Assign virtual public IP directly onto an interface on Proxmox container.
-
I have a pfSense router which has multiple subnets of IPs routed to it. My Proxmox is a client to pfSense and has obtained IP of 192.168.4.3 - all containers made by Proxmox have Bridgemode so they obtain IPs like 192.168.4.5, 192.168.4.6 and so on. I use Outbound Manual NAT on pfSense to send request from container through a specific public IP to outside. I use NAT forward to send inbound request through pfSense to Proxmox containers.
This gives the illusion as if container has the public IP assigned to it. But it doesn't. And that is my problem now. I want to be able to assign the virtual public IP that is now on pfSense directly onto an interface on Proxmox container. I like to avoid vlans on all ends. I am not able to connect more physical ports either (run out of it). I am open to use the public IP address through bridge mode. Is this possible? If yes, how? Thanks
-
So these IPs subnets are routed to pfsense. So why not just put that network on the lan side of pfsense.. Sure don't want or need to "bridge" anything.
Or just create vips on pfsense wan and then use 1:1 natting.
-
So these IPs subnets are routed to pfsense. So why not just put that network on the lan side of pfsense.. Sure don't want or need to "bridge" anything.
Or just create vips on pfsense wan and then use 1:1 natting.
Thanks for the reply. Yes, they are subnets routed to pfSense. pfSense main WAN is a small subnet (3 ips) so these are all Virtual IPs. Does 1-to-1 NAT allow for public IP to be assigned to container NIC port? ***that is the most important thing here. I want the container to think and feel that it picked up the public IP directly. If 1-to-1 NAT does that is this a straight up setup? where is 1-to-1 nat setup?
-
So routed!!! then just create lan or vlan behind pfsense and put the routed network on there!! If the network is routed then you don't need any vips.
If you doing VIP and 1 to 1 nat, no your device behind the nat would have a private IP. But all traffic would get sent to it if you allow it on your firewall with a any any.
so lets say this.. you have 1.2.3.0/30 as your transit network. Then your isp has given you 5.6.7.0/28 that is routed to you.
Then you have this setup
isp 1.2.3.1/30 – 1.2.3.2/30 pfsense 5.6.7.1/28 ---- 5.6.7.2-15 for devices directly on their interface
You just need to put in firewall rules to allow for this traffic and do not NAT it.
-
So routed!!! then just create lan or vlan behind pfsense and put the routed network on there!! If the network is routed then you don't need any vips.
If you doing VIP and 1 to 1 nat, no your device behind the nat would have a private IP. But all traffic would get sent to it if you allow it on your firewall with a any any.
so lets say this.. you have 1.2.3.0/30 as your transit network. Then your isp has given you 5.6.7.0/28 that is routed to you.
Then you have this setup
isp 1.2.3.1/30 – 1.2.3.2/30 pfsense 5.6.7.1/28 ---- 5.6.7.2-15 for devices directly on their interface
You just need to put in firewall rules to allow for this traffic and do not NAT it.
Thanks for the feedback again. Yes, they are routed just exactly like you mentioned. This is a /27 and I won't be able to disturb the system as all my client devices work fine with Virtual IPs as is. I only need one public IP to be on one client device. Now, I hate VLANs and unless I am forced I won't want to use them because then I have to probably do tagging on Proxmox and then on client. I don't even know if I can grab one of the VIPs and put it on a VLAN. I definitely can't touch Proxmox interfaces to do the VLAN stuff because it might mess up 60 other production clients. So, based on what you are saying I should give up on the idea of VIP and having the public on client?
-
Dude I have no idea what you should or shouldn't do.. I have no clue why you think you need to put public IP your proxmox interface.. Why as it not setup before? Why would creating a vlan disturb anything?
Your statement that you "hate" vlans tells me your in the wrong field of work or play…
Just giving you your options.. But the IP on the device behind pfsense directly, use a port forward or do a 1:1 - why you think you actually need a public on your server behind pfsense I have no idea. But if the segments are routed to you it takes 2 seconds to set that up.