This article required many late nights spread out over several weeks to write, and cost approximately €100 in order to document every step of the way. If you’d like to buy me a coffee, I’d appreciate it.
Behind the scenes, I’ve steadily been working toward an initial release of live video streaming from a ranch, where viewers can watch livestock and even join live streams from light equipment such as drones and heavy equipment such as tractors. The video is broadcast by channel-bonding Starlink and T-Mobile for high bandwidth and low latency, using multipathing in the same way Live PD / On Patrol Live do.
As a result, I’ve been reorganizing the Virtual Private Servers I use and began consolidating several of them from providers such as DigitalOcean, Linode, and BuyVM onto bare-metal servers running Proxmox, since the cost of multiple virtual servers was approaching the cost of dedicated servers at Hetzner.
As I was setting up my servers and their virtual machines, I found that Hetzner’s switches only allow a server’s physical MAC address on the network. I received an e-mail from their abuse department when virtual MAC addresses appeared on the network, because my initial configuration ran the Virtual Machines bridged onto the public interface. So I’ll also show how I tucked everything behind the one permitted MAC address with a virtualized firewall and got it all working, including Traefik 2 with Server Name Indication (SNI) so that I can pile multiple sites and services, running in different Virtual Machines and Containers, onto a single IP address.
From sifting through documentation, YouTube, forums, and Reddit, it seems that most people set up a dedicated server, use the primary IP address that comes with it to reach Proxmox, and then purchase an additional IP address that they route to a virtual firewall responsible for all of the virtual machines, registering a virtual MAC address with Hetzner for the additional IP address(es). That is unnecessary, a continuous waste of money through a recurring monthly charge, and it squanders precious, exhausted IPv4 addresses. I finally found a Proxmox forum post where someone mentioned doing it with a single IP address, but they didn’t provide many instructions, and the configuration they posted also didn’t work when I tried it, until I modified it.
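To make the single-IP layout concrete before the step-by-step sections, here is a sketch of the Proxmox host’s `/etc/network/interfaces` for that design. This is an added illustration, not the author’s configuration (which follows later in the article): the interface name, the addresses from the 203.0.113.0/24 documentation range, and the firewall VM’s address 10.0.0.2 are placeholders. The public IP stays on the physical NIC, so the only MAC Hetzner’s switch ever sees is the server’s own; the firewall VM sits on an internal bridge with no physical ports, the host source-NATs its traffic and hands inbound 80/443 to it, and every other VM hangs off a second internal bridge behind the firewall.

```text
# /etc/network/interfaces on the Proxmox host (ifupdown2).
# Placeholders: enp0s31f6 = physical NIC, 203.0.113.10/26 = the single public
# IP Hetzner assigned, 203.0.113.1 = its gateway, 10.0.0.2 = the firewall VM's
# WAN-side address. Replace these with the values from your own server.
auto lo
iface lo inet loopback

# The public IP lives on the physical NIC, so the only MAC on Hetzner's
# switch is the one that belongs to the server. No VM is bridged to it.
auto enp0s31f6
iface enp0s31f6 inet static
    address 203.0.113.10/26
    gateway 203.0.113.1

# Internal "WAN-side" bridge: host <-> firewall VM only. No physical ports,
# so virtual MACs never leave the box.
auto vmbr0
iface vmbr0 inet static
    address 10.0.0.1/30
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
    # Outbound: source-NAT the firewall VM behind the host's public IP.
    post-up   iptables -t nat -A POSTROUTING -s 10.0.0.0/30 -o enp0s31f6 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s 10.0.0.0/30 -o enp0s31f6 -j MASQUERADE
    # Inbound: hand HTTP/HTTPS to the firewall VM, which fronts Traefik.
    # 22 and 8006 are deliberately NOT forwarded, so SSH and the Proxmox web
    # UI stay reachable on the host even when the firewall VM is down.
    post-up   iptables -t nat -A PREROUTING -i enp0s31f6 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.0.0.2
    post-down iptables -t nat -D PREROUTING -i enp0s31f6 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.0.0.2

# "LAN-side" bridge for every other VM and container. The host has no
# address here; the firewall VM's second NIC is this segment's gateway.
auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
```

Apply it with `ifreload -a` only while you have an out-of-band path back in (Hetzner’s rescue system or a remote console), because a typo in this file is exactly the lock-out the recovery section warns about. Two caveats: Hetzner sometimes hands out a gateway that is outside the address’s netmask, in which case the `pointopoint` form from their documentation is needed instead of a plain `gateway` line; and the DNAT rules only deliver traffic if the host’s FORWARD chain permits it, which is what the Proxmox firewall section later has to get right.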
In this article, I will cover the following:
- Leasing the server
- Discovering server network information
- Configuring Proxmox
- Configuring a virtualized firewall
- Configuring Virtual Machines to run behind the virtualized firewall
- Configuring Proxmox’s internal firewall to allow intercommunication between Virtual Machines on a bridge
- Automating external HTTPS certificates for Proxmox and the firewall
- Optional additions
  - Storage that both the Proxmox host and the Virtual Machines can use
  - Additional IP addresses
    - via Hetzner’s data center
  - WireGuard-based site-to-site VPN
  - Direct subnet routing via Tailscale to VMs and Containers
- Recovery when something fails: one misconfiguration in your virtualized firewall can cause everything to fail and lock you out of the system entirely!
Table of Contents