Configure pfSense with a Single Public IP

Juancho

New Member
Aug 10, 2018
Hello Friends

I would like some help with a network card that has a public IP address. My idea is to set up pfSense as the gateway to my network, but I would like some guidance. I have the following configuration and I don't know if it is correct.

auto lo
iface lo inet loopback
iface lo inet6 loopback

# Physical NIC holding the single public IPv4 address
auto enp0s31f6
iface enp0s31f6 inet static
# Single host IPv4
    address 95.216.xx.xx
    netmask 255.255.255.xx
# Hetzner gateway
    gateway 95.216.xx.xx
    up route add -net 95.216.xx.xx netmask 255.255.255.xx gw 95.216.xx.xx dev enp0s31f6
    post-up echo 1 > /proc/sys/net/ipv4/conf/enp0s31f6/proxy_arp
# Default public IP

# Public bridge attached to the physical NIC
auto vmbr0
iface vmbr0 inet static
    address 95.216.xx.xx
    netmask 255.255.255.xx
    bridge_ports enp0s31f6
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
# Public virtual network card

# Private LAN bridge with no physical port; VMs attach here
auto vmbr2
iface vmbr2 inet static
    address 10.21.21.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
# Enable routing and masquerade the private LAN out through vmbr0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.21.21.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.21.21.0/24' -o vmbr0 -j MASQUERADE
# Private LAN network traffic
 

Rhinox

Active Member
Sep 28, 2016
What do iptables have to do with pfSense? If you decided to use pfSense as the gateway for your VMs (which imho is the right solution), disable all iptables rules and let pfSense do the job...
 

Juancho

New Member
Aug 10, 2018
Hello Rhinox

What happens is that with iptables I send the Proxmox requests to the MV and secure the communications. The only doubt I have is that it is somehow blocking my MV connections. Enclosed are the rules.

#!/bin/sh

# ---------
# VARIABLES
# ---------

## Proxmox bridge holding Public IP
PrxPubVBR="vmbr0"
## Proxmox bridge on VmWanNET (PFSense WAN side)
PrxVmWanVBR="vmbr1"
## Proxmox bridge on PrivNET (PFSense LAN side)
PrxVmPrivVBR="vmbr2"

## Network/Mask of VmWanNET
VmWanNET="10.0.0.0/30"
## Network/Mask of PrivNET
PrivNET="192.168.9.0/24"
## Network/Mask of VpnNET
VpnNET="10.2.2.0/24"

## Public IP => Set your own
PublicIP="xx.xx.xx.xx"
## Proxmox IP on the same network as PFSense WAN (VmWanNET)
ProxVmWanIP="10.0.0.1"
## Proxmox IP on the same network as the VMs
ProxVmPrivIP="192.168.9.1"
## PFSense IP used by the firewall (inside VM)
PfsVmWanIP="10.0.0.2"


# ---------------------
# CLEAN ALL & DROP IPV6
# ---------------------

### Delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
### This policy does not handle IPv6 traffic except to drop it.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# --------------
# DEFAULT POLICY
# --------------

### Block ALL !
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# ------
# CHAINS
# ------

### Creating chains
iptables -N TCP
iptables -N UDP

# UDP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# TCP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

# ------------
# GLOBAL RULES
# ------------

# Allow localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Don't break the current/active connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow Ping - Comment this to return timeout to ping request
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# --------------------
# RULES FOR PrxPubVBR
# --------------------

### INPUT RULES
# ---------------

# Allow SSH server
iptables -A TCP -i $PrxPubVBR -d $PublicIP -p tcp --dport 22 -j ACCEPT
# Allow Proxmox WebUI
iptables -A TCP -i $PrxPubVBR -d $PublicIP -p tcp --dport 8006 -j ACCEPT

### OUTPUT RULES
# ---------------

# Allow ping out
iptables -A OUTPUT -p icmp -j ACCEPT

### Allow LAN to access internet
iptables -A OUTPUT -o $PrxPubVBR -s $PfsVmWanIP -d $PublicIP -j ACCEPT

### Proxmox Host as CLIENT
# Allow SSH
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 22 -j ACCEPT
# Allow DNS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p udp --dport 53 -j ACCEPT
# Allow Whois
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 43 -j ACCEPT
# Allow HTTP/HTTPS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 443 -j ACCEPT

### Proxmox Host as SERVER
# Allow SSH
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --sport 22 -j ACCEPT
# Allow PROXMOX WebUI
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --sport 8006 -j ACCEPT

### FORWARD RULES
# ----------------

# Allow request forwarding to PFSense WAN interface
iptables -A FORWARD -i $PrxPubVBR -d $PfsVmWanIP -o $PrxVmWanVBR -p tcp -j ACCEPT
iptables -A FORWARD -i $PrxPubVBR -d $PfsVmWanIP -o $PrxVmWanVBR -p udp -j ACCEPT

# Allow request forwarding from LAN
iptables -A FORWARD -i $PrxVmWanVBR -s $VmWanNET -j ACCEPT

### MASQUERADE MANDATORY
# Allow WAN network (PFSense) to use vmbr0 public address to go out
iptables -t nat -A POSTROUTING -s $VmWanNET -o $PrxPubVBR -j MASQUERADE

### Redirect (NAT) traffic from internet
# All tcp to PFSense WAN except 22, 8006
iptables -t nat -A PREROUTING -i $PrxPubVBR -p tcp -m multiport ! --dports 22,8006 -j DNAT --to $PfsVmWanIP
# All udp to PFSense WAN
iptables -t nat -A PREROUTING -i $PrxPubVBR -p udp -j DNAT --to $PfsVmWanIP

# ----------------------
# RULES FOR PrxVmWanVBR
# ----------------------

### INPUT RULES
# ---------------

# SSH (Server)
iptables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP -p tcp --dport 22 -j ACCEPT

# Proxmox WebUI (Server)
iptables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP -p tcp --dport 8006 -j ACCEPT

### OUTPUT RULES
# ---------------

# Allow SSH server replies
iptables -A OUTPUT -o $PrxVmWanVBR -s $ProxVmWanIP -p tcp --sport 22 -j ACCEPT
# Allow Proxmox WebUI replies
iptables -A OUTPUT -o $PrxVmWanVBR -s $ProxVmWanIP -p tcp --sport 8006 -j ACCEPT

# -----------------------
# RULES FOR PrxVmPrivVBR
# -----------------------

# NO RULES => All blocked !!!
 

Rhinox

Active Member
Sep 28, 2016
"What happens is that with iptables I send the Proxmox requests to the MV and secure the communications..."

By "MV" you mean "VM" (virtual machine)? If so, then you have (what I consider) a very dangerous configuration. I would never recommend routing access to the PVE management interface (web, ssh) over a VM (be it pfSense or whatever). It is a very bad idea...

As a bare minimum, I recommend having 2 physical NIC adapters on your PVE server: one used solely for PVE (web, ssh), protected by a true hw-firewall/vpn-server. The other for VMs (one VM can be, e.g., pfSense, used for filtering traffic for all other VMs). Then it's clear why iptables (on PVE) are actually useless...
 

Juancho

New Member
Aug 10, 2018
Hello Rhinox,

My provider is Hetzner and I will try to arrange the other NIC. I have set this up as a test environment and of course I would like to do the configuration that you describe. Thank you in advance.
 

Rhinox

Active Member
Sep 28, 2016
If your server is colocated somewhere remotely, then it is even more important to have remote access configured properly. I'm actually using 3 eth-adapters, as my server has a kvm-port too. But KVM & PVE are protected by a dedicated hw-firewall. My setup looks like this (simplified):

 

Michel V

Member
Jul 5, 2018
@Juancho It is unclear why you use iptables in this setup. Did you also check the firewall in Proxmox?
A setup that works well (for me) is having pfSense as a VM in Proxmox. Block all unwanted access to the Proxmox GUI using the firewall in Proxmox, and then use pfSense as the firewall/router for all VMs.
 

Juancho

New Member
Aug 10, 2018
Hi.

I took your advice, rented another IP for an MV with pfSense, and all the traffic goes through there.

The hypervisor's IP is blocked for security reasons and only allows me to connect from my office's IP.

Thanks to all
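The setup Michel V suggested and Juancho ended up with (Proxmox management reachable only from the office IP, pfSense VM handling all VM traffic), written as a Proxmox firewall configuration. This is an added example, not a file from either poster; the office address 203.0.113.10 and the node name are placeholders, and it assumes the pfSense VM's NICs have the per-VM firewall disabled so the host firewall does not touch their traffic.

```ini
# /etc/pve/firewall/cluster.fw  (cluster-wide options and IP sets)
[OPTIONS]
enable: 1
# Default: drop everything inbound to the host that no rule accepts
policy_in: DROP
policy_out: ACCEPT

[IPSET office]
203.0.113.10 # placeholder: replace with your office's real public IP

# /etc/pve/nodes/<node>/host.fw  (per-host rules; <node> is a placeholder)
[OPTIONS]
enable: 1

[RULES]
# Management ports only from the office IP set
IN ACCEPT -source +office -p tcp -dport 8006 # Proxmox web UI
IN ACCEPT -source +office -p tcp -dport 22   # SSH
# Everyone else hits the DROP policy; log attempts on the web UI port
IN DROP -p tcp -dport 8006 -log warning
IN DROP -p tcp -dport 22 -log warning
```

pve-firewall also auto-allows the detected local cluster network (`pve-firewall localnet` shows it) to reach the management ports, so if that detection covers your provider's shared subnet, override it with a `local_network` alias in cluster.fw.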
 
