Hetzner - running 3 Proxmox hosts behind dedicated firewall

[madhat2r]

Hello everyone,


This is a question about possibilities, because I cannot seem to find anything like this when searching. This may be more of a Hetzner issue but it looks like folks on here are pretty well versed in Hetzner so I am hoping someone has some ideas.

The premise:

I am attempteng to replace my current colocation servers with hetzner dedicated servers. I would need to have 3 Proxmox server, with several VMs on each. I would like to have a dedicated OPNsense (Proxmox) server that all the other Servers/VMS would use as their gateway. Several of the VMs will need to have Public IPv4 addresses. Also two of the VMs are Windows servers, if that makes any difference.

The problem:

I cannot see a way to have all the traffic from the VMs go through the OPNsense server. Since the Dedicated server also has a public IP, I really need to lock it down as well, but it looks like the firewall provider by Hetzner is not very flexible (understatement). Can I block all traffic exept management ports using their firewall, and stil be able to route traffic through it to the OPNsense server?

I appreciate any help or ideas you can provide. I am not a network engineer, so I am not sure if this is even possible. I am also open to other ideas if this is not possible.

Thanks so much for your attention.

 

[pille99]

i have the same config and it too me a while to figure it out

1. you have 2 ips per server, one management and this can be locked down per hetzner firewall, but you also need to add rules from each and to each server
2. on the public ip you connect your opnsense and opnsense takes care of the traffic. no need to put hetzner firewall in front. also not much space for a lot of rules
3. used sdwan to create networks to move the vms in all direction

 

[madhat2r]

i have the same config and it too me a while to figure it out

1. you have 2 ips per server, one management and this can be locked down per hetzner firewall, but you also need to add rules from each and to each server
2. on the public ip you connect your opnsense and opnsense takes care of the traffic. no need to put hetzner firewall in front. also not much space for a lot of rules
3. used sdwan to create networks to move the vms in all direction

Thanks for your help @pille99, I am glad to know that it can be done.

I am having a hard time understanding exactly what you mean. Would you mind posting a sanitized `/etc/network/interfaces` so I can see it in config?

Also I am unfamiliar with sd-wan. Could the same be accomplished with Hetzner's vSwitch?

 

[pille99]

auto lo
iface lo inet loopback

auto enp41s0
iface enp41s0 inet manual
#1GB UPLINK

auto enp1s0f0
iface enp1s0f0 inet static
        address 10.10.15.10/24
        mtu 9000
#10GB SDN

auto enp1s0f1
iface enp1s0f1 inet static
        address 10.10.12.10/24
        mtu 9000
#10GB Corosync

auto enp33s0
iface enp33s0 inet manual
        mtu 8972
#10GB Ceph

auto vmbr99
iface vmbr99 inet static
        address 10.10.10.10/24
        bridge-ports enp33s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
#Bridge Ceph

auto vmbr0
iface vmbr0 inet static
        address public ip
        gateway hetzner gateway
        bridge-ports enp41s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
#1GB UPLINK Public

auto vmbr99.11
iface vmbr99.11 inet static
        address 10.10.11.10/24
#10GB Ceph

source /etc/network/interfaces.d/*

 

[pille99]

the sd-wan you need because the nodes can not talk to each other, for moving the VMs around.
the vswitch from hetzner is something different.

 

[madhat2r]

Thank you so much @pille99. This is very helpful.