Proxmox NAT and Masquerading: Route VM Traffic Through Your Host

Learn how to configure NAT masquerading and port forwarding in Proxmox VE so VMs on private networks can reach the internet and accept incoming connections.

When Do You Need NAT in Proxmox?

By default, Proxmox VE bridges VMs directly onto your physical network, giving each VM its own routable IP address. But there are plenty of scenarios where you want VMs on a private, isolated subnet instead: homelabs with limited public IPs, development environments that should not be exposed, or multi-tenant setups where each customer gets a private range. In these cases, NAT masquerading lets your Proxmox host act as a router, translating private VM addresses to the host's public IP for outbound traffic. Keep in mind that NAT is address translation, not a firewall: what can reach the VMs, and what they can reach, is decided by the host's FORWARD chain, which this guide configures alongside the NAT rules.

Step 1: Enable IP Forwarding

The Linux kernel must be told to forward packets between interfaces. Check the current setting:

sysctl net.ipv4.ip_forward

If it returns 0, forwarding is disabled. Enable it immediately and make it persistent:

# Enable now
sysctl -w net.ipv4.ip_forward=1

# Make persistent across reboots
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-forwarding.conf
sysctl -p /etc/sysctl.d/99-forwarding.conf

Without this setting, packets arriving on your private bridge are not routed to the external interface; the kernel simply discards them. Note that the setting is global: once enabled, the host will forward between any pair of its interfaces unless the FORWARD chain restricts it, which is why Step 4 pairs forwarding with explicit filter rules.

Step 2: Create a Private Bridge

Create an internal bridge with a private subnet. Edit /etc/network/interfaces and add a new bridge with no physical port attached:

auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

    post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

This configuration does several things:

  • Creates bridge vmbr1 with the gateway address 10.10.10.1.
  • Attaches no physical ports, making it a purely internal bridge.
  • Adds an iptables MASQUERADE rule on interface up, so outbound traffic from the 10.10.10.0/24 network is translated to the host's IP on vmbr0.
  • Cleans up the rule when the interface goes down.

Apply the new configuration:

ifreload -a

Step 3: Assign VMs to the Private Bridge

When creating or editing a VM, set its network device to use vmbr1. Inside the VM, configure a static IP in the 10.10.10.0/24 range with 10.10.10.1 as the gateway and your preferred DNS server:

# Example inside a Debian/Ubuntu VM (/etc/network/interfaces)
# ens18 is the name Debian assigns to the first virtio NIC on Proxmox;
# check with "ip link" if yours differs.
auto ens18
iface ens18 inet static
    address 10.10.10.100/24
    gateway 10.10.10.1
    # dns-nameservers is honoured only when the resolvconf package is
    # installed; otherwise put the servers in /etc/resolv.conf directly.
    dns-nameservers 1.1.1.1 8.8.8.8

Alternatively, you can run a DHCP server on the host or in a dedicated VM to hand out addresses automatically.

Step 4: Port Forwarding (DNAT)

To make services inside NAT-ed VMs accessible from the outside, add DNAT rules. For example, to forward port 8080 on the host to port 80 on a VM at 10.10.10.100:

auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

    # Outbound NAT
    post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

    # Port forward: host:8080 -> 10.10.10.100:80
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to 10.10.10.100:80
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to 10.10.10.100:80

    # Forward SSH: host:2222 -> 10.10.10.100:22
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2222 -j DNAT --to 10.10.10.100:22
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2222 -j DNAT --to 10.10.10.100:22

The DNAT rules only rewrite the destination address; whether the translated packet is then forwarded at all is decided by the FORWARD chain of the filter table. If that chain's default policy is DROP (which it should be on a host that forwards), add an ACCEPT for each published service. The rules match the post-DNAT destination, because PREROUTING runs before FORWARD, and they belong in post-up lines next to the NAT rules; typed once at a shell, they are gone after the next reboot:

iptables -A FORWARD -i vmbr0 -o vmbr1 -p tcp --dport 80 -d 10.10.10.100 -j ACCEPT
iptables -A FORWARD -i vmbr0 -o vmbr1 -p tcp --dport 22 -d 10.10.10.100 -j ACCEPT
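The following script is an added example for this article, not Proxmox's own tooling, and ties Steps 1 to 4 together as one reproducible unit: it enables forwarding, sets a DROP default on FORWARD, and emits the MASQUERADE, DNAT and FORWARD rules as idempotent check-then-append commands so that re-running it (for example from post-up after every ifreload -a) never duplicates a rule. It also adds the two filter rules the bare commands above leave out: the conntrack rule that lets replies through, and an anti-spoofing rule for the internal bridge. The interface names, subnet and port list are assumptions that mirror the article's examples; change them to match your host.

```shell
#!/bin/sh
# nat-rules.sh: generate, and optionally apply, a complete NAT + FORWARD
# ruleset for a Proxmox host with an internal bridge. Added example for
# this article; not part of Proxmox. Interface names, subnet and the port
# list below are assumptions taken from the article's examples: edit them.
#
# Every command is emitted as "iptables -C <rule> || iptables -A <rule>",
# so running the script twice never duplicates a rule.

WAN_IF=vmbr0              # bridge that carries the host's upstream address
LAN_IF=vmbr1              # internal bridge configured with bridge-ports none
LAN_NET=10.10.10.0/24     # private subnet behind LAN_IF

# Published services, one per line: proto:host_port:vm_ip:vm_port
FORWARDS='tcp:8080:10.10.10.100:80
tcp:2222:10.10.10.100:22'

# emit_rule TABLE RULE: print one idempotent check-then-append command.
emit_rule() {
  table="$1"; rule="$2"
  printf 'iptables -t %s -C %s 2>/dev/null || iptables -t %s -A %s\n' \
    "$table" "$rule" "$table" "$rule"
}

gen_rules() {
  # Outbound: rewrite the private source address to the host's address on WAN_IF.
  emit_rule nat "POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"

  # FORWARD defaults to DROP (set in apply_rules). Replies to any accepted
  # flow pass via conntrack; nothing else crosses bridges unless listed below.
  emit_rule filter "FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  # Anti-spoofing: a VM on the internal bridge may only source its own subnet.
  emit_rule filter "FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP"
  # VMs may open new connections towards the internet.
  emit_rule filter "FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"

  # Inbound: one DNAT plus one FORWARD accept per published service. The
  # FORWARD rule matches the post-DNAT address because PREROUTING nat runs
  # before the FORWARD chain.
  printf '%s\n' "$FORWARDS" | while IFS=: read -r proto hport vmip vmport; do
    [ -n "$proto" ] || continue
    emit_rule nat "PREROUTING -i $WAN_IF -p $proto --dport $hport -j DNAT --to-destination $vmip:$vmport"
    emit_rule filter "FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $vmip --dport $vmport -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# count_rules: number of commands gen_rules emits (4 fixed + 2 per forward).
count_rules() { gen_rules | wc -l | tr -d ' '; }

# apply_rules: run as root on the host, e.g. from a single interfaces line
#   post-up /usr/local/sbin/nat-rules.sh apply
apply_rules() {
  sysctl -q -w net.ipv4.ip_forward=1
  iptables -P FORWARD DROP
  gen_rules | sh -e
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     gen_rules ;;   # dry run: only print the commands
esac
```

Run it without arguments to review the commands it would issue; run it with apply as root to install them. Pointing one post-up line at the script replaces the block of iptables lines in the vmbr1 stanza and keeps the filter-table rules, not just the nat rules, across reboots.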

Verifying the Setup

From inside the VM, test outbound connectivity:

ping -c 3 8.8.8.8
curl -s ifconfig.me

The curl command should return the address that vmbr0 presents to the internet (in a homelab behind a consumer router, that is the router's public IP rather than the host's), confirming masquerading works. To verify port forwarding, test from an external machine, not from the Proxmox host itself:

curl http://YOUR_HOST_IP:8080
ssh -p 2222 user@YOUR_HOST_IP

Check your NAT rules at any time with:

iptables -t nat -L -n -v
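A rule being listed does not mean it is doing anything: a DNAT whose -i does not match the interface the packets actually arrive on will sit there with a zero counter. The helper below, an added example that is not part of the article or of iptables, reads the output of iptables -t nat -L PREROUTING -n -v -x and reports, per host port, whether the DNAT rule is present and whether it has matched packets. The listing embedded in it is constructed to look like that output, not captured from a real host.

```shell
#!/bin/sh
# Classify DNAT port forwards from an "iptables -t nat -L PREROUTING -n -v -x"
# listing: present and matching traffic, present but never hit, or absent.
# Added example for this article; the sample listing below is constructed.

# dnat_hits PORT : read a listing on stdin and print the packet counter of
# the DNAT rule for host port PORT, or "missing" if no such rule appears.
dnat_hits() {
  port="$1"
  awk -v port="$port" '
    # rule lines: pkts bytes target prot opt in out source destination [match text]
    # the match text ends with " dpt:PORT to:..." so anchor both sides of PORT
    $3 == "DNAT" && index($0, " dpt:" port " ") { print $1; found = 1; exit }
    END { if (!found) print "missing" }
  '
}

# Constructed sample (not captured from a real host): the 8080 forward has
# seen 12 packets, the 2222 forward has never matched.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 1234 packets, 98765 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12       720 DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:10.10.10.100:80
       0         0 DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:10.10.10.100:22'

# check_forward PORT [LISTING] : "ok" when the rule exists and has matched
# traffic, "unused" when present with a zero counter, "missing" otherwise.
# LISTING defaults to the constructed sample so the script runs offline.
check_forward() {
  port="$1"
  listing="${2:-$SAMPLE_LISTING}"
  hits="$(printf '%s\n' "$listing" | dnat_hits "$port")"
  case "$hits" in
    missing) echo missing ;;
    0)       echo unused ;;
    *)       echo ok ;;
  esac
}

# On a live host, after a test connection from an external machine:
#   check_forward 8080 "$(iptables -t nat -L PREROUTING -n -v -x)"
for p in 8080 2222 3389; do
  printf 'port %s: %s\n' "$p" "$(check_forward "$p")"
done
```

An "unused" result after an external test usually means the packets arrive on a different interface than the rule's -i, or an upstream firewall drops them before they reach the host; a "missing" result means the post-up line never ran or was undone by post-down.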

Tips and Common Pitfalls

  • Always use post-up and post-down in /etc/network/interfaces so rules survive reboots cleanly. Note that post-up runs every time the interface comes up and -A appends blindly, so repeated ifreload runs can leave duplicate rules; review the nat table with iptables -t nat -S and prefer an iptables -C check before each -A if you reload often.
  • If you use the Proxmox firewall, ensure it does not conflict with your manual iptables rules. pve-firewall keeps its own PVEFW-* chains in the filter table and jumps to them at the top of INPUT, OUTPUT and FORWARD, so they are evaluated before anything you add; traffic they drop never reaches your rules. Proxmox VE 8.2 and later also offer an opt-in nftables-based firewall; do not mix that with hand-written iptables rules.
  • NAT is not isolation. VMs on vmbr1 can still reach each other and the host's own services on 10.10.10.1; only the FORWARD chain (and the host's INPUT chain for 10.10.10.1) decide what is reachable, so keep FORWARD on a DROP default.
  • PREROUTING never sees packets generated on the host itself, so a curl against port 8080 from the Proxmox host will not hit the DNAT rule; verify from a separate machine. Likewise, VMs on the private subnet cannot reach each other through the host's public address without an extra hairpin NAT rule, because the DNAT is bound to -i vmbr0.
  • For IPv6, use ip6tables and the MASQUERADE target in the same fashion, but consider whether your provider supports native IPv6 assignment instead: routing a delegated prefix keeps end-to-end addressing and avoids NAT66 entirely.
  • Monitor NAT connection tracking table usage with conntrack -C. On busy hosts, you may need to increase nf_conntrack_max.

NAT masquerading is one of the most common Proxmox networking patterns, especially in homelabs and VPS environments. If you manage multiple Proxmox nodes with complex NAT rules, keep a record of which VMs sit behind which forwarding rules, since the DNAT rules live outside the VM configuration and are easy to lose track of.
