Proxmox VE 3 - FW-VM as Gateway

[Dockay]

Hi,

i'm new to Proxmox VE and have a simple layout question.

I wanted to realize this:


Internet <-> Host (Proxmox) First-Public-IP <-> (Second-Public-IP) VM Firewall (pfsense) <-> all other VMs with private LAN (192.168.x.x)

I read tons of wikis and websites and I still don't get the clue how to setup the interfaces in Proxmox.

I have eth0 / eth1

I tried different configurations but they didn't seem to work. I have always acces to my first Public-IP, but the second is alway not reachable/connection denied

In pfsense I added two vmbr0/vmbr1 for WAN/LAN, but pfsense didn't get connection to the internet nor can ping the FirstPublic-IP.

Could anyone give me a clue how to setup these bridges?

 

[m.ardito]

hi

i would do

on pve host:
- eth0 and eth1 should be not configured directly
- a vmbr0 ("external") bridge should be created, with the first public ip, bound to the unconfigured eth0
- a vmbr1 ("internal") bridge should be created, with an internal LAN ip, bound to the unconfigured eth1

your pfsense vm:
- should have two virtual network cards (nics), the external bound to vmbr0, the internal to vmbr1
then it should be able to work as expected

there could be other setups, though...

Marco

 

[Dockay]

Hi marco,

thanks for your response.

i just got the information, eth1 is not connected, thus, not usable.

I added vmbr0 for external with my FirstPublicIP bridged to eth0
and vmbr1 with internal IP bridged to none

I added two nics to the VM for vmbr0/vmbr1 and set the IP-Address for WAN/LAN.

still don't get any connection from pfsensevm to internet/or firstpublic-ip.

have you any other hint?

eth0 has .139 as first-public-ip
additionally I have .140 as second-public-ip

current setup:

thanks in advance!

 

[m.ardito]

i just got the information, eth1 is not connected, thus, not usable.

current setup:

thanks in advance!

eth0 should have enabled yes but autostart no if I remember well now I'm far from my pve
other than that if ip/mask/gateway are correct, it should work...
but in this setup your vm eth0/vmbr0 should have an ip public too, routable by pve (say, vmbr0 .139 and pfsense eth0 .140)

...but you should also consider that in this way pve is directly exposed to the internet through .139

i use only private ip on pve and vms, behind a firewall appliance doing nat, and ove ip is not reachable directly from the internet

Marco

 

[Raymond Burns]

Could you still have a publicly accessibly firewall appliance, and private pve and vms?

 

[m.ardito]

yes, like:

internet 
  <--> router (by ISP, own public IP) 
    <--> fw appliance (own external public IP, internal private IP, doing NAT and address mapping of other public IPs to selected pm/vm private IPs, not pve!) 
      <--> pm (ethx with private IP)
      <--> pm (ethx with private IP) (eg: address mapped to public IP)
      <--> pve (vmbr0 with private IP) 
         <--> vm (ethx on vmbr0, private IP) 
         <--> vm (ethx on vmbr0, private IP) (eg: address mapped to public IP)

[where pm = physical machine]

the fw appliance is just my setup, it could be a dedicated server with two network cards (external, internal) or even pve itself, but i don't know the right setup for that.
I suppose that you can range from iptables rules, to shorewall or others.

see pages like
http://myatus.com/p/guide-firewall-and-router-with-proxmox/

Marco