Deployment
Egress

In order to make egress traffic, you’ll want to copy the default “Allow all” rule from the PROXMOX
rules to the VMS_HETZNER
rules. You can do so by clicking on the Copy icon which is in between the Edit and Disable icons. When you have the option to edit your duplicated rule, change the Interface option from PROXMOX
to VMS_HETZNER
and the Source from PROXMOX
net to VMS_HETZNER net
, and then click on the Save button.
Set up a temporary Virtual Machine using the Ubuntu Desktop trial in the same manner that we used it to initially configure the firewall. As you’re creating the Virtual Machine, be sure to set the Network bridge to vmbr2
so that it’s on the first LAN dedicated to the initial Static IP of the firewall (I’ll demonstrate the second LAN in a subsequent section). From there, you can Google “What is my IP?” and you should see your server’s IP address.
Ingress

A DHCP server should be running for your LAN network, but if it’s not, you can enable it by clicking on Services → DHCP Server → VMS_HETZNER → Enable DHCP server on VMS_HETZNER interface.

To discover your Virtual Machine’s IP address with CIDR, run the following command in a terminal:
ip -f inet addr show | awk '/inet / {print $2}' | tail -n1
In my case, my Virtual Machine’s DHCP-assigned IP address is 172.16.0.200
.

On this same Virtual Machine, you can use Python 3’s simple HTTP Server module to serve the contents of the desktop on port 8000 by opening a terminal and running the following command:
python3 -m http.server --directory ~/Desktop/ 8000
You can confirm that it’s working by opening a web browser inside of the Virtual Machine and going to http://localhost:8000 and should see a screen similar to this screenshot.

Remember earlier where we created NAT rules to access Proxmox from the Internet? The same principle applies here. Now that we have a web server running in a Virtual Machine on port 8000, we need to expose the port to the Internet. We’ll set the target IP to the one that we discovered above, 172.16.0.200
.
Aside from a simple demonstration and for a real-world deployment, you would assign a Static DHCP IP Address to the Virtual Machine in the firewall DHCP Server page for the interface or set the Virtual Machine’s IP address manually.
4 replies on “Deploying Proxmox 7 behind a firewall VM”
Excelente post
Thanks, John!
Great post. Thank you so much – exactly what I was looking for!
But I’m missing a step-by-step guide to include Traefik 2 to your setup.
Or can’t I simply find it?
Hi Fred,
I try to split complex topics into their own articles. You can find my Traefik 2 guide at https://LTG.FYI/Traefik-2. Please let me know if you have further questions, and I’ll try to answer them here or perhaps write additional articles.
Best regards,
Louis