If, for whatever reason, you need a NAT behind the default vmbr0 bridge, do this:
On the host machine, create a vmbr1 interface.
Don’t forget to apply the changes.
Over SSH, edit /etc/network/interfaces and add the netmask and the following lines to vmbr1:
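auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1/24
    netmask 255.255.255.0
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    # Enable IPv4 forwarding so the host routes between vmbr1 and vmbr0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # Masquerade traffic from the NAT subnet as it leaves through vmbr0
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
    # Delete (-D) the same rule when the bridge goes down
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE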
Restart the network or reboot the PVE machine.
There is no DHCP server on this bridge, so you will need to set the IP addresses manually on the guest machines you want behind the NAT, or you can set up a DHCP server.
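After the restart it is worth confirming that exactly one MASQUERADE rule exists for the subnet: each run of the post-up line appends another copy unless post-down removes it. The script below is an added example, not part of the original post; the function names count_masq and nat_verdict are made up for it, and the sample rule listing is constructed.

```shell
#!/bin/sh
# Added example: check the NAT rule for vmbr1 after a network restart.

# count_masq SUBNET OUT_IF
# Reads `iptables -t nat -S POSTROUTING` output on stdin and prints how many
# MASQUERADE rules match the given source subnet and outbound interface.
count_masq() {
    awk -v s="$1" -v o="$2" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; oif = ""; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-o") oif = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            if (src == s && oif == o && tgt == "MASQUERADE") n++
        }
        END { print n + 0 }'
}

# nat_verdict COUNT
# Turns the rule count into a verdict: missing, ok, or duplicate.
nat_verdict() {
    case $1 in
        0) echo missing ;;
        1) echo ok ;;
        *) echo duplicate ;;
    esac
}

# Constructed sample: what the listing looks like when the rule was appended
# twice, for example after the bridge was cycled without the rule being deleted.
SAMPLE_DUP='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
-A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE'

# Constructed sample: the expected state, one rule only.
SAMPLE_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE'

nat_verdict "$(printf '%s\n' "$SAMPLE_DUP" | count_masq 10.10.10.0/24 vmbr0)"

# On the PVE host, as root, feed it the live table instead:
#   nat_verdict "$(iptables -t nat -S POSTROUTING | count_masq 10.10.10.0/24 vmbr0)"
#   cat /proc/sys/net/ipv4/ip_forward    # should print 1
```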
Have fun!