Conclusion
I tried to cover all of the basics that I use for launching a dedicated, bare-metal server. If there’s something that you’d like to see in this article, please comment below so that I can revise this article.
Discussion
Thanks to Reddit user BitterPuddin for their comment and providing a copy of their /etc/network/interfaces file which allows them to skip a virtualized firewall:
# Make a private virtual LAN for your containers/vms,
# nat services though to them from your single ip.
# Here is an example interfaces file where I am running
# a webserver on a proxmox box in azure.
auto lo
iface lo inet loopback
iface enPXXXXs1 inet manual
auto eth0
iface eth0 inet static
address 10.XX.12.5/24
gateway 10.XX.12.1
auto vmbr0
iface vmbr0 inet static
address 10.XX.14.1/24
gateway 10.XX.12.1
bridge-ports none
bridge-stp off
bridge-fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.XX.14.0/24' -o eth0 -j MASQUERADE
post-up iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j DNAT --to 10.XX.14.2:443
post-up iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 10.XX.14.2:80
post-down iptables -t nat -D POSTROUTING -s '10.XX.14.0/24' -o eth0 -j MASQUERADE
The reason why a virtualized firewall with a GUI is preferred boils down to:
See also
- Traefik 2.5 quick-start guide
- Simple certs with Docker-Dehydrated
- Moshing in a field
- Shoe horn v1.1 released
External links
- Proxmox
- Hetzner
- Proxmox forum post: [TUTORIAL] Proxmox @ Hetzner, using a single public IPv4 address (+IPv6/64) while all traffic, including host goes through virtualized Firewall (ex. Pfsense)
- GitHub Gist: Install any OS on Hetzner VDS | Proxmox with ZFS on Hetzner VDS
Did this article save you time or money? I'd love a coffee!
Did you find this useful?
Please share with those who you believe would find this useful too!
10 replies on “Deploying Proxmox 7 behind a firewall VM”
Excelente post
Thanks, John!
Great post. Thank you so much – exactly what I was looking for!
But I’m missing a step-by-step guide to include Traefik 2 to your setup.
Or can’t I simply find it?
Hi Fred,
I try to split complex topics into their own articles. You can find my Traefik 2 guide at https://LTG.FYI/Traefik-2. Please let me know if you have further questions, and I’ll try to answer them here or perhaps write additional articles.
Best regards,
Louis
Great post. Thanks!
I’m just in the process to replicate your setup.
Nearly everything is working but I can’t get any DNS servers working on OPT2. The traffic is routed over the WireGuard-VPN, all fine.
But it seems that any UDP traffic is blocked and I can’t figure out where to unblock it. Any hints much appreciated! Thank you.
Hi Andreas,
Off the top of my head, maybe I forgot to document the DNS Resolver section, but will have to go re-read my article and look for anything that I might have missed, but am in the middle of bee season (video of some of it: https://LTG.FYI/YouTube) and helping restore multiple ranches, so it may take me a moment.
I’ll e-mail you and try to figure it out with you. Once you and I figure this out, I’ll make appropriate edits to the article or one of us can write here in the comments about what needed to be changed.
Thanks,
Louis
EDIT: I e-mailed you and the e-mail bounced back as an invalid address. Please feel free to reach out again with a way for me to contact you, so that we can try and figure out what the problem is.
Thank you so much for your tutorial!!!
I can’t access the Ingress server from the VMS_Hetzner network, from external it’s working.
Like in your example: “Now I can access the simple server remotely by visiting http://65.109.71.115:8000”
I can access the website from my browser, but not from a browser running with any VM on the VMS_Hetzner network.
Any idea which Firewall rule is blocking the access from VMS_Hetzner to WAN_Hetzner?
Hi Loomer, you are most welcome! 🙂
I used the interface’s address for the VMs to access the firewall interface. Please see https://thad.getterman.org/articles/proxmox-7-behind-firewall-vm/5/#live_desktop for an example of a Virtual Machine accessing the firewall’s GUI via the VM interface address to configure it instead of the WAN address.
Best regards,
Louis
EDIT: I e-mailed you and the e-mail bounced back as an invalid address. Please feel free to reach out again with a way for me to contact you.
I am new to proxmox and your article just blew me away.
I just got the hetzner with 15hdd (no nvme) and I asked for KVM to install proxmox directly on the baremetal
But you do some sort of magic.
you boot into recovery and install proxmox in qemu?
I cannot say I follow
I am not sure I follow (and obviously I already broke my setup trying to change the network settings)
Hi Marcin,
I’ll e-mail you so that we can schedule a time for me to have office hours with you; you screen share with me in observation mode so that I can tell you what to click on and help you get up and running.
I’ll make a YouTube video out of it and then add one or more relevant videos to this article.
Talk soon,
Louis T. Getterman IV