In this article we show you how to create a private and virtual network bridge on Proxmox with NAT configured. In Proxmox virtualization infrastructure, network configuration can be done either via the CLI (manually editing network configuration files), or from an intuitive graphical user interface. Either method can be used, but a choice may depend on your Linux administration expertise.
One advantage of modifying network configurations from GUI is that Proxmox VE does not write changes directly to /etc/network/interfaces. Instead, it will use a temporary file called /etc/network/interfaces.new, which allows many related changes at once. It also helps to ensure the network changes are correct before committing to /etc/network/interfaces , as a wrong network configuration may render a node inaccessible.
Create Virtual Network Bridge on Proxmox With NAT
For CLI method you’ll edit /etc/network/interfaces configuration file directly.
sudo vim /etc/network/interfaces
I’ll create a virtual network bridge based on below network parameters:
- Network: 192.168.50.0
- Network mask: 255.255.255.0
- Proxmox host IP: 192.168.50.1
Print current active network interfaces on the server:
$ sudo ip -f inet a s 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 inet 192.168.58.236/26 brd 220.127.116.11 scope global enp4s0 valid_lft forever preferred_lft forever
I’ll create a virtual bridge named vmbr1
auto vmbr1 iface vmbr1 inet static address 192.168.50.1 netmask 255.255.255.0 bridge_ports none bridge_stp off bridge_fd 0
Notice there is no physical interface linked to the bridge (bridge_ports none).
Configure NAT (Masquerading)
Masquerading allows your virtual machines in a private network created to access the external networks by using the host IP address for outgoing traffic. Each outgoing packet is rewritten by iptables to appear as originating from the host, and responses are rewritten accordingly to be routed to the original sender.
I’ll modify above network configurations to add routing for internet connectivity. Since my primary interface enp4s0 is connected to physical switch and has internet connectivity, we’ll route traffic coming from vmbr1 through it.
auto vmbr1 iface vmbr1 inet static address 192.168.50.1 netmask 255.255.255.0 bridge_ports none bridge_stp off bridge_fd 0 post-up echo 1 > /proc/sys/net/ipv4/ip_forward post-up iptables -t nat -A POSTROUTING -s '192.168.50.0/24' -o enp4s0 -j MASQUERADE post-down iptables -t nat -D POSTROUTING -s '192.168.50.0/24' -o enp4s0 -j MASQUERADE
Note that enp4s0 can be replaced with a VLAN interface or another Linux bridge. iptables provides the masquerading feature that allow instances on the private virtual network to access the internet.
Bring up the bridge interface
Validate your network configurations are correct by manually bringing up the bridge interface
$ sudo ifup vmbr1 Waiting for vmbr1 to get ready (MAXWAIT is 2 seconds).
Check bridge IP information:
$ ip address show dev vmbr1 3: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether 16:cf:7e:23:de:1e brd ff:ff:ff:ff:ff:ff inet 192.168.50.1/24 brd 192.168.50.255 scope global vmbr1 valid_lft forever preferred_lft forever inet6 fe80::14cf:7eff:fe23:de1e/64 scope link valid_lft forever preferred_lft forever
From the output it can be confirmed the IP address on the vmbr1 is correct.
You should be able to restart networking service without any failures:
$ sudo systemctl restart networking
Confirm status is active:
$ systemctl status networking.service ● networking.service - Raise network interfaces Loaded: loaded (/lib/systemd/system/networking.service; enabled; vendor preset: enabled) Active: active (exited) since Fri 2021-05-07 19:27:34 CEST; 29s ago Docs: man:interfaces(5) Process: 27355 ExecStart=/sbin/ifup -a --read-environment (code=exited, status=0/SUCCESS) Main PID: 27355 (code=exited, status=0/SUCCESS) May 07 19:27:29 proxmox systemd: Starting Raise network interfaces... May 07 19:27:34 proxmox ifup: Waiting for DAD... Done May 07 19:27:34 proxmox ifup: Waiting for vmbr1 to get ready (MAXWAIT is 2 seconds). May 07 19:27:34 proxmox systemd: Started Raise network interfaces.
Once you create a Virtual machine on the bridge created, it will behave as if it is directly connected to the physical network. The network, in turn, sees each virtual machine as having its own MAC, even though there is only one network cable connecting all of these VMs to the network.
Our next articles will cover more ares on Proxmox server administration. In the meantime, checkout other articles we have on Virtualization: