To get Proxmox to serve its web app using the standard SSL port 443, we must run the following iptables rule:

iptables -t nat -I PREROUTING --src 0/0 --dst 128.143.67.32 -p tcp --dport 443 -j REDIRECT --to-ports 8006

There is a private network inside of the VM cluster 10.0.5.0/24

This is created by the vmbr1 bridge interface on vmsrv01. This is all set up by the following /etc/network/interfaces entry:

auto vmbr1
iface vmbr1 inet static
        address  10.0.5.1
        netmask  255.255.0.0
        ovs_type OVSBridge
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.0.5.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.5.0/24' -o vmbr0 -j MASQUERADE

Proxmox wants you to do a reboot after adding network interfaces/bridges, but this is not necessary! Just add the bridge manually and it will behave.

Storage volumes are created using ZFS as a backend. This is advantageous because we can allocate ZFS datasets to be given to users to store iso images and VM disk images.

These volumes must be created on the server host and then allocated using the Proxmox GUI

root@vmsrv01:~# zpool list
NAME   SIZE  ALLOC   FREE  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
vm01  3.62T    93K  3.62T         -     0%     0%  1.00x  ONLINE  -
root@vmsrv01:~# zfs create vm01/user01
root@vmsrv01:~# zfs set refquota=500G vm01/user01
root@vmsrv01:~# zfs list
NAME          USED  AVAIL  REFER  MOUNTPOINT
vm01          112K  3.51T    24K  /vm01
vm01/user01    24K   500G    24K  /vm01/user01

The subscription warning can be removed by running the following one-liner on the vm host:

sed -i.bak "s/data.status !== 'Active'/false/g" /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js && systemctl restart pveproxy.service