In this article we show you how to create a private virtual network bridge on Proxmox with NAT configured. In Proxmox virtualization infrastructure, network configuration can be done either via the CLI (manually editing network configuration files) or from an intuitive graphical user interface. Either method can be used; the choice may depend on your Linux administration expertise.

One advantage of modifying network configurations from the GUI is that Proxmox VE does not write changes directly to /etc/network/interfaces. Instead, it uses a temporary file called /etc/network/interfaces.new, which allows many related changes to be made at once. It also helps to ensure the network changes are correct before committing them to /etc/network/interfaces, as a wrong network configuration may render a node inaccessible.

Create Virtual Network Bridge on Proxmox With NAT

For the CLI method, you’ll edit the /etc/network/interfaces configuration file directly.

sudo vim /etc/network/interfaces

I’ll create a virtual network bridge based on the network parameters below:

  • Network: 192.168.50.0
  • Network mask: 255.255.255.0
  • Proxmox host IP: 192.168.50.1

Print current active network interfaces on the server:

$ sudo ip -f inet a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.58.236/26 brd 195.201.58.255 scope global enp4s0
       valid_lft forever preferred_lft forever

I’ll create a virtual bridge named vmbr1:

auto vmbr1
iface vmbr1 inet static
 address 192.168.50.1
 netmask 255.255.255.0
 bridge_ports none
 bridge_stp off
 bridge_fd 0

Notice there is no physical interface linked to the bridge (bridge_ports none).

Configure NAT (Masquerading)

Masquerading allows the virtual machines in the private network you created to access external networks by using the host IP address for outgoing traffic. Each outgoing packet is rewritten by iptables to appear as originating from the host, and responses are rewritten accordingly to be routed to the original sender.

I’ll modify the network configuration above to add routing for internet connectivity. Since my primary interface enp4s0 is connected to a physical switch and has internet connectivity, we’ll route traffic coming from vmbr1 through it.

auto vmbr1
iface vmbr1 inet static
  address 192.168.50.1
  netmask 255.255.255.0
  bridge_ports none
  bridge_stp off
  bridge_fd 0
  post-up echo 1 > /proc/sys/net/ipv4/ip_forward
  post-up   iptables -t nat -A POSTROUTING -s '192.168.50.0/24' -o enp4s0 -j MASQUERADE
  post-down iptables -t nat -D POSTROUTING -s '192.168.50.0/24' -o enp4s0 -j MASQUERADE

Note that enp4s0 can be replaced with a VLAN interface or another Linux bridge. iptables provides the masquerading feature that allows instances on the private virtual network to access the internet.

Bring up the bridge interface

Validate that your network configuration is correct by manually bringing up the bridge interface:

$ sudo ifup vmbr1
Waiting for vmbr1 to get ready (MAXWAIT is 2 seconds).

Check bridge IP information:

$ ip address show dev vmbr1
3: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 16:cf:7e:23:de:1e brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.1/24 brd 192.168.50.255 scope global vmbr1
       valid_lft forever preferred_lft forever
    inet6 fe80::14cf:7eff:fe23:de1e/64 scope link
       valid_lft forever preferred_lft forever

From the output it can be confirmed that the IP address on vmbr1 is correct.

You should be able to restart the networking service without any failures:

$ sudo systemctl restart networking

Confirm status is active:

$ systemctl status networking.service
● networking.service - Raise network interfaces
   Loaded: loaded (/lib/systemd/system/networking.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2021-05-07 19:27:34 CEST; 29s ago
     Docs: man:interfaces(5)
  Process: 27355 ExecStart=/sbin/ifup -a --read-environment (code=exited, status=0/SUCCESS)
 Main PID: 27355 (code=exited, status=0/SUCCESS)

May 07 19:27:29 proxmox systemd[1]: Starting Raise network interfaces...
May 07 19:27:34 proxmox ifup[27355]: Waiting for DAD... Done
May 07 19:27:34 proxmox ifup[27355]: Waiting for vmbr1 to get ready (MAXWAIT is 2 seconds).
May 07 19:27:34 proxmox systemd[1]: Started Raise network interfaces.
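
The steps above confirm the bridge address but not the NAT rule or the forwarding flag set by the post-up lines. The script below is an added example, not part of the original article: it classifies the output of `iptables -t nat -S POSTROUTING` for the article's subnet and interface and flags a missing, repeated or unscoped MASQUERADE rule. The function names and the sample rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example; SUBNET and EGRESS are the values used in this article.
SUBNET='192.168.50.0/24'
EGRESS='enp4s0'

# Classify the MASQUERADE rules in `iptables -t nat -S POSTROUTING` output
# read from stdin. Prints: ok, missing, duplicate:N or unscoped.
masq_status() {
    awk -v s="$SUBNET" -v o="$EGRESS" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; out = ""; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-o") out = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            if (tgt != "MASQUERADE") next
            if (src == "") wide++                 # NATs any source address
            else if (src == s && out == o) hit++  # the rule from post-up
        }
        END {
            if (wide)          print "unscoped"
            else if (hit == 0) print "missing"
            else if (hit == 1) print "ok"
            else               print "duplicate:" hit  # -A never de-duplicates
        }'
}

# Succeeds when the sysctl file (default: the live one) contains 1.
forwarding_on() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Constructed rule listings (not captured from a real host).
SAMPLE_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.50.0/24 -o enp4s0 -j MASQUERADE'
SAMPLE_DUP="$SAMPLE_OK
-A POSTROUTING -s 192.168.50.0/24 -o enp4s0 -j MASQUERADE"
SAMPLE_WIDE='-P POSTROUTING ACCEPT
-A POSTROUTING -o enp4s0 -j MASQUERADE'

for sample in "$SAMPLE_OK" "$SAMPLE_DUP" "$SAMPLE_WIDE"; do
    printf '%s\n' "$sample" | masq_status
done
# On the Proxmox host, as root:
#   iptables -t nat -S POSTROUTING | masq_status
```
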

Once you create a virtual machine on the bridge you created, it will behave as if it is directly connected to the physical network. The network, in turn, sees each virtual machine as having its own MAC, even though there is only one network cable connecting all of these VMs to the network.

Our next articles will cover more areas of Proxmox server administration. In the meantime, check out other articles we have on virtualization:

Install Proxmox VE 6.x on Debian 10
