[PVE-User] Using Public IP onto VM

Timh B timh at shiwebs.net
Mon May 2 13:35:48 CEST 2011


On Fri, April 29, 2011 11:24, Hugo Letemplier wrote:
> 2011/4/29 Flavio Stanchina <flavio.stanchina at ies.it>:
>> On 26/04/2011 19:34, Bruce B <bruceb444 at gmail.com> wrote:
>>> I have two interfaces on the Proxmox server. One is having the
>>> 192.168.0.0/24 range [...]
>>> Now I have other public IPs that I can assign from my router
>>> or maybe NAT forward. Is it best to do another network on vmbr1 like
>>> 192.168.2.0/24 and then assign that to the VMs?
>>> or is it easier to get the public IP on vmbr1?
>>> I am wondering how this works?
>>> I need to be running maybe multiple HTTP servers on VMs.
>> You should configure networking on the VMs as if they were real servers;
>> there's no general answer. Depending on your requirements, you may need to
>> have both public and internal IP addresses on the same machine, isolate VMs
>> on a network that is completely separate from the Proxmox servers and/or
>> your LAN, have a (virtual, maybe) firewall filtering and redirecting
>> connections to the VM, or something completely different: there are so many
>> possible configurations that it would take a book just to enumerate them.
>> That is, if you have any doubts, ask your local network administrator. Your
>> question doesn't have much to do with the fact that your servers are
>> virtual, except maybe for the added benefit that you can create and destroy
>> network adapters at the touch of a button.
>> --
>> Flavio Stanchina
>> Informatica e Servizi
>> Trento - Italy
> I think you can also create a new virtual bridge on your host that's
> bound to a vlan of your physical interface then you can bind the virtual
> interface of the VM to the virtual bridge of the host.
> It's not a perfect solution, but I don't know your networking
> environment! Prefer something with a DMZ and port forwarding
> configured on your router.

In our case we utilize Linux networking as much as we can; we run:

1. Bonding (eth0+1) active-backup
2. vmbr0 on bond0 with host-only ip-range (10.x.x.x)
3. vlan-interfaces *without* ip-address for our virtual network (vmbrXXYY)
4. bridged network on vmbrXXYY for the virtual server depending on which
VLAN it should have access to.

All gateways are on firewalls or in the router with rules and filters for
inter-vlan communication, for example the host-servers don't have
internet-access per se, but use a proxy for apt and internal
nameservers/timeservers/backup-targets etc.

In essence, you can do exactly how and what you want with the networking.

To reply to your question specifically, I would configure the vmbr1
network in a vlan without an IP and just set the link to active (ip link
set dev vmbr1 up) and configure the public IPs inside the guests as any
normal interface. Thus the HN is only accessible from your "internal"
network and the guests can use the public addresses freely.

<interfaces>
iface eth0 inet manual
iface eth1 inet manual
...
iface bond0 inet manual
        slaves eth0 eth1
        bond_miimon 100
        bond_mode active-backup
        bond_updelay 2000
        bond_downdelay 2000
...
iface vmbr0 inet static
        address  10.1.2.151
        netmask  255.255.255.0
        gateway  10.1.2.1
        bridge_ports bond0
        bridge_stp off
        bridge_fd 0
...
iface bond0.531 inet manual
        vlan_raw_device bond0
...
auto vmbr531
iface vmbr531 inet manual
        bridge_ports bond0.531
        bridge_stp off
        bridge_fd 0

</interfaces>

-- 
//Timh
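
Added example, not part of the original post: a small audit of an interfaces file in the format shown above that flags any guest-facing bridge on which the host node itself holds an address, which is the condition the address-less vmbr531 layout avoids. The sample file, the vmbr1 stanza with 203.0.113.10, and the function names are constructed for the illustration; vmbr0 is assumed to be the only management bridge.

```python
import re

# Constructed sample modelled on the post's file; vmbr1 and 203.0.113.10 are made up.
SAMPLE = """\
auto vmbr0
iface vmbr0 inet static
        address  10.1.2.151
        bridge_ports bond0

iface bond0.531 inet manual
        vlan_raw_device bond0
auto vmbr531
iface vmbr531 inet manual
        bridge_ports bond0.531

auto vmbr1
iface vmbr1 inet static
        address  203.0.113.10
        bridge_ports eth1
"""

def parse_stanzas(text):
    """Map each iface name to its method and options (option keys normalised to '_')."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"iface\s+(\S+)\s+\S+\s+(\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            current["method"] = m.group(2)
        elif re.match(r"(auto|allow-\S+|source|mapping)\b", line):
            current = None  # these keywords end the previous stanza
        elif current is not None:
            key, *rest = line.split(None, 1)
            current[key.replace("-", "_")] = rest[0] if rest else ""
    return stanzas

def host_exposed_bridges(text, mgmt_bridges=("vmbr0",)):
    """Guest bridges where the host itself is configured with an address."""
    return sorted(
        (name, o["method"], o.get("address"))
        for name, o in parse_stanzas(text).items()
        if "bridge_ports" in o and name not in mgmt_bridges
        and (o["method"] != "manual" or "address" in o)
    )

print(host_exposed_bridges(SAMPLE))
```

A bridge configured with dhcp is reported with an address of None, since the host would still obtain an address on that segment.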








