Proxmox GUI/SSH behind Firewall issue

cr1cket

New Member
Jun 27, 2024
Hi there,

After several attempts to make the aforementioned work, I would like to reach out to you all with the aim to seek guidance and to learn a thing or two.

Main goal:
- I would like to access the Proxmox GUI and SSH into the tty via a Firewall VM (not pfSense).
- Once established, I would like to route all traffic through the Firewall, acting as an 'edge' device.


Up so far I have attempted the following [steps and configuration will be provided in a historical manner for ease of reading]:

1. Collected the physical MAC of the server hosting the public/WAN interface
2. Created a Firewall VM and configured it via the following:
- Attached 3 vmbr's:
> vmbr999: placeholder, as the initially mapped interface to the Firewall results in a Management interface, which cannot route data packets
> vmbr0: serving as the WAN interface [I disabled the interface when I attached it to the VM]
> vmbr4: serving as the "local_net" interface, where the Proxmox 8006 and 22 ports will live

- Configured default routes, NATs, ACLs, etc. (alongside SSH access on port 22 to the Firewall from my public IP)
3. Created a cronjob .sh script on the Proxmox host, which basically restores the original /etc/network/interfaces config by replacing it with the .bak which I created under /usr/local/bin. The script executes every 30 minutes, issues ifreload -a, waits 2 minutes and does a shutdown -r 0
4. Mapped the SSH port on Proxmox to listen on 2222, in order to be able to SSH both to port 22 on the Firewall and to the Proxmox host itself
5. Enabled the egress (WAN) interface on the Firewall
6. Pasted the new configuration under /etc/network/interfaces and issued an ifreload -a
7. Well... the cronjob did not work either, and I lost access to everything

[Configuration]
=== /etc/network/interfaces [ORIGINAL]
Code:
auto lo
iface lo inet loopback

iface lo inet6 loopback

iface enp98s0f0 inet manual

iface enp97s0f0 inet manual

iface enp97s0f1 inet manual

iface enp98s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
    address X.X.X.X/26
    gateway X.X.X.X
    bridge-ports enp98s0f0
    bridge-stp off
    bridge-fd 0
    up sysctl -p

auto vmbr4
iface vmbr4 inet static
    address 172.10.10.1/16
    bridge-ports none
    bridge-stp off
    bridge-fd 0


auto vmbr999
iface vmbr999 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0

=== /etc/network/interfaces [MODIFIED]
Bash:
auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp98s0f0

iface enp98s0f0 inet manual

iface enp97s0f0 inet manual

iface enp97s0f1 inet manual

iface enp98s0f1 inet manual

pre-up ebtables -t nat -A POSTROUTING -j snat --to-src <REAL_MAC> -o enp98s0f0

pre-up ip link set enp98s0f0 address <FAKE/BOGUS_MAC>

auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp98s0f0
    bridge-stp off
    bridge-fd 0
    up sysctl -p

auto vmbr4
iface vmbr4 inet static
    address 172.10.10.1/16
    bridge-ports none
    bridge-stp off
    bridge-fd 0


auto vmbr999
iface vmbr999 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0


Any idea why this is not working?
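The cron-driven safety net from step 3 is the part that has to work when everything else fails. As an added example (not the poster's script), this variant differs from an unconditional restore: it probes reachability first and only copies the .bak back, reloads with ifreload -a and reboots when the probe fails, so a working new config is not overwritten on the next cron run. The paths, probe host and command variables are assumptions and can be overridden via the environment.

```shell
#!/bin/sh
# Added example, not the poster's script: rollback safety net for remote edits
# to /etc/network/interfaces on a Proxmox host. Paths, probe target and the
# reload/reboot commands are assumptions; override them via the environment.
CONFIG="${CONFIG:-/etc/network/interfaces}"
BACKUP="${BACKUP:-/usr/local/bin/interfaces.bak}"
PROBE_HOST="${PROBE_HOST:-1.1.1.1}"               # any host that proves the WAN path works
PROBE_CMD="${PROBE_CMD:-ping -c 3 -W 2 $PROBE_HOST}"
RELOAD_CMD="${RELOAD_CMD:-ifreload -a}"           # Proxmox VE ships ifupdown2
REBOOT_CMD="${REBOOT_CMD:-shutdown -r now}"
GRACE_SECONDS="${GRACE_SECONDS:-120}"             # the poster waited 2 minutes before rebooting

# Returns 0 when the probe succeeds (host still reachable), non-zero otherwise.
# Command variables are intentionally unquoted so they word-split into arguments.
probe_connectivity() {
    $PROBE_CMD >/dev/null 2>&1
}

# Copy the known-good backup over the live config and reload networking.
# Returns 1 if the backup is missing or the reload fails.
restore_config() {
    if [ ! -f "$BACKUP" ]; then
        echo "rollback: backup $BACKUP not found" >&2
        return 1
    fi
    cp -- "$BACKUP" "$CONFIG" || return 1
    $RELOAD_CMD || return 1
    echo "rollback: restored $CONFIG from $BACKUP" >&2
}

# Entry point for cron. Returns 0 when the host is reachable and nothing was
# touched, 2 after a successful rollback (reboot issued), 1 if rollback failed.
check_and_rollback() {
    if probe_connectivity; then
        return 0
    fi
    restore_config || return 1
    sleep "$GRACE_SECONDS"
    $REBOOT_CMD
    return 2
}

# Only act when invoked explicitly, e.g. from crontab (hypothetical path):
#   */30 * * * * /usr/local/bin/netguard.sh run
if [ "${1:-}" = "run" ]; then
    check_and_rollback
fi
```

Test the probe from the console first (or with PROBE_CMD set to a known-failing command) so that a wrong probe host does not itself trigger the rollback.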
 
Hard to guess; get it into a diagram format using yuml.me to guide you. Best to access the PVE node like a VPN/EDGE; we have done this using WireGuard for some customers and with ZeroTier VPN for others, so one can access it and have traffic routed via it.
 
Are you connecting to your Firewall VM with a VPN?
I am attempting to have the following packet flow; the idea is to set up the VPN afterwards and modify the config thereafter:

Endpoint (my machine) -> Hetzner server -> Proxmox (Firewall, which holds the same MAC and public IP address) -> Proxmox GUI/SSH (port 2222) [presumably it should consume 172.10.10.1/16]

I've performed all the necessary ACLs to allow traffic from my public IP to the public IP of the Firewall (which translates to 172.10.10.1) on the translated port 2222 to 22, alongside the default 8006 port for GUI access.
 
