Setting up a NAT network on PVE
Configuring the NAT interface
Creating the interface

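After creating the interface, click "Apply Configuration" to generate the new configuration file /etc/network/interfaces.
Editing the configuration file
By default the configuration file looks like this: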
iface vmbr1 inet static
address 10.0.0.1/24
bridge-ports none
bridge-stp off
bridge-fd 0
#NAT
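First, decide whether this interface needs to be bridged to a physical port. The requirement here is clearly a NAT-type interface, so it is not bridged to any NIC.
We only need to add three rules, as follows:
# Enable IPv4 forwarding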
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
# Add the rule when the interface is brought up
post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
# Remove the rule when the interface is brought down
post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
Note: you can also set net.ipv4.ip_forward=1 in /etc/sysctl.conf and run sysctl -p to enable IPv4 forwarding.
So the final configuration file looks like this:
root@pve:/etc/network# cat interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!
auto lo
iface lo inet loopback
iface enp0s25 inet manual
iface enp11s0 inet manual
auto vmbr0
iface vmbr0 inet static
address 192.168.6.167/24
gateway 192.168.6.1
bridge-ports enp0s25
bridge-stp off
bridge-fd 0
auto vmbr1
iface vmbr1 inet static
address 10.0.0.1/24
bridge-ports none
bridge-stp off
bridge-fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
#NAT
source /etc/network/interfaces.d/*
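A pre-reload check for the NAT stanza above, as an added example that is not part of the original post: it verifies that every post-up MASQUERADE rule has an identical post-down delete, that its -s subnet matches the bridge address, and that its -o interface is defined. The function names (parse, opt, lint_nat) are illustrative, and the sample text is constructed from the configuration shown above.

```python
import ipaddress
import shlex

# Constructed sample: the vmbr0/vmbr1 stanzas from the configuration above.
SAMPLE = """\
iface vmbr0 inet static
address 192.168.6.167/24
iface vmbr1 inet static
address 10.0.0.1/24
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
"""

def parse(text):
    """Map each iface name to its address and post-up/post-down argv lists."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        key, rest = (line.split(None, 1) + ["", ""])[:2]
        if key == "iface":
            cur = ifaces.setdefault(rest.split()[0], {"address": None, "post-up": [], "post-down": []})
        elif cur is not None and key == "address":
            cur["address"] = rest.strip()
        elif cur is not None and key in ("post-up", "post-down"):
            cur[key].append(shlex.split(rest))  # shlex removes the quotes around the CIDR
    return ifaces

def opt(cmd, flag):
    """Value that follows flag in an argv list, or None."""
    return cmd[cmd.index(flag) + 1] if flag in cmd[:-1] else None

def lint_nat(text):
    """Return findings for MASQUERADE rules that are unpaired, mis-scoped or use an unknown -o interface."""
    ifaces, findings = parse(text), []
    for name, cfg in ifaces.items():
        for cmd in cfg["post-up"]:
            if cmd[:1] != ["iptables"] or "-A" not in cmd or opt(cmd, "-j") != "MASQUERADE":
                continue
            if ["-D" if a == "-A" else a for a in cmd] not in cfg["post-down"]:
                findings.append(f"{name}: post-up MASQUERADE rule has no identical post-down -D")
            src = opt(cmd, "-s")
            if src is None:
                findings.append(f"{name}: rule has no -s, so all forwarded traffic is masqueraded")
            elif cfg["address"] and ipaddress.ip_network(src, strict=False) != ipaddress.ip_interface(cfg["address"]).network:
                findings.append(f"{name}: -s {src} is not the subnet of {cfg['address']}")
            if opt(cmd, "-o") not in ifaces:
                findings.append(f"{name}: -o {opt(cmd, '-o')} is not defined in this file")
    return findings
```

Calling lint_nat() on the text of /etc/network/interfaces returns an empty list when the rules are paired and scoped; a rule left without its matching delete is appended to POSTROUTING again each time the interface is brought up.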
Finally, reload the network with the ifreload command:
root@pve:/etc/network# ifreload -a
root@pve:/etc/network# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp11s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 98:6e:e8:27:31:dd brd ff:ff:ff:ff:ff:ff
altname enx986ee82731dd
3: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master vmbr0 state UP group default qlen 1000
link/ether d8:9e:f3:2e:98:cf brd ff:ff:ff:ff:ff:ff
altname enxd89ef32e98cf
25: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether d8:9e:f3:2e:98:cf brd ff:ff:ff:ff:ff:ff
inet 192.168.6.167/24 scope global vmbr0
valid_lft forever preferred_lft forever
inet6 fe80::da9e:f3ff:fe2e:98cf/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
26: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 6a:d3:85:a1:78:22 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/24 scope global vmbr1
valid_lft forever preferred_lft forever
inet6 fe80::68d3:85ff:fea1:7822/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
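You can see that vmbr1 is now listed. Its state is UNKNOWN because no network device is attached to this virtual interface yet.
Testing the network
Now create a CT to test the network. Remember to select the vmbr1 interface and set the IP address manually (there is no DHCP service on this subnet).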

After starting the CT, test the network with the following commands:
[root@nwtest ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether bc:24:11:4c:b3:0d brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.0.2/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::be24:11ff:fe4c:b30d/64 scope link
valid_lft forever preferred_lft forever
[root@nwtest ~]# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.168 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.067 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.035 ms
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2062ms
rtt min/avg/max/mdev = 0.035/0.090/0.168/0.056 ms
[root@nwtest ~]# ping 192.168.6.1
PING 192.168.6.1 (192.168.6.1) 56(84) bytes of data.
64 bytes from 192.168.6.1: icmp_seq=1 ttl=63 time=0.637 ms
64 bytes from 192.168.6.1: icmp_seq=2 ttl=63 time=0.463 ms
64 bytes from 192.168.6.1: icmp_seq=3 ttl=63 time=0.514 ms
--- 192.168.6.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2079ms
rtt min/avg/max/mdev = 0.463/0.538/0.637/0.073 ms
[root@nwtest ~]# ping 192.168.6.167
PING 192.168.6.167 (192.168.6.167) 56(84) bytes of data.
64 bytes from 192.168.6.167: icmp_seq=1 ttl=64 time=0.085 ms
64 bytes from 192.168.6.167: icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from 192.168.6.167: icmp_seq=3 ttl=64 time=0.036 ms
--- 192.168.6.167 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2081ms
rtt min/avg/max/mdev = 0.036/0.052/0.085/0.023 ms
[root@nwtest ~]# curl https://www.google.com.hk
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com.hk/&q=EgQmtUjzGMDslsUGIjCotC2bhMEaXTSAFS493rVoHtodPeQ426dCbS1-qHDzo6utAxKgRKgqPuZn5o5qfaIyAnJSShlTT1JSWV9BQlVTSVZFX05FVF9NRVNTQUdFWgFD">here</A>.
</BODY></HTML>
Perfect! The external network is now reachable.
Configuring DHCP
DHCP can be provided by a software router.