Setting up a proxmox host
Initial Setup (already completed)
- Set up Proxmox environment (this is already done)
- Add student@pam user (also already done):
  $ useradd -m student
  $ pveum user add student@pam -comment "Summer 2025"
  $ pveum acl modify / -user student@pam -role Administrator
  $ echo "student:$(head /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+{}|:<>?' | head -c 32)" >| ~/passwd
  $ cat ~/passwd | chpasswd student
  $ usermod -aG sudo student
Proxmox Host Setup for the CAT Network Environment
- Update the system:
  $ sudo apt update && sudo apt upgrade -y
- Install https://free-pmx.pages.dev/tools/free-pmx-no-subscription_0.3.0~pre1.deb to remove the nag warning on Proxmox >= 8.4.2:
  $ curl -LO https://free-pmx.pages.dev/tools/free-pmx-no-subscription_0.3.0~pre1.deb
  $ dpkg -i free-pmx-no-subscription_0.3.0~pre1.deb
- Upgrade the system:
  $ apt update ; apt upgrade -y
- Install sudo:
  $ apt install sudo
- Set up SNAT:
  - In the host shell run:
    $ apt install dnsmasq
    $ systemctl disable --now dnsmasq
  - In the PVE UI, navigate to Datacenter → SDN → Zones: Create a new Simple zone with an ID of SNAT. Tick the ‘automatic DHCP’ option in the advanced settings. As IPAM we select pve.
  - Datacenter → SDN → VNet:
    - Create a new VNet with ID of vnet0.
    - Put it in the simple zone you created above.
    - With vnet0 selected, create a new subnet in the pane on the right.
      - Set the subnet to a private IP range
      - Set the gateway to the base address of the subnet
      - Tick the SNAT option
      - Go to the DHCP Ranges tab and create a new range that is contained within the subnet.
      - I like to use
        - 172.20.100.1/24
        - 172.20.100.1
        - 172.20.100.100 - 172.20.100.150
  - Click apply on the SDN panel.
- Set up NAT forwarding:
  On your Proxmox host itself, open a shell. In file /etc/nftables.conf, add the following rules to set up NAT forwarding for SSH traffic:

      #!/usr/sbin/nft -f

      flush ruleset

      table inet filter {
          chain input {
              type filter hook input priority filter;
          }
          chain forward {
              type filter hook forward priority filter;
          }
          chain output {
              type filter hook output priority filter;
          }
      }

      table ip nat {
          chain prerouting {
              type nat hook prerouting priority -100; policy accept;
              ip daddr <HOST_IP> tcp dport 22 dnat to 172.18.100.100:22
          }
      }

  Make sure to replace <HOST_IP> with the actual host IP address from the vmbr0 interface.
  One way to get the IP:
  $ ip -o -f inet addr show vmbr0 | awk '{print $4}' | cut -f1 -d/
  Then apply the rules:
  $ nft -f /etc/nftables.conf
  $ #verify
  $ nft list table ip nat
  - To add more port forwards, just add additional "ip daddr <HOST_IP> tcp dport <PORT> dnat to <TARGET_IP>:<TARGET_PORT>" lines to the prerouting chain in the ip nat table. In our case, this is mostly going to forward directly to the FreeBSD host, which will then forward to the Ubuntu host(s).
- Move the SSH port to 8022 on the Proxmox host:
  $ sed -i 's/#Port 22/Port 8022/' /etc/ssh/sshd_config
  $ systemctl restart sshd
Creating a VM Template
$ cd /var/lib/vz/images/
$ curl -LO https://cloud-images.ubuntu.com/releases/noble/release/ubuntu-24.04-server-cloudimg-amd64.img
$ qemu-img resize ubuntu-24.04-server-cloudimg-amd64.img 32G
$ qm create 1001 --name "template-ubuntu-24.04" --ostype l26 --memory 4096 --agent 1 --bios seabios --machine q35 --cpu host --socket 1 --cores 4 --vga serial0 --serial0 socket --net0 virtio,bridge=vnet0
$ qm importdisk 1001 ubuntu-24.04-server-cloudimg-amd64.img local-lvm
$ qm set 1001 --scsihw virtio-scsi-pci --virtio0 local-lvm:vm-1001-disk-0,discard=on
$ qm set 1001 --boot order=virtio0
$ qm set 1001 --ide2 local-lvm:cloudinit
$ cat << EOF | tee /var/lib/vz/snippets/vendor.yaml
#cloud-config
runcmd:
- apt update
- apt install -y qemu-guest-agent
- systemctl start qemu-guest-agent
- reboot
EOF
$ qm set 1001 --cicustom "vendor=local:snippets/vendor.yaml"
$ qm set 1001 --ciuser student
$ qm set 1001 --cipassword $(openssl passwd -6 super_secret_password)
$ qm set 1001 --ipconfig ip=dhcp
$ qm set 1001 --ipconfig0 ip=dhcp
$ qm cloudinit update 1001
$ qm template 1001
$ qm help clone
$ qm clone 1001 101 --format qcow2 --full --name "Ubuntu-101"