Hetzner

Debian 9 Proxmox Hetzner network setup?

Good afternoon!
not the first day I've been struggling with the problem, Google has been smoking for a long time, I decided to ask for help ...
The essence of the problem: rented physical. server on hetzner.de, respectively, there is a static IP, Debian 9 is installed, Proxmox is installed on it, a previously prepared image (qcow2) win2016 is uploaded there, it is not possible to set up an internal lan network, to be more precise, routing between bridges (the local network does not see the Internet).
I do according to the manuals, of which there are many, it all comes down to the fact that you need to add 3 lines to /etc/network/interfaces:
post-up echo 1> /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
But no matter how hard you try, it doesn't work. Moreover, after adding the lines, the bridge is not raised when the network service is restarted.
some info:
PVE 5.3-6
uname -a
Linux Debian-95-stretch-64-minimal 4.15.18-9-pve #1 SMP PVE 4.15.18-30 (Thu, 15 Nov 2018 13:32:46 +0100) x86_64 GNU/Linux
nano /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
source /etc/network/interfaces.d/*
[spoiler]
auto lo
iface lo inet loopback
iface lo inet6 loopback
auto enp0s31f6
iface enp0s31f6 inet manual
auto vmbr0
iface vmbr0 inet static
address xxx.xxx.xxx.182
netmask 255.255.255.192
gateway xx.xxx.xxx.129
bridge-ports enp0s31f6
bridge-stp off
bridge-fd 0
# up route add -net xxx.xxx.xxx.128 netmask 255.255.255.192 gw xxx.xxx.xxx.129 dev enp0s31f6
auto vmbr1
iface vmbr1 inet static
address 10.0.0.1
netmask 255.255.255.0
bridge-ports none
bridge-stp off
bridge-fd 0
# post-up echo 1 > /proc/sys/net/ipv4/ip_forwardpost-up
# iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o enp0s31f6 -j MASQUERADE
# post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o enp0s31f6 -j MASQUERADE[/spoiler]
What is supposed to be in the config is commented out. If I uncomment the line under vmbr0, after service network restart vmbr0 does not rise.
[spoiler]systemctl status networking.service
networking.service - Raise network interfaces
Loaded: loaded (/lib/systemd/system/networking.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2019 -01-14 08:37:34 CET; 11s ago
Docs: man:interfaces(5)
Process: 3941 ExecStop=/sbin/ifdown -a --read-environment --exclude=lo (code=exited, status=0/SUCCESS)
Process: 4530 ExecStart=/sbin/ ifup -a --read-environment (code=exited, status=1/FAILURE)
Process: 4520 ExecStartPre=/bin/sh -c [ "$CONFIGURE_INTERFACES" != "no" ] && [ -n "$(ifquery --read-environment --list --exclude=lo)" ] && udevadm settle ( code=exited, status=0/SUCCESS)
Main PID: 4530 (code=exited, status=1/FAILURE)
CPU: 30ms
Jan 14 08:37:34 Debian-95-stretch-64-minimal systemd[1]: Starting Raise network interfaces...
Jan 14 08:37:34 Debian-95-stretch-64-minimal ifup[4530]: Waiting for vmbr0 to get ready (MAXWAIT is 2 seconds).
Jan 14 08:37:34 Debian-95-stretch-64-minimal ifup[4530]: RTNETLINK answers: File exists
Jan 14 08:37:34 Debian-95-stretch-64-minimal ifup[4530]: ifup: failed to bring up vmbr0
Jan 14 08:37:34 Debian-95-stretch-64-minimal systemd[1]: networking.service: Main process exited, code=exited, status=1/FAILURE
Jan 14 08:37:34 Debian-95-stretch -64-minimal systemd[1]: Failed to start Raise network interfaces.
Jan 14 08:37:34 Debian-95-stretch-64-minimal systemd[1]: networking.service: Unit entered failed state.
Jan 14 08:37:34 Debian-95-stretch-64-minimal systemd[1]: networking.service: Failed with result 'exit-code'.[/spoiler]
If I comment out the line back, it gives the same error. What is strange, the config is brought to its original state. When uncommenting the lower lines, vmbr1 does not rise similarly. I suspect that VPE is somehow blocking, if so, you need to edit it directly from the web interface. but what and where to edit is not clear. on all forums and in all manuals, including hetzner's manual and proxmox's manual, it is said that you only need to add these lines ... in fact, that
's the question. how to make masquerading and where to dig further. (Of course, I try not only to reboot the service, but also reboot the server after failure... if the lines are commented out, the service is rebooted without errors after the reboot, if uncommented, those are errors, it cannot raise the interface...)
well, just in case, the virtual machine settings:
ip 10.0.0.2
mask 255.255.255.0
gate 10.0.0.1
dns 8.8.8.8
in a PVE network with vmbr1, an Intel card (I also tried virtio, there are firewood, on the previous PVE the machine worked with virtio network) . I tried to put the car there from scratch (I don’t consider the possibility that “something in Windows” was stuck, it’s not the case, but my thoughts just ran out in 2 days of work), the result is the same. 10.0.0.1 is pinged, 8.8.8.8 is not pinging...
Tell me, what other inputs are needed to solve the problem. Or maybe someone stacked and immediately tell you where to dig?