Hetzner Dual IP Set up

apn4fighter

Oct 31, 2022
Hi Community :)

At the moment I have a Hetzner host with 1 IP and this config:

Code:
auto eno1
iface eno1 inet static
        address 80.120.X.XX/27
        gateway 80.120.X.XX
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A PREROUTING -i eno1 -p tcp -m multiport ! --dport 22,8006 -j DNAT --to 10.10.10.2
        post-up iptables -t nat -A PREROUTING -i eno1 -p udp -j DNAT --to 10.10.10.2

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1/30
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/30' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/30' -o eno1 -j MASQUERADE

auto vmbr4
iface vmbr4 inet static
        address 80.120.X.XX/32
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        up ip route add 80.120.X.XX dev vmbr4
#opnsense-2
Now I have rented a second IP and added it to the second OPNsense fw, but I can't ping it. I used this guide:
https://serverfault.com/questions/1158086/proxmox-mulitple-public-ip


Can someone help me?

Regards,

Michael
 
I do not think that you have to change the /27 to /32. I have /26 there.
But what I see as a problem is that vmbr4 has no external connections. This is why it is not reachable.
You can do some NAT magic, or you should create a "WAN" bridge with your physical interface and connect your OPNsense there.

Could you please tell us, what is your plan? What do you want to achieve?
 
I don't have a physical NIC on the internal vmbr either, because IP routing is turned on so the host routes the traffic. But, this implies extra public IPv4 addresses are used.

The best advice I can give is to follow Hetzner's advice given in the link I provided earlier.

If you're trying to use only the single IPv4 address that came with the host, then you don't need vmbr4 at all. NAT rules should be enough for internal guests with a private IP address to get out to the internet.

Without knowing exactly what you want to achieve, we can only guess...
 
Well, I have this on my server:


Code:
auto wan
iface wan inet static
    address xxx.yyy.116.171/26
    gateway xxx.yyy.116.129
    up route add -net xxx.yyy.116.128 netmask 255.255.255.192 gw xxx.yyy.116.129 dev wan
    up ip address add uuu.ppp.91.8/32 dev wan
    up ip address add uuu.ppp.91.9/32 dev wan
    up ip address add uuu.ppp.91.10/32 dev wan
    up ip address add uuu.ppp.91.11/32 dev wan
    up ip address add uuu.ppp.91.12/32 dev wan
    up ip address add uuu.ppp.91.13/32 dev wan
    up ip address add uuu.ppp.91.14/32 dev wan
    up ip address add uuu.ppp.91.15/32 dev wan
    down ip address del uuu.ppp.91.8/32 dev wan
    down ip address del uuu.ppp.91.9/32 dev wan
    down ip address del uuu.ppp.91.10/32 dev wan
    down ip address del uuu.ppp.91.11/32 dev wan
    down ip address del uuu.ppp.91.12/32 dev wan
    down ip address del uuu.ppp.91.13/32 dev wan
    down ip address del uuu.ppp.91.14/32 dev wan
    down ip address del uuu.ppp.91.15/32 dev wan

Of course, I do the aforementioned NAT magic to route the 8 secondary IPs I got from Hetzner.
 
@Swfty Fair enough, I think I responded to you a bit too quickly, message adjusted accordingly. You hit the nail on the head about not knowing what the plan is.

This is my config for a routed subnet with no NAT, minus the private networking parts. I have to add that the routed subnet is located behind a firewall:

Code:
auto enp6s0
iface enp6s0 inet manual
    address xx.yy.zz.132/32
    gateway xx.yy.zz.129
    up ip route add 10.0.0.0/8 dev lo metric 255
    up ip route add 172.16.0.0/12 dev lo metric 255
    up ip route add 192.168.0.0/16 dev lo metric 255

iface enp6s0 inet6 manual
    address aa:bb:cc:dd::2/64
    gateway fe80::1

auto vmbr0
iface vmbr0 inet static
    address xx.yy.zz.132/32
    ovs_type OVSBridge
    up ip route add uu.vv.ww.32/32 dev vmbr0
    up ip route add uu.vv.ww.32/29 via uu.vv.ww.32
#Public network

iface vmbr0 inet6 static
    address aa:bb:cc:dd:1::1/80

The resulting routing table:

Code:
user@host ~ # ip r
default via xx.yy.zz.129 dev enp6s0 proto kernel onlink
10.0.0.0/8 dev lo scope link metric 255
uu.vv.ww.32 dev vmbr0 scope link
uu.vv.ww.32/29 via uu.vv.ww.32 dev vmbr0
172.16.0.0/12 dev lo scope link metric 255
192.168.0.0/16 dev lo scope link metric 255

So the OP should probably start by removing "up ip route add 80.120.X.XX dev vmbr4" from vmbr4 and then check the NAT rules.
 
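An added example, not part of any post above: a small Python check for the "check the NAT rules" step. It reads `/etc/network/interfaces` text and reports DNAT rules with no destination-address match (such a rule also rewrites traffic addressed to any additional IP routed to the host) and rules added in an up hook that no down hook deletes. The sample input is constructed from the first post's config, and the function names are this example's own.

```python
import shlex

# Constructed sample: the NAT-related lines of the first post's config,
# with the masked address/gateway lines left out (not needed for the check).
SAMPLE = """\
auto eno1
iface eno1 inet static
        post-up iptables -t nat -A PREROUTING -i eno1 -p tcp -m multiport ! --dport 22,8006 -j DNAT --to 10.10.10.2
        post-up iptables -t nat -A PREROUTING -i eno1 -p udp -j DNAT --to 10.10.10.2

auto vmbr0
iface vmbr0 inet static
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/30' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/30' -o eno1 -j MASQUERADE
"""

def iptables_hooks(text):
    """Yield (iface, hook, argv) for every iptables command in up/down hooks."""
    iface = None
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) >= 2 and words[0] == "iface":
            iface = words[1]
        elif len(words) >= 2 and words[0] in ("up", "post-up", "down", "post-down") and words[1] == "iptables":
            yield iface, words[0], words[2:]

def audit(text):
    """Return findings as (iface, issue, rule) tuples."""
    hooks = list(iptables_hooks(text))
    # Rules that a down hook deletes again, normalised to their -A form.
    deleted = {tuple("-A" if a == "-D" else a for a in argv)
               for _, hook, argv in hooks if hook in ("down", "post-down")}
    findings = []
    for iface, hook, argv in hooks:
        if hook not in ("up", "post-up") or "-A" not in argv:
            continue
        rule = " ".join(argv)
        if "DNAT" in argv and not {"-d", "--destination"} & set(argv):
            findings.append((iface, "DNAT without -d: matches every address arriving on the interface", rule))
        if tuple(argv) not in deleted:
            findings.append((iface, "no matching down hook: rule is appended again on each ifup", rule))
    return findings

if __name__ == "__main__":
    for iface, issue, rule in audit(SAMPLE):
        print(f"{iface}: {issue}\n    {rule}")
```

On the sample, both PREROUTING rules on eno1 are reported for both issues, while the MASQUERADE rule on vmbr0 passes because its post-down line removes it.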