Proxmox Networking

edited January 8 in Help

I'm absolutely terrible when it comes to networking but I know a bunch of you guys are savants, so hopefully you'll be able to lend a hand!

I was lucky enough to win a free dedicated server (courtesy of @fiberstate ) and to utilize it to the fullest, decided to install proxmox. I haven't used Proxmox in a good while and when I did, I had a /29 assigned to me, so didn't run into this issue.

I was assigned 1 IP address. For convenience sake, I went ahead and purchased an additional IP address.

What I'd like to do is have the additional IP address assigned to (1) VM (reverse proxy) that would be able to communicate with each VM but I'd like to keep the other VMs from being able to communicate with each other.

I'm sure this is probably stupid simple but I'm simply stupid when it comes to networking...so I'd really appreciate any help!

Thanks!

Comments

  • Do you also want the other VMs to connect to the internet? For that you would either need to make the nginx VM a router VM (could use any old Linux distro but I would recommend something like pfSense if you are not that familiar with networking) or route traffic through the host. If you already route traffic through the host you don't even need a separate IP for the reverse proxy since you can just forward a port to it.
    To prevent VMs from talking with each other you can use Security Groups.

  • Asked similar here.

  • @Voigon said:
    Do you also want the other VMs to connect to the internet? For that you would either need to make the nginx VM a router VM (could use any old Linux distro but I would recommend something like pfSense if you are not that familiar with networking) or route traffic through the host. If you already route traffic through the host you don't even need a separate IP for the reverse proxy since you can just forward a port to it.
    To prevent VMs from talking with each other you can use Security Groups.

    Yes (I forgot to mention that key tidbit!)

    So PFSense+Nginx - got it! I think they're both very well documented so that shouldn't be an issue. A learning experience, yes, but not a total black hole!

    Appreciate it man!

    @msatt said:
    Asked similar here.

    That guy has the problem I wish I had (too many IP addresses.) That's actually the only thing I'm familiar with getting set up :(

  • imokimok OG
    edited January 8

    I would create a vmbr0 with the 10.0.0.0/8 subnet, enable port forwarding just in case, and install nginx in the host to act as a reverse proxy. This way you don't need an extra (probably expensive) IP.

    For specific steps, I tried with ChatGPT.

    Thanked by (1) don_keedic
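    A worked version of the host-routed setup suggested above (route guest traffic through the host, forward a port to the reverse proxy VM instead of buying a second IP, and isolate the other guests with a Security Group), added here as an example and not taken from any post in this thread. It assumes eno1 as the physical NIC, 203.0.113.10/24 as a placeholder public IP, 10.10.10.0/24 as the private bridge subnet, the reverse proxy VM at 10.10.10.2, and VM id 101 as one of the isolated guests.

```text
# /etc/network/interfaces (relevant stanzas; names and addresses are assumed)
iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 203.0.113.10/24
    gateway 203.0.113.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

# private guest bridge; the host is the gateway, no physical port attached
auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
    # outbound NAT: guests share the host's single public IP
    post-up   iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
    # inbound: forward only 443 to the reverse proxy VM (add a matching pair for 80)
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.10.10.2:443
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.10.10.2:443
    # conntrack zone workaround when masquerading with the Proxmox firewall enabled
    post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

# /etc/pve/firewall/cluster.fw: a security group for guests that must stay isolated
[OPTIONS]
enable: 1

[group isolated]
# only the reverse proxy may open connections to the guest; rules are matched in order
IN ACCEPT -source 10.10.10.2
IN DROP -source 10.10.10.0/24
# the guest may reach the host gateway and the internet, but not other guests
OUT ACCEPT -dest 10.10.10.1
OUT DROP -dest 10.10.10.0/24

# /etc/pve/firewall/101.fw: attach the group to guest 101 (repeat for each isolated VM)
[OPTIONS]
enable: 1

[RULES]
GROUP isolated
```

    The group only takes effect on guest NICs that have the firewall flag set (firewall=1 on the net device); the reverse proxy VM gets no group so it can still reach every backend.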
  • @don_keedic said:

    @Voigon said:
    Do you also want the other VMs to connect to the internet? For that you would either need to make the nginx VM a router VM (could use any old Linux distro but I would recommend something like pfSense if you are not that familiar with networking) or route traffic through the host. If you already route traffic through the host you don't even need a separate IP for the reverse proxy since you can just forward a port to it.
    To prevent VMs from talking with each other you can use Security Groups.

    Yes (I forgot to mention that key tidbit!)

    So PFSense+Nginx - got it! I think they're both very well documented so that shouldn't be an issue. A learning experience, yes, but not a total black hole!

    Appreciate it man!

    @msatt said:
    Asked similar here.

    That guy has the problem I wish I had (too many IP addresses.) That's actually the only thing I'm familiar with getting set up :(

    Glad to help :)
    pfSense is relatively straightforward and you can find a lot of YT tutorials. I don't know if I would recommend nginx if you are just getting started, just because it has other solid alternatives which are much easier to set up, although nginx is definitely my personal favorite.
    Just so you know you don't actually have to use pfSense, I would use it if you are looking to do something like outbound traffic filtering (for example preventing your vms from accessing certain websites) and other more "advanced" use cases

    Thanked by (1) don_keedic
  • This is how I typically do networking on dedicated servers with Proxmox:

    1. Create a new Linux Bridge in addition to the one Proxmox created for you. Do not assign an IP address or any Bridge Ports. Tick VLAN Aware if you wish to run VLAN traffic over it at some point, otherwise leave it unchecked. This creates a kind of virtual switch where VMs can pass traffic between each other without it leaving the hypervisor.
    2. Create a new VM and mount an OPNsense ISO (or whatever software router you like the most, pfSense is acceptable too).
       • Configure two NICs for it, one plugged into vmbr0 and the other into vmbr1. Basically WAN/LAN.
       • Pick VirtIO as the NIC model as it may default to an emulated NIC.
       • It has drivers for paravirtualized SCSI, so you can use the VirtIO SCSI Controller for the disk.
    3. When it boots, just log in as installer/opnsense as it'll start in a live environment first. Follow the prompts to install it to disk.
    4. On first boot, it'll go through a wizard to assign the LAN and WAN interfaces.
    5. Once the wizard is complete, you should have basic IPv4 connectivity to guests plugged into vmbr1 as it'll run a DHCP server and configure outbound NAT rules by default.
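    The host-side result of the steps above, written out as an added example (not taken from the post): an internal bridge with no address and no ports, and the router VM's config with two VirtIO NICs and the VirtIO SCSI controller. The NIC name eno1, the public IP 203.0.113.10, VM id 101, the MAC addresses and the ISO file name are assumptions.

```text
# /etc/network/interfaces on the Proxmox host (assumed NIC name and public IP)
auto vmbr0
iface vmbr0 inet static
    address 203.0.113.10/24
    gateway 203.0.113.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

# internal "virtual switch": no IP, no physical port, traffic never leaves the host
auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# /etc/pve/qemu-server/101.conf: the OPNsense router VM (what the GUI steps produce)
name: opnsense
cores: 2
memory: 2048
scsihw: virtio-scsi-pci
scsi0: local-lvm:vm-101-disk-0,size=16G
ide2: local:iso/OPNsense-PLACEHOLDER.iso,media=cdrom
boot: order=scsi0;ide2
# net0 on the public bridge = WAN, net1 on the internal bridge = LAN
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0
net1: virtio=BC:24:11:00:00:02,bridge=vmbr1
# every other guest gets only a NIC on vmbr1 and uses the OPNsense LAN address as gateway
# (equivalent CLI for such a guest: qm set 102 --net0 virtio,bridge=vmbr1)
```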

    For getting your reverse proxy up and running, you can either use the HAProxy or nginx plugin to run a server on the router itself, or create an inbound NAT rule (aka port forwarding) to your reverse proxy.

    The OPNsense Web GUI isn't accessible on the WAN IP by default. You can temporarily disable packet filtering using pfctl -d in the shell and browse to it remotely so you can create a rule, or you can live boot a desktop environment on a guest that's attached to the LAN bridge and access the management page on the LAN IP through VNC.

    What I do is set up a WireGuard tunnel between my home network and the dedicated server. Basically you create a pair of matching instances/peers on each side so it acts as a site-to-site VPN. That's not the easiest thing to set up as it depends a lot on your home networking setup, but it's the most convenient once established as you can then access your dedicated server as though it was an extension of your home network. There's a guide on their website for how to do this between two OPNsense routers: https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

    A site-to-site VPN has security benefits too, since you can then release your public IP address from vmbr0 and assign an IP address to vmbr1, which makes your Proxmox management interface only accessible to VMs attached to vmbr1 or over the WireGuard tunnel.

  • You can route the traffic through the host or set up a VyOS/Linux/MikroTik CHR/pfSense/OPNsense etc. VM for doing that using 2 bridges.

    Thanked by (1) don_keedic
  • @voigon - I had every intention in the world to just use NGINX but figured shoot, got a dedicated server 100% at my disposal, I should try something I wouldn't typically be able to do on a VPS.

    Went the @whoami route with OPNsense and that was surprisingly easy. I had OPNsense all built up in my head to be way above my level of networking skills but in reality, it was the opposite. I love the command line, but not so much for networking. Having a networking GUI is exactly what I needed.

    Really wish I would have looked into OPNsense long before now!

    @imok , @voigon, @whoami , @lakenetworks - you guys are awesome. Thank you so much for your help!!!

    Thanked by (3) hobofl, wankel, whoami