Setting Up an Internal Network with NAT and DHCP in Proxmox VE

This article will guide you through the process of creating an internal network in Proxmox VE using the virtual bridge vmbr1, and configuring NAT (Network Address Translation) and DHCP (Dynamic Host Configuration Protocol) services to automatically assign private IP addresses to VMs and enable external network connectivity.

This article is suitable for users with basic Linux knowledge who have Proxmox VE installed. The following content will provide clear steps and explanations to help you complete the configuration.

Goals

• Create an internal network using the virtual bridge vmbr1 to allow VMs to obtain private IP addresses (e.g., 192.168.100.X).
• Enable NAT to allow VMs to connect to the external network through the host's external IP (via vmbr0).
• Configure DHCP service to automatically assign internal IP addresses to VMs.

Prerequisites

• Proxmox VE is properly installed and running.
• The host's virtual bridge vmbr0 is connected to the external network (usually via a physical network card) and configured with a fixed external IP.
• You have root privileges and can connect to the Proxmox VE host via SSH.

Step 1: Create Internal Bridge vmbr1

The internal bridge serves as the foundation for communication between VMs. Here, we will create a virtual bridge named vmbr1.

1. Log in to the Proxmox VE Web Interface
   Use a browser to access your Proxmox VE management page (usually https://your_host_IP:8006) and log in as an administrator.
2. Navigate to Network Settings
   In the left panel, click on "Datacenter" > "Your Node" > "Network".
3. Create a New Linux Bridge
   Click the "Create" button and select "Linux Bridge".
4. Fill in the Configuration Information
   In the pop-up window, enter the following settings:
   • Name: vmbr1
   • IPv4/CIDR: 192.168.100.1/24 (the host's IP address on this internal network)
   • Gateway: Leave blank
   • Bridge Ports: Leave blank (do not connect to a physical network card)
   • Autostart: Check the box
5. Apply Configuration
   Click "Create", then click the "Apply Configuration" button in the upper right corner to make the changes take effect.

Explanation

vmbr1 is an independent virtual bridge isolated from the external network. Its IP range is 192.168.100.0/24, with the host's IP in this segment being 192.168.100.1, serving as the default gateway for the internal network.

Step 2: Install and Configure ISC DHCP Server

The DHCP service will automatically assign IP addresses to VMs. Here are the steps to install and configure it.

1. Connect to the Host via SSH
   Use an SSH tool (such as PuTTY or a terminal) to log in to the Proxmox VE host as root.
   • Save (Ctrl+O, Enter) and exit (Ctrl+X).

Configure the DHCP Address Pool
Edit the main DHCP configuration file:

nano /etc/dhcp/dhcpd.conf

Add the following content at the end of the file:

subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.100 192.168.100.200;
    option routers 192.168.100.1;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    authoritative;
}

Save and exit.

Ensure that INTERFACESv6 is empty:

INTERFACESv6=""

Find the INTERFACESv4 line and change it to:

INTERFACESv4="vmbr1"

Set the DHCP Service Interface
Edit the default configuration file for the DHCP service:

nano /etc/default/isc-dhcp-server

Install ISC DHCP Server
Run the following commands to update the package list and install the DHCP server:

apt update
apt install isc-dhcp-server

Explanation

• subnet and netmask define the internal network segment as 192.168.100.0/24.
• range specifies the IP range that DHCP can assign (from 192.168.100.100 to 192.168.100.200).
• option routers sets the internal network gateway to 192.168.100.1.
• option domain-name-servers uses Google's public DNS servers (8.8.8.8 and 8.8.4.4).

Step 3: Enable IP Forwarding and NAT

To allow internal VMs to access the external network, you need to enable IP forwarding and configure NAT.

Persist the Rules
Install iptables-persistent and save the rules:

apt install iptables-persistent

During installation, the system will ask if you want to save the current rules; choose "Yes".

Set NAT Rules
Use iptables to configure NAT, forwarding internal traffic to the external network:

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o vmbr0 -j MASQUERADE

Enable IP Forwarding
Edit the system configuration to enable forwarding:

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

Explanation

• net.ipv4.ip_forward=1 enables the host's IP forwarding feature.
• The NAT rule forwards traffic from 192.168.100.0/24 through vmbr0 to the external network, using masquerading to allow VMs to share the host's external IP.

Step 4: Configure VM Network

Connect the VM to the internal bridge vmbr1 and ensure its network is set to DHCP.

1. Access VM Settings
   In the Proxmox VE Web interface, select the target VM and click on the "Hardware" tab.
2. Edit Network Device
   • Bridge: Select vmbr1
   • Model: Keep the default (usually VirtIO)
3. Check Internal Network Settings in the VM
   • Linux: Ensure the network interface is set to dhcp in /etc/network/interfaces, or run dhclient to obtain an IP.
   • Windows: In network settings, select "Obtain an IP address automatically".

Step 5: Start Services and Test

Finally, start all services and verify if the configuration is effective.

1. Start the VM and Check IP
   In the VM, run the following commands:
   • Linux: ip addr, confirm that the obtained IP is within the 192.168.100.X range.
   • Windows: ipconfig, confirm the same.
2. Test External Connectivity
   In the VM, run:
   • ping 8.8.8.8 (test network connectivity)
   • ping google.com (test DNS resolution)
     If both are successful, the configuration is correct.

Check Service Status

systemctl status isc-dhcp-server

Ensure the service is running normally without error messages.

Start the DHCP Service

systemctl restart isc-dhcp-server
systemctl enable isc-dhcp-server

Notes

• IP Conflicts: Ensure that the internal IP range (192.168.100.0/24) does not overlap with the external network or other internal networks.
• Firewall: If the host has a firewall enabled, you need to allow traffic forwarding from the internal to the external network (e.g., adjust ufw or iptables rules).
• Performance Considerations: This configuration is suitable for small environments. For a large number of VMs, it is recommended to use a dedicated router VM (such as pfSense).
• Fixed IP: If you need to assign a fixed IP to a specific VM, you can add a host block in /etc/dhcp/dhcpd.conf or set a static IP inside the VM.

Conclusion

Through the above steps, you have successfully set up an internal network in Proxmox VE, enabled NAT and DHCP services, allowing VMs to automatically obtain IPs and connect to the external network. This configuration is simple and practical, suitable for testing, development, or small production environments. I hope this article helps you smoothly complete the network configuration and further explore the powerful features of Proxmox VE.