Netgate Discussion Forum

    Hetzner Root Server > ESXi > PFSense > /29 Subnet

    General pfSense Questions
    15 Posts, 3 Posters, 2.7k Views
    • ashton324 @stephenw10

      @stephenw10

      Sorry, forgot to mention: yes, they do provide the MAC addresses they are seeing; all the MACs relate to VMs on that /29 subnet.

      • stephenw10 (Netgate Administrator) @ashton324

        @ashton324 said in Hetzner Root Server > ESXi > PFSense > /29 Subnet:

        they do provide the MAC addresses they are seeing; all the MACs relate to VMs on that /29 subnet.

        Then it must be bridged somehow and not routed.

        Doing this in pfSense should be very straightforward. The only thing you have to do is disable outbound NAT for the routed /29. But even if you didn't, and pfSense NAT'd everything to the WAN IP, the internal MACs would not be visible to the WAN gateway.

        You should not have a LAN side gateway defined in pfSense. The internal NIC has an IP from the /29 and other VMs there use that as their gateway.

        https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

        Steve

        • ashton324 @stephenw10

          @stephenw10

          Thanks for the info. The good news is that after following what you mentioned, the OPT1 INT (/29) is working as expected, passing traffic to the WAN with correct IPs and vice versa. Hetzner have also not reported any unauth'd MACs.

          I have another issue now. I have some IPs that don't fall into that /29 range; these already have MACs assigned from Hetzner. I just need to place them behind pfSense. So my plan was to use the LAN INT, assign a 10.0.0.0/24 IP to those machines and then use Virtual IPs to utilise the public IPs.

          However, for some reason I can ping from the 10.0.0.0/24 to the pfSense gateway of 10.0.0.254, but I cannot seem to get internet access. Pinging 8.8.8.8 from a VM drops all pings and tracert stops at the pfSense box. I disabled the firewall and still had the same problem; I have checked and have f/wall rules in for LAN to WAN and WAN to LAN (for testing).

          Also, as outbound NAT is disabled, would my plan of using Virtual IPs work to utilise the public IPs?

          Thanks

          • ashton324

            I've realised the problem.

            With NAT disabled, of course the traffic doesn't know where to go. Dumb moment.

            Enabling NAT fixed the issue. If I switch to hybrid NAT and create manual rules, the MAC of the /29 would not pass through the WAN gateway, correct?

            • stephenw10 (Netgate Administrator)

              You can use hybrid outbound NAT mode and add a 'do not NAT' rule for the /29.

              Or you can use manual outbound NAT mode and just remove all the rules except those for the LAN subnet.

              Either will work. Using hybrid mode means that if you add another internal private subnet at any time it will automatically work still.

              Steve

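              The following is an added example, not code from this thread or from Netgate: a pf NAT fragment in the style of pfSense's generated ruleset, showing what the topology described above (OPT1 holding an address from the routed /29, VMs using it as their gateway, private LAN behind outbound NAT) and Steve's "hybrid mode with a do-not-NAT rule for the /29" come to at the pf level. The interface names (vmx0/vmx1/vmx2) and all addresses are assumed placeholders from the RFC 5737 documentation ranges, not values from the thread.

              ```pf
              # Added example (not from the thread or Netgate docs).
              # Assumed placeholders: vmx0 = WAN, vmx1 = LAN, vmx2 = OPT1.
              wan_if    = "vmx0"
              wan_ip    = "203.0.113.10"        # placeholder: the additional Hetzner IP on WAN
              lan_net   = "10.0.0.0/24"         # private LAN from the thread, gateway 10.0.0.254
              routed29  = "198.51.100.96/29"    # placeholder: the routed /29 behind OPT1

              # OPT1 itself carries one address out of the /29 (say 198.51.100.97)
              # and has NO gateway configured on it: Hetzner already routes the
              # /29 to the WAN address, so pfSense just forwards for it and the
              # VMs on OPT1 use 198.51.100.97 as their default gateway.

              # pf nat rules are first-match. The manual "do not NAT" rule comes
              # first, so sources in the /29 leave WAN with their own address and
              # their own MACs never reach the Hetzner gateway (only vmx0's does).
              no nat on $wan_if inet from $routed29 to any

              # Equivalent of pfSense's automatic rule: the private LAN is
              # translated to the WAN address. Adding another RFC 1918 subnet
              # later needs only a matching line here (hybrid mode generates it).
              nat on $wan_if inet from $lan_net to any -> $wan_ip

              # Filter side: allow OPT1 and LAN out; WAN-initiated traffic to the
              # /29 must be permitted explicitly since it is routed, not NATed.
              pass in quick on vmx2 inet from $routed29 to any keep state
              pass in quick on vmx1 inet from $lan_net to any keep state
              pass in quick on $wan_if inet proto tcp from any to $routed29 port 443 keep state
              ```

              A quick check after applying a ruleset like this, on the pfSense shell, is `pfctl -s nat`, which should list the `no nat` line ahead of the translation rule; a host in the /29 pinging out should then show up at the far end with its own address, while a 10.0.0.0/24 host shows up as the WAN address.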
              • bsakizli

                @ashton324 I have the same problem. I have no notification for unauthorized use of a MAC, only the /29. Can you help me with how to introduce it on the pfSense side? I'm glad your issue was resolved.

                • ashton324 @bsakizli

                  @bsakizli

                  Hey,

                  Firstly, are you using ESXi?

                  If you are, then I can tell you how I got it to work. It's a bit of a pain, but Hetzner are happy with the setup and it works fine for me.

                  Thanks

                  • bsakizli @ashton324

                    @ashton324 Yesss, ESXi 6.7 I installed :) I bought 1 additional IP. I wanted the /29 subnet to be forwarded to one additional IP address, apart from the main server IP address. I can give internet to virtual machines with one additional IP address. I don't have a MAC problem, but I couldn't introduce my /29 subnet to the pfSense side.

                    One additional IP -> pfSense

                    • ashton324 @bsakizli

                      @bsakizli

                      Ahh, I did this on ESXi 7.0, but it should still work.

                      So just to get this straight you have the following setup?

                      Main IP > ESXi Host
                      Additional IP > pfSense VM

                      And then a /29 subnet that is routed through the additional IP on Hetzner's side?

                      • bsakizli

                        @ashton324 Yes, just like you said. I'm sending you a picture. 64.96/29 is my subnet.

                        [two screenshots attached, not reproduced]

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.