Albert (container)

Container Configuration

RAM: 8192, HD: 8 GB, 1 CPU, DHCP, VLAN 100

Software Configuration

Network Interfaces & VLans

Proxmox interfaces

vi /etc/network/interfaces

auto lo
iface lo inet loopback
source /etc/network/interfaces.d/*

# --- Management interface (host console)
allow-hotplug enp116s0
iface enp116s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 198.18.0.192/24
    gateway 198.18.0.1
    bridge-ports enp116s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware no

# --- VM trunk bridge (VLAN aware)
auto enp117s0
iface enp117s0 inet manual

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp117s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes

# --- Host IP inside VLAN 30 (optional)
auto vmbr1.30
iface vmbr1.30 inet static
    address 172.30.30.11/24
    gateway 172.30.30.1
    vlan-raw-device vmbr1

ifdown -a; ifup -a

Best practice in Proxmox VE 9 is one VLAN-aware bridge (e.g., vmbr0) as a trunk, then tag each VM NIC with the VLAN it should use.

Why one VLAN-aware bridge?

  • Simplicity & scale: One trunked bridge carries many VLANs; you just set the VLAN Tag on each VM’s NIC.
  • Fewer moving parts: Easier to manage bonding/LACP and switch configs.
  • Works great with Proxmox firewall/ipfilter for per-VM IP enforcement.

Recommended setup

  1. Make the main bridge VLAN-aware (UI: Datacenter → Node → Network → vmbr0 → check VLAN Aware).
  2. Trunk the switchport facing your Proxmox NIC/bond (allow required VLANs).
  3. On each VM NIC, set VLAN Tag to the right VLAN ID.

One VLAN-aware bridge (vmbr1) is enough for all my tagged containers:

What makes it work

  • Binding to 445: Inside an LXC, “root” has the capability CAP_NET_BIND_SERVICE by default, which allows binding to ports <1024 (like 445) even when the container is unprivileged.
  • Network isolation: The container gets its own network namespace and IP, so it can listen on 445 without conflicting with the host, as long as they don’t share the same IP.

Gotchas & fixes

  1. Port already in use / same IP
     • You cannot have both the host and the container listen on 445 on the same IP. Give the container its own IP (bridge + VLAN tag is fine), or use NAT with a DNAT rule to forward 445.

/etc/network/interfaces

auto vmbr0
iface vmbr0 inet manual
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes

# if this is your mgmt VLAN
auto vmbr0.10
iface vmbr0.10 inet static
    address 192.168.10.2/24
    gateway 192.168.10.1

bridge vlan show

port              vlan-id
enp116s0          1 PVID Egress Untagged
enp117s0          1 PVID Egress Untagged
vmbr0             1 PVID Egress Untagged
vmbr1             1 PVID Egress Untagged
                  30
tap101i0          100 PVID Egress Untagged

172.30.100.20
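The bridge vlan show listing is where a missing or wrong VLAN Tag on a guest NIC becomes visible. The following is an added example, not part of the original notes: it parses that listing and flags guest ports that are not an access port for exactly one tagged VLAN. The function name, the finding labels and the ports tap102i0 and veth103i0 are constructed for illustration; it assumes Proxmox names VM ports tap<vmid>i<n> and container ports veth<vmid>i<n>.

```shell
#!/bin/sh
# Added example (not from the page): function name and finding labels are hypothetical.
# Assumes guest ports are named tap<vmid>i<n> (VMs) and veth<vmid>i<n> (containers).

# Read `bridge vlan show` text from file $1 and print "port:finding" for every
# guest port that is not an access port for exactly one tagged VLAN.
vlan_guest_findings() {
    awk '
        function report() {
            if (port !~ /^(tap|veth)/ || nvid == 0) return
            if (nvid > 1)         print port ":multiple-vlans"
            else if (!pvid)       print port ":no-pvid"
            else if (vid == "1")  print port ":default-vlan-1"
        }
        NF == 0 || ($1 == "port" && $2 == "vlan-id") { next }   # blank line, header
        /^[^ \t]/ { report(); port = $1; nvid = 0; pvid = 0; v = $2 }  # new port
        /^[ \t]/  { v = $1 }                 # continuation: extra VLAN, same port
        v == ""   { next }                   # port listed without any VLAN
        {
            nvid += (v ~ /-/) ? 2 : 1        # "2-4094" is a range, so more than one
            vid = v
            if ($0 ~ /PVID/) pvid = 1
        }
        END { report() }
    ' "$1"
}

# Sample input: the listing from the page plus two constructed ports
# (tap102i0 and veth103i0) that show what a finding looks like.
demo=$(mktemp)
cat > "$demo" <<'EOF'
port              vlan-id
enp116s0          1 PVID Egress Untagged
enp117s0          1 PVID Egress Untagged
vmbr0             1 PVID Egress Untagged
vmbr1             1 PVID Egress Untagged
                  30
tap101i0          100 PVID Egress Untagged
tap102i0          1 PVID Egress Untagged
                  2-4094
veth103i0         30
EOF
vlan_guest_findings "$demo"
rm -f "$demo"
```

On a live node, save the output of bridge vlan show to a file and pass that file to the function; tap101i0 from the page produces no finding because it carries only VLAN 100 as PVID.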

Initial configs

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens18
iface ens18 inet dhcp

# This is an autoconfigured IPv6 interface
iface ens18 inet6 auto

auto lo
iface lo inet loopback

source /etc/network/interfaces.d/*

# Physical NIC, no IP here
allow-hotplug enp117s0
iface enp117s0 inet manual

# VLAN-aware bridge
auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp117s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes

# Host management on VLAN 100
# pick your host’s IP for the address line below
auto vmbr0.100
iface vmbr0.100 inet static
    address 192.168.248.2/24
    gateway 192.168.248.1
    vlan-raw-device vmbr0

Disable IPv6

Disable IPv6 on ??

vi /etc/sysctl.d/99-disable-ipv6.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

sysctl --system

Disable IPv6 on Debian LXC Container

vi /etc/sysctl.d/disable-ipv6.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

sysctl --system

Setup sources

Proxmox & Debian sources

Sources are in /etc/apt/sources.list.d/debian.sources

vi /etc/apt/sources.list.d/debian.sources

Types: deb
URIs: http://download.proxmox.com/debian/pve
Suites: trixie
Components: pve-no-subscription
Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg

Types: deb
URIs: http://download.proxmox.com/debian/ceph-squid
Suites: trixie
Components: no-subscription
Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg

Types: deb deb-src
URIs: https://deb.debian.org/debian/
Suites: trixie trixie-updates
Components: main non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb deb-src
URIs: https://security.debian.org/debian-security/
Suites: trixie-security
Components: main non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

apt update -y; apt upgrade -y

Setup SSH

Debian; SSH Server

On Debian 13 (Trixie), SSH access is handled by the OpenSSH server. By default, the SSH client is installed, but the server usually isn’t.

Here’s how to enable it:

  1. Install OpenSSH server

     sudo apt update
     sudo apt install openssh-server -y

  2. Enable and start the SSH service

     sudo systemctl enable ssh
     sudo systemctl start ssh

     If you want to enable root login over SSH:

     sudo vi /etc/ssh/sshd_config

     Uncomment:

     PermitRootLogin yes
     PasswordAuthentication yes

     If you only want key-based login for root (more secure), place your public key into /root/.ssh/authorized_keys and set:

     PermitRootLogin prohibit-password
     PasswordAuthentication no

     Restart SSH:

     sudo systemctl restart ssh

  3. Verify the service is running

     systemctl status ssh

  4. Adjust firewall (if applicable)

     If you’re using ufw (Uncomplicated Firewall):

     sudo ufw allow ssh
     sudo ufw reload

     If you’re using iptables or nftables, make sure port 22/tcp is allowed.

  5. Connect via SSH

     From another machine:

     ssh username@server-ip

     If you want ssh to connect without trying any of your local keys, you can tell it explicitly to skip key-based authentication:

     ssh -o PubkeyAuthentication=no username@server-ip

     Modify your ~/.ssh/config to connect with just: ssh myserver

     Host myserver
         HostName example.com
         User myuser
         PubkeyAuthentication no
         PreferredAuthentications password
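To check which of the two root-login variants above a given sshd_config actually selects, here is an added example that is not part of the original notes. It reads one file's global section only (no Include files, no Match blocks); the function names and the WEAK/OK/REVIEW labels are hypothetical, and on a running host sshd -T prints the fully resolved configuration.

```shell
#!/bin/sh
# Added example (not from the page): helper names and labels are hypothetical.

# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive. Print that value for keyword $2 in file $1 (empty if unset).
sshd_first_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        tolower($1) == "match"   { exit }   # stop at Match blocks: global section only
        tolower($1) == want      { print tolower($2); exit }
    ' "$1"
}

# Classify root login over SSH for the config file $1:
#   WEAK   root may log in with a password (the "PermitRootLogin yes" +
#          "PasswordAuthentication yes" pair from the page)
#   OK     root login disabled or limited to keys
#   REVIEW anything else, e.g. "yes" without password auth (other methods
#          such as keyboard-interactive may still apply to root)
sshd_root_posture() {
    prl=$(sshd_first_value "$1" PermitRootLogin)
    pwa=$(sshd_first_value "$1" PasswordAuthentication)
    # OpenSSH defaults when a keyword is absent
    : "${prl:=prohibit-password}" "${pwa:=yes}"
    case "$prl" in
        no|prohibit-password|without-password|forced-commands-only) echo OK ;;
        yes) if [ "$pwa" = yes ]; then echo WEAK; else echo REVIEW; fi ;;
        *)   echo REVIEW ;;
    esac
}

# Constructed sample: permissive lines first, a hardened line appended later.
# The appended line has no effect because the first value wins.
demo_cfg=$(mktemp)
printf '%s\n' '#PermitRootLogin prohibit-password' \
    'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'PermitRootLogin prohibit-password' > "$demo_cfg"
echo "constructed sample: $(sshd_root_posture "$demo_cfg")"
rm -f "$demo_cfg"
```

The constructed sample reports WEAK: appending the hardened line below the permissive one changes nothing, so the existing line has to be edited or removed.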

Firewall

Proxmox

  • pve-firewall status

Uncomplicated Firewall (UFW)

  • sudo ufw allow ssh
  • sudo ufw reload

iptables

  • To be defined

nftables

  • To be defined

cat sources.list.d/debian.sources

Configuration

Test with ssh bhdicaire@syslog.d5e.dev on another machine:

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no myuser@198.18.30.100

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@albert.d5e.dev

Packages

  • fastfetch <-- An actively maintained alternative to Neofetch

apt update -y;apt full-upgrade -y

Samba starts cleanly and ss -lntp | grep :445 in the container shows it listening.

adduser bhdicaire
adduser roon

smbpasswd -a bhdicaire

vi /etc/samba/smb.conf   # Samba
testparm /etc/samba/smb.conf
chmod 777 /mnt/files     # 777 = readable and writable by every local user
systemctl restart smbd.service
sudo chmod -R 777 ./c

sudo apt update -y; sudo apt upgrade -y   # sudo apt full-upgrade -y if required
sudo apt-get install samba samba-client -y

vi /etc/samba/smb.conf   # Samba
testparm /etc/samba/smb.conf
chmod 777 /mnt/files

adduser bhdicaire
smbpasswd -a bhdicaire
systemctl restart smbd.service

apt update && apt -y install qemu-guest-agent
systemctl enable qemu-guest-agent
systemctl start qemu-guest-agent
systemctl status qemu-guest-agent

ip a
ifreload -a