Contabo - Proxmox - pfSense

jukisuki

Sep 26, 2024
Hi everyone,

I have trouble getting internet access to my VMs inside of Proxmox VE.
I have a Contabo dedicated server with one main and one additional IP.

I want to use one IP to access my Proxmox host and the other one for pfSense, and then put all VMs behind pfSense.

The problem is that my IPs do not have the same gateway, and I can only configure one gateway.

HOST IP: 5.189.xx.xx/24
HOST GW: 5.189.xx.1

ADDITIONAL IP: 173.249.xx.xx/24
ADDITIONAL GW: 173.249.XX.1

--------------------------------------------------------------
This is my current configuration:

auto lo
iface lo inet loopback


auto eth0
iface eth0 inet static
address 5.189.xx.xx/24
gateway 5.189.xx.1

auto eth1
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
address 173.249.xx.xx/24
bridge-ports none
bridge-stp off
bridge-fd 0
up route add -net 173.249.xx.xx netmask 255.255.255.0 dev vmbr0
up ip route add 5.189.xx.xx/24 dev vmbr0

## I use vmbr1 as LAN network and attach it to pfSense as LAN interface, and later on every VM as LAN
auto vmbr1
iface vmbr1 inet manual
bridge-ports none
bridge-stp off
bridge-fd 0

I can't figure out the correct configuration, and if I change anything on eth0, or even assign a bridge to that interface, I lose access to my host.
Where am I making a mistake? Do I need to add a MAC address to vmbr0, maybe?

On pfSense I choose a static IPv4 configuration with gateway for the WAN interface, but there is no internet on pfSense.

Thank you
 
I'm not familiar with Contabo, but do you know if they bind that additional ip to a MAC address or do they just use routing to get that to your host? At any rate, I see that you don't have any ports assigned to your bridge - not sure how it can get connectivity without that. It would just be an internal bridge inside the host. That being said I would set it up like this:

external bridge:
vmbr0 (assign your host IP here 5.189.xxx.xxx/24 + gateway) -> bound to eth0 (inet manual - no IP info here) -> Contabo physical switch.
Attach a virtual adapter to this bridge for your pfSense WAN adapter. Assign the additional IP in pfSense here (172.249.xxx.xxx/24 + gw). If Contabo needs a MAC, you can spoof your pfSense MAC address here to match what Contabo is looking for. You should be able to ping from the pfSense to the outside world.

internal bridge:
vmbr1 (assign an internal address for your host if you want, i.e. 192.168.x.x/24) -> no physical port since it's internal
Attach a second virtual adapter for your pfSense for LAN. Assign an internal IP address here (i.e. 192.168.x.x/24).

Any VMs that you want behind the firewall, you attach a virtual adapter for the VM to vmbr1 and assign an appropriate LAN IP (either static, or set up DHCP on pfSense if you want).

Create the rules you want on pfSense (i.e. block WAN in ALL, allow LAN out ALL). Those VMs should be able to ping the pfSense LAN adapter and also be able to ping the outside world.

If you want to keep your PVE host behind the pfSense firewall, you assign a LAN IP address for PVE to vmbr1 with the GW being your pfsense LAN ip and confirm you can get out. You can create a NAT rule in pfsense to allow a specific source address GUI access to your PVE host (ie port 8006) and lock that down. Better yet, create a VPN and/or wireguard connection so you can close off all WAN access to your PVE host (recommended).

Note - the above will only work for a single PVE host where VMs don't need to talk to VM's on other PVE hosts, since you don't have any physical port assigned to vmbr1.

Edit - sorry, I didn't see that you resolved. Feel free to share what you did to help others
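
The two-bridge layout described in the reply above, written out as a Proxmox /etc/network/interfaces file. This is an added example, not configuration posted by either participant; the masked addresses are kept exactly as they appear on the page, and the commented 192.168.x.x line is the optional host LAN address the reply mentions.

```conf
auto lo
iface lo inet loopback

# Physical uplink: carries no IP itself, it is only a port of vmbr0
iface eth0 inet manual

# External bridge: the host's main IP and gateway move here from eth0.
# The pfSense WAN NIC is attached to this bridge; the additional IP and
# its gateway are configured inside pfSense, not in this file.
auto vmbr0
iface vmbr0 inet static
    address 5.189.xx.xx/24
    gateway 5.189.xx.1
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0

# Internal bridge: no physical port, so traffic on it never leaves the
# host except through pfSense. The pfSense LAN NIC and every protected
# VM attach here.
auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    # Optional, per the reply: give the host a LAN address instead, e.g.
    #   iface vmbr1 inet static
    #   address 192.168.x.x/24
```

Only one `gateway` line appears in the file: the second gateway belongs to the pfSense WAN interface. Because the host address moves off eth0, and the original poster reports losing access whenever eth0 is changed, apply this from a console session rather than over the SSH connection it would interrupt.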
 