Hi, I am a newbie in Linux, networking and Proxmox in general. I followed this article to create an HA Proxmox cluster on Hetzner (for learning purposes). The network configuration is like this (you can see the image):
- 3 bare metals from Hetzner, with 1 bare metal having an additional IP with a MAC address (for routing to the outside, as the main address of the Hetzner VM does not allow routing)
- 3 vSwitches from Hetzner with VLAN IDs 4003, 4004, 4005
- These bare metals have only 1 NIC
- pfSense running in a VM acts as firewall + router/DHCP server for the other VMs
I managed to set up the Proxmox cluster, and intended to turn it into a web server. On the Proxmox host I have put a reverse proxy; now I want to use the reverse proxy to direct traffic to the appropriate workload in the VMs.
Right now the pfSense VM is attached to vmbr0 as WAN (with the MAC address bound to the additional IP) and vmbr1 as LAN; its IP is 192.168.1.1. All the VMs I spun up are attached to vmbr1 and got an IP assigned from pfSense as 192.168.1.xxx.
In pfSense, I have whitelisted the IP of the Proxmox host by setting firewall WAN rules in pfSense. The host can now ping the public IP of pfSense (the additional IP from Hetzner). All VMs connected to vmbr1 (pfSense LAN) can also ping each other.
But the problem is that from the host, I cannot reach the VMs behind pfSense. What am I doing wrong here? Doesn't this line on the host mean that any call to this IP range 192.168.0.0/16 will be directed to <Additional IP from Hetzner>, which is pfSense?
My question is: how can I route requests from the host to the correct VM / how do I configure the host to talk with the VMs?
Many thanks for your help!
Code:
up ip route add 192.168.0.0/16 via <Additional IP from Hetzner> dev vmbr0
Here is my network configuration
Code:
### Hetzner Online GmbH installimage
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback
iface lo inet6 loopback

# physical NIC: bridge port only, no IPv4 address of its own
iface enp195s0 inet manual
    up sysctl -w net.ipv4.ip_forward=1
    up sysctl -w net.ipv4.conf.enp195s0.send_redirects=0
    up sysctl -w net.ipv6.conf.all.forwarding=1

iface enp195s0 inet6 static
    address <MAIN_IP_V6_FROM_HETZNER>
    netmask 64
    gateway <MAIN_GATEWAY_V6_FROM_HETZNER>

#WAN
auto vmbr0
iface vmbr0 inet static
    address <MAIN_IP_FROM_HETZNER>
    netmask 32
    gateway <GATEWAY_FROM_HETZNER>
    broadcast <BROADCAST_FROM_HETZNER>
    pointopoint <GATEWAY_FROM_HETZNER>
    bridge-ports enp195s0
    bridge-stp off
    bridge-fd 0
    # Hetzner subnet route, placeholders as in the original; ip(8) takes a
    # prefix length here, not a "netmask" keyword (the original line was a
    # garbled mix of route(8) and ip(8) syntax)
    up ip route add <GATEWAY_FROM_HETZNER>/<SUBNET_FROM_HETZNER> via <GATEWAY_FROM_HETZNER> dev vmbr0
    # Routes to the VM networks behind pfSense. They must run under vmbr0,
    # not under enp195s0: the bridge does not exist yet when the NIC comes up.
    # The pfSense WAN (the additional IP) is not in a directly connected subnet
    # of this /32 host, so 'onlink' is required or the kernel rejects the route
    # with "Nexthop has invalid gateway". The more specific /24 corosync
    # networks below still win over 10.0.0.0/8.
    up ip route add 192.168.0.0/16 via <ADDITIONAL_IP_FROM_HETZNER> dev vmbr0 onlink
    up ip route add 172.16.0.0/12 via <ADDITIONAL_IP_FROM_HETZNER> dev vmbr0 onlink
    up ip route add 10.0.0.0/8 via <ADDITIONAL_IP_FROM_HETZNER> dev vmbr0 onlink

#LAN0
# Virtual switch for DMZ
# (connect your firewall/router KVM instance and private DMZ hosts here)
auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp195s0.4003
    bridge-stp off
    bridge-fd 0

#COROSYNC1
#vlan between nodes
auto vmbr4004
iface vmbr4004 inet static
    address 10.0.100.10
    netmask 24
    bridge-ports enp195s0.4004
    bridge-stp off
    bridge-fd 0

#COROSYNC2
#vlan between nodes
auto vmbr4005
iface vmbr4005 inet static
    address 10.0.200.10
    netmask 24
    bridge-ports enp195s0.4005
    bridge-stp off
    bridge-fd 0
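The two things that usually bite in a routed Hetzner layout like this one are `up ip route add ... dev vmbr0` lines placed in a stanza for a different interface (the bridge is not up yet when the NIC's `up` commands run) and a `via` next hop that is not in a directly connected subnet of a /32 point-to-point host, which the kernel refuses unless `onlink` is given. The following linter is an added example, not code from the post or from Proxmox or Hetzner; it parses an `/etc/network/interfaces` file and reports both problems. The embedded sample is a constructed config using documentation addresses (203.0.113.0/24 for the Hetzner side, 203.0.113.77 standing in for the additional IP); the stanza parser and the "directly connected" heuristic (static addresses plus `pointopoint` peers) are this example's own simplifications.

```python
"""Lint /etc/network/interfaces stanzas for two common static-route mistakes:
   - a route whose 'dev' is not the interface of the stanza it runs in
   - a 'via' next hop that is not directly connected and lacks 'onlink'."""
import ipaddress
import re

# Constructed sample modelled on the routed Hetzner layout: host main IP as a
# /32 point-to-point bridge, RFC1918 routes via the pfSense WAN (the additional
# IP). All addresses are documentation ranges, not real ones.
SAMPLE = """\
auto lo
iface lo inet loopback

iface enp195s0 inet manual
    up sysctl -w net.ipv4.ip_forward=1
    up ip route add 192.168.0.0/16 via 203.0.113.77 dev vmbr0

auto vmbr0
iface vmbr0 inet static
    address 203.0.113.10
    netmask 32
    gateway 203.0.113.1
    pointopoint 203.0.113.1
    bridge-ports enp195s0
    up ip route add 10.0.0.0/8 via 203.0.113.77 dev vmbr0 onlink

auto vmbr4004
iface vmbr4004 inet static
    bridge_ports enp195s0.4004
    address 10.0.100.10
    netmask 24
"""

ROUTE_RE = re.compile(r"^up\s+ip\s+route\s+add\s+(\S+)\s+via\s+(\S+)\s+dev\s+(\S+)(.*)$")


def parse_stanzas(text):
    """Split an interfaces(5) file into per-iface dicts with the keys we need."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "iface":
            current = {"name": parts[1], "address": None, "netmask": None,
                       "pointopoint": None, "ups": []}
            stanzas.append(current)
        elif current is None or parts[0] == "auto":
            continue
        elif parts[0] in ("address", "netmask", "pointopoint"):
            current[parts[0]] = parts[1]
        elif parts[0] == "up":
            current["ups"].append(line)
    return stanzas


def local_networks(stanzas):
    """Networks the host is directly attached to (static addresses + p2p peers)."""
    nets = []
    for s in stanzas:
        addr = s["address"]
        if addr is not None:
            if "/" not in addr and s["netmask"]:
                addr = f"{addr}/{s['netmask']}"
            try:
                nets.append(ipaddress.ip_interface(addr).network)
            except ValueError:
                pass  # placeholder such as <MAIN_IP_FROM_HETZNER>
        if s["pointopoint"] is not None:
            try:
                nets.append(ipaddress.ip_network(f"{s['pointopoint']}/32"))
            except ValueError:
                pass
    return nets


def lint_routes(text):
    """Return (stanza, route_line, problem) tuples; empty list means clean."""
    stanzas = parse_stanzas(text)
    nets = local_networks(stanzas)
    findings = []
    for s in stanzas:
        for up in s["ups"]:
            m = ROUTE_RE.match(up)
            if not m:
                continue
            prefix, gw, dev, rest = m.groups()
            if dev != s["name"]:
                findings.append((s["name"], up,
                                 f"route uses dev {dev} inside the {s['name']} stanza; "
                                 f"{dev} may not exist yet when this runs"))
            try:
                gw_ip = ipaddress.ip_address(gw)
            except ValueError:
                continue  # unparseable placeholder next hop
            if "onlink" not in rest.split() and not any(gw_ip in n for n in nets):
                findings.append((s["name"], up,
                                 f"next hop {gw} is not in a directly connected subnet; "
                                 f"add 'onlink' or the kernel rejects the route"))
    return findings


if __name__ == "__main__":
    for stanza, line, problem in lint_routes(SAMPLE):
        print(f"[{stanza}] {line}\n    -> {problem}")
```

Run against the sample it reports the misplaced `enp195s0` route twice (wrong stanza, missing `onlink`) and accepts the `vmbr0` route; pointing it at a real file is `lint_routes(open("/etc/network/interfaces").read())`. A route via a host's own default gateway passes because the `pointopoint` peer counts as directly connected.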