Netgate Discussion Forum

Assign virtual public IP directly onto an interface on Proxmox container.

    sp1
    last edited by Sep 4, 2015, 3:17 PM

    I have a pfSense router which has multiple subnets of IPs routed to it. My Proxmox is a client to pfSense and has obtained an IP of 192.168.4.3 - all containers made by Proxmox use bridge mode, so they obtain IPs like 192.168.4.5, 192.168.4.6 and so on. I use Outbound Manual NAT on pfSense to send requests from a container through a specific public IP to the outside. I use NAT forward to send inbound requests through pfSense to the Proxmox containers.

    This gives the illusion that the container has the public IP assigned to it. But it doesn't. And that is my problem now. I want to be able to assign the virtual public IP that is now on pfSense directly onto an interface on a Proxmox container. I would like to avoid VLANs on all ends. I am not able to connect more physical ports either (I have run out of them). I am open to using the public IP address through bridge mode. Is this possible? If yes, how? Thanks

      johnpoz LAYER 8 Global Moderator
      last edited by Sep 4, 2015, 3:28 PM

      So these IP subnets are routed to pfSense. So why not just put that network on the LAN side of pfSense? You sure don't want or need to "bridge" anything.

      Or just create VIPs on the pfSense WAN and then use 1:1 natting.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        sp1
        last edited by Sep 4, 2015, 6:29 PM

        @johnpoz:

        So these IP subnets are routed to pfSense. So why not just put that network on the LAN side of pfSense? You sure don't want or need to "bridge" anything.

        Or just create VIPs on the pfSense WAN and then use 1:1 natting.

        Thanks for the reply. Yes, they are subnets routed to pfSense. The pfSense main WAN is a small subnet (3 IPs), so these are all Virtual IPs. Does 1-to-1 NAT allow for the public IP to be assigned to the container's NIC port? That is the most important thing here. I want the container to think and feel that it picked up the public IP directly. If 1-to-1 NAT does that, is this a straight-up setup? Where is 1-to-1 NAT set up?

          johnpoz LAYER 8 Global Moderator
          last edited by Sep 4, 2015, 9:01 PM

          So routed!!! Then just create a LAN or VLAN behind pfSense and put the routed network on there!! If the network is routed then you don't need any VIPs.

          If you're doing VIP and 1 to 1 NAT, no, your device behind the NAT would have a private IP. But all traffic would get sent to it if you allow it on your firewall with an any any.

          So let's say this: you have 1.2.3.0/30 as your transit network. Then your ISP has given you 5.6.7.0/28 that is routed to you.

          Then you have this setup

          ISP 1.2.3.1/30 ---- 1.2.3.2/30 pfSense 5.6.7.1/28 ---- 5.6.7.2-15 for devices directly on their interface

          You just need to put in firewall rules to allow for this traffic and do not NAT it.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11
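
The routed layout from the post above, checked with Python's `ipaddress` module. This is an added example, not part of the thread: the function names are hypothetical and the addresses are the post's own illustrative values. It separates addresses that can sit on a container directly (routed, filtered but not NATed) from those that need a VIP with 1:1 NAT or a port forward, and it reports 5.6.7.14 as the last usable host because 5.6.7.15 is the broadcast address of the /28.

```python
import ipaddress

# Illustrative values taken from the post above (not real allocations).
TRANSIT = ipaddress.ip_network("1.2.3.0/30")
ROUTED = ipaddress.ip_network("5.6.7.0/28")
PFSENSE_INSIDE = ipaddress.ip_address("5.6.7.1")


def plan_routed_segment(transit, routed, gateway):
    """Address plan for a routed block placed on a pfSense inside interface."""
    if transit.overlaps(routed):
        raise ValueError("routed block overlaps the transit network")
    reserved = (routed.network_address, routed.broadcast_address)
    if gateway not in routed or gateway in reserved:
        raise ValueError("gateway must be a usable host in the routed block")
    hosts = [h for h in routed.hosts() if h != gateway]
    return {
        "gateway": str(gateway),
        "netmask": str(routed.netmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "host_count": len(hosts),
        "broadcast": str(routed.broadcast_address),
    }


def classify_host(addr, routed=ROUTED, gateway=PFSENSE_INSIDE):
    """How a container with this address reaches the internet."""
    ip = ipaddress.ip_address(addr)
    if ip in routed:
        if ip in (routed.network_address, routed.broadcast_address, gateway):
            return "reserved"        # not assignable to a container
        return "routed-no-nat"       # container holds the public IP itself
    if ip.is_private:
        return "needs-nat"           # VIP + 1:1 NAT or port forward on pfSense
    return "outside-plan"            # not covered by either design


if __name__ == "__main__":
    print(plan_routed_segment(TRANSIT, ROUTED, PFSENSE_INSIDE))
    for a in ("5.6.7.5", "192.168.4.5", "5.6.7.15"):
        print(a, classify_host(a))
```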

            sp1
            last edited by Sep 4, 2015, 9:23 PM

            @johnpoz:

            So routed!!! Then just create a LAN or VLAN behind pfSense and put the routed network on there!! If the network is routed then you don't need any VIPs.

            If you're doing VIP and 1 to 1 NAT, no, your device behind the NAT would have a private IP. But all traffic would get sent to it if you allow it on your firewall with an any any.

            So let's say this: you have 1.2.3.0/30 as your transit network. Then your ISP has given you 5.6.7.0/28 that is routed to you.

            Then you have this setup

            ISP 1.2.3.1/30 ---- 1.2.3.2/30 pfSense 5.6.7.1/28 ---- 5.6.7.2-15 for devices directly on their interface

            You just need to put in firewall rules to allow for this traffic and do not NAT it.

            Thanks for the feedback again. Yes, they are routed just exactly like you mentioned. This is a /27 and I won't be able to disturb the system, as all my client devices work fine with Virtual IPs as is. I only need one public IP to be on one client device. Now, I hate VLANs and unless I am forced I don't want to use them, because then I probably have to do tagging on Proxmox and then on the client. I don't even know if I can grab one of the VIPs and put it on a VLAN. I definitely can't touch the Proxmox interfaces to do the VLAN stuff because it might mess up 60 other production clients. So, based on what you are saying, I should give up on the idea of the VIP and having the public IP on the client?

              johnpoz LAYER 8 Global Moderator
              last edited by Sep 5, 2015, 6:24 AM

              Dude, I have no idea what you should or shouldn't do. I have no clue why you think you need to put a public IP on your Proxmox interface. Why was it not set up before? Why would creating a VLAN disturb anything?

              Your statement that you "hate" VLANs tells me you're in the wrong field of work or play…

              Just giving you your options. Put the IP on the device behind pfSense directly, use a port forward or do a 1:1 - why you think you actually need a public IP on your server behind pfSense I have no idea. But if the segments are routed to you it takes 2 seconds to set that up.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11
