HestiaCP behind NAT?

Are there any disadvantages and/or caveats with putting HestiaCP behind NAT ? (and using a private RFC1918 address for the eth0 interface)

I have noticed that HestiaCP correctly auto-detects its external IP, but has anyone been actually using it behind NAT in production?

Thanks in advance for your insights, KP

I know web is not real issue as we detect both “local” / external ip

Email have no idea I don’t use Hestia behind a nat currently

1 Like

The reason why I’m looking into using HestiaCP behind NAT rather than just assign a real IP, is because LXC / Proxmox uses the Linux kernel “macvlan” method to do it.

This means that LXC containers with macvlan can’t talk to the host or other CTs on the lxd bridge used for CT NAT.

This might be the reason for the problem described here (if the systems involved are on the same physical Proxmox host|):

That issue has been solved with

It is caused because “Proxmox” returns: web01 instead web01.domain.com when running exec(‘hostname’); It is also present on systems that use a “public” ip for the LXC container

The main issue is probally incoming mail (I have no idea to to sort it without a proxy infront).

He needs to override the DNS confg supplied by the Proxmox (or LXD) host.

The LXC container needs to operate completely independently from the host.

In my case for a Debian 10 LXC CT I edited:

  • /etc/hosts
  • /etc/hostname
  • /etc/network/intefaces
  • /etc/resolv.conf
  • /etc/dhcpd/dhclient.conf (to supersede DNS servers received over DHCP)

Otherwise you’ll get a hostname like web01.lxd …

But if I used “macvlan” to assign a real IP to the HestiaCP CT, it means that that the HestiaCP CT will be unable to communicate with the other LXC CTs or VMs on same host (Proxmox or LXD), I decided to revert it back to NAT (note: haven’t done the change from real-ip-macvlan to NAT yet, I’ll take this opportunity to install a new Debian 11 CT)

hostname --long works fine that is the strange thing…

Also if you reboot proxmox has the tendency to reset it …

Also see:

Probably a dhclient thing …

/etc/dhcpd/dhclient.conf (to supersede DNS servers received over DHCP)

Also check if this helps:
hostnamectl set-hostname srv02.srv.mydomain.tld

@eris off-topic but I suspect that a lot of people (if using a bigger ISP like Hetzner or Google / Cloudflare etc as their DNS forwarder) will have problems these days with HestiaCP rejecting incoming email due to SpamHaus changes.

I just replied to such a post: