Hello!
Thanks in advance for your time.
I'm deploying a new Proxmox cluster on Hetzner (12 Ryzen 5 3900 physical hosts).
I have 2 NICs on each physical host:
- 1 Gbit => for the public Internet, with a public IP attached
- 10 Gbit => connected to a private Ubiquiti 10G switch
I created a bridge on Proxmox for each of those physical ports.
But I'm not sure how it will work if all the traffic that the host receives is not forwarded to this VM. (Some years ago I managed to install pfSense on Proxmox with only one NIC, but I don't want to go that way: too complex a config, and it relies heavily on iptables forwarding.) Maybe now that I have two NICs, with a physical switch for the LAN, I can get an easier setup.
I'm not sure of the best way to deploy a pfSense instance to work as firewall / NAT / default gw / OpenVPN, etc.
I want to install it on the first Proxmox node and disable public access to the remaining 11 nodes (making all of them accessible only through the VPN on the pfSense).
What I want to accomplish is some kind of isolation between the public Internet and my private LAN.
I want to use pfSense like a bastion and as my only point of access to my infrastructure. Then I will use HAProxy/nginx to load balance traffic to my private API/database machines.
I'm also thinking of using it as the default gateway for every machine and my only exit point to the Internet. All VMs and hosts would be on the same subnet, using a bridge port to the private switch. Does that make sense?
Using a bare-metal machine just for pfSense would be easier, but it seems a little overkill, a waste of resources "only" for this; that's why I'm searching for a virtualized solution.
Any hint to achieve this architecture would be very much appreciated.
Thanks!
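One way to lay out the host networking described above, as an added example that is not part of the original post: a Proxmox /etc/network/interfaces for node 1, where the pfSense VM gets vmbr0 (WAN) and vmbr1 (LAN) as its two virtual NICs, and the host itself keeps no address on the public side. The NIC names, the 10.0.0.0/24 range and the pfSense LAN address 10.0.0.1 are assumptions; the other 11 nodes use the same file with a different vmbr1 address, and can drop the vmbr0 stanza entirely so their public NIC is never brought up.

```text
# /etc/network/interfaces (constructed example; names and addresses assumed)
auto lo
iface lo inet loopback

# 1 Gbit public NIC: bridged for the pfSense WAN port only.
# "inet manual" with no address means the host never answers
# on the public side; only the pfSense VM sees this bridge.
auto enp1s0
iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0

# 10 Gbit private NIC to the Ubiquiti switch: the host's only address,
# with its default route pointing at the pfSense LAN interface.
# Corosync, management and all VM LAN traffic live here.
auto enp2s0
iface enp2s0 inet manual

auto vmbr1
iface vmbr1 inet static
    address 10.0.0.11/24
    gateway 10.0.0.1
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0
```

With this in place the host is reachable only over the 10G network or the provider's out-of-band console, so bring up the pfSense VM and confirm the VPN path works before removing the public address from the last node.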