How To Configure Bridged Proxmox Networking

In a Routed Proxmox setup, you add your IP addresses to your interface then forward the connection to guests. For a Proxmox bridged network you don’t need MAC addresses to do this but it poses some security concerns. Concerns like IP stealing if you don’t use protection against this. Bridged Proxmox Networking allows you to use MAC addresses and you then configure your guests to use the bridge as a connection. This is a much better way of configuring your Proxmox networking because customers can’t steal IPs and you can attach multiple IP blocks to the same guest.

Interfaces File

Inside your Proxmox interfaces file, we are going to specify the bridge for IPv4 and IPv6 plus configure a private network. Let’s look at this how Proxmox is configured in a bridged network.

# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface enp5s0f0 inet manual

iface enp5s0f1 inet manual

iface enp7s0f3u2u2c2 inet manual

auto vmbr0
iface vmbr0 inet static
        address HOST-IP/32
        gateway HOST-GATEWAY
        bridge-ports enp5s0f0
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/proxy_ndp

iface vmbr0 inet6 static
        address 2001:41d0:xxx:xxxx::0001/64
        gateway 2001:41d0:xxx:xxxx:xx
        post-up /sbin/ip -f inet6 route add 2001:41d0:xxx:xxxx:xx dev vmbr0
        post-up /sbin/ip -f inet6 route add default via 2001:41d0:xxx:xxxx:xx
        pre-down /sbin/ip -f inet6 route del default via 2001:41d0:xxx:xxxx:xx
        pre-down /sbin/ip -f inet6 route del 2001:41d0:xxx:xxxx:xx dev vmbr0

auto vmbr1
iface vmbr1 inet static
        address 10.10.10.1/24
        bridge-ports enp5s0f1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

Let’s go through this. The iface is your adapter. Most servers will have one but you may see many here. The first one is always your physical connection. In this example, iface enp5s0f0 inet manual.

Bridged Proxmox Networking

vmbr0 inet

Here’s your Bridged Proxmox Networking. This is the connection guests use in the adapter settings. All VMs and CTs use vmbr0.

The address is always the main IPv4 of your business dedicated server. You append a subnet to the IP. We’re using a /32 subnet.

The gateway is listed in your F2H client area. Do not append a subnet to the gateway.

So for the bridged connection, we specify the adapter in the bridge-ports field. This is always your physical adapter. The first listed in the file. In our example our physical adapter is enp5s0f0

vmbr0 inet6

So, just like for IPv4 in vmbr0, we bridge the connections for IPv6. we specify the main IPv6 assigned to the server. Usually, you just append 0001 to your IPv6 subnet. Remember, you must include the /64 or whatever subnet you are assigned. You specify the IPv6 gateway and forward IPv6 to the vmbr0 adapter. Specify the gateway in all lines.

vmbr1 inet

This is used for private networking. It’s ready to go and doesn’t need to be changed unless you want to change the private IP subnet.

That is the connection settings for a bridged proxmox setup. It’s much more flexible than a routed proxmox setup and some would say more secure. The key thing to remember is you must decide which configuration is best for your end use.