By default, Proxmox creates the Linux bridge vmbr0, which looks through the external interface and all other virtual machine interfaces connected to this bridge will also look to the world. Therefore, it is necessary to raise the NAT from under which all other virtual machines will exit.

To do this, in the Network node section, create a new Linux bridge vmbr1 already with local network settings of the private network:

Linux bridge

In our case, we assigned the IP address to the bridge interface. We do not configure the gateway for this bridge, as this will be the interfaced interface.

Rebooting the server, then using ssh in the console, edit the network configuration file /etc/network/ interfaces and find our private grid section and bring it to the following form:

auto vmbr1
iface vmbr1 inet static
bridge-ports none
bridge-stp off
bridge-fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s ‘’ -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s ‘’ -o vmbr0 -j MASQUERADE

that is, we enable forwarding of packets between interfaces and enable NAT for the network on the vmbr0 interface.

Packet forwarding can also be set in a classical way in /etc/sysctl.conf by setting the line there:


After that, we reboot the server and proceed to set up the guest virtual machine, in our case for Windows OS.

Before this, we create a network interface for our machine model VirtIO and belonging to the bridge vmbr1 and turn on the machine.


For Windows, you first need to download Stable virtio-win.iso and then upload it via the web interface, which is somewhat dreary because the iso image weighs 300+ MB, so that you can download directly to the Proxmox storage directly from the server:

wget -P /var/lib/vz/template/iso/

and connect the ISO disk already through the web interface in the machine settings. In the guest machine drivers for network, cards are installed. After installing drivers are registered in the network, where IP specifies the required address, gateway address and so on in our case

This completes the NAT setup.

If necessary, it is possible to configure port forwarding.

If you need to forward certain ports to the desired virtual machines. This can be done with iptables:

iptables -t nat -A PREROUTING -p tcp -d %ext_ip% –dport %ext_port% -i vmbr0 -j DNAT –to-destination %int_ip%:%int_port%

%ext_ip% – external IP 

%ext_port% – the external port that will access the server from the Internet.

%int_ip%  – internal IP of the virtual machine

%int_port% – the internal port on which the service will run in the virtual machine.

The result should be a record of the form, for example:

iptables -t nat -A PREROUTING -p tcp -d –dport 4001 -i vmbr0 -j DNAT –to-destination

That is, the request that will be sent to IP on port 4001 will be forwarded to the IP of the virtual machine on port 3389

You can view the created rules with the command:

iptables -L -t nat

Save rules iptables:


Setup complete.