Setting up a new Proxmox VE node

Prerequisites

Before starting the node configuration process, make sure you have:

  • An SSH key pair generated and ready to use.
  • Required firewall rules documented and authorised.

Node Provisioning and Configuration

Prepare the Operating System

You should be starting with a fresh install of the latest Proxmox VE version.

1. Update the DNS nameservers

Under the node settings, update the system DNS nameservers to the following:

  • DNS server 1: 10.0.90.1
  • DNS server 2: 1.1.1.3
  • DNS server 3: 1.0.0.3

The IP for DNS server 1 assumes you're running a self-hosted private DNS server on the Proxmox VE node. 1.1.1.3 and 1.0.0.3 are Cloudflare's "1.1.1.1 for Families" resolvers, which block known malware and adult-content domains; they act as the fallback if the private resolver is unavailable.

2. Move storage to "local"

3. Run the post-install script

Open a shell session on the Proxmox VE node and run the following command, then follow its setup wizard. The command executes whatever it downloads as root, so fetch the script and read it before running it rather than trusting the URL blindly:

bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/misc/post-pve-install.sh)"
Post-install wizard steps
  1. Correct Proxmox VE sources?: Yes
  2. Disable 'pve-enterprise' repository?: Yes
  3. Enable 'pve-no-subscription' repository?: Yes
  4. Correct 'ceph' package sources?: Yes
  5. Add (Disabled) 'pvetest' repository?: No
  6. Disable subscription nag?: Yes
  7. Disable high availability?: Yes
  8. Update Proxmox VE now?: Yes
  9. Reboot Proxmox VE now?: Yes

Network Configuration with single public IP

Manual static IP addresses

The following steps assume that you set a static IP address on each VM yourself, either by hand or through cloud-init or Terraform. If you feel adventurous, you can run dnsmasq on the Proxmox VE node to provide DHCP for the private network.

If the Proxmox VE node has a single public IP address, the VMs cannot have public addresses of their own. Configure the node to masquerade (source-NAT) their traffic so they can reach the internet, and add DNAT port forwards for any service that must be reachable from the internet.

The following steps are based on the guide "Using Proxmox with one public IP address" by Nicolas Simond.

1. Create a private network

Under the node settings, create a new Linux Bridge under the Network tab with the following settings:

  • Name: vmbr1
  • IPv4/CIDR: 10.0.0.1/8
  • IPv6/CIDR: fd42:1111:1111:1111::1/64
  • Autostart: Yes

2. Enable NAT masquerading

Once the bridge is created, edit /etc/network/interfaces and add post-up and post-down lines to the vmbr1 stanza that enable IP forwarding and masquerade traffic leaving the private network through vmbr0. See the example below:

# vmbr1: private network for the VMs; no physical port is attached
auto vmbr1
iface vmbr1 inet static
        address 10.0.0.1/8
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        # let the node route between vmbr1 and vmbr0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        # rewrite the source of outbound VM traffic to the node's public address
        post-up iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o vmbr0 -j MASQUERADE
        # inbound port forwards (step 3); the script must be executable
        post-up /root/dnat.sh
        post-down iptables -t nat -D POSTROUTING -s 10.0.0.0/8 -o vmbr0 -j MASQUERADE

# vmbr1 IPv6 (ULA prefix, NAT66 out through vmbr0)
iface vmbr1 inet6 static
        address fd42:1111:1111:1111::1/64
        post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
        # match the whole /64 prefix, not the bridge's own address
        post-up ip6tables -t nat -A POSTROUTING -s fd42:1111:1111:1111::/64 -o vmbr0 -j MASQUERADE
        post-down ip6tables -t nat -D POSTROUTING -s fd42:1111:1111:1111::/64 -o vmbr0 -j MASQUERADE

3. Open relevant ports to the public internet

If virtual machines on the private network need to be reachable from the public internet, forward the required ports with DNAT rules. Put them in /root/dnat.sh (the script called from the post-up line in the previous step) and make it executable with chmod +x /root/dnat.sh, otherwise the post-up hook fails silently. Two caveats: every port listed here is exposed to the entire internet, so forward only what must be public; and the post-down line only removes the MASQUERADE rule, so an ifdown/ifup cycle of vmbr1 appends a second copy of each DNAT rule.

#!/bin/sh
# /root/dnat.sh
# wait before adding rules (note: this delays ifup of vmbr1 by a minute)
sleep 60

# HTTP port 80
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.10:80
ip6tables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd42:1111:1111:1111::10]:80

Repeat the same lines as above for the other ports you need to open. For example, if you need to open port 443 for HTTPS, you would add the following lines:

# HTTPS port 443
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.10:443
ip6tables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd42:1111:1111:1111::10]:443

With those lines added, the script forwards ports 80 and 443 on the public address to the VM at 10.0.0.10 / fd42:1111:1111:1111::10. The complete script should appear as follows:

#!/bin/sh
# /root/dnat.sh
# wait before adding rules (note: this delays ifup of vmbr1 by a minute)
sleep 60

# HTTP port 80
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.10:80
ip6tables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd42:1111:1111:1111::10]:80

# HTTPS port 443
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.10:443
ip6tables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd42:1111:1111:1111::10]:443
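As an added example (not code from the original page or from Nicolas Simond's guide), the script below generalizes the hand-written rule pairs above: the forwards live in one table, the rules are generated from it, and they are loaded into a dedicated NAT chain that is flushed on every run, which avoids the duplicate rules that re-running the page's script would leave behind. It assumes vmbr0 is the public bridge, uses a hypothetical chain name PVE_DNAT, and its table entries are constructed placeholders that reuse the page's addresses.

```shell
#!/bin/sh
# Added example, not the page's /root/dnat.sh: build the DNAT port-forward rules
# from one table and load them into a dedicated chain so re-running is safe.
# Assumptions (not from the page): public bridge vmbr0, chain name PVE_DNAT
# (hypothetical), and the constructed table below, which reuses the page's addresses.

PUB_IF="vmbr0"
CHAIN="PVE_DNAT"

# Constructed forwarding table: proto  public_port  ipv4_target  ipv6_target
# Lines starting with # are ignored. Every entry here is reachable from the
# whole internet, so list only services that must be public.
FORWARDS='
tcp 80  10.0.0.10 fd42:1111:1111:1111::10
tcp 443 10.0.0.10 fd42:1111:1111:1111::10
'

# Print the iptables (family 4) or ip6tables (family 6) rule for each table
# row, one per line. Plain text output lets you review or diff the rules
# before anything touches the kernel.
dnat_rules() {
    family="$1"
    printf '%s\n' "$FORWARDS" | while read -r proto port v4 v6; do
        case "$proto" in ''|\#*) continue ;; esac
        if [ "$family" = "4" ]; then
            printf 'iptables -t nat -A %s -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
                "$CHAIN" "$PUB_IF" "$proto" "$port" "$v4" "$port"
        else
            printf 'ip6tables -t nat -A %s -i %s -p %s --dport %s -j DNAT --to-destination [%s]:%s\n' \
                "$CHAIN" "$PUB_IF" "$proto" "$port" "$v6" "$port"
        fi
    done
}

# Create the chain (or flush it if it already exists), hook it from PREROUTING
# exactly once, then load the generated rules. Only our own chain is flushed,
# so other NAT rules on the node are untouched and ifdown/ifup cycles do not
# pile up duplicate forwards.
apply_rules() {
    for family in 4 6; do
        if [ "$family" = "4" ]; then ipt=iptables; else ipt=ip6tables; fi
        "$ipt" -t nat -N "$CHAIN" 2>/dev/null || "$ipt" -t nat -F "$CHAIN"
        "$ipt" -t nat -C PREROUTING -j "$CHAIN" 2>/dev/null \
            || "$ipt" -t nat -A PREROUTING -j "$CHAIN"
        dnat_rules "$family" | sh -e
    done
}

# /root/dnat.sh apply   -> load the rules (call this from post-up)
# /root/dnat.sh         -> dry run: print the rules that would be loaded
case "${1:-}" in
    apply) apply_rules ;;
    *)     dnat_rules 4; dnat_rules 6 ;;
esac
```

Call it as `post-up /root/dnat.sh apply` in /etc/network/interfaces (after chmod +x) and inspect what was loaded with `iptables -t nat -S PVE_DNAT`. The page's sleep 60 is omitted here; add it back in front of apply_rules if your node needs it.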