HowTo: Proxmox Networking

Reading Time: 3 minutes

This time, I would like to show how Proxmox networking configuration can be configured. In my last post, I showed, how to install Proxmox and get ready to create VM’s. I will show a typical configuration, which I always use. The official documentation can be found here:

Proxmox Network Model

I will show, how to configure the network connection for the Proxmox host itself and how to separate the VM traffic from the host traffic using VLAN’s.

Proxmox Networking: Management Traffic

To use the Proxmox host, you must be able to manage it somehow. If you have only one network interface, as I in my test lab, you can use the native network interface for the management and guest traffic. There is no spacial configuration needed. If yo have more than one network card I would recommend to use one for the host management and the other(s) network card(s) for the guest traffic.

Proxmox Networking: Bridged VM Traffic

This type is used to directly connect the VM’s to your network. If you have two or more network cards in your system, you should use a different network card then the one used for management traffic to separate the guest traffic from the management traffic.

To create a bridged networking, you have to create a virtual network card. You can use the web GUI of Proxmox for this, but I prefer to use the CLI. Login to your host, using ssh and open this file:

vi /etc/network/interfaces

Just create a new virtual network interface by adding those lines:

auto vmbr1
iface vmbr1 inet manual
 bridge_ports eth1
 bridge_stp off
 bridge_fd 0

This will create “vmbr1” which is bound to the “eth1” interface. I will not assign an IP address to the “eth1” or the “vmbr1” interface. This way, the guest VM’s are not able to connect to the host directly.

If you have no separate interface, you can either bound the virtual network card to the available interface like this:

auto eth0
iface eth0 inet static

auto vmbr1
iface vmbr1 inet static
 address 10.3.5.1
 netmask 255.255.255.0
 bridge_ports eth0
 bridge_stp off
 bridge_fd 0

You have to assign the IP address which is used for “eth0″ to vmbr1”.

You can also use VLAN’s to separate the traffic, even if you only have one network interface. This can be configured this way:

auto vmbr1
iface vmbr1 inet manual
 bridge_ports eth0.10
 bridge_stp off
 bridge_fd 0

Creating “vmbr1” and binding it to “eth0.10” will create the tagged VLAN 10 on “eth0”. You have to configure the Switch port with the same setting. All VM’s bound to this virtual bridge interface, will be placed into VLAN 10.

Proxmox Networking: Host Only Network

If you need to connect VM’s directly on the host, without sending the traffic to the external world, you can use host only networks. You have to create another virtual bridge interface, but this time, you did not have to bind it to a physical network interface.

Open this file again:

vi /etc/network/interfaces

Add the following lines to the file:

auto vmbr1
iface vmbr1 inet static
 bridge_ports none
 bridge_stp off
 bridge_fd 0

All VM’s connected to this interface will be able to talk to each other. They will not be able to connect to the external world using this interface.

Proxmox Networking: Routed Networking

If you would like to hide your VM’s behind the host IP you can use a routed networking configuration. You have to create another virtual network interface and enable routing on this interface.

Open this file again:

vi /etc/network/interfaces

When working with a routed configuration, you need to enable proxy arp on the outgoing interface. In my scenario, this is “eth0”:

auto eth0
iface eth0 inet static
 post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

To create the virtual interface and enable routing add those lines:

auto vmbr1
iface vmbr1 inet static
 address 10.3.5.1
 netmask 255.255.255.0
 bridge_ports none
 bridge_stp off
 bridge_fd 0
 post-up echo 1 > /proc/sys/net/ipv4/ip_forward

The last line will enable routing on the interface. With this configuration the VM traffic will routed using the routing table of the host. The outside world needs to know, how to reach the “10.3.5.0/24” subnet. To avoid working with static routes, you could NAT the traffic. This will hide the “10.3.5.0/24” subnet behind the IP address of the Proxmox host. To enable the NAT function add those lines to the virtual network interface:

post-up iptables -t nat -A POSTROUTING -s '10.3.5.0/24' -o eth0 -j MASQUERADE
 post-down iptables -t nat -D POSTROUTING -s '10.3.5.0/24' -o eth0 -j MASQUERADE

This will enable the NAT function for the internal network “10.3.5.0/24” by using “eth0” as the egress network.

