cptcr.
Back to all posts
Tools & Resources
September 4, 2025
6 min read

Install a IPv4 subnet on Proxmox VE

In this guide you will learn how to install an IPv4 subnet on Proxmox VE.

Tony
Tony
@cptcr

Proxmox VE Subnet Configuration Guide

Understanding the Basics

What is Proxmox VE?

Proxmox VE is an Open-Source virtualization platform primarily known as Proxmox Virtual Environment (PVE). With Proxmox you can create virtual machines (VMs) and Linux Containers (LXC).

What is a Subnet?

A subnet, or subnetwork, is a logical subdivision of an IP network that creates smaller, more manageable segments within a larger network.

Prerequisites

  • You need a server with Proxmox VE installed. For this, I have a Debian 12 server from Hetzner SB.
    • Installing PVE on your server: https://www.cptcr.dev/blog/hetzner-and-proxmox
  • Additionally you need a subnet from your ISP or hosting provider, if you use Hetzner, you can order one in the Hetzner Robot panel.
    • Go to "Server" → Select the server you want to install a subnet on → Go to the "IPs" section → Click on "Order additional IPs / Nets" → Select a subnet that matches your preferences, since each subnet gives you a different amount of IPs.
    • Subnet Cheatsheet

Personally, I use a /29 subnet which has 8 IPs from which 6 IPs are usable. 2 IPs are used for the bridge, the first is for your network address and the last is your broadcast address.

Example Network Configuration

For this guide, we'll use the following example configuration:

  • Main server IP: 192.168.1.100
  • Subnet: 10.10.10.0/29
  • Gateway: 192.168.1.1
  • Usable IPs: 10.10.10.1 to 10.10.10.6

Creating a Network Bridge

Method 1: Via Proxmox Web Interface

  1. Access the Proxmox Web Interface

    • Navigate to your Proxmox server: https://your-server-ip:8006
    • Login with your root credentials

  2. Navigate to Network Configuration

    • Select your node from the left sidebar
    • Click on "System" → "Network"

  3. Create a New Linux Bridge

    • Click "Create" → "Linux Bridge"
    • Configure the following settings:
      • Name: vmbr1 (or any available bridge number)
      • IPv4/CIDR: 10.10.10.1/29 (first usable IP of your subnet)
      • Gateway: Leave empty for this bridge
      • Bridge ports: Leave empty (routed setup)
      • Comment: "Subnet bridge for VMs"

  4. Apply Configuration

    • Click "OK" to save
    • Click "Apply Configuration" button
    • The system will reload network configuration

Method 2: Via Shell

  1. SSH into your Proxmox server

    ssh root@your-server-ip

  2. Backup existing network configuration

    cp /etc/network/interfaces /etc/network/interfaces.backup

  3. Edit the network configuration

    nano /etc/network/interfaces

  4. Add the bridge configuration Add the following configuration to the file:

    auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1/29
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/29' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/29' -o vmbr0 -j MASQUERADE

  5. Restart networking service

    systemctl restart networking

Configuring the Network Bridge for Routing

Enable IP Forwarding Permanently

  1. Edit sysctl configuration

    nano /etc/sysctl.conf

  2. Uncomment or add the following line

    net.ipv4.ip_forward=1

  3. Apply the changes

    sysctl -p

Configure Routing Rules

  1. Add static route for the subnet

    ip route add 10.10.10.0/29 dev vmbr1

  2. Make routing persistent Add to /etc/network/interfaces under the vmbr1 configuration:

    post-up ip route add 10.10.10.0/29 dev vmbr1
post-down ip route del 10.10.10.0/29 dev vmbr1

Assigning IPv4 Addresses from the Subnet to VMs

For Virtual Machines (KVM)

  1. Create or edit a VM

    • Select your VM from the left sidebar
    • Go to "Hardware" → "Network Device"

