Netgate Discussion Forum

    Assign virtual public IP directly onto an interface on Proxmox container.

    • sp1

      I have a pfSense router which has multiple subnets of IPs routed to it. My Proxmox is a client to pfSense and has obtained an IP of 192.168.4.3. All containers made by Proxmox use bridge mode, so they obtain IPs like 192.168.4.5, 192.168.4.6 and so on. I use Outbound Manual NAT on pfSense to send requests from a container through a specific public IP to the outside. I use NAT forward to send inbound requests through pfSense to Proxmox containers.

      This gives the illusion that the container has the public IP assigned to it. But it doesn't. And that is my problem now. I want to be able to assign the virtual public IP that is now on pfSense directly onto an interface on a Proxmox container. I'd like to avoid VLANs on all ends. I am not able to connect more physical ports either (I've run out of them). I am open to using the public IP address through bridge mode. Is this possible? If yes, how? Thanks

      • johnpoz LAYER 8 Global Moderator

        So these IP subnets are routed to pfSense. So why not just put that network on the LAN side of pfSense? Sure don't want or need to "bridge" anything.

        Or just create VIPs on the pfSense WAN and then use 1:1 NAT.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          • sp1


          Thanks for the reply. Yes, they are subnets routed to pfSense. The pfSense main WAN is a small subnet (3 IPs), so these are all Virtual IPs. Does 1-to-1 NAT allow for a public IP to be assigned to the container NIC port? That is the most important thing here. I want the container to think and feel that it picked up the public IP directly. If 1-to-1 NAT does that, is this a straight up setup? Where is 1-to-1 NAT set up?

            • johnpoz LAYER 8 Global Moderator

            So routed!!! Then just create a LAN or VLAN behind pfSense and put the routed network on there!! If the network is routed then you don't need any VIPs.

            If you're doing VIP and 1:1 NAT, no, your device behind the NAT would have a private IP. But all traffic would get sent to it if you allow it on your firewall with an any any.

            So let's say this: you have 1.2.3.0/30 as your transit network. Then your ISP has given you 5.6.7.0/28 that is routed to you.

            Then you have this setup

            isp 1.2.3.1/30 – 1.2.3.2/30 pfsense 5.6.7.1/28 ---- 5.6.7.2-15 for devices directly on their interface

            You just need to put in firewall rules to allow for this traffic and do not NAT it.

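The two options described in the post above, side by side, as an added example that is not part of the thread and not pfSense's generated ruleset. It is written in plain pf.conf syntax (pf is the packet filter pfSense is built on). The 1.2.3.0/30 and 5.6.7.0/28 networks are the placeholders from the post; interface names, the /24 LAN prefix, the choice of hosts and the allowed ports are assumptions.

```conf
# Added example in plain pf.conf syntax; not pfSense's generated ruleset.
# Networks 1.2.3.0/30 and 5.6.7.0/28 are the placeholders from the post.
# Interface names, the /24 LAN prefix, host choices and ports are assumptions.

wan_if    = "igb0"            # transit side, 1.2.3.2/30
pub_if    = "igb1"            # routed side, 5.6.7.1/28 (gateway for public hosts)
lan_net   = "192.168.4.0/24"  # existing private LAN (prefix length assumed)
pub_net   = "5.6.7.0/28"      # subnet the ISP routes to 1.2.3.2

ct_a_pub  = "5.6.7.2"         # container A: public address on its own NIC
ct_b_priv = "192.168.4.5"     # container B: keeps its private address
ct_b_pub  = "5.6.7.3"         # address container B is mapped to (1:1 NAT);
                              # must not also be configured on a host on $pub_if

# --- Translation rules (must come before filter rules) ---

# 1:1 NAT: container B still sees only 192.168.4.5 on its interface.
binat on $wan_if inet from $ct_b_priv to any -> $ct_b_pub

# Routed subnet: source addresses leave untouched, so container A really
# holds 5.6.7.2 and the outside world sees the same address.
no nat on $wan_if inet from $pub_net to any

# Remaining private hosts share the WAN address.
nat on $wan_if inet from $lan_net to any -> ($wan_if)

# --- Filter rules ---

# Default deny inbound on WAN. Both options expose a host to the internet,
# so each pass rule names the services instead of allowing any/any.
block in log on $wan_if all

# Routed host: match the public address, it is never rewritten.
pass in on $wan_if inet proto tcp from any to $ct_a_pub port { 80, 443 }

# 1:1 NAT host: translation happens before filtering, so the rule
# matches the private address, not 5.6.7.3.
pass in on $wan_if inet proto tcp from any to $ct_b_priv port 443

# Outbound from the routed public hosts.
pass in on $pub_if inet from $pub_net to any
```
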
              • sp1


              Thanks for the feedback again. Yes, they are routed just exactly like you mentioned. This is a /27 and I won't be able to disturb the system as all my client devices work fine with Virtual IPs as is. I only need one public IP to be on one client device. Now, I hate VLANs and unless I am forced I won't want to use them because then I have to probably do tagging on Proxmox and then on client. I don't even know if I can grab one of the VIPs and put it on a VLAN. I definitely can't touch Proxmox interfaces to do the VLAN stuff because it might mess up 60 other production clients. So, based on what you are saying I should give up on the idea of VIP and having the public on client?

                • johnpoz LAYER 8 Global Moderator

                Dude, I have no idea what you should or shouldn't do. I have no clue why you think you need to put a public IP on your Proxmox interface. Why was it not set up before? Why would creating a VLAN disturb anything?

                Your statement that you "hate" VLANs tells me you're in the wrong field of work or play…

                Just giving you your options. Put the IP on the device behind pfSense directly, use a port forward, or do a 1:1. Why you think you actually need a public IP on your server behind pfSense I have no idea. But if the segments are routed to you it takes 2 seconds to set that up.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.