Hetzner – Proxmox / ESX – Sophos / pfSense additional IP network config – working & solved

Got a root server at Hetzner with 1 extra public IP address (next to the one provided). Wanted to install Debian and Proxmox on it so I can have a cheap Virtual Machine host. You can also install VMware ESX, but then you need to ask them to attach a KVM-over-IP unit and I didn't want to bother.

Networking was a bit of a pain but I got it all configured:

– Proxmox is using the first public IP address so you can manage it externally.
– The second public IP address is assigned to Sophos UTM / pfSense or any firewall of your choice.

This firewall will then NAT incoming traffic to your internal VMs. In this example, 188.45.45.87 is the MAIN public IP address and 188.45.45.81 is the ADDITIONAL one.

Proxmox network config: 

# network interface settings
auto lo
iface lo inet loopback
iface eth0 inet manual
iface eth0 inet6 static
 address 2b01:4g8:140:14d7::2
 netmask 64
 gateway fe80::1
auto vmbr0 ## Public IP address for Proxmox
iface vmbr0 inet static
 address 188.45.45.87
 netmask 255.255.255.192
 gateway 188.45.45.65
 bridge_ports eth0
 bridge_stp off
 bridge_fd 0
auto vmbr1 ## Interface for internal LAN networking
iface vmbr1 inet static
 address 192.168.0.254
 netmask 255.255.255.0
 gateway 192.168.0.1
 bridge_ports none
 bridge_stp off
 bridge_fd 0

Check that you can reach your Proxmox server on your public IP address. Now, get an additional IP address using Hetzner's Robot control panel. Once assigned, make sure you request a separate MAC address for the new IP address!!! In this example, 188.45.45.81 has a separate MAC address of 00:50:xx:00:xx:EE


In Proxmox, create a new VM and assign 2 network cards. One will be used for the LAN (vmbr1) and the other one for the WAN (vmbr0).

The MAC address of the WAN card needs to match the MAC address you've requested previously using Hetzner's Robot!

To configure your Sophos or pfSense firewall, you'll need to create an SSH tunnel to the internal IP address of the firewall, as it won't yet be reachable on the additional public IP address, and you'll need to finish the configuration over SSH or in a browser. So, use this command (please adjust for your IP settings):

sudo ssh -L 4444:192.168.0.1:4444 root@188.45.45.87

In your browser, navigate to https://localhost:4444/ and finish configuring your firewall. Important: your WAN IP address is the additional IP address. Gateway and netmask are the same as the MAIN IP address.

Enable a DHCP server on your LAN and that's it! Now you can install your VMs, which get an internal private IP address (as long as you assign vmbr1 in Proxmox to the VM), and use your firewall to NAT outside traffic to the inside.
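Before bringing the firewall VM up, it is worth checking that it is wired the way the steps above describe: exactly one NIC on the WAN bridge carrying the MAC address Hetzner assigned to the additional IP, and exactly one NIC on the LAN bridge. The following Python check is an added example, not code from the original post or from Proxmox; it parses text in the shape of `qm config <vmid>` output. The VM name, the MAC address and the config text are constructed placeholders.

```python
"""Check a Proxmox VM's NICs against the Hetzner additional-IP setup (added example)."""
import re

# Constructed sample in the shape of `qm config <vmid>` output on the Proxmox host.
# The net0 MAC stands in for the one Hetzner's Robot assigned to the additional IP.
SAMPLE_QM_CONFIG = """\
name: fw01
memory: 2048
net0: virtio=00:50:AA:00:BB:EE,bridge=vmbr0
net1: virtio=52:54:00:12:34:56,bridge=vmbr1
ostype: l26
"""

# netX: <model>=<mac>[,key=value,...]
NET_RE = re.compile(r"^(net\d+):\s*(\w+)=([0-9A-Fa-f:]{17})(?:,(.*))?$")


def parse_nics(qm_config: str) -> dict:
    """Return {"netX": {"model", "mac", "bridge"}} for every netX line."""
    nics = {}
    for line in qm_config.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        name, model, mac, rest = m.groups()
        opts = dict(kv.split("=", 1) for kv in (rest or "").split(",") if "=" in kv)
        nics[name] = {"model": model, "mac": mac.lower(), "bridge": opts.get("bridge")}
    return nics


def check_firewall_vm(qm_config: str, hetzner_mac: str,
                      wan_bridge: str = "vmbr0", lan_bridge: str = "vmbr1") -> list:
    """Return a list of problems; an empty list means the VM matches the setup."""
    nics = parse_nics(qm_config)
    problems = []
    wan = [n for n in nics.values() if n["bridge"] == wan_bridge]
    lan = [n for n in nics.values() if n["bridge"] == lan_bridge]
    if len(wan) != 1:
        problems.append(f"expected exactly one NIC on {wan_bridge}, found {len(wan)}")
    if len(lan) != 1:
        problems.append(f"expected exactly one NIC on {lan_bridge}, found {len(lan)}")
    # Hetzner only routes the additional IP to the MAC it assigned, so the WAN
    # NIC must carry exactly that address.
    if wan and wan[0]["mac"] != hetzner_mac.lower():
        problems.append(f"WAN NIC MAC {wan[0]['mac']} does not match "
                        f"Hetzner-assigned {hetzner_mac.lower()}")
    return problems


if __name__ == "__main__":
    # Placeholder MAC; substitute the one shown in Hetzner's Robot.
    for p in check_firewall_vm(SAMPLE_QM_CONFIG, "00:50:AA:00:BB:EE"):
        print("PROBLEM:", p)
```

On a real host you would feed it the output of `qm config <vmid>` instead of the constructed sample; the MAC comparison is case-insensitive because Robot and Proxmox do not agree on letter case.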

Sophos / Astaro UTM – Limit and separate SMTP Proxy IP addresses

By default, Sophos / Astaro UTM's SMTP Proxy listens on all external IP addresses. Quite annoying if you have an internal mail server that you want your external users to use for sending (authenticated) email, since UTM will intercept all SMTP traffic.

Here’s how I solved that (only works if you have at least 2 public IP addresses).

– NAT one external public IP address to your internal mail server (forward at least ports 25, 465 and 587); use the IP address of (for example) mail.yourdomain.com. In this example I use 23.37.149.232 (WAN – FW2).
(screenshot: NAT to mailserver)

– enable SMTP proxy on your UTM (your UTM will now listen on all your external public IP addresses)

– configure SMTP routing to forward MX emails to your internal server
(screenshot: SMTP proxy routing)

– SSH to your UTM and become root

– with vi, edit this file: /var/storage/chroot-smtp/etc/exim.conf

– edit this line, remove the # and enter the public IP address(es) that your MX record points to (like mx.yourdomain.com):
local_interfaces = 23.37.149.233:81.37.153.126:59.94.132.164
(I have 3 SDSL lines on my Sophos UTM box; separate each entry with a colon, as in the line above, which is Exim's default list separator)

– restart your EXIM service:
/var/mdw/scripts/smtp restart

Check your SMTP Proxy log file; something like this should appear:
listening for SMTP on [23.37.149.233]:25 [23.37.149.233]:587 [81.37.153.126]:25 [81.37.153.126]:587 [59.94.132.164]:25 [59.94.132.164]:587

Done. Now, Sophos UTM will intercept your incoming MX traffic (and, if set up right, forward non-junk emails to your internal mail server) while the other IP address is usable by your users as an authenticated relay server. 23.37.149.232 is used directly by the mail server; 23.37.149.233, 81.37.153.126 and 59.94.132.164 are used by Sophos as incoming MX server.
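The end state of the steps above has two invariants: the proxy's `local_interfaces` list must contain every IP that the MX records point to and must not contain the IP that is NAT'd to the internal mail server, and the "listening for SMTP on" log line must agree with that list. The Python check below is an added example (not code from the post or from Sophos) that parses an exim.conf fragment and a log line in the shape shown above and reports any violation. The IP addresses, the config fragment and the log line are constructed to mirror the post.

```python
"""Verify the split between the NAT'd mail-server IP and the UTM SMTP proxy IPs (added example)."""
import ipaddress
import re

# Constructed values mirroring the post: the IP forwarded to the internal mail server,
# the IPs the UTM's own SMTP proxy (Exim) should bind to, and the exim.conf fragment.
MAILSERVER_NAT_IP = "23.37.149.232"
PROXY_IPS = ["23.37.149.233", "81.37.153.126", "59.94.132.164"]
EXIM_CONF = """\
# other settings above
local_interfaces = 23.37.149.233:81.37.153.126:59.94.132.164
"""
# Constructed line in the shape of the SMTP proxy log output shown in the post.
LOG_LINE = ("listening for SMTP on [23.37.149.233]:25 [23.37.149.233]:587 "
            "[81.37.153.126]:25 [81.37.153.126]:587 "
            "[59.94.132.164]:25 [59.94.132.164]:587")


def parse_local_interfaces(conf: str) -> list:
    """Return the IPv4 addresses from an uncommented local_interfaces line.

    Exim's default list separator is ':', which is why the post's line uses colons.
    A missing or commented-out line means Exim binds to every interface.
    """
    for line in conf.splitlines():
        m = re.match(r"^\s*local_interfaces\s*=\s*(.+?)\s*$", line)
        if m:
            return [ipaddress.ip_address(p.strip()) for p in m.group(1).split(":") if p.strip()]
    return []


def parse_listening(log_line: str) -> set:
    """Return the set of (ip, port) tuples from a 'listening for SMTP on' log line."""
    return {(ipaddress.ip_address(ip), int(port))
            for ip, port in re.findall(r"\[([0-9.]+)\]:(\d+)", log_line)}


def check_split(conf: str, log_line: str, nat_ip: str, proxy_ips: list) -> list:
    """Return a list of problems; empty means proxy and NAT'd IP are cleanly separated."""
    problems = []
    bound = parse_local_interfaces(conf)
    nat = ipaddress.ip_address(nat_ip)
    expected = {ipaddress.ip_address(ip) for ip in proxy_ips}
    if not bound:
        problems.append("local_interfaces not set: proxy will listen on every public IP")
    if nat in bound:
        problems.append(f"{nat_ip} is NAT'd to the mail server but also bound by the proxy")
    if set(bound) != expected:
        problems.append("local_interfaces differs from the intended proxy IPs")
    listening_ips = {ip for ip, _ in parse_listening(log_line)}
    if listening_ips != expected:
        problems.append("log shows the proxy listening on different IPs than intended")
    if nat in listening_ips:
        problems.append(f"log shows the proxy listening on the NAT'd IP {nat_ip}")
    return problems


if __name__ == "__main__":
    for p in check_split(EXIM_CONF, LOG_LINE, MAILSERVER_NAT_IP, PROXY_IPS):
        print("PROBLEM:", p)
```

Run it against the real file (/var/storage/chroot-smtp/etc/exim.conf) and the real log line after the restart; if you ever add IPv6 addresses, note that Exim's colon separator clashes with them and the list must switch to another separator, so this parser would need the same change.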