox > CloudPanel for running sites.

  • Install Proxmox, set up vmbr1, add masquerade rules to the networking config, list the ports that CloudPanel uses, install CloudPanel, add the required iptables lines for those ports to the networking config... Use your IP to access CloudPanel.

    If you plan to add multiple websites in CloudPanel, add and configure HAProxy (I think...).

    Thanked by 1ChillBird
  • You can use/forward each port only once if using regular NAT. Just in case you plan on running multiple VMs for web hosting: this won't work with a single IP and only forwarding rules. For that you would indeed need some proxy on the node itself. Same for mail and so on...

    Read up on NAT and networking; it feels like you are missing quite some basics here...

    Thanked by 1ChillBird
  • @Falzo said:
    You can use/forward each port only once if using regular NAT. Just in case you plan on running multiple VMs for web hosting: this won't work with a single IP and only forwarding rules. For that you would indeed need some proxy on the node itself. Same for mail and so on...

    Read up on NAT and networking; it feels like you are missing quite some basics here...

    I am very new to NAT and networking. I recently tried to set it up again and it all worked. :) I understand that ports 80 and 443 will work with only one VM, as all the VMs pointing to the same IP:port will not work. I reviewed and reconfigured it and got my main VM needed for CloudPanel working. I can now use the idle resources for other stuff that does not require those ports.

    Thanked by 1Falzo
  • msattmsatt Member, Host Rep

    Really worth looking at https://community-scripts.github.io/ProxmoxVE/scripts. You can install OpenWrt, which allows you to create many internal networks.
    Also, the site has many other handy tools for Proxmox.

    Thanked by 2ChillBird ariq01
  • @msatt said:
    Really worth looking at https://community-scripts.github.io/ProxmoxVE/scripts. You can install OpenWrt, which allows you to create many internal networks.
    Also, the site has many other handy tools for Proxmox.

    This is really useful. Thanks.
