[TUTORIAL] Proxmox @ Hetzner, using a single public IPv4 address (+IPv6/64) while all traffic, including host goes through virtualized Firewall (ex. Pfsense)


Active Member
Jul 29, 2013
I'm a bit short on time and I was hesitant to share this as recently Hetzner started sending out MAC abuse messages which took me a long time to resolve as it was both a Proxmox issue, which was fixed with PVE 7, and also an issue with this configuration which I finally resolved.

I have been using this configuration for quite a few years and it works great.

Proxmox built in firewall is good, but a bit inflexible as well as I like the VPN functionality (and simplifications) of Firewall dedicated vms. I also wanted to access both my port mapped virtual machines as well as the host with a single public ip, protected by my virtualized firewall of choice.

Most people eventually break down and buy extra ipv4 address, ex. 1 ip for host, 1 for virtualized firewall + vms. With this technique, an extra ip is not necessary

You can have your cake and eat it too.

Quick Overview

This is not going to be a step by step, you will need to be able to understand the configuration here and conceptually understand how to apply the configuration.
Oftentimes a mistake will force you to reboot into rescue mode and reconfigure you network.

Also, understand, since all traffic will be forced through a virtual firewall, if it malfunctions, you will not have access to the host. Additionally, during a reboot, until the virtual firewall has booted, your port mappings to the host will not be functional as well.

I keep two copies of my interfaces file,
  • vm-firewall-as-public-interface interfaces file
  • and 1 for the standard-baremetal-config where the host has the public ip (standard setup).

Create your firewall VM, with 2 virtual network interfaces.
  • Virtual FW, eth1 will be the "LAN" connected to vmbr1
  • Virtual FW, eth0, will be the firewall WAN port, connected to vmbr0.
    • Its IP (4/6) settings should match what you normally would set the host physical card to.
    • Because Hetzner switch ports only answer traffic from the registered physical MAC address, we need to push the physical MAC address into a virtual network adapter attached to the Firewall VM.
      • Setup the MAC address of Virtual FW, eth0 to match your physical cards MAC. (Pro-tip: In the VM config, leave this port unplugged under advanced while you configure it, only virtually plug it in while the firewall is turned off before you reboot the PVE host to swap into the vm-firewall-as-public-interface interfaces, otherwise you gonna have a bad time)

/etc/network/interfaces - vm-firewall-as-public-interface interfaces file

source /etc/network/interfaces.d/* auto lo iface lo inet loopback iface lo inet6 loopback # Bring up the physical interface auto enp3s0 # Set the physical interface to manual networking configuration, but we DO NOT assign it any IPs. iface enp3s0 inet manual # We rewrite any bridge traffic leaving through the physical adapter (enp3s0) to the real MAC to avoid generating Hetzner Mac abuse warnings via its switches seeing ethernet frames with "wrong" MAC address.. ex Real MAC address: aa:bb:cc:dd:ee pre-up ebtables -t nat -A POSTROUTING -j snat --to-src aa:bb:cc:dd:ee -o enp3s0 # Change the physical cards MAC address to a generated/fake MAC, so it frees up the real MAC address to be passed through to the virtual Firewall. pre-up ifconfig enp3s0 hw ether 00:11:22:33:44:55 auto vmbr0 iface vmbr0 inet manual bridge-ports enp3s0 bridge-stp off bridge-fd 0 bridge_maxwait 0 auto vmbr1 iface vmbr1 inet static address bridge-ports none bridge-stp off bridge-fd 0

And on your firewall, suggest port mapping at the very least 22, and 8006 to your PVE host, via its vmbr1 LAN address.

Public ip is
PVE host vmbr1 LAN is: (like above config)

On your virtual firewall, port forward from your public interface, port 22,8006 to port 22,8006

Again, this is not a full step by step, there are many considerations such as fully understanding the network configuration process, understanding when to reboot and activate/swap configurations, but this config works well for me for many years. I really like having all my traffic forced through my virtualized firewall, including host traffic.
  • Like
Reactions: Xentux


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!