Proxmox behind OPNsense VM

Lord Retr0

Lord Retr0

New Member
Proxmox Subscriber
Aug 11, 2024
5
1
3
Germany, Frankfurt am Main
Hello everyone,
I would like to secure my Proxmox VE with OPNsense... currently ports 22 & 8006 are not forwarded to OPNsense.

How i can configur it ?

Here are the "/etc/network/Interfaces"
Code: 
auto lo
iface lo inet loopback

iface enp193s0f0np0 inet manual

iface enx0e689c0ecab2 inet manual

iface enp193s0f1np1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 162.55.199.113/26

        # primäre WAN-IP-Broadcast-Adresse
        broadcast 162.55.199.127

        # Gateway ist über Punkt-zu-Punkt erreichbar. (Gateway-IP)
        pointopoint 162.55.199.65
        gateway 162.55.199.65

        # Einstellungen für die Brücke
        # physische Schnittstelle enp193s0f0np0 überbrücken.
        bridge-ports enp193s0f0np0
        bridge-stp off
        bridge-fd 0

        # statische Route durch das Gateway für Subnetz der primären WAN-IP
        up route add -net 162.55.199.127 netmask 255.255.255.192 gw 162.55.199.65 vmbr0

        # Routing für weitere IPs (max 4 bei Hetzner)
        up ip route add 162.55.199.115 dev vmbr0 # 2. WAN-IP
        #up ip route add fff.fff.fff.fff dev vmbr0 # 3. WAN-IP
        #up ip route add ggg.ggg.ggg.ggg dev vmbr0 # 4. WAN-IP
        #up ip route add hhh.hhh.hhh.hhh dev vmbr0 # 5. WAN-IP

        # TCP/UDP NAT zur OPNsense.
        # Port 22 wird nicht weitergeleitet für SSH zugriff
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m multiport ! --dport 22,8006 -j DNAT --to 10.0.0.1
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp -j DNAT --to 10.0.0.1
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p icmp -j DNAT --to 10.0.0.1
#WAN_Public

auto vmbr1
iface vmbr1 inet static
        # IP für NAT
        address 10.0.0.0/31

        bridge-ports none
        bridge-stp off
        bridge-fd 0

        # lokales routing von privaten IPv4-IPs von dem
        # Proxmox-Host über den zweiten WAN-Port der OPNsense
        up ip route add 192.168.0.0/16 via 10.0.0.1 dev vmbr1
        up ip route add 172.16.0.0/12 via 10.0.0.1 dev vmbr1
        up ip route add 10.0.0.0/8 via 10.0.0.1 dev vmbr1

        # MASQUERADE Regel für NAT
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.1/31' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.1/31' -o vmbr0 -j MASQUERADE
#WAN_Admin

auto vmbr2
iface vmbr2 inet manual
        ovs_type OVSBridge
#VM Netzwerk

source /etc/network/interfaces.d/*

I have also installed CrowdSec on OPNsense and would like to block requests via OPNsense in the event of an incorrect login via SSH & Proxmox.
What installation do I need on the Proxmox server to implement this?
 
Last edited:
  • Like
Reactions: Gregyski
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back