Hello,
I have been using a Proxmox for a while with a very simple network configuration, with only one NIC and one bridge that NATs the traffic to a private VLAN like this: (/etc/network/interfaces of the host)
Code:
auto eno1
# internet facing interface
iface eno1 inet static
    address XXX.XXX.XXX.105
    netmask 255.255.255.0
    gateway XXX.XXX.XXX.1

auto vmbr0
# private VLAN
iface vmbr0 inet static
    address 10.10.10.254
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # Redirect all traffic for http ports to internal reverse proxy
    post-up iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 80 -j DNAT --to 10.10.10.100:80
    post-up iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 443 -j DNAT --to 10.10.10.100:443
    post-down iptables -t nat -D PREROUTING -i eno1 -p tcp --dport 80 -j DNAT --to 10.10.10.100:80
    post-down iptables -t nat -D PREROUTING -i eno1 -p tcp --dport 443 -j DNAT --to 10.10.10.100:443
    # NAT
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
    # SSH
    post-up iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 22100 -j DNAT --to 10.10.10.100:22
    post-down iptables -t nat -D PREROUTING -i eno1 -p tcp --dport 22100 -j DNAT --to 10.10.10.100:22
    # .... More ssh rules
And I would like to go one step further now:
I have a fresh Proxmox 5 on Debian 9 by online.net with one failover IP, so that:
- main IP is only used to reach the host
- VLAN is accessed via the failover IP that is used on a pfsense VM that makes the routing and so on.
I am not a network specialist and despite many hours of googling and trial & error, I still don't get how I have to tweak the host interfaces file to have the pfsense VM getting the Public Failover IP address.
For the record, here are the few highlights of my setup at online.net:
- there is *only one interface* on the WAN eno1
- failover IP address has a generated MAC
- I have installed a fresh Proxmox PVE on an up-to-date Debian 9, rather than using the pre-packaged Proxmox offered by online.net: that's the only way to go if I don't want to have half of my SSD space spoiled to make RAID 1.
- host must not access the VLAN
I imagine it should be obvious and straightforward because this setup seems very _classic_ to me but I cannot make it work and would be very grateful for any hint or pointers: all step-by-step guides I have found always seem to miss THE crucial point that makes things work.
Please don't hesitate to ask if you need more info or if something is not clear.
Many thanks!
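One common layout for the goals listed above, as an added example that is not part of the original post: eno1 becomes a port of vmbr0, which keeps the main IP, and the private network moves to a second bridge on which the host has no address. The bridge name vmbr1, the 192.0.2.x documentation addresses and the helper names are assumptions, as is attaching the pfSense WAN NIC to vmbr0 with the failover IP's generated MAC; the checker reports where an interfaces file departs from that layout.

```python
# Added example: parse /etc/network/interfaces text and check host/VLAN separation.
TARGET = """\
# constructed sample: 192.0.2.x stands in for the main IP and its gateway
auto eno1
iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.0.2.105
    netmask 255.255.255.0
    gateway 192.0.2.1
    bridge_ports eno1

# LAN side for the VMs: no ports, no host address (assumed name vmbr1)
auto vmbr1
iface vmbr1 inet manual
    bridge_ports none
"""

def parse_ifaces(text):
    """Return {iface: {"method": ..., option: value}} for each iface stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = stanzas.setdefault(words[1], {"method": words[3]})
        elif words[0] in ("auto", "allow-hotplug", "source"):
            current = None  # these lines end the previous stanza
        elif current is not None:
            current.setdefault(words[0], " ".join(words[1:]))
    return stanzas

def check_layout(text, wan_nic, lan_bridge):
    """List findings: WAN NIC not bridged, or host reachable on the LAN bridge."""
    ifaces, findings = parse_ifaces(text), []
    if not any(wan_nic in s.get("bridge_ports", "").split() for s in ifaces.values()):
        findings.append(f"{wan_nic} is not a port of any bridge")
    if "address" in ifaces.get(wan_nic, {}):
        findings.append(f"{wan_nic} carries an address itself")
    lan = ifaces.get(lan_bridge)
    if lan is None:
        findings.append(f"{lan_bridge} is not defined")
    elif lan["method"] != "manual" or "address" in lan:
        findings.append(f"{lan_bridge} gives the host an address on the VLAN")
    return findings
```

Run against the configuration quoted in the post (with vmbr0 as the LAN bridge), `check_layout` returns three findings; against `TARGET` it returns an empty list.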