{"id":2328,"date":"2015-03-18T14:26:09","date_gmt":"2015-03-18T13:26:09","guid":{"rendered":"http:\/\/blog.campodoro.org\/?p=2328"},"modified":"2015-03-18T14:29:06","modified_gmt":"2015-03-18T13:29:06","slug":"hetzner-proxmox-esx-sophos-pfsense-additional-ip-network-config-working-solved","status":"publish","type":"post","link":"https:\/\/blog.campodoro.org\/?p=2328","title":{"rendered":"Hetzner – Proxmox \/ ESX – Sophos \/ pfSense additional IP network config – working & solved"},"content":{"rendered":"

Got a root server at Hetzner with 1 extra public IP address (next to the one provided). Wanted to install Debian and Proxmox on it so I can have a cheap Virtual Machine host. You can also install VMware ESX but then you need to ask them to attach a KVM-over-IP unit and didn’t want to bother.<\/p>\n

Networking was a bit of a pain but I got it all configured:<\/p>\n

– Proxmox is using the first public IP address so you can manage it externally.
\n– The second public IP address is needed to assign it to Sophos UTM \/ pfSense or any firewall of your choice.<\/p>\n

This firewall will then NAT incoming traffic to your internal VM’s. In this example,\u00c2\u00a0188.45.45.87 is the MAIN <\/strong>public IP address and\u00c2\u00a0188.45.45.81 is the ADDITIONAL<\/strong> one.<\/p>\n

Proxmox network config:\u00c2\u00a0<\/strong><\/p>\n

# network interface settings\r\nauto lo\r\niface lo inet loopback<\/pre>\n
iface eth0 inet manual<\/pre>\n
iface eth0 inet6 static\r\n address 2b01:4g8:140:14d7::2\r\n netmask 64\r\n gateway fe80::1<\/pre>\n
auto vmbr0 ## Public IP address for Proxmox\r\niface vmbr0 inet static\r\n address 188.45.45.87\r\n netmask 255.255.255.192\r\n gateway 188.45.45.65\r\n bridge_ports eth0\r\n bridge_stp off\r\n bridge_fd 0<\/pre>\n
auto vmbr1 ## Interface for internal LAN networking\r\niface vmbr1 inet static\r\n address 192.168.0.254\r\n netmask 255.255.255.0\r\n gateway 192.168.0.1\r\n bridge_ports none\r\n bridge_stp off\r\n bridge_fd 0<\/pre>\n
Check if you can reach your Proxmox server on your public IP address. Now, get an additional IP address using Hetzner’s Robot control panel. Once assigned, make sure you request a separate MAC address for the new IP address<\/strong> !!! In this example, 188.45.45.81 has a separate MAC address of 00:50:xx:00:xx:EE<\/p>\n
\"Screen<\/a><\/p>\n
In Proxmox, create a new VM and assign 2 network cards. One will be used for the LAN (vmbr1)<\/strong> and the other one for the WAN (vmbr0).<\/strong> \"Screen<\/a> \u00c2\u00a0 The MAC address of the WAN address needs to match the MAC address you’ve requested previously using Hetzner’s Robot !<\/strong> \"Screen<\/a> \u00c2\u00a0 \u00c2\u00a0 \u00c2\u00a0 To configure your Sophos or pfSense firewall, you’ll need to create a SSH tunnel to the internal IP address of the firewall, as it won’t yet have the additional public IP address configured and probably need to finish the configuration using SSH or a browser. So, use this command (please adjust for your IP settings):<\/p>\n
sudo ssh -L 4444:192.168.0.1:4444 root@188.45.45.87<\/pre>\n
In your browser, navigate to https:\/\/localhost:4444\/ and finish configuring your firewall. Important: your WAN IP address is the additional IP address.<\/strong> Gateway and netmask are the same as the MAIN IP address.<\/p>\n
Enable a DHCP server on your LAN and that’s it! Now you can install your VM’s and get an internal private IP address (as long as you assign vmbr01 in Proxmox to the VM) and use your firewall to NAT outside traffic to the inside.<\/p>\n
 \"Post<\/a> Tweet<\/a> \"Post<\/a> Post to Delicious<\/a> \"Post<\/a> Post to Facebook<\/a><\/p><\/div>","protected":false},"excerpt":{"rendered":"
Got a root server at Hetzner with 1 extra public IP address (next to the one provided). Wanted to install Debian and Proxmox on it so I can have a cheap Virtual Machine host. You can also install VMware ESX … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[175,231,10],"tags":[232,236,233],"class_list":["post-2328","post","type-post","status-publish","format-standard","hentry","category-firewall","category-hosting","category-linux","tag-hetzner","tag-hosting","tag-root-server"],"_links":{"self":[{"href":"https:\/\/blog.campodoro.org\/index.php?rest_route=\/wp\/v2\/posts\/2328"}],"collection":[{"href":"https:\/\/blog.campodoro.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.campodoro.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.campodoro.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.campodoro.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2328"}],"version-history":[{"count":5,"href":"https:\/\/blog.campodoro.org\/index.php?rest_route=\/wp\/v2\/posts\/2328\/revisions"}],"predecessor-version":[{"id":2342,"href":"https:\/\/blog.campodoro.org\/index.php?rest_route=\/wp\/v2\/posts\/2328\/revisions\/2342"}],"wp:attachment":[{"href":"https:\/\/blog.campodoro.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2328"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.campodoro.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2328"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.campodoro.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2328"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}