Networking Server SysAdmin Technology Virtualization

Deploying Proxmox 7 behind a firewall VM

How I run Proxmox with a single IP and MAC address.


Behind the scenes, I’ve steadily been working towards an initial release for live video streaming from a ranch where people can watch livestock and even join live video streaming from light equipment such as drones, and heavy equipment such as tractors, broadcast by channel-bonding Starlink and T-Mobile for high bandwidth and low latency in a similar manner as seen on Live PD / On Patrol Live thanks to multipathing.

As a result, I’ve been reorganizing some of the Virtual Private Servers that I use and began consolidating several of them from providers such as Digital Ocean, Linode, and BuyVM to bare-metal servers that run on Proxmox since the costs for multiple virtual servers were balancing out to the cost of dedicated servers at Hetzner:

As I was setting up my servers and their virtual machines, I found that Hetzner’s switches only allow a server’s physical MAC Address on the network and received an e-mail from their abuse department when they saw virtual MAC addresses appear on the network due to an initial configuration where I was running Virtual Machines in bridged mode. So, I’ll also show how I tucked it all behind the required MAC address with a virtualized firewall and got everything working, including using Traefik 2 with Server Name Indication so that I can pile on multiple sites and services running in different Virtual Machines and Containers under a single IP address.

From sifting through documentation, YouTube, forums, and Reddit, it seems that most people set up a dedicated server and use the initial, reciprocal IP address to reach Proxmox, and then purchase an additional IP address that they route to a virtual firewall that’s responsible for all of the virtual machines and register a Virtual MAC address with Hetzner for the additional IP address(es). It is unnecessary and a continuous waste of money due to a recurring monthly charge, but it’s also squandering precious, exhausted IPv4 addresses. I finally found a Proxmox forum post where someone mentioned how they did it with a single IP address but didn’t provide many instructions, and the configuration they posted also didn’t work when I tried it — until I modified it.

In this article, I will cover the following:

  1. Leasing the server
  2. Discovering server network information
  3. Configuring Proxmox
  4. Configuring a virtualized firewall
  5. Configuring Virtual Machines to run behind the virtualized firewall
  6. Configuring Proxmox’s internal firewall to allow intercommunication between Virtual Machines on a bridge
  7. Automating external HTTPS certificates for Proxmox and the firewall
  8. Optional additions
    1. Storage that both the Proxmox host and the Virtual Machines can use.
    2. IP addresses
      • via Hetzner’s data center
      • Wireguard-based site-to-site VPN
    3. Direct subnet routing via Tailscale to VMs and Containers
  9. Recovery when something fails — one misconfiguration in your virtualized firewall can cause everything to fail and fully knock you out of the system!

This article required many late nights spread out over several weeks to write, and cost approximately €100 in order to document every step of the way. If you’d like to buy me a coffee, I’d appreciate it.

4 replies on “Deploying Proxmox 7 behind a firewall VM”

Great post. Thank you so much – exactly what I was looking for!
But I’m missing a step-by-step guide to include Traefik 2 to your setup.
Or can’t I simply find it?

Leave a Reply

Your email address will not be published. Required fields are marked *