From my point of view, this describes the three main Proxmox networking options. There are other options, e.g. using a virtual switch or router on the host.

If you have any questions, regarding this post or if you would like provide feedback, please use the comment function below.

17 thoughts on “HowTo: Proxmox Networking”

  1. Hi,

    I’m testing Proxmox VE to make a presentation of this software solution to my employer (i’m a junior sysadmin).

    Using Virtualbox on Linux Mint 19.2 stable, i’ve installed three instances of Proxmox VE 6.0 on three VM.

    My problem is that i cannot find a proper network configuration for the three Proxmox VM.
    The idea would be to have a private network for my three VM and my host (so Host Only network option in Virtualbox) AND allowing my Proxmox VM to have an internet access WITHOUT being accessible from a public address (so a second network card using NAT).

    But i cannot find a proper configuration for this.

    Would it be possible to help me understand how to setup properly this infrastructure?

    Reply
    • Hi Korben,

      I’m not an expert on virtual Box, actually, I never used Virtual Box before in a way that I could help you with this on the Virtual Box site.

      But if your problem is to configure the Network Adapter in Proxmox I might be able to help.
      Just a few comments which are popping up in my mind. If you would like to allow Proxmox to reach the internet using NAT, you already have everything in place (sourcing my knowledge from VMWare Workstation). If you create a network, which is NAT’d to you physical host adapter, the Proxmox VM’s could also use this network to communicate with each other and you can communicate with them as well? Or is Virtual Box behaving completely different here?

      BR
      Florian

      Reply
  2. Hi Florian,
    Thanks for the information, good notes to the world of proxmox networking

    The difficulty for me comes by trying to hook up OpnSense as a firewall and a freenas server.
    I get the basics working but performance is bad , I am coming to the conclusion this is a network issue ..lol.

    Luckily for me I have a super-micro motherboard with 5 interfaces on the mother board.
    eno1 is a 1gb and want to use for the management of both OPNsense and Proxmox.
    the others are all 10Gb and ideally Opnsence uses eno3 and eno5 with passthrough.
    and the eno2 shared for the other VMs (Freenas, Linux VM, etc)

    05:00.0/net/eno1 (1Gb)
    06:00.0/net/eno2
    06:00.1/net/eno3
    07:00.0/net/eno4
    07:00.1/net/eno5

    so far my basic setup eg.
    adjusted /etc/modules file for passthrough
    adjusted /etc/pve/qemu-server/100.conf (opnsensense) for pci passthrough (hostpci0: 06:00.1 and hostpci1: 07:00.1)

    I configured the eno1 for static

    auto vmbr0
    iface vmbr0 inet static
    address 192.168.1.5
    netmask 255.255.255.0
    gateway 192.168.1.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

    and

    as im new to this network proxmox world, It word be great if you could share how to approach this in the most optimal fashion.

    thanks
    Curtis

    Reply
  3. Hello,

    I’m a bit confuse, Is it possible to get help by mail ?
    Last time that I followed a tutorials my host was not accessible anymore … so now I’m afraid and stuck …

    My setup is simple I think but, I’m quiet lost so…
    1 server | 1 network card with public IP | 3 vms ?

    Thanks a lot

    Reply
    • Hi Jerome,
      Thanks for your comment. And I fully understand that you are a little bit afraid. I did the setup on a production server, running in a faraway data center. So what I did was testing the setup locally in a VM. Which means, running Proxmox in a VMware or VirtualBox VM and test the whole setup before doing so with the remote server. Maybe this is something you can do as well.
      I also had a safety net during my setup, as I could boot my server into a rescue system which gave me access to the filesystem so I could change the config if the server was not accessible after my config change.

      Unfortunately, I’m not able to provide dedicated mail support and I would not even think of it as I’m not an expert on Proxmox. My work here should only show what I have done and what works for me and my setup.

      I hope this will help and feel free to ask more questions.

      BR
      Florian

      Reply
  4. Hi Jerome, best to post your problem or where you are getting stuck , so others can learn or help, feels like Florian is busy.

    Reply
    • Hi Curt,

      Thanks for your comment. you are correct, I was quite busy with family life during the last weeks as my little daughter was born and nights were pretty short. But after my relocation to our new home (hopefully until the end of this year), I will be back online to create new stuff for my blog and answer all questions more regularly.

