Proxmox + pfSense on Hetzner bare metal server. Questions on setup…
Posted this over on reddit but figured I'd post it here as well.
I just recently got a Hetzner bare metal server at auction and working on setting up my environments. I know very little about setting up stuff on linux and my head gets a little confused with all this networking stuff, but I'm slowly figuring it out.
First of all, Hetzner gives you a single IPv4 address to start off with. I've went ahead and got an additional /29 block of IPv4 addresses as well (I'm not doing anything with IPv6 at the moment not that I'd know what to do with it anyways) The bare metal server has a single Intel Gigabit NIC (82574L), which I don't think it matters in this case that I dont have an additional NIC since all the VMs will be running inside Proxmox and nothing physical (ie switch, other hardware) is going to be sitting behind pfSense.
I've got it set up right now so that Proxmox (4.1-33) is on the main Hetzner IP and I have 2 VMs running on the subnet block (I think this terminology is correct…) and all are accessible publicly. For example, proxmox is running on the main IP AA.BB.CC.241 and two VMs are running and accessible publicly at DD.EE.FF.249 and .250
Here's what my /etc/network/interfaces file looks like (Debian 8 install running Proxmox)
I have net.ipv4.ip_forward=1 set in /etc/sysctl.conf and net.ipv4.conf.all.send_redirects=0 in /etc/sysctl.d/10-no-icmp-redirects.conf as well. The VMs have a static IP with the subnetted IP (ie DD.EE.FF.249) and gateway as the main IP (AA.BB.CC.241). I just followed the directions in this guide since it was the simplest to understand
I was looking into setting up the firewall on Proxmox but it seems like pfSense would be easier to configure and give me more control. Right now I have the Proxmox Datacenter firewall Input Policy set to DROP (Output set to Accept) and the same subsequently for each VM. Right now I'm only allowing SSH, Ping, and port 8006 at the Datacenter level for Proxmox and SSH for one VM (Ubuntu VM) and RDP for the other (Windows VM). It seems like disallowing the vast majority of traffic is overkill and likely to cause issues in the future for what I want to set up.
Anyways, here is my end goal - one linux VM to set up rTorrent/ruTorrent (or some other client) and FTP on, plus have a Samba (SMB) share that is accessible by the other VMs internally and a Windows VM that is able to access that SMB share. For simplicity sake, lets just say I'm setting up only those 2 VMs (plus a VM for pfSense). I'd like all traffic routed through pfSense, with Proxmox and the VMs all behind its firewall, while still being able to publicly access the VMs on their respective assigned IP address from my subnet block if that makes sense.
So, yea, I'm just generally confused on how to go about setting up Proxmox and pfSense to do this. Any help would be greatly appreciated. If anything was confusing on what I'm trying to accomplish and you need more info, I'd be happy to clarify or give you additional info.
As an aside, how can I just disable IPv6 stuff if I'm not doing anything with it?
Here is what I have right now vs what I'm looking for. The Main IP which is assigned to Proxmox becomes the IP of pfSense within Proxmox, and Proxmox gets one of the subnet IPs (ie traffic is routed through pfSense to proxmox). Then the other VMs get their traffic routed through pfSense via their various subnet IPs