Hetzner: Setting up Proxmox Networking with multiple IP addresses using MAC addresses

Proxmox is an open-source server management platform for virtualization that runs the KVM hypervisor and LXC containers. The more services you run, the more likely it is that you want to access those services externally. In that case Proxmox acts as middleware and forwards the incoming packets to the container/VM.

You could do that forwarding directly with iptables, but this is not recommended. The more your infrastructure grows, the more complex it gets to manage all the port forwarding. It should also be avoided from a security perspective, because even with a simple port scan attackers might detect other services (like the Proxmox web interface). I therefore recommend using additional IP addresses to overcome these issues.

Configuring Proxmox

With additional IP addresses, you can forward all packets directly to your container/VM. There are two ways of doing this: a routed configuration and a bridged configuration. Hetzner provides a sample configuration for both. With the bridged configuration, you specify via the MAC address which IP address to use. This option keeps you flexible in the number of IP addresses.

Network Configuration

Open your network configuration at /etc/network/interfaces:

# remove or disable configuration for eth0
#auto eth0
#iface eth0 inet static

auto vmbr0
iface vmbr0 inet static
        address <MainIP>
        broadcast <Broadcast>
        gateway <Gateway>
        bridge-ports eth0
        bridge-stp off
        bridge-fd 1
        bridge-hw eth0
        pointopoint <Gateway>
# Public IP

auto vmbr1
iface vmbr1 inet static
        address 172.22.22.254/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
# Local network

The configuration above is an extension of the recommended configuration from Hetzner. We are using two bridges. vmbr0 is the public bridge, on which you can later define which IP address your traffic should go over.

The second interface vmbr1 is a private network used for internal communication between your containers.

OPNsense

With the setup above you are ready to use OPNsense. As you know, OPNsense requires 2 network cards, one for LAN and one for WAN. In order to use your additional IP address now, you must first request a MAC address for your additional IP in your Hetzner Account:

For this, head to your Robot account and select your server. Next to your IP address you should see a network icon, where you can request a MAC address.

After you have requested the MAC address, hover over your IP address and you should see your separate MAC.

Now head to the configuration of your virtual machine in Proxmox and add a network card.

Now enter the MAC address you requested earlier and select vmbr0 as the bridge. Use this network device as WAN.

All traffic for this IP address should now go through this VM!
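Because the bridged setup ties each additional IP to a MAC address, a mistyped MAC or an extra NIC on vmbr0 is worth checking for. The following is an added example, not part of the original post: it parses the netN lines of a Proxmox VM config and lists NICs on the public bridge whose MAC is not one you requested. The sample config, the MAC addresses, the IP and the function names are constructed for illustration.

```python
import re

# Constructed sample of a Proxmox VM config (/etc/pve/qemu-server/<vmid>.conf).
SAMPLE_VM_CONF = """\
cores: 2
memory: 4096
name: opnsense
net0: virtio=00:50:56:00:AA:01,bridge=vmbr0
net1: virtio=BC:24:11:12:34:56,bridge=vmbr1,firewall=1
net2: e1000=DE:AD:BE:EF:00:01,bridge=vmbr0
"""

# Constructed placeholder: MAC addresses requested in the Hetzner account,
# keyed by the additional IP they belong to (documentation-range IP).
REQUESTED_MACS = {"203.0.113.10": "00:50:56:00:aa:01"}

NET_LINE = re.compile(r"^(net\d+):\s*(.+)$")
MAC = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def parse_nics(conf_text):
    """Return [{'id', 'mac', 'bridge'}] for every netN line in a VM config."""
    nics = []
    for line in conf_text.splitlines():
        m = NET_LINE.match(line.strip())
        if not m:
            continue
        nic = {"id": m.group(1), "mac": None, "bridge": None}
        for part in m.group(2).split(","):
            key, _, value = part.partition("=")
            if key == "bridge":
                nic["bridge"] = value
            elif MAC.match(value.lower()):  # model=MAC, e.g. virtio=00:50:...
                nic["mac"] = value.lower()
        nics.append(nic)
    return nics

def audit_public_nics(conf_text, requested, public_bridge="vmbr0"):
    """List NICs on the public bridge whose MAC was not requested for an IP."""
    allowed = {mac.lower() for mac in requested.values()}
    return [n for n in parse_nics(conf_text)
            if n["bridge"] == public_bridge and n["mac"] not in allowed]

if __name__ == "__main__":
    for nic in audit_public_nics(SAMPLE_VM_CONF, REQUESTED_MACS):
        print(f"{nic['id']}: MAC {nic['mac']} on vmbr0 is not a requested MAC")
```

NICs on the private bridge vmbr1 are ignored, since their MAC addresses never reach the public network.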