      BR
      Florian

      Reply
  5. can you make tutorail how to change proxmox ip address from terminal , i tried by editing /etc/network/interfaces/ but its still showing same old ip address on top when i reboot , actually i had changed the router that’s why i want to change ip from terminal because i have lost access to web UI

    Reply
  6. I have an Optiplex 3020 with a wired NIC and Intel WiFi.

    I’d like to set up the WiFi as a management network, and the wired NIC as a bridged VM passing traffic through from my public faced network to the VMs. The VM will be running Citadel (citadel.org) and should have a routable, public IP address. The Bridged NIC will have an IP address on the same subnet, I suppose, and the wired NIC will be a slave.

    The WiFi should be on my internal network, not bridged to the public network or to the VM, on a separate VM, and allow me to connect to the Proxmox management interface internally without exposing the management interface to the public network.

    Is this possible? You describe having a public network for the VMs and the bridge, and an internal network for the management console, but you don’t describe how this would be configured. I’m at my wits end – but you’re the only link I’ve found that even discusses this possibility.

    I assume the bridged network and the wired NIC would still expose the management console to the public network – and I need to set up firewall rules to prevent that. But how do I make the WiFi NIC have access to the management console separate from the bridged network?

    Reply
    • Hi,

      thanks for your comment. Let me try to give you an answer.

      You have two nic, for simplicity I use eth0 for the wired nic and eth1 for the wireless nic.

      All examples are from my mind, without checking them against real life.

      You need to create two new virtual interfaces. first the one for wired traffic (external interface eth0):

      auto vmbr0
      iface vmbr1 inet manual
      bridge_ports eth0
      bridge_stp off
      bridge_fd 0

      Do not set an IP to that interface. This will make this interface a pure layer 2 interface and no one can connect to this interface.
      Attach your public-facing VM to that interface.

      Create a second virtual interface for internal traffic (management):

      auto eth1
      iface eth1 inet static

      auto vmbr1
      iface vmbr1 inet static
      address 10.3.5.1
      netmask 255.255.255.0
      bridge_ports eth0
      bridge_stp off
      bridge_fd 0

      Replace the IP with your IP.

      This should create what you are looking for.

      BR
      Florian

      Reply
  7. Thanks for taking the time to give examples, I appreciate it. I am new to Proxmox and Debian/Ubuntu. What I would like to do is:
    1st = Internet (5 available IP addresses to be used by my VM’s)
    2nd= 192.168.20.0/23 Internal network
    3rd= 192.168.30.0/24 Internal network used to assign VOIP Phones & PBX

    I would like to build VM’s in the future and assign one or two NICs to that VM.
    1st internet (if needed)
    2nd using either 2nd or 3rd NIC as indicated above.

    Could you please give an example and how to set this up in Proxmox.

    I have Proxmox set up now using (1) one NICon the 192.168.20.0/23 network and don’t want to break anything.
    This is just a home network, so I can take anything down at any time.

    I would like to send you a screen show of the existing network if you can please help me out.

    Thanks very much.

    Reply
  8. auto lo
    iface lo inet loopback

    iface enp9s0f1 inet manual

    auto vmbr0
    iface vmbr0 inet static
    address 192.168.20.2/23
    gateway 192.168.20.1
    bridge_ports enp9s0f1
    bridge_stp off
    bridge_fd 0

    iface enp11s0f0 inet manual

    iface enp11s0f1 inet manual

    iface enp9s0f0 inet manual

    iface enp3s0 inet manual

    iface enp2s0 inet manual

    *****EXISTING***** interfaces file

    Reply
    • Hi Steve,

      sorry for letting you wait for so long, but I was caught by my real life.

      Using your examples above you simply need to create additional vmbr interfaces, like vmbr1 and vmbr2.
      IF you just want to bridge traffic to the VM’s without having an IP on the interface you simply do this:

      auto vmbr1
      iface vmbr1 inet manual
      bridge_ports bridge_stp off
      bridge_fd 0

      If you need an IP on the interface you might do this:

      auto iface inet static

      auto vmbr2
      iface vmbr2 inet static
      address
      netmask
      bridge_ports eth0
      bridge_stp off
      bridge_fd 0

      I hope this will help you.

      BR
      Florian

      Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: