Hetzner Dedicated Server - pfSense in Proxmox with a single IPv4, How to
I've been eyeing Hetzner's EX44 for some time, but the €39 setup fee put me off until now. I finally pulled the trigger when Hetzner offered it with no setup fees on Cyber Monday. It was a sweet deal - 13500, 64G of DDR5, 2x512GB NVMe, 1 IPv4 & a routed /64 IPv6 at €39/month. I decided to go with Proxmox as the host with a virtualized pfSense firewall in front, facing the internet.
The only problem I encountered is that all guides on the internet use two IPv4 addresses - one for Proxmox and another for pfSense. I don't really see the need for Proxmox to have a public v4 address, as we can just port forward the WebUI/SSH from the firewall if necessary. A second address also costs €1.70 extra a month along with a €4.90 setup fee. So let's see how we can get this done.
Install Proxmox
Nothing fancy, install it with KVM, VNC or whatever works for you. Leave the networking bits alone, as we'll configure them in the following steps.
Set up network bridges
We need two virtual bridge interfaces, one for WAN and another for LAN. The WAN bridge is created automatically when you install Proxmox, so you only need to create the LAN bridge. Make sure not to select any bridge ports while doing this. In the IPv4/CIDR field, enter a local static IP for Proxmox and leave the gateway empty, as the WAN interface has it. For reference, it should look similar to the pic below.
Install pfSense
Create a VM in Proxmox and set it to start at boot. Install pfSense using the console in Proxmox and select the appropriate interfaces for WAN and LAN. Leave the WAN interface on DHCP and set up a local network on the LAN interface. Remember to use the same subnet you entered in Proxmox so that the host has connectivity. By default, pfSense will configure a 192.168.1.1/24 network. The WAN interface won't get an IP yet, as it's still assigned to the Proxmox host. We'll fix that in the next step.
Enter the pfSense shell (usually option 8 in the console) and set up a firewall rule so