Proxmox 7 IPFO with PFSENSE (OVH IP fail over)

stormy27

Member
Feb 28, 2019
12
0
6
Dear all,

Last weeks I've spend many hours/days for searching a solution to my problem: IPFO declaration with PFENSE VM architecture....

As shown in this picture above:
OVH MAIN IP/FAILOVER -> VMBR0 --> VMBR1 (WAN) --> PFSENSE (WAN) --> PFSENSE (LAN) --> VMs
... and I don't know/understand how to proceed in my situation.... any tips please???

In 2 words: VMBR0 is having unique public IP, throwing requests to PFSENSE (WAN) using VMBR1. Then following PFSENSE rules the LAN part is managing access to different VMs. And for admin access, a VPN tunnel directly to PFSENSE, giving ability to access everything inside.

It's working finely, it's good but only with .... 1 IP address. (I followed different threads on internet to build this architecture)
test.jpg


Now HOW can I integrate IPFO for VMBR0?? I want to keep VMBR1/PFSENSE WAN filtering (that's the reason of this architecture!).

But on DEBIAN 11, how/where to declare the IPFO?
@jinjer gave on another post info related to vmbr0: OK, but in my situation VM are inside the protected LAN with alternative VMBR1/PFENSE redirection.

How to integrate OVH IP FO here? Where to put declaration/redirection/etc???

I bought different IPFO from OVH (so with MAC address) but I'm spending time and having no clue.....

My target is to have many IPFO for each VM located inside the LAN part (so protected by PFSENSE).


Need help, thanks! :) and take care
 
Last edited:

stormy27

Member
Feb 28, 2019
12
0
6
Hi! I was able to run this scenario, entering traffic is OK, but I'm not able from inside LAN (so my VMs) to use specific IP address when going to Internet. (using IP failover #1, ip failover #2, etc... every IP linked to vmbr0 as $IFACE:1, $IFACE:2 etc)

For instance, a simple scenario:
if a PVE VM Messaging is trying to send something on internet through SMTP, the visible IP used on vmbr0 will be the MAIN VMBR0 Ip address.
And not a failover IP..... which is what I'm trying to do.

BUT unfortunately, all the other IPs aliases are not used.... and I'm searching since many many days and not having a solution.


For incoming traffic, everything is send to proxmox, them I use a NAT Port Forward to throw 80 and 443 to HAPROXY VM, spreading traffic to other VMs. So it's generic forward of everything 80 and 443 to a specific VM.
I was not able to use Firewall Rules for this VM or another VM.... please help also on this topic. (each VM is in LAN 192.168.9.x network only)
How to configure PFSENSE to redirect to a specific VM? I search and tries NAT 1:1, ALIASES,.... but now way... I certainly using it with bad configuration, please help on this!!


Here is an extract from /etc/network/interface configuration with ip/down IP failover addresses:
[I]auto vmbr0 iface vmbr0 inet static address 141.xx.xx.xx/24 gateway 141.xx.xx.254 bridge-ports eth0 bridge-stp off bridge-fd 0 hwaddress d0:xx:xx:fb:c6:04 #BLOC1 up ip addr add 92.xx.122.4/24 dev $IFACE label $IFACE:1 down ip addr del 92.xx.122.4/24 dev $IFACE label $IFACE:1 up ip addr add 92.xx.122.5/24 dev $IFACE label $IFACE:2 down ip addr del 92.xx.122.5/24 dev $IFACE label $IFACE:2 up ip addr add 92.xx.122.6/24 dev $IFACE label $IFACE:3 down ip addr del 92.xx.122.6/24 dev $IFACE label $IFACE:3 up ip addr add 92.xx.122.7/24 dev $IFACE label $IFACE:4 down ip addr del 92.xx.122.7/24 dev $IFACE label $IFACE:4[/I]


So how to use specific IP Failover Addresses for outside world ???

And how to route a entering traffic to specific VM???? (as currently a request from internet to 92.xx.xx.xx is entering from vmbr0, entering pfsense, using Port Forward for 80 and 443 port to redirect to HAPROXY VM, which is redirecting to specific VM). But no way to use rules for each VM (because I can't match external real IP address from Internet to Internal LAN 192.168.9.x..)

Anybody can help please???? Thanks in advance! :)
 
Last edited:

openmomo

New Member
Sep 8, 2022
1
0
1
Hi there.

Looks like you want to use outbound nat. Heres my scenario:

- OVH physical server. 1 public interface with a bridge.
- Proxmox 7.2 with SDN
- Created a simple zone
- PFSense 2.6. WAN connected to the bridge and LAN connected to the simple zone.
- Elementary OS linux machine for managing PFSense connected to the simple zone.
- Virtual machine that will use NAT for incoming and outgoing traffic, translating into failover public IP.

Then, follow this guide for using virtual PFSense with a WAN static failover IP. This was crazy years ago when the option "use not local gateway" was not available.

https://docs.ovh.com/ie/en/dedicated/pfSense-bridging/

Configure OVH failover IPs creating a new MAC for PFSense WAN interface. Use same MAC for all IPs.
Create single Virtual IPs in PFSense in IP Alias mode. Remember to use /24

At this point, incoming traffic should work. If you want each machine to send traffic using same IP, you must create an outbound NAT rule like this:

- Interface: WAN
- Address family: IPv4
- Protocol: any
- Source: lets say that your VM has local IP 10.10.11.100 and use /32
- Destination: any
- Translation: the Virtual IP of your choice

Hope this helps!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!