
Deploying Proxmox 7 behind a firewall VM

How I run Proxmox with a single IP and MAC address.

This article required many late nights spread out over several weeks to write, and cost approximately €100 in order to document every step of the way. If you’d like to buy me a coffee, I’d appreciate it.

Introduction

Behind the scenes, I’ve steadily been working towards an initial release for live video streaming from a ranch where people can watch livestock and even join live video streaming from light equipment such as drones, and heavy equipment such as tractors, broadcast by channel-bonding Starlink and T-Mobile for high bandwidth and low latency in a similar manner as seen on Live PD / On Patrol Live thanks to multipathing.

As a result, I’ve been reorganizing some of the Virtual Private Servers that I use and began consolidating several of them from providers such as DigitalOcean, Linode, and BuyVM onto bare-metal servers running Proxmox, since the cost of multiple virtual servers was approaching the cost of dedicated servers at Hetzner.

As I was setting up my servers and their virtual machines, I found that Hetzner’s switches only allow a server’s physical MAC address on the network. My initial configuration ran the Virtual Machines in bridged mode, so their virtual MAC addresses appeared on Hetzner’s network and I received an e-mail from their abuse department. So, I’ll also show how I tucked everything behind the required MAC address with a virtualized firewall and got it all working, including Traefik 2 with Server Name Indication, so that I can pile on multiple sites and services running in different Virtual Machines and Containers under a single IP address.
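A quick way to confirm that no VM MAC address is leaking onto the uplink before the hosting provider notices it is to read the Linux bridge’s forwarding database. The check below is an added example, not from the original article: it parses the output of iproute2’s `bridge fdb show` (the sample text is constructed, and the interface names `eno1`/`vmbr0` and all MAC addresses are assumptions), finds the bridge the physical NIC is attached to, and lists every learned, non-multicast MAC on any other port of that bridge, since those are the source addresses that will be forwarded out to the switch.

```python
import re

# Constructed sample of `bridge fdb show` on a Proxmox host where two VMs are
# bridged straight onto the uplink bridge vmbr0 (the configuration that drew
# the abuse e-mail). A third VM sits on an internal bridge vmbr1 and is fine.
SAMPLE_FDB = """\
01:00:5e:00:00:01 dev eno1 self permanent
33:33:00:00:00:01 dev eno1 self permanent
a8:a1:59:00:11:22 dev eno1 master vmbr0 permanent
fe:11:22:33:44:55 dev tap100i0 master vmbr0 permanent
bc:24:11:aa:bb:cc dev tap100i0 master vmbr0
bc:24:11:dd:ee:ff dev tap101i0 master vmbr0
01:00:5e:00:00:01 dev vmbr0 self permanent
bc:24:11:12:34:56 dev tap102i0 master vmbr1
"""

# One fdb line: "<mac> dev <port> [master <bridge>] [self] [permanent] [vlan N]"
FDB_LINE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) dev (?P<dev>\S+)"
    r"(?: master (?P<master>\S+))?(?P<flags>(?: \S+)*)$"
)


def is_multicast(mac):
    # Multicast/broadcast MACs have the low bit of the first octet set.
    return int(mac.split(":")[0], 16) & 1 == 1


def parse_fdb(text):
    entries = []
    for line in text.splitlines():
        m = FDB_LINE.match(line.strip().lower())
        if m:
            entries.append({"mac": m["mac"], "dev": m["dev"],
                            "master": m["master"], "flags": m["flags"].split()})
    return entries


def leaked_macs(fdb_text, uplink, physical_mac):
    """Return sorted (mac, port) pairs that would leave the host through
    `uplink` with a source MAC other than `physical_mac`."""
    entries = parse_fdb(fdb_text)
    bridges = {e["master"] for e in entries if e["dev"] == uplink and e["master"]}
    if not bridges:
        return []  # uplink is not enslaved to any bridge: nothing can leak
    bridge = bridges.pop()
    leaks = []
    for e in entries:
        if e["master"] != bridge or e["dev"] == uplink:
            continue
        # Permanent entries are the ports' own addresses; learned ones are VMs.
        if "permanent" in e["flags"] or is_multicast(e["mac"]):
            continue
        if e["mac"] != physical_mac.lower():
            leaks.append((e["mac"], e["dev"]))
    return sorted(leaks)
```

On a live host, feed it the real output with `leaked_macs(subprocess.check_output(["bridge", "fdb", "show"], text=True), "eno1", "<physical MAC>")`; an empty list means only the physical address is visible to the switch.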

From sifting through documentation, YouTube, forums, and Reddit, it seems that most people set up a dedicated server, use the server’s initial IP address to reach Proxmox, then purchase an additional IP address that they route to a virtual firewall responsible for all of the virtual machines, and register a virtual MAC address with Hetzner for the additional IP address(es). Not only is this unnecessary and a recurring monthly charge, it also squanders scarce, exhausted IPv4 addresses. I finally found a Proxmox forum post where someone mentioned how they did it with a single IP address, but they didn’t provide many instructions, and the configuration they posted didn’t work when I tried it until I modified it.

In this article, I will cover the following:

  1. Leasing the server
  2. Discovering server network information
  3. Configuring Proxmox
  4. Configuring a virtualized firewall
  5. Configuring Virtual Machines to run behind the virtualized firewall
  6. Configuring Proxmox’s internal firewall to allow intercommunication between Virtual Machines on a bridge
  7. Automating external HTTPS certificates for Proxmox and the firewall
  8. Optional additions
    1. Storage that both the Proxmox host and the Virtual Machines can use.
    2. IP addresses
      • via Hetzner’s data center
      • Wireguard-based site-to-site VPN
    3. Direct subnet routing via Tailscale to VMs and Containers
  9. Recovery when something fails — one misconfiguration in your virtualized firewall can cause everything to fail and fully knock you out of the system!

10 replies on “Deploying Proxmox 7 behind a firewall VM”

Great post. Thank you so much – exactly what I was looking for!
But I’m missing a step-by-step guide to include Traefik 2 to your setup.
Or can’t I simply find it?

Great post. Thanks!
I’m just in the process of replicating your setup.
Nearly everything is working but I can’t get any DNS servers working on OPT2. The traffic is routed over the WireGuard-VPN, all fine.
But it seems that any UDP traffic is blocked and I can’t figure out where to unblock it. Any hints much appreciated! Thank you.

Hi Andreas,

Off the top of my head, maybe I forgot to document the DNS Resolver section. I will have to go re-read my article and look for anything that I might have missed, but I am in the middle of bee season (video of some of it: https://LTG.FYI/YouTube) and helping restore multiple ranches, so it may take me a moment.

I’ll e-mail you and try to figure it out with you. Once you and I figure this out, I’ll make appropriate edits to the article or one of us can write here in the comments about what needed to be changed.

Thanks,
Louis

EDIT: I e-mailed you and the e-mail bounced back as an invalid address. Please feel free to reach out again with a way for me to contact you, so that we can try and figure out what the problem is.

Thank you so much for your tutorial!!!

I can’t access the Ingress server from the VMS_Hetzner network, from external it’s working.
Like in your example: “Now I can access the simple server remotely by visiting http://65.109.71.115:8000”
I can access the website from my browser, but not from a browser running with any VM on the VMS_Hetzner network.
Any idea which Firewall rule is blocking the access from VMS_Hetzner to WAN_Hetzner?

Hi Loomer, you are most welcome! 🙂

I used the interface’s address for the VMs to access the firewall interface. Please see https://thad.getterman.org/articles/proxmox-7-behind-firewall-vm/5/#live_desktop for an example of a Virtual Machine accessing the firewall’s GUI via the VM interface address to configure it instead of the WAN address.

Best regards,
Louis

EDIT: I e-mailed you and the e-mail bounced back as an invalid address. Please feel free to reach out again with a way for me to contact you.

I am new to Proxmox and your article just blew me away.

I just got the Hetzner with 15 HDDs (no NVMe) and I asked for KVM to install Proxmox directly on the bare metal.

But you do some sort of magic.
You boot into recovery and install Proxmox in QEMU?
I cannot say I follow.
I am not sure I follow (and obviously I already broke my setup trying to change the network settings).

Hi Marcin,

I’ll e-mail you so that we can schedule a time for me to have office hours with you; you screen share with me in observation mode so that I can tell you what to click on and help you get up and running.

I’ll make a YouTube video out of it and then add one or more relevant videos to this article.

Talk soon,
Louis T. Getterman IV
