Hetzner Root Server with Proxmox, OPNsense Firewall and two virtual Interfaces

hitchhiker24

Member
Dec 31, 2019
Hi @all,

I just set up a new Root Server with Hetzner and installed Proxmox 6.1-3 on it. Now I want to install an OPNsense VM to manage remote access with SSL VPN and set up a couple of VMs.

Therefore I plan to set up two virtual interfaces (1# 10.100.1.0/24 - 2# 10.100.2.0/24). The first only for the firewall (WAN) and the second for the firewall (LAN) and the VMs. So I can manage all the traffic, which should all go in and out through the firewall.

Does somebody have experience with routing and firewalls inside of Proxmox like this?


thx
auto lo
iface lo inet loopback

iface lo inet6 loopback

auto eno1
iface eno1 inet static
address 144.xxx.xxx.xxx
netmask 255.255.255.224
gateway xxx.xxx.xxx.xxx
up route add -net xxx.xxx.xxx.xxx netmask 255.255.255.224 gw xxx.xxx.xxx.xxx dev eno1
# route xxx.xxx.xxx.xxx/27 via xxx.xxx.xxx.xxx

iface eno1 inet6 static
address 2a01:4f8:200:30f2::2
netmask 64
gateway fe80::1

auto vmbr0
iface vmbr0 inet static
address 144.xxx.xxx.xxx
netmask 255.255.255.224
bridge_ports none
bridge_stp off
bridge_fd 0
bridge_maxwait 0
pre-up brctl addbr vmbr0
up ip route add xxx.xxx.xxx.xxx/xx dev vmbr0


auto vmbr1
iface vmbr1 inet manual
bridge_ports none
bridge_stp off
bridge_fd 0

Here is my working config: vmbr0 is the WAN and vmbr1 is the LAN interface for Proxmox. eno1 is what is done by the setup itself, so it shouldn't need to be touched really. The WAN virtual bridge should be set as the primary IP of your server so you can push all traffic coming in through that one IP and redirect it to OPNsense, which then directs traffic to wherever it needs to go.

The up ip route add line is just for additional IPs, if you have any.

Then, I believe the WAN for OPNsense (if you have additional IPs like I do) is set up as the first additional IP on a /32 range (don't ask why, it's just how I was told to set it up so it works, and it does lol), with the gateway set as the primary server IP and the subnet mask also set as the primary server's subnet. This should automatically create the gateway then.

For the LAN, I set the IP on OPNsense as 10.0.0.1 on a /24 range, which I use to push traffic out to the servers through port forwarding.

I'm still quite new to it all myself, so someone may have a better way of getting you up and running, but this is just how I use it; I was helped by a friend setting it up :)

EDIT: also set up DNS for 1.1.1.1 :)
@jrshaw Just to make it clear:
The up route add beneath eno1 is for an additional IP, and the gateway is the same as for the first (main) IP;
vmbr0 has the same IP as eno1.

Inside OPNsense you define the WAN interface with the additional IP, and for the gateway you use the first (main) IP and not the real gateway IP.
But what do you mean with the OPNsense WAN IP with a /32 subnet range and a gateway with another subnet mask? The gateway is only an IP without an additional subnet mask, and when it's not inside the subnet of the WAN interface IP it shouldn't work, I guess...

Am I right?
 
Hiya bud,

Sorry for a late reply!

eno1's config doesn't need to be touched, as it is the main interface for the physical server and is set automatically; it's vmbr0 that you make the changes on if that is your WAN bridge like mine. So, as stated, vmbr0 needs to be configured in the following way to work:

auto vmbr0
iface vmbr0 inet static
address <MAIN SERVER IP>
netmask <MAIN SERVER NETMASK>
bridge_ports none
bridge_stp off
bridge_fd 0
bridge_maxwait 0
pre-up brctl addbr vmbr0 <-- Remove this
up ip route add xxx.xxx.xxx.xxx/xx dev vmbr0

So say your server's main IP you were given is 1.1.1.1 with a netmask of 1.1.1.255; just copy that over from eno1 to vmbr0's address and netmask sections (if they don't exist, create them).

Now the line marked above (pre-up brctl addbr vmbr0) needs removing. For reasons unknown, I was having difficulty getting my OPNsense firewall to ping 1.1.1.1 and google.com after I rebuilt my server, meaning it wasn't getting any traffic. I removed that line roughly a few hours ago (after trying for a few weeks to figure out what was wrong) and bam, I could ping them. I was happy I sorted it, as well as pissed off that one little thing stopped it all haha.

Anyway, let's also say you have additional IPs of a /29, so if I am correct, that's 8 IPs. So let's say for argument's sake that that is correct and you had the following IPs: 1.1.1.2 - 1.1.1.10. In the up ip route line, just add all your additional IPs there like:

1.1.1.2/29
1.1.1.3/29

And so on :D

vmbr1 is just an internal network I'm still stuck with again... It's fun starting from scratch when you're a novice :(

Anyway, I hope this is more helpful and clear to you :)
 
Sorry, missed this question. Ooook, so for the OPNsense setup, you would set the main IP as the first additional IP, so as in the posted example above that would be set as 1.1.1.2 with a netmask of 32. Don't ask why, I don't understand why, it just works, trust me lol. But the IPv4 gateway is what you set as the main server's IP, so 1.1.1.1, and the IPv4 name server is DNS, so 8.8.8.8 (or even 1.1.1.1, as it is actually a DNS IP; I just used it for an easy example).

Good luck, and if I can help any further feel free to ask and I'll do my best to assist!
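As an added check (not code from the thread or from Proxmox), this script parses a Proxmox /etc/network/interfaces in the layout jrshaw describes in the two posts above and flags deviations that would let VMs route around OPNsense or break the WAN bridge. It assumes vmbr0 is the WAN bridge holding the host's main IP with one /32 host route per additional IP and vmbr1 the LAN bridge with no host address; the sample config uses constructed documentation addresses.

```python
import ipaddress, re

SAMPLE = """\
auto vmbr0
iface vmbr0 inet static
address 203.0.113.10
netmask 255.255.255.224
bridge_ports none
up ip route add 203.0.113.34/32 dev vmbr0
auto vmbr1
iface vmbr1 inet manual
bridge_ports none
"""

def parse_interfaces(text):
    """Minimal ifupdown parser: {iface: {"method": ..., "opts": {...}, "ups": [...]}}."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "auto ")):
            continue
        m = re.match(r"iface\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            cur = ifaces.setdefault(m[1], {"method": m[2], "opts": {}, "ups": []})
        elif cur is not None:
            key, _, val = line.partition(" ")
            if key in ("up", "post-up"):
                cur["ups"].append(val)  # commands run once the bridge is up (host routes)
            else:
                cur["opts"][key] = val
    return ifaces

def audit(text, wan="vmbr0", lan="vmbr1"):
    """Return findings; an empty list means the config matches the thread's layout."""
    ifaces, findings = parse_interfaces(text), []
    w, l = (ifaces.get(n, {"method": None, "opts": {}, "ups": []}) for n in (wan, lan))
    if w["method"] != "static" or "address" not in w["opts"]:
        findings.append(f"{wan}: must be static and carry the host's main IP")
    if l["method"] != "manual" or "address" in l["opts"]:
        findings.append(f"{lan}: host must hold no address here, or VMs can route around OPNsense")
    for name, br in ((wan, w), (lan, l)):
        if br["opts"].get("bridge_ports") != "none":
            findings.append(f"{name}: bridge_ports must be none (no direct path to the physical NIC)")
        if "brctl addbr" in br["opts"].get("pre-up", ""):
            findings.append(f"{name}: drop 'pre-up brctl addbr' (jrshaw reports it broke WAN reachability)")
    for cmd in w["ups"]:  # additional IPs are handed to the WAN bridge as /32 host routes
        m = re.match(r"ip route add (\S+) dev (\S+)", cmd)
        if m and (m[2] != wan or ipaddress.ip_network(m[1], strict=False).prefixlen != 32):
            findings.append(f"{wan}: route {m[1]} should be a /32 host route on {wan}")
    return findings
```

Run `audit(open("/etc/network/interfaces").read())` on the host to check a real config; an empty list means nothing to fix.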