Proper network configuration is essential for containers and VMs. This guide covers everything from basic networking to advanced configurations.

Network Basics

Network Bridges

Proxmox uses Linux bridges to connect VMs and containers to networks.

vmbr0

Default Bridge
  • Created during Proxmox installation
  • Connected to physical network interface
  • Used by most containers/VMs

Custom Bridges

Additional Bridges
  • Isolated networks
  • VLAN separation
  • Internal-only communication

Viewing Network Configuration

  1. Select Proxmox node
  2. Navigate to System → Network
  3. View bridges, interfaces, and bonds

Container Networking

Static IP Configuration

1. During Container Creation

When running a script, you can specify network settings:
  • Choose Advanced Settings
  • Configure static IP or DHCP
  • Set gateway and DNS servers
2. After Container Creation (Web UI)

  1. Select the container
  2. Navigate to Network
  3. Edit net0
  4. Set:
    • IPv4: 192.168.1.100/24
    • Gateway: 192.168.1.1
3. After Container Creation (CLI)

# Set static IP
pct set <CTID> -net0 name=eth0,bridge=vmbr0,ip=192.168.1.100/24,gw=192.168.1.1

# Restart container
pct reboot <CTID>

DHCP Configuration

  1. Container → Network
  2. Edit net0
  3. IPv4: Set to DHCP

DNS Configuration

Set DNS servers for containers:
# Edit resolv.conf inside container
pct enter <CTID>

echo "nameserver 8.8.8.8" > /etc/resolv.conf
echo "nameserver 1.1.1.1" >> /etc/resolv.conf
For permanent DNS settings in Debian/Ubuntu containers, edit /etc/network/interfaces or use /etc/systemd/resolved.conf.

VM Networking

Network Interface Types

VirtIO

Best Performance
  • Paravirtualized driver
  • Low CPU overhead
  • Recommended for Linux

Intel E1000

Compatibility
  • Emulated hardware
  • Broader OS support
  • Higher CPU usage

VMware vmxnet3

VMware Import
  • For migrated VMs
  • Good performance

Configure VM Network

1. Set Network Device (CLI)

# VirtIO network device
qm set <VMID> -net0 virtio,bridge=vmbr0

# With static MAC address
qm set <VMID> -net0 virtio,bridge=vmbr0,macaddr=02:00:00:00:00:01
2. Configure Inside VM

After VM boots, configure networking:

Debian/Ubuntu:
# Edit /etc/network/interfaces
auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8 1.1.1.1
Using netplan (Ubuntu 18.04+):
# /etc/netplan/01-netcfg.yaml
network:
  version: 2
  ethernets:
    eth0:
      addresses:
        - 192.168.1.100/24
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8, 1.1.1.1]
Apply:
netplan apply

VLANs

VLANs provide network segmentation for security and organization.

VLAN-Aware Bridge

1. Enable VLAN Awareness

Edit /etc/network/interfaces:
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
2. Apply Changes

ifreload -a

Assign VLAN to Container

  1. Container → Network
  2. Edit net0
  3. Set VLAN Tag (e.g., 10)

Assign VLAN to VM

qm set <VMID> -net0 virtio,bridge=vmbr0,tag=10

Common VLAN Use Cases

IoT Devices

VLAN 10
  • Home Assistant
  • Smart home devices
  • Isolated from main network

Guest Network

VLAN 20
  • Guest Wi-Fi
  • Limited access
  • Internet only

Management

VLAN 99
  • Proxmox host
  • Network switches
  • Administrative access

Servers

VLAN 30
  • Web servers
  • Databases
  • Production services

Firewall Configuration

Enable Proxmox Firewall

1. Enable Datacenter Firewall

  1. Navigate to Datacenter → Firewall
  2. Check Enable Firewall

2. Enable Node Firewall

  1. Select node → Firewall → Options
  2. Enable firewall for the node

3. Enable Container/VM Firewall

  1. Select container/VM → Firewall → Options
  2. Enable firewall

Firewall rules are evaluated at three levels: Datacenter → Node → Container/VM. Ensure all levels are configured correctly.

Create Firewall Rules

  1. Container/VM → Firewall → Add
  2. Configure:
    • Direction: IN/OUT
    • Action: ACCEPT/REJECT/DROP
    • Protocol: TCP/UDP/ICMP
    • Source/Destination
    • Port

Common Firewall Rules

Direction: IN
Action: ACCEPT
Protocol: tcp
Dest. port: 22
Source: 192.168.1.0/24

Direction: IN
Action: ACCEPT
Protocol: tcp
Dest. port: 80,443

Direction: IN
Action: DROP
Protocol: any

Direction: OUT
Action: ACCEPT
Protocol: any
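
Besides the three enable switches above, Proxmox applies guest rules only to interfaces whose netN line carries firewall=1, which the pct set and qm set lines in this guide do not include. The following is an added example, not part of the original guide: it audits `pct config` text and the guest firewall file (kept under /etc/pve/firewall/<VMID>.fw) using constructed sample data; the function names are hypothetical.

```shell
# Added example (not from the original guide): offline audit of guest settings.

# Reads `pct config` / `qm config` text on stdin; prints each netN key whose
# option list lacks firewall=1 (rules are not applied to such an interface).
nics_without_firewall() {
    awk -F': ' '/^net[0-9]+: / {
        n = split($2, opts, ","); ok = 0
        for (i = 1; i <= n; i++) if (opts[i] == "firewall=1") ok = 1
        if (!ok) print $1
    }'
}

# Reads a guest .fw file on stdin; prints the value of key $1 from [OPTIONS].
fw_option() {
    awk -v key="$1" '
        /^\[/ { in_opts = (toupper($1) == "[OPTIONS]"); next }
        in_opts && $1 == (key ":") { print $2; exit }'
}

# audit_guest CONFIG_TEXT FW_TEXT: one finding per line; non-zero if any.
audit_guest() {
    findings=""
    for nic in $(printf '%s\n' "$1" | nics_without_firewall); do
        findings="${findings}${nic}: firewall=1 missing on interface
"
    done
    [ "$(printf '%s\n' "$2" | fw_option enable)" = "1" ] ||
        findings="${findings}guest firewall not enabled in [OPTIONS]
"
    # An explicit ACCEPT input policy contradicts "default deny incoming".
    [ "$(printf '%s\n' "$2" | fw_option policy_in)" != "ACCEPT" ] ||
        findings="${findings}policy_in is ACCEPT
"
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample data modelled on this guide's addresses.
SAMPLE_CONFIG='hostname: web01
net0: name=eth0,bridge=vmbr0,firewall=1,ip=192.168.1.100/24,gw=192.168.1.1
net1: name=eth1,bridge=vmbr1,ip=10.0.0.10/24'
SAMPLE_FW='[OPTIONS]
enable: 1
policy_in: DROP

[RULES]
IN ACCEPT -source 192.168.1.0/24 -p tcp -dport 22
IN ACCEPT -p tcp -dport 80,443'
audit_guest "$SAMPLE_CONFIG" "$SAMPLE_FW" || true
```

On a host, the same check runs against real data with audit_guest "$(pct config <CTID>)" "$(cat /etc/pve/firewall/<CTID>.fw)".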

Advanced Networking

Multiple Network Interfaces

Add additional network interfaces:
# Add second network interface
pct set <CTID> -net1 name=eth1,bridge=vmbr1,ip=192.168.2.100/24

Network Bonding

Combine multiple network interfaces for redundancy or bandwidth:
# Edit /etc/network/interfaces
auto bond0
iface bond0 inet manual
    bond-slaves eno1 eno2
    bond-miimon 100
    bond-mode 802.3ad
    bond-xmit-hash-policy layer2+3

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
Bond Modes:
  • balance-rr (0) - Round-robin
  • active-backup (1) - Failover
  • balance-xor (2) - XOR based
  • 802.3ad (4) - LACP (requires switch support)

Internal-Only Network

Create isolated network for container communication:
1. Create Bridge

Edit /etc/network/interfaces:
auto vmbr1
iface vmbr1 inet static
    address 10.0.0.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
2. Apply Configuration

ifreload -a
3. Assign to Containers

pct set <CTID> -net1 name=eth1,bridge=vmbr1,ip=10.0.0.10/24

NAT and Port Forwarding

Forward external ports to containers:
1. Enable IP Forwarding

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
2. Add iptables Rules

# Forward port 8080 to container on port 80
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to 192.168.1.100:80
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j MASQUERADE
3. Make Rules Persistent

apt install iptables-persistent
netfilter-persistent save

IPv6 Configuration

Enable IPv6

1. Configure Bridge

Edit /etc/network/interfaces:
iface vmbr0 inet6 static
    address 2001:db8::1/64
2. Assign to Container

pct set <CTID> -net0 name=eth0,bridge=vmbr0,ip=192.168.1.100/24,ip6=2001:db8::100/64,gw6=2001:db8::1

Troubleshooting

Check:
  1. Bridge configuration: brctl show
  2. Container network config: pct config <CTID>
  3. IP address: pct enter <CTID> then ip addr
  4. Restart network: systemctl restart networking
Verify:
# Check routing table
ip route

# Check ARP table
ip neigh

# Test from host
ping -c 4 192.168.1.1
Fix DNS:
# Inside container
echo "nameserver 8.8.8.8" > /etc/resolv.conf
echo "nameserver 1.1.1.1" >> /etc/resolv.conf

# Test resolution
nslookup google.com
Checklist:
  1. Bridge is VLAN-aware
  2. Switch port is configured as trunk
  3. VLAN exists on switch
  4. Correct VLAN tag on container/VM

Network Monitoring

Monitor Traffic

apt install iftop
iftop -i vmbr0

Test Network Performance

# Install iperf3
apt install iperf3

# Server (on one container)
iperf3 -s

# Client (on another)
iperf3 -c <server-ip>

Best Practices

Plan IP Addressing

  • Use consistent IP scheme
  • Document assignments
  • Reserve ranges for DHCP
  • Use static for servers

Use VLANs

  • Segment networks
  • Isolate IoT devices
  • Separate management
  • Improve security

Enable Firewall

  • Default deny incoming
  • Allow only needed ports
  • Log dropped packets
  • Regular rule review

Monitor Traffic

  • Track bandwidth usage
  • Identify bottlenecks
  • Detect anomalies
  • Plan upgrades
