Hi all.
I'm about 2 weeks out from deploying a single server, running Proxmox, to a colo. My first experience with colocation, and if all goes well, I will be expanding. But with a single server, I'm pretty limited, security wise.
Diagram:
Explanation:
I have a total of 4 WAN IPs available, so my plan is to run an HA pair of pfSense QEMU/KVM instances (CARP failover). Each pfSense instance would have a WAN IP assigned, and also have a VIP with a third WAN IP (the fourth WAN IP would be unused). So essentially eth0 and eth1 on the host would be connected to my uplink, each would have an OVS bridge attached (vmbr0 to eth0, vmbr1 to eth1), and no IPs assigned on either of those 4 ports. vmbr0 would be attached to pfSense01 as the WAN port, and my WAN IP #1 would be assigned there. vmbr1 would be attached to pfSense02 as the WAN port, and my WAN IP #2 would be assigned there.
I would then have vmbr4 (no IP assigned on Proxmox), with no physical interface attached, which would be connected to each pfSense instance as a sync/replication port. Lastly, I would have vmbr5 attached on the LAN side of each pfSense instance. Each pfSense LAN port would have a LAN IP assigned (i.e., 10.10.10.251 and 10.10.10.252) and they'd share a LAN VIP that I would use as my gateway for all LAN devices (i.e., 10.10.10.254).
vmbr5 on the Proxmox host would have a LAN IP assigned as well (i.e., 10.10.10.250), so that from the LAN I could access Proxmox webUI.
The goal here would be to have only ports HTTP/80 and HTTPS/443 open through the pfSense instances, which forward to an Nginx reverse proxy instance. That instance would proxy all backend webservers, so really only that Nginx reverse proxy instance would allow inbound connections from my WAN. I would also configure the pfSense instances to run OpenVPN, so that I could connect via VPN from whatever other device, and that would put me on my colo LAN where I could access the Proxmox webUI (so I don't have to expose the Proxmox webUI to the WAN directly).
Even though I am only showing 8 LXC containers, I will likely have closer to 20. I just wanted to put some in there to help aid the visualization.
Does this make sense? Do I understand OVS networking with Proxmox correctly? Any issues or possible improvements?
Thanks!
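As an added check (not from the post, and not a Proxmox tool), a small script that parses the host's /etc/network/interfaces and confirms the layout described above: no host address on the OVS bridges that own eth0/eth1, no physical port on the vmbr4 sync bridge, and the host's only IP on vmbr5. The sample file and the address in it are constructed from the post's description; the bridge and NIC names are passed in as parameters.

```python
import re

# Constructed sample (hypothetical file, 'auto' lines omitted): eth0->vmbr0,
# eth1->vmbr1 carry no IP, vmbr4 is sync-only, vmbr5 holds 10.10.10.250.
SAMPLE = """\
iface eth0 inet manual
    ovs_type OVSPort
    ovs_bridge vmbr0
iface eth1 inet manual
    ovs_type OVSPort
    ovs_bridge vmbr1
iface vmbr0 inet manual
    ovs_type OVSBridge
    ovs_ports eth0
iface vmbr1 inet manual
    ovs_type OVSBridge
    ovs_ports eth1
iface vmbr4 inet manual
    ovs_type OVSBridge
iface vmbr5 inet static
    address 10.10.10.250/24
    ovs_type OVSBridge
"""

def parse(text):
    """Map each iface name to its inet method and indented option lines."""
    stanzas, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"iface\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            cur = stanzas.setdefault(m.group(1), {"method": m.group(2)})
        elif cur is not None and line[:1].isspace():
            key, _, val = line.strip().partition(" ")
            cur[key] = val.split() if key == "ovs_ports" else val
    return stanzas

def audit(text, uplinks=("eth0", "eth1"), sync="vmbr4", mgmt="vmbr5"):
    """Return findings; an empty list means the file matches the design."""
    st, findings = parse(text), []
    # A bridge owning a physical uplink faces the colo WAN: a host address
    # there makes Proxmox itself reachable from the uplink, bypassing pfSense.
    for n, o in st.items():
        if set(o.get("ovs_ports", [])) & set(uplinks) and "address" in o:
            findings.append(f"{n}: WAN bridge must carry no host address")
        if "address" in o and n != mgmt:
            findings.append(f"{n}: only {mgmt} should carry a host address")
    if st.get(sync, {}).get("ovs_ports"):
        findings.append(f"{sync}: CARP sync bridge must have no physical port")
    if "address" not in st.get(mgmt, {}):
        findings.append(f"{mgmt}: LAN bridge needs the host management address")
    return findings
```

Run it against the real file with `audit(open("/etc/network/interfaces").read())` before the box leaves for the colo; any non-empty result is a deviation from the design in the post.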