Networking Models

Bridged, NAT, and isolated networking for VMs and containers, with practical guidance on when to use each one.

Published December 8, 2024

Networking Models

This page is about attachment strategy, not packet theory. It answers a practical question: how should this guest join the network?

For deeper bridge and routing behavior, use the networking pages:

What vmbr0 Actually Is

The default Proxmox bridge is basically a virtual switch inside the host.

Your physical NIC uplinks into that bridge, and guests attach to it as if they were ports on the same switch. That is why bridged networking feels so natural in a homelab: the guest really does behave like a first-class machine on the LAN instead of an application hiding behind the host.

Bridged Networking

Bridged mode is the normal answer for most homelab guests.

The guest attaches to a bridge such as vmbr0 and appears on the LAN like a separate machine. That makes it easy to:

  • give it a stable address
  • reach it from other devices
  • expose services cleanly
  • debug it with normal network tools

For VMs, use a VirtIO NIC unless the guest forces you elsewhere.

NAT Networking

NAT is useful for quick tests, disposable guests, and situations where inbound access does not matter.

It is also less transparent. Proxmox documentation is blunt here: the built-in NAT style used by QEMU user networking is slower and mostly suited to testing.

If you find yourself layering port forwards, exceptions, and odd workarounds onto a guest that matters, it probably wants bridged networking instead.

Isolated Networks

An isolated bridge is a good tool when you want a lab inside the lab.

Use it for:

  • destructive testing
  • malware analysis or sketchy software experiments
  • training environments that should not leak onto the main LAN
  • service clusters that only need controlled ingress points

This is one of those designs that feels like overkill right up until the first time it saves you from an avoidable mess.

VLANs Are How You Keep Curiosity From Becoming Collateral Damage

Once the lab grows, not every guest should live in the same broadcast domain.

A VLAN-aware bridge lets one Proxmox host carry several networks cleanly: a normal LAN segment, a quieter management segment, maybe a lab or IoT segment, and perhaps a more isolated place for experiments that should not touch anything important.

This is usually a better long-term answer than inventing a pile of special-case firewall rules after everything has already been mixed together.

VMs And Containers Attach Differently

VMs usually present a virtual NIC backed by a tap-style interface on the host.

Containers usually show up through a veth pair that lands on the bridge.

The day-to-day implication is not that one is "better at networking." It is that troubleshooting starts at slightly different places.

Practical Defaults

  • Use bridged mode on vmbr0 for most long-lived guests.
  • Use VLAN tags when a guest belongs on a different segment, not a different physical box.
  • Use VirtIO NICs for modern VMs.
  • Use isolated bridges for risky experiments and test stacks.
  • Use NAT when convenience matters more than transparency.

Those defaults keep the network understandable, which is more valuable than it sounds.

Continue Through The Series

  • Proxmox Stack — the wider platform view if you want to reconnect networking to the rest of the stack.
  • Storage and Snapshots — because guests with good networking and bad storage are still a bad day.
  • Resource Allocation — the practical sizing pass once the attachment model is decided.

Comments

Sign in with GitHub to leave a comment or reaction.