PROXMOX network routing for additional IP addresses

Nov 24, 2022
Hoping someone here can help out a PROXMOX newbie....

I have a dedicated server on which PROXMOX is installed.
For VMs, we have only installed PFSense firewall so far, but the intention is to create additional VMs behind PFSense.
My ISP has allocated a public IP address, as well as two additional IP addresses.


Problem:
Public IP: 1.2.3.142/25
Additional IP 1: 7.8.9.137/26
Additional IP 2: 7.8.9.138/26

How do I set up PROXMOX networking so that the PFSense WAN interface is reachable on IP address 1 and/or 2?
My network config file is as follows:
Code:
auto lo
iface lo inet loopback

auto eno1

iface eno1 inet static
        address  1.2.3.142/25
        gateway  1.2.3.254
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up echo 1 > /proc/sys/net/ipv4/conf/eno1/proxy_arp

auto vmbr0
iface vmbr0 inet static
        address  7.8.9.137/26
        bridge-ports none
        bridge-stp off
        bridge-fd 0


However, using the above configuration, I cannot access the PFSense firewall.
If I try to SSH using address 7.8.9.137, I get the PROXMOX server.
 
Hi, you will have to assign the IP address to the network interface within the VM, not to the bridge on the host.

Edit: Similarly to the routed configuration in the docs https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_network_configuration
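
The point made in the reply above, as an added example that is not part of the original thread: a POSIX shell check that parses ifupdown-style config text and reports any IP meant for a guest that a host interface already owns. The function names host_owner and check_guest_ips are hypothetical, and the sample input is the first post's configuration.

```shell
#!/bin/sh
# Added example (not from the thread): find guest IPs that the host itself owns.
# Config text is in ifupdown (/etc/network/interfaces) syntax.

# host_owner CONFIG_TEXT IP -> prints the iface whose "address" line carries IP
host_owner() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == "iface"   { cur = $2 }          # track the current stanza
        $1 == "address" {
            split($2, a, "/")                 # strip the /prefix length
            if (a[1] == ip) print cur
        }'
}

# check_guest_ips CONFIG_TEXT IP... -> returns 1 if any guest IP is bound on the host
check_guest_ips() {
    cfg=$1; shift; rc=0
    for ip in "$@"; do
        owner=$(host_owner "$cfg" "$ip")
        if [ -n "$owner" ]; then
            echo "CONFLICT: $ip is bound to host interface $owner; the host answers for it"
            rc=1
        else
            echo "ok: $ip is not bound on the host"
        fi
    done
    return "$rc"
}

# Sample input: the configuration from the first post, embedded for offline use
SAMPLE=$(cat <<'EOF'
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet static
        address  1.2.3.142/25
        gateway  1.2.3.254

auto vmbr0
iface vmbr0 inet static
        address  7.8.9.137/26
        bridge-ports none
EOF
)

check_guest_ips "$SAMPLE" 7.8.9.137 7.8.9.138 || true
```

On a live host, pass `"$(cat /etc/network/interfaces)"` as the first argument. A conflict means connections to that IP, SSH included, terminate on the Proxmox host rather than on the firewall VM.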
 
Yip, the routed configuration is what I tried (see my original config)
However, using that option I can't see the VM, only the PROXMOX server itself.
So I'm assuming there is something wrong in the configuration.

I have only 3 IPs, not whole ranges.
What do I assign as the address/range in vmbr0 if I want to create VMs with 7.8.9.137 and 7.8.9.138?
 
Have you tried setting static routes for your IPs via ip route add 7.8.9.137 dev vmbr0 and ip route add 7.8.9.138 dev vmbr0, without a public IP for the bridge (just private ones for the internal network)? Also, set the gateway to the PVE host's public IP in the VMs. Check with tcpdump icmp -i <interface> and ping from outside to see where your packets are being routed/dropped...
 
I have the same issue; have you solved it?
 
In my opinion, a good way is to wrap the ISP connection into a separate VLAN using a managed switch.
For example, connect the ISP cable to switch port #1 while Proxmox is connected to port #2.
Then set up VLAN10 and name it "ISP VLAN":
Port #1 will be an untagged port. Remove it from the default VLAN.
Port #2 will be a tagged port. Do not remove it from the default VLAN.
Exclude the other ports from VLAN10.
You will have tagged traffic from the ISP to your Proxmox box.
Then set up pfSense's 1st network interface on bridge vmbr0 and set its VLAN tag to 10. Set it as the WAN interface in pfSense with the public IP.
Additional IPs can be added as aliases or Virtual IPs on WAN.
Next, set up the 2nd network interface on bridge vmbr0 with no tag. Set it as the LAN interface in pfSense.
Set up appropriate firewall and NAT rules in pfSense.
As a result, you will have ISP traffic going directly to pfSense, with no need to set up a public IP and routing on Proxmox.
Your pfSense will be the default gateway for Proxmox, VMs and other network devices on your network.
ISP traffic will pass Proxmox on L2 only, not L3.
This is, in my opinion, more secure than setting up a public IP on Proxmox.
 