As many of my readers know, I run a few Hetzner dedicated servers with Proxmox as the virtualization layer.
To make the setup a bit more secure and not rely solely on the Hetzner firewall, I recently put my virtual machines behind a pfSense VM. The network configuration was not entirely trivial, so I would like to give my readers some insight into it.
Prerequisites
- dedicated Hetzner server (here: EX41-SSD)
- running Proxmox system
- an additional IP for the pfSense VM, with a virtual MAC address requested in the Hetzner Robot
- a subnet routed to the pfSense VM
As soon as these requirements are met, we can start configuring the system.
Proxmox Configuration
My Proxmox configuration looks like this (/etc/network/interfaces):
# Loopback
auto lo
iface lo inet loopback

# Physical NIC: no address of its own, it is enslaved to vmbr0 below
iface eth0 inet manual

# WAN bridge: carries the main server IP and the pfSense WAN NIC.
# Hetzner routes the main IP to the server, so it is configured as a /32
# with a point-to-point gateway.
auto vmbr0
iface vmbr0 inet static
        address <SERVER-HAUPT-IP>
        netmask 255.255.255.255
        gateway <SERVER-HAUPT-GATEWAY>
        pointopoint <SERVER-HAUPT-GATEWAY>
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        # Send the private ranges to the pfSense WAN address (138.201.203.59 here is the
        # additional IP assigned to the pfSense VM, not the host's main IP), so that the
        # host itself can reach the LAN behind pfSense
        up ip route add 192.168.0.0/16 via 138.201.203.59 dev vmbr0
        up ip route add 172.16.0.0/12 via 138.201.203.59 dev vmbr0
        up ip route add 10.0.0.0/8 via 138.201.203.59 dev vmbr0
        # The host forwards along these routes; do not let it send ICMP redirects
        # that would tell the VMs to bypass it
        up sysctl -w net.ipv4.ip_forward=1
        up sysctl -w net.ipv4.conf.eth0.send_redirects=0

# Virtual switch for the DMZ: no physical port, so nothing attached here reaches
# the Internet except through the firewall VM
# (connect the pfSense LAN NIC and the private DMZ hosts here)
auto vmbr1
iface vmbr1 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0
You can read the main server IP and the main server gateway from the Hetzner Robot; there are not many ways to get this part wrong.
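As an added check (example code, not from the original post): the following Python script audits an ifupdown file for the settings the configuration above depends on, such as the /32 main IP, forwarding, suppressed redirects, the three private-range routes to the pfSense WAN address and the isolated DMZ bridge. The embedded sample file is constructed; its addresses are RFC 5737 documentation addresses standing in for the placeholders, and the pfSense WAN address passed to the audit is an assumption.

```python
# Added example (not from the original post): audit a Proxmox /etc/network/interfaces
# for the settings the routed pfSense setup depends on. The sample file is constructed;
# its addresses are RFC 5737 documentation addresses standing in for the placeholders.
import re

SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback
iface eth0 inet manual
auto vmbr0
iface vmbr0 inet static
        address 198.51.100.10
        netmask 255.255.255.255
        gateway 198.51.100.1
        pointopoint 198.51.100.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        up ip route add 192.168.0.0/16 via 203.0.113.5 dev vmbr0
        up ip route add 172.16.0.0/12 via 203.0.113.5 dev vmbr0
        up ip route add 10.0.0.0/8 via 203.0.113.5 dev vmbr0
        up sysctl -w net.ipv4.ip_forward=1
        up sysctl -w net.ipv4.conf.eth0.send_redirects=0
auto vmbr1
iface vmbr1 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0
"""

PRIVATE_RANGES = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
ROUTE_RE = re.compile(r"^up ip route add (\S+) via (\S+) dev (\S+)$")
SYSCTL_RE = re.compile(r"^up sysctl -w ([\w.]+)=(\S+)$")


def parse_interfaces(text):
    """Split an ifupdown file into stanzas: interface name -> list of option lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("auto "):
            continue
        if line.startswith("iface "):
            current = line.split()[1]
            stanzas.setdefault(current, [])
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_host_config(text, pfsense_wan_ip):
    """Return a list of findings; an empty list means the file matches the expected layout."""
    findings = []
    if re.search(r"<[A-Z-]+>", text):
        findings.append("placeholder still present, replace it with the real address")
    stanzas = parse_interfaces(text)
    wan, dmz = stanzas.get("vmbr0", []), stanzas.get("vmbr1", [])

    options, sysctls, routes = {}, {}, {}
    for line in wan:
        if m := ROUTE_RE.match(line):
            routes[m.group(1)] = (m.group(2), m.group(3))
        elif m := SYSCTL_RE.match(line):
            sysctls[m.group(1)] = m.group(2)
        elif len(parts := line.split(None, 1)) == 2:
            options[parts[0]] = parts[1]

    # Hetzner routed setup: the main IP is a /32 with a point-to-point gateway.
    if options.get("netmask") != "255.255.255.255":
        findings.append("vmbr0 needs netmask 255.255.255.255")
    if options.get("pointopoint") != options.get("gateway"):
        findings.append("vmbr0 pointopoint must equal the gateway")
    if options.get("bridge_ports") != "eth0":
        findings.append("vmbr0 must bridge the physical NIC (eth0)")

    # The host routes the private ranges to pfSense, so it must forward and must
    # not send ICMP redirects that would tell the VMs to bypass it.
    if sysctls.get("net.ipv4.ip_forward") != "1":
        findings.append("net.ipv4.ip_forward must be 1")
    if sysctls.get("net.ipv4.conf.eth0.send_redirects") != "0":
        findings.append("net.ipv4.conf.eth0.send_redirects must be 0")

    # Every private range goes to the pfSense WAN address, which is not the host's own IP.
    if pfsense_wan_ip == options.get("address"):
        findings.append("routes must point at the pfSense WAN address, not the host's main IP")
    for net in PRIVATE_RANGES:
        if routes.get(net) != (pfsense_wan_ip, "vmbr0"):
            findings.append(f"missing route {net} via {pfsense_wan_ip} dev vmbr0")

    # The DMZ bridge has no physical port: the only way out is through the firewall VM.
    if "bridge_ports none" not in dmz:
        findings.append("vmbr1 must have bridge_ports none")
    return findings


if __name__ == "__main__":
    problems = audit_host_config(SAMPLE_INTERFACES, "203.0.113.5")
    print("OK" if not problems else "\n".join(problems))
```

Run it against your own file with `audit_host_config(open("/etc/network/interfaces").read(), "<your pfSense WAN IP>")`; the check that the route next hop differs from the host's own address catches the most common mix-up with this configuration, namely pointing the private ranges at the main IP instead of the additional one.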
pfSense Configuration
WAN/LAN configuration
The pfSense side is not much more complicated. In the Proxmox interface we create the VM with two network devices: one attached to vmbr0 (our WAN interface) and one to vmbr1 (the LAN interface).
After installing pfSense we assign the interfaces accordingly and configure the WAN interface:
The LAN interface configuration should be self-explanatory: a private subnet, no gateway.
Virtual IP Address
To be able to use our subnet behind pfSense, we now enter each address we intend to use under "Firewall -> Virtual IPs". Every address of the subnet can be entered here; only the network and broadcast addresses are not needed.
Internal IP addresses
We can now hand out internal IP addresses to the clients in the LAN. In the simplest case you use the pfSense DHCP server with static reservations, or you configure the clients manually.
I went with the DHCP variant, but I will not go into its configuration here, because it is quite self-explanatory.
1:1 NAT
To reach our internal clients from the Internet as well, we still have to configure 1:1 NAT (Firewall -> NAT -> 1:1): each public address of the subnet is mapped to the internal address of exactly one client.
Firewall configuration
Finally, it is up to the administrator to configure the firewall rules correctly. There are so many possible setups that I will not go into them any further; which ports are opened where is something the operator of the firewall has to decide for themselves.
ICMP ping rule
I find it quite convenient to be able to check the reachability of a host from the outside with a ping. This is always the first rule I create in the pfSense firewall:
The destination must of course be the internal IP or the internal subnet, because the 1:1 NAT has already been applied by the time the WAN rule is evaluated.
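The three pfSense steps above (Virtual IPs, 1:1 NAT, the ICMP rule) as one added example, not code from the original post: a Python planner that enumerates the usable addresses of the routed subnet, validates the public-to-internal mapping, and renders the equivalent FreeBSD/pf-style lines. The subnet 203.0.113.0/29, the LAN 10.0.0.0/24, the interface name vtnet0 (what a VirtIO NIC is called inside the FreeBSD-based pfSense VM) and the hosts are assumptions; pfSense's GUI generates the real ruleset, so the rendered lines are a summary to check your GUI entries against, not a file to load.

```python
# Added example (not from the original post): plan the Virtual IPs, the 1:1 NAT
# mappings and the ICMP rule for a routed subnet behind pfSense, and reject the
# addresses that must not be used. Assumed values: routed subnet 203.0.113.0/29,
# LAN 10.0.0.0/24 (documentation/private example ranges), WAN NIC vtnet0, made-up hosts.
from ipaddress import ip_address, ip_network

ROUTED_SUBNET = ip_network("203.0.113.0/29")   # assumed: the subnet Hetzner routes to pfSense
LAN_NET = ip_network("10.0.0.0/24")            # assumed: the pfSense LAN

# Constructed mapping: public address in the routed subnet -> internal client.
WANTED = {
    "203.0.113.1": "10.0.0.11",   # web
    "203.0.113.2": "10.0.0.12",   # mail
    "203.0.113.6": "10.0.0.13",   # jump host
}


def usable_public_addresses(subnet):
    """Addresses that can become Virtual IPs: everything except network and broadcast."""
    return [str(a) for a in subnet.hosts()]


def check_mapping(wanted, subnet=ROUTED_SUBNET, lan=LAN_NET):
    """Return the problems in a public->private mapping (empty list means it is sound)."""
    problems, targets = [], set()
    usable = set(usable_public_addresses(subnet))
    for pub, priv in wanted.items():
        if ip_address(pub) not in subnet:
            problems.append(f"{pub} is outside the routed subnet {subnet}")
        elif pub not in usable:
            problems.append(f"{pub} is the network or broadcast address and cannot be used")
        if ip_address(priv) not in lan:
            problems.append(f"{priv} is outside the LAN {lan}")
        if priv in targets:
            problems.append(f"{priv} is mapped twice; 1:1 NAT needs a distinct internal host per public address")
        targets.add(priv)
    return problems


def render_plan(wanted, subnet=ROUTED_SUBNET, lan=LAN_NET, wan_if="vtnet0"):
    """Render the plan as FreeBSD/pf-style lines. pfSense's GUI writes the real
    ruleset; this is a readable summary of what the GUI entries mean."""
    problems = check_mapping(wanted, subnet, lan)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for pub, priv in sorted(wanted.items(), key=lambda kv: ip_address(kv[0])):
        # Firewall -> Virtual IPs: the public address is an alias on the WAN interface
        lines.append(f"ifconfig {wan_if} inet {pub} netmask 255.255.255.255 alias")
        # Firewall -> NAT -> 1:1: bidirectional translation between the two addresses
        lines.append(f"binat on {wan_if} from {priv} to any -> {pub}")
    # Inbound NAT is applied before the WAN rules are evaluated, so the ICMP rule
    # matches on the internal destination, as the post points out.
    lines.append(f"pass in quick on {wan_if} inet proto icmp from any to {lan} icmp-type echoreq")
    return lines


if __name__ == "__main__":
    print("usable Virtual IPs:", ", ".join(usable_public_addresses(ROUTED_SUBNET)))
    print("\n".join(render_plan(WANTED)))
```

The two rejections worth noting are the broadcast address of the /29 (203.0.113.7, which the Virtual IP list must not contain) and a second public address pointing at the same internal host, which 1:1 NAT cannot express; use a port forward for that case instead.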
Bottom line
Configuring a pfSense VM at Hetzner is not entirely trivial, but it is quite doable. A bit of trial and error is part of it, as it always is with firewalls. One tip: do not lock down access to the Proxmox web interface too early, so that you can still reach the pfSense console from there if you lock yourself out of pfSense while configuring it.
I will be happy to answer questions or to hear about your setups. Mine is certainly not perfect, I know that, but it works reliably for me, which is why I am actually quite happy with it. If you have a good tip, feel free to add it in the comments!
IPv6 configuration
For the IPv6 configuration I have a separate article.
So is 138.201.203.59 your main IP? Or the added one?
Hello,
I have the same question as above. Can you give an example when having 2 IPs?
Thank you.
Just to confirm, you have the default IP address that came with the Hetzner server for the Proxmox dashboard, one single IP for pfSense and a routed subnet, is that right?
Did you order the extra IP with MAC address on the IP page of the vServer, or is there a different spot inside the Robot that I missed?
Same question as Michel.
up ip route add 192.168.0.0/16 via 138.201.203.59 dev vmbr0
up ip route add 172.16.0.0/12 via 138.201.203.59 dev vmbr0
up ip route add 10.0.0.0/8 via 138.201.203.59 dev vmbr0
Is the /29 subnet routed here?