Proxmox behind OPNsense VM

Hello everyone,
I would like to secure my Proxmox VE with OPNsense... currently ports 22 & 8006 are not forwarded to OPNsense.

How can I configure it?

Here is my "/etc/network/interfaces":
Code:
# Loopback interface; "auto" means it is started by `ifup -a` at boot.
auto lo
iface lo inet loopback

# Physical NICs are declared "manual": no IP address is assigned to them
# directly. In this file only enp193s0f0np0 is used, as the bridge port of
# vmbr0; the other two are not referenced by any bridge defined here.
iface enp193s0f0np0 inet manual

iface enx0e689c0ecab2 inet manual

iface enp193s0f1np1 inet manual

# vmbr0: public (WAN) bridge of the Proxmox host; it carries the primary
# public IP and is the only bridge with a physical port in this file.
auto vmbr0
iface vmbr0 inet static
        address 162.55.199.113/26

        # Broadcast address of the primary WAN IP
        broadcast 162.55.199.127

        # The gateway is reachable point-to-point (gateway IP).
        pointopoint 162.55.199.65
        gateway 162.55.199.65

        # Bridge settings:
        # bridge the physical interface enp193s0f0np0.
        bridge-ports enp193s0f0np0
        bridge-stp off
        bridge-fd 0

        # Static route through the gateway for the subnet of the primary WAN IP.
        # NOTE(review): 162.55.199.127 is the broadcast address set above, while
        # the /26 (255.255.255.192) containing .113 starts at 162.55.199.64.
        # `route add -net` normally expects the network address, so verify
        # that this route is actually installed.
        up route add -net 162.55.199.127 netmask 255.255.255.192 gw 162.55.199.65 vmbr0

        # Routing for additional IPs (max. 4 at Hetzner)
        up ip route add 162.55.199.115 dev vmbr0 # 2. WAN-IP
        #up ip route add fff.fff.fff.fff dev vmbr0 # 3. WAN-IP
        #up ip route add ggg.ggg.ggg.ggg dev vmbr0 # 4. WAN-IP
        #up ip route add hhh.hhh.hhh.hhh dev vmbr0 # 5. WAN-IP

        # TCP/UDP/ICMP DNAT to the OPNsense VM at 10.0.0.1.
        # TCP ports 22 and 8006 are excluded from forwarding, so SSH and the
        # service on 8006 (the Proxmox web UI) are answered by this host itself.
        # NOTE(review): traffic to those two ports therefore never passes
        # through OPNsense. Firewall rules or CrowdSec decisions enforced only
        # on OPNsense cannot block it. Filtering for 22/8006 has to happen on
        # this host (e.g. the Proxmox firewall or an INPUT rule limiting the
        # allowed source addresses), or the ports have to be closed on the WAN
        # side and reached through OPNsense instead (e.g. over a VPN).
        # NOTE(review): the rules match on "-i vmbr0" only, with no "-d", so
        # they apply to every destination address arriving on vmbr0,
        # presumably including the additional IP routed above -- confirm that
        # this is intended.
        # NOTE(review): there are no post-down "-D" counterparts (unlike the
        # MASQUERADE rule on vmbr1), so an ifdown/ifup cycle would leave the
        # old rules in place and append duplicates.
        # Forwarding also requires net.ipv4.ip_forward=1, which is not set in
        # this file -- presumably configured via sysctl; verify.
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m multiport ! --dport 22,8006 -j DNAT --to 10.0.0.1
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp -j DNAT --to 10.0.0.1
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p icmp -j DNAT --to 10.0.0.1
#WAN_Public

# vmbr1: host-internal transfer network between this host and the OPNsense VM.
auto vmbr1
iface vmbr1 inet static
        # IP for NAT: host side of a /31 link. The other address of the pair,
        # 10.0.0.1, is the next hop used below and the DNAT target on vmbr0
        # (presumably the OPNsense interface attached to this bridge).
        address 10.0.0.0/31

        # No physical port: this bridge exists only inside the host.
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        # Local routing of private IPv4 ranges from the Proxmox host
        # via the second WAN port of the OPNsense.
        # NOTE(review): with these routes the hypervisor reaches every
        # RFC 1918 destination through 10.0.0.1, so the rules on that OPNsense
        # interface presumably decide what the host can reach -- confirm they
        # are as narrow as intended.
        up ip route add 192.168.0.0/16 via 10.0.0.1 dev vmbr1
        up ip route add 172.16.0.0/12 via 10.0.0.1 dev vmbr1
        up ip route add 10.0.0.0/8 via 10.0.0.1 dev vmbr1

        # MASQUERADE rule for NAT: source-NAT traffic from the /31 link that
        # leaves via vmbr0; added on ifup and removed again on ifdown.
        # '10.0.0.1/31' has a host bit set; iptables masks it to 10.0.0.0/31.
        # Only that /31 is matched, so other private source ranges would
        # presumably have to be NATed by OPNsense first -- verify.
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.1/31' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.1/31' -o vmbr0 -j MASQUERADE
#WAN_Admin

# vmbr2: Open vSwitch bridge for the VM network. The host has no IP address
# on it ("manual") and no ovs_ports are listed in this stanza.
auto vmbr2
iface vmbr2 inet manual
        ovs_type OVSBridge
#VM Netzwerk

# Include any additional definitions from interfaces.d. Files there are parsed
# as part of this configuration, so they belong in the same review.
source /etc/network/interfaces.d/*

I have also installed CrowdSec on OPNsense and would like OPNsense to block requests after failed logins via SSH and Proxmox.
What do I need to install on the Proxmox server to implement this?
 