I use Proxmox on a Debian 11 host with two public IP addresses.
One IP gets bridged to a virtual machine (VM1) via vmbr0.
For another machine (VM2, IP 192.168.10.2) I want to use NAT to get internet access and expose some ports to the internet.
I use the following network configuration. I obfuscated my public IP to 1.1.1.1.
#/etc/network/interfaces
auto lo
iface lo inet loopback
iface lo inet6 loopback

iface enp41s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 1.1.1.1/32
    gateway 1.1.1.255
    bridge-ports enp41s0
    bridge-stp off
    bridge-fd 1
    pointopoint 1.1.1.255
#Bridge mode

auto vmbr1
iface vmbr1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -F
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2023 -j DNAT --to 192.168.10.2:2022
    post-up iptables -t nat -A PREROUTING -m multiport -i vmbr0 -p tcp --dport 80,443,5050 -j DNAT --to 192.168.10.2
#NAT mode
The setup works fine when connecting from the internet, but I can't access the main IP (1.1.1.1) from VM2 because the ports are not redirected properly.
I already tried adding post-up iptables -t nat -A PREROUTING -m multiport -i vmbr1 -p tcp --dport 80,443,5050 -j DNAT --to 192.168.10.2 but afterwards connections won't work at all.
hairpin on
with bridge link set dev $slave
or ip link set $slave type bridge_slave
for the bridge slave that VM2 is attached to. Besides, unlike the -i vmbr0 one, you probably have to add -d 1.1.1.1 to the -i vmbr1 DNAT rule.
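The following script is an added example and is not code from the question or the answer. It implements the answer's two points (a vmbr1 DNAT rule scoped with -d 1.1.1.1, and hairpin mode on VM2's bridge port) and shows why the unscoped rule the question tried broke everything: the vmbr0 rule needs no -d because the only traffic entering vmbr0 is addressed to 1.1.1.1, whereas a rule on vmbr1 without -d matches every outgoing LAN connection to ports 80, 443 and 5050 and redirects all of them to VM2. It also adds a POSTROUTING masquerade for the hairpinned connections, which the answer does not mention: after the DNAT, client and server are on the same LAN (the client may even be VM2 itself), so VM2 would reply directly from 192.168.10.2 and the client would discard a reply from an address it never connected to. The public IP, LAN and VM2 address come from the question; the bridge port name (tap100i0, a Proxmox tap device for an assumed VMID 100) and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the question or the answer above.
# Assumptions: host public IP 1.1.1.1 on vmbr0, VM2 at 192.168.10.2 behind vmbr1
# (both from the question); VM2's bridge port name is passed in by the caller
# (on Proxmox a tap device such as tap100i0 if VM2 had VMID 100; placeholder).
PUBLIC_IP="${PUBLIC_IP:-1.1.1.1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
VM2_IP="${VM2_IP:-192.168.10.2}"
PORTS="${PORTS:-80,443,5050}"

# DRY_RUN=1 prints each command instead of executing it (execution needs root).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append an iptables rule unless an identical one already exists (-C), so the
# function is safe to call repeatedly, e.g. from a post-up hook.
add_rule() {
    table="$1"; shift
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -t "$table" -C "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -A "$@"
}

hairpin_nat_rules() {
    # Internet -> VM2. No -d needed: the only traffic entering vmbr0 is for 1.1.1.1.
    add_rule nat PREROUTING -i vmbr0 -p tcp -m multiport --dports "$PORTS" \
        -j DNAT --to-destination "$VM2_IP"
    # LAN -> public IP -> VM2. Here -d is essential: without it, every LAN
    # connection to ports 80/443/5050 anywhere on the internet would be
    # redirected to VM2, which matches the "won't work at all" symptom.
    add_rule nat PREROUTING -i vmbr1 -d "$PUBLIC_IP" -p tcp -m multiport --dports "$PORTS" \
        -j DNAT --to-destination "$VM2_IP"
    # Not mentioned in the answer above, added here: after the DNAT the client
    # (possibly VM2 itself) and the server are on the same LAN, so VM2 would reply
    # to the client directly from 192.168.10.2 and the client would drop a reply
    # from an address it never connected to. Masquerading the source forces the
    # reply back through the host, which reverses both translations.
    add_rule nat POSTROUTING -s "$LAN_NET" -d "$VM2_IP" -p tcp -m multiport --dports "$PORTS" \
        -j MASQUERADE
}

# Hairpin mode on VM2's bridge port, as the answer suggests (iproute2 "bridge" tool).
enable_hairpin() {
    run bridge link set dev "$1" hairpin on
}

# Usage: sh hairpin-nat.sh apply tap100i0   (run as root; set DRY_RUN=1 to preview)
case "${1:-}" in
    apply)
        [ -n "${2:-}" ] || { echo "usage: $0 apply <vm2-bridge-port>" >&2; exit 2; }
        hairpin_nat_rules
        enable_hairpin "$2"
        ;;
esac
```

Run it once with DRY_RUN=1 to review the exact rules before applying them; because add_rule checks with -C first, calling it from the vmbr1 post-up hook will not pile up duplicate rules on each ifup.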