[SOLVED] Assign External IP to VM

utkonos

Active Member
Apr 11, 2022
149
37
33
I have two NIC cards: one is connected to the internet, the other is connected to an internal network. I am able to administrate the Proxmox instance just fine from the internal IP/NIC.

Is there a way to move the external IP from the host's external interface to a single VM on `vmbr0`?
 
You can do this multiple ways, I'd recommend reading this older post of mine for some basic methods to achieve this:
Hi,

I mean you have a few possibilities to do this. What you probably want is to hand-off all the WAN (internet) traffic to the pfSense, so that you just have one thing facing to the public network, I mean virtually, as the Proxmox VE box naturally still needs to be connected with a cable for real.

1. Two Linux bridges on the host, one will be the WAN one (vmbr1 in this post) and one the LAN one (vmbr0 in this post). The WAN one normally needs just to have one slave port assigned, the one from the ISP (modem), the LAN one can have the remaining, or at least the one which goes to your LAN switch.
The pfSense VM would then get two virtual NICs, one uses the WAN bridge vmbr1 and one the LAN bridge vmbr0. So, the traffic goes from the internet in over the vmbr1 and it's slave port to the pfSense VMs "WAN" NIC, there it gets filtered and whatever and then can go over the other vNIC to the hosts vmbr0 and from there to anywhere in the LAN or to other VMs using the "vmbr0" LAN bridge.

2. Passthrough of a NIC, this is similar to 1. but instead of doing the separation a bit more virtual over the extra bridge we hand over one whole NIC HW to the pfSense VM directly. Now, this works good for whole cards, and some newer cards should support virtual functions and thus it could maybe work also for just a port of that NIC - but that depends on your HW and not sure how well pfSense plays with that, so possibly worth a try but don't expect it to be easy peasy lemon squeezy working out of the box (could be but IMO rather not ^^).

3. .. there are other specific setups, using VLANs, ... but IMO above should get over the principle: you need to separate WAN and LAN in such a way that it can be handled by the pfSense VM directly.



Hmm, well that would be a possibility, but if you got the pfSense ISOs already downloaded and ready you should be able to just move it and change networking after the fact. I mean, some direct physical console access could be nice for that, but as you have a bunch of NICs you could just setup one to a static IP, e.g., 10.1.1.1 connect a laptop or the like to it directly, setup there a static IP too (10.1.1.2) and then the Proxmox VE node and interface should be reachable there - even if you broke it's internet and or LAN access.


Actually, doing this the first time it may lead to questions during this, so you could try to prepare most of it already now with the TP link still in place, just fake that the WAN link is the one from the TPlink and your lan is just the pve nodes vmbr1 bridge (if you go with 1.), then you can do a test VM there and check if you got internet, once that works you know that your pfSense setup and PVE setup should be sound, so you can do the change and connect it directly to the modem.
https://forum.proxmox.com/threads/installing-pfsense-vm-in-proxmox.68767/#post-308206

If you have further, specific questions just ask them here.
 
  • Like
Reactions: utkonos
@t.lamprecht I am trying #1, but have run into problems. I have two linux bridges configured with vmbr0 slave to ens3, the outside NIC. Then I have an inside empty bridge that will be the LAN interface on the OPNsense fw.

1667531666360.png

What MAC address should I use with the WAN interface (vmbr0) on the FW VM? I have tried using the MAC of that interface on the host, but pings to the gateway don't work. The ISP I think will only allow traffic from that MAC/IP combo.
 
I found the solution. The ISP does not allow the external IP to be associated with any other MAC than the original one from the host's interface. To circumvent this, I logged in from the internal interface and then changed the MAC address of the host's interface to a random MAC. Then I rebooted. The change I made is by adding a `hwaddress` to `/etc/network/interfaces` like so:

Code:
iface ens3 inet manual
        mtu 1500
        hwaddress 00:00:00:00:00:00

Just replace that MAC of all zeros with a new, randomly generated MAC.

At that point, I made a note of the MAC that was being used. I then used the. MAC, IP, Netmask, and Gateway formerly on the host interface, and plugged them into OPNsense's WAN interface. It worked!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!