Post-Install: Network

Settings post-install Proxmox

What this category covers

Five independent network options. Two are small (APT over IPv4, Open vSwitch install), two tune TCP behaviour (network sysctl profile, BBR + Fast Open), and one fixes a common operational headache — pinning interface names so a new NIC or a BIOS update doesn't rename enp3s0 to enp4s0 and break your bridges.

Force APT to use IPv4

Writes Acquire::ForceIPv4 "true"; to /etc/apt/apt.conf.d/99-force-ipv4. APT then refuses to use IPv6 for package downloads, even if the host has IPv6 connectivity.

Who benefits

Useful when your IPv6 path is flaky, slower than IPv4, or the Debian/Proxmox mirror occasionally breaks over IPv6 (it happens). Harmless on hosts without IPv6. On a healthy dual-stack network, it's just a guarantee of predictable behaviour — apt won't surprise you with an IPv6 timeout.

Apply network optimizations

Writes a curated sysctl profile to /etc/sysctl.d/99-network.conf covering core socket buffers, ICMP hardening, basic spoof protection, and TCP buffer sizes that make sense on a hypervisor with lots of concurrent flows.

What gets tuned

| Area | Key settings |
|---|---|
| Core socket buffers | netdev_max_backlog=8192, rmem_max=16M, wmem_max=16M, somaxconn=8192 |
| ICMP hardening | icmp_echo_ignore_broadcasts=1, icmp_ignore_bogus_error_responses=1 |
| Routing safety | accept_redirects=0, accept_source_route=0, secure_redirects=0, send_redirects=0 |
| Reverse path filter | rp_filter=2 (loose mode, see note below) |
| TCP | tcp_mtu_probing=1, tcp_rfc1337=1, tcp_sack=1, tcp_rmem=8K/87K/16M, tcp_wmem=8K/64K/16M |
| Ports | ip_local_port_range=1024 65535 (ephemeral port pool) |
| Unix sockets | net.unix.max_dgram_qlen=4096 |

It also adds source /etc/network/interfaces.d/* to /etc/network/interfaces if not already present — standard practice so you can drop modular interface snippets without editing the main file.

Why rp_filter=2 (loose) instead of 1 (strict)

Strict reverse-path filtering drops packets whose source would be routed out a different interface. That's the right default on a client machine, but breaks badly on a Proxmox host where VM traffic often arrives on a bridge and leaves on an uplink with asymmetric routes. rp_filter=2 (loose) only drops packets with truly unroutable sources. It's a pragmatic trade-off — slight reduction in local-IP-spoof detection in exchange for not breaking your VM network.
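
To see which mode each interface actually ends up with once the profile is applied, the following added example (not part of the script this page describes) reads the values from /proc/sys and applies the kernel's rule that the higher of conf/all and conf/<iface> wins. The function names and the optional proc-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: effective reverse-path filter mode per interface.
# For source validation the kernel uses max(conf/all, conf/<iface>), so a 2 in
# either place makes that interface loose even if the other says 1 (strict).
# The optional proc-root argument is an assumption of this example; it lets the
# functions run against a copy or fixture instead of the live /proc/sys.

effective_rp_filter() {        # $1 = interface, $2 = proc root (optional)
    conf="${2:-/proc/sys}/net/ipv4/conf"
    all=$(cat "$conf/all/rp_filter" 2>/dev/null) || return 1
    own=$(cat "$conf/$1/rp_filter" 2>/dev/null) || return 1
    if [ "$own" -gt "$all" ]; then echo "$own"; else echo "$all"; fi
}

rp_filter_report() {           # $1 = proc root (optional)
    root="${1:-/proc/sys}"
    # Walk the directory tree rather than calling sysctl so that names with
    # dots in them (VLAN interfaces such as vmbr0.10) need no escaping.
    for dir in "$root"/net/ipv4/conf/*/; do
        ifc=$(basename "$dir")
        case "$ifc" in all|default) continue ;; esac
        eff=$(effective_rp_filter "$ifc" "$root") || continue
        case "$eff" in
            0) mode="off" ;;
            1) mode="strict" ;;
            2) mode="loose" ;;
            *) mode="unknown" ;;
        esac
        echo "$ifc $eff $mode"
    done
}

rp_filter_report "$@"
```

An interface reported as off (0) gets no reverse-path check at all. With conf/all set to 2, every interface reports loose regardless of its own setting.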

Install Open vSwitch

Installs openvswitch-switch + openvswitch-common. These packages add OVS as a bridge implementation alternative to the standard Linux bridges that Proxmox uses by default. The install alone doesn't change any networking — existing vmbrX bridges keep working. OVS becomes available in the Proxmox UI when you create a new bridge and pick it from the type dropdown.

When OVS makes sense

Consider OVS if you need VLAN trunking with non-contiguous VLAN IDs, LACP with LLDP on specific modes, fine-grained flow programming (OpenFlow), or interoperation with SDN controllers. For a home lab with a couple of VLANs and a single LACP uplink, standard Linux bridges + vmbrX.VID are simpler and perfectly fine.

Not reversible from the Uninstall menu

Installing OVS is not tracked in Uninstall Optimizations. If you decide you don't want it, remove it manually — but only after migrating any bridges back to Linux bridges first:
# After moving bridges off OVS:
apt purge openvswitch-switch openvswitch-common
apt autoremove --purge

Enable TCP BBR + TCP Fast Open

Writes two sysctl files and reloads them. BBR replaces the default CUBIC congestion control with Google's bandwidth-based algorithm, which handles long-fat pipes and lossy links much better. TCP Fast Open (TFO) eliminates a round trip on repeat TCP connections by piggy-backing data on the SYN.

# /etc/sysctl.d/99-kernel-bbr.conf
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

# /etc/sysctl.d/99-tcp-fastopen.conf
# 3 = enable TFO for both client and server sockets
# (comments in sysctl.d files must be on their own line, not after a value)
net.ipv4.tcp_fastopen = 3

Verification

# BBR is active
sysctl net.ipv4.tcp_congestion_control
# Expected: net.ipv4.tcp_congestion_control = bbr

# Qdisc is fair queuing (required for BBR to work well)
tc qdisc show | head

# TFO enabled (value 3 = client + server)
sysctl net.ipv4.tcp_fastopen

Impact is workload-dependent

BBR shines on high-latency or lossy links (cross-continent replication, VPN tunnels, mobile clients). On a LAN between two machines on the same switch, the difference is often within noise. TFO helps short, repeated HTTP connections the most.

Not reversible from the Uninstall menu

BBR/TFO aren't tracked. To revert, remove the two sysctl files and reload:
rm /etc/sysctl.d/99-kernel-bbr.conf /etc/sysctl.d/99-tcp-fastopen.conf
sysctl --system

Interface Names (persistent)

Iterates over every physical NIC the host has (skipping loopback, Docker veths, bridges, TAP devices, bonds, Cilium, ZeroTier, WireGuard) and writes a systemd .link file binding the current interface name to the current MAC address. The kernel's naming logic can then no longer rename that NIC — the MAC wins.

Why this matters

  • Adding or removing PCIe devices can shift the bus numbering, turning enp3s0 into enp4s0. If your /etc/network/interfaces references the old name, the bridge vanishes on reboot.
  • BIOS / firmware updates sometimes change how devices enumerate, with the same effect.
  • LXC containers with hotplug NICs and bonded links can race on boot and end up named inconsistently. Pinning fixes that.

What gets written

One file per physical NIC, at /etc/systemd/network/10-<iface>.link:

[Match]
MACAddress=aa:bb:cc:dd:ee:ff

[Link]
Name=enp3s0

Any pre-existing .link files in that directory are copied to /etc/systemd/network/backup-<timestamp>/ before touching anything.

PVE 9 vs PVE 8

On Proxmox VE 9 (systemd-networkd native), the script reloads udev rules after writing the .link files so new hotplug NICs pick up the correct name without a reboot. On PVE 8 (ifupdown2), interface naming is resolved at boot anyway — a reboot is required for the changes to take effect. The script sets the reboot flag either way so Customizable prompts you.

Review existing /etc/network/interfaces first

If your host has legacy configuration in /etc/network/interfaces that references NIC names generated by the kernel's default scheme, pinning today's names is exactly what you want. But if you've already manually customised the config around specific names, double-check the pinning matches what the interfaces file expects before rebooting.
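
One way to do that double-check before rebooting, as an added example rather than code from the script itself: it lists the physical NICs that /etc/network/interfaces uses as bridge ports or bond slaves and reports any that have no .link pin or whose pinned MAC differs from the live one. The function names and the optional sysfs argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-reboot check that the .link pins match the interfaces file.
# Function names and the optional sysfs argument are assumptions of this example.

# NIC names used as bridge ports / bond slaves, minus VLAN suffixes and minus
# virtual devices (bridges, bonds) that are themselves defined in the file.
referenced_ports() {
    awk '$1 == "iface" { cur = $2 }
         $1 ~ /^(bridge[-_]ports|bond[-_]slaves)$/ {
             virt[cur] = 1
             for (i = 2; i <= NF; i++) if ($i != "none") {
                 n = $i; sub(/\..*/, "", n); ref[n] = 1
             }
         }
         END { for (n in ref) if (!(n in virt)) print n }' "$1" | sort
}

# Prints "<name> <mac>" for every .link file in directory $1.
pinned_names() {
    for f in "$1"/*.link; do
        [ -f "$f" ] || continue
        name=$(sed -n 's/^Name=//p' "$f" | head -n 1)
        mac=$(sed -n 's/^MACAddress=//p' "$f" | head -n 1 | tr 'A-F' 'a-f')
        if [ -n "$name" ] && [ -n "$mac" ]; then echo "$name $mac"; fi
    done
}

# $1 = interfaces file, $2 = .link directory, $3 = sysfs net dir (optional).
check_pinning() {
    sys="${3:-/sys/class/net}"; pins=$(pinned_names "$2"); status=0
    for port in $(referenced_ports "$1"); do
        mac=$(echo "$pins" | awk -v n="$port" '$1 == n { print $2; exit }')
        # A bond slave shows the bond's MAC in "address"; prefer its permanent one.
        live=$(cat "$sys/$port/bonding_slave/perm_hwaddr" 2>/dev/null ||
               cat "$sys/$port/address" 2>/dev/null || true)
        if [ -z "$mac" ]; then
            echo "UNPINNED $port"; status=1
        elif [ -n "$live" ] && [ "$live" != "$mac" ]; then
            echo "MAC-MISMATCH $port pinned=$mac live=$live"; status=1
        fi
    done
    return $status
}

if [ -f /etc/network/interfaces ]; then
    check_pinning /etc/network/interfaces /etc/systemd/network ||
        echo "Resolve the lines above before rebooting."
fi
```

An UNPINNED line means the interfaces file depends on a name that no .link file protects. A MAC-MISMATCH line means the pinned name would go to a different NIC, or to none, on the next boot.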

Reversible from the Uninstall menu

Uninstall Optimizations deletes every .link file from /etc/systemd/network/, restoring the kernel's default naming on next reboot. The timestamped backup of the original files stays behind in case you need to restore specific ones manually.