  2. Configure Network Device

    • Bridge: Select vmbr1
    • Model: VirtIO (recommended for performance)
    • MAC Address: Auto-generated or manual

  3. Configure IP inside the VM

    For Debian/Ubuntu VMs:

    a. Edit network configuration:

    nano /etc/network/interfaces

    b. Add static IP configuration:

    auto ens18
iface ens18 inet static
    address 10.10.10.2
    netmask 255.255.255.248
    gateway 10.10.10.1
    dns-nameservers 8.8.8.8 8.8.4.4

    c. Restart networking:

    systemctl restart networking

    For CentOS/RHEL/Rocky Linux VMs:

    a. Edit network configuration:

    nano /etc/sysconfig/network-scripts/ifcfg-eth0

    b. Configure static IP:

    TYPE=Ethernet
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.10.10.2
PREFIX=29
GATEWAY=10.10.10.1
DNS1=8.8.8.8
DNS2=8.8.4.4

    c. Restart networking:

    systemctl restart NetworkManager

For Linux Containers (LXC)

  1. Create or edit a container

    • Select your container from the left sidebar
    • Go to "Network"

  2. Configure Network Interface

    • Name: eth0
    • Bridge: vmbr1
    • IPv4: Static
    • IPv4/CIDR: 10.10.10.3/29
    • Gateway: 10.10.10.1

  3. Apply and restart container

    pct restart <container-id>

Advanced Configuration

Setting up NAT for Internet Access

If your VMs need internet access through the main server IP:

  1. Configure NAT masquerading

    iptables -t nat -A POSTROUTING -s 10.10.10.0/29 -o vmbr0 -j MASQUERADE

  2. Make NAT rules persistent Install iptables-persistent:

    apt-get install iptables-persistent

    Save current rules:

    netfilter-persistent save

Port Forwarding to VMs

To forward specific ports from your main IP to VMs:

  1. Forward port 80 to a VM

    iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.2:80

  2. Forward port 443 to a VM

    iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to-destination 10.10.10.2:443

  3. Allow forwarded traffic

    iptables -A FORWARD -p tcp -d 10.10.10.2 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d 10.10.10.2 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Troubleshooting

Check Bridge Status

brctl show
ip addr show vmbr1

Verify Routing

ip route show
cat /proc/sys/net/ipv4/ip_forward

Test Connectivity from VM

ping 10.10.10.1
ping 8.8.8.8
traceroute google.com

Check NAT Rules

iptables -t nat -L -n -v

Monitor Bridge Traffic

tcpdump -i vmbr1 -n

Security Considerations

  1. Firewall Rules

    • Always restrict access to management interfaces
    • Use Proxmox firewall for VM-level protection
    • Implement rate limiting for exposed services

  2. Network Segmentation

    • Use VLANs for different VM groups
    • Separate production and development environments
    • Isolate sensitive services

  3. Regular Updates

    apt update && apt upgrade
pveupgrade

Subnet IP Allocation Table

Keep track of your IP assignments:

| IP Address | Assignment | Type | Notes | |--------------|-------------------|------|----------------------| | 10.10.10.0 | Network Address | - | Not usable | | 10.10.10.1 | Bridge Gateway | PVE | vmbr1 interface | | 10.10.10.2 | Web Server | VM | Apache/Nginx | | 10.10.10.3 | Database Server | VM | MySQL/PostgreSQL | | 10.10.10.4 | Mail Server | VM | Postfix/Dovecot | | 10.10.10.5 | DNS Server | LXC | BIND/Unbound | | 10.10.10.6 | Monitoring | LXC | Prometheus/Grafana | | 10.10.10.7 | Broadcast Address | - | Not usable |

Conclusion

You now have a fully configured Proxmox VE server with a working subnet bridge. Your VMs and containers can use the assigned IP addresses from your subnet, with proper routing and optional NAT for internet access. Remember to document your IP assignments and maintain regular backups of your network configuration.

Back to all posts
Share this article: