pfSense + HAProxy inside Proxmox at Hetzner

gnleot (New Member), Jun 26, 2018
Hi all,
we have 4 dedicated servers at Hetzner, and it seems impossible to get what we need…
What does Hetzner give us?

  • 4 dedicated servers, each one with its own public "MAIN IP" assigned to one interface (eno3), and all cabled to a dedicated 10 Gb switch for internal LAN communications (eno1).
  • Additional IP (+MAC), additional subnet, failover IP (yes, we have taken everything, but nothing works); we tried every possible combination following their guidelines, and many other online resources.
What do we need?

  • PVE cluster (this works thanks to the VLANs bridged on the internal LAN NIC)
  • pfSense to get out correctly (of course), handle internal LAN traffic and route it out
  • HA via pfsync; each node must be able to handle some CARP VIPs, assigned to different services (OpenVPN, IPsec, HAProxy frontend). Regarding this, on Hetzner is the only way to get a CARP VIP to use a failover IP? Is that right?
I cut other parts of the /etc/network/interfaces file:

  • In this type of configuration (routed?) they say to give the guest system (in this case pfSense) the additional IP as its address, and the MAIN IP of the server as gateway, so I set up on pfSense the AdditionalIP as WAN and the MAIN IP as gateway.
    The gateway status is online, but I can't ping outside.
Code:
# Routed setup: the host owns the MAIN IP on the physical NIC and on a
# port-less bridge; guest IPs are reached through /32 host routes on vmbr0.
auto eno3
iface eno3 inet static
        address  MAIN IP
        netmask  255.255.255.255
        gateway  GW BY Hetzner
        pointopoint GW BY Hetzner   # Hetzner gateway is not on-link, hence /32 + pointopoint

auto vmbr0
iface vmbr0 inet static
        address  MAIN IP            # on the pfSense guest VM this is the gateway
        netmask  255.255.255.255
        bridge_ports none           # no physical port: the host routes, it does not bridge
        bridge_stp off
        bridge_fd 0
        # the host must forward IPv4 for the guest (skip if already set in /etc/sysctl.conf)
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        up route add -host AdditionalIP/32 dev vmbr0  # on the pfSense guest VM the WAN IP
        up route add -host FailoverIP/32 dev vmbr0    # failover IP used as CARP VIP on the guest

  • With this conf (bridged?) I set on pfSense the MAIN IP as WAN and GW BY Hetzner as gateway; in this way I get out correctly, but from outside I can't reach the FailoverIP added into pfSense as a CARP VIP (because from Hetzner the FailoverIPs are routed to the MAIN IP, which in this case is assigned to a VM).
Code:
# Bridged setup: eno3 is enslaved to vmbr0, so guests sit directly on the
# Hetzner uplink and each guest IP needs the virtual MAC Hetzner assigned to it.
auto eno3
iface eno3 inet manual

auto vmbr0
iface vmbr0 inet static
        address  AdditionalIP       # host address from the additional subnet
        netmask  255.255.255.128
        broadcast  BRDC-IP
        network NET-IP
        gateway  GW BY Hetzner
        pointopoint GW BY Hetzner
        bridge_ports eno3           # physical port bridged: MAIN IP lives on the pfSense guest
        bridge_stp off
        bridge_fd 0

Does someone know how to help me?

Thanks for reading
 
Please write me a PM if you are willing to pay for someone who will fix it. It will work once I'm done with it. Did it several times with success at Hetzner DCs.
 
Are you able to solve your problems? Just to understand if it's doable (I'm in a similar context right now)
 
Meanwhile Hetzner offers a vSwitch with public subnets. With this, CARP/VRRP can easily be used for HA IPs and failover to other devices.
So yes those problems are resolvable. :)
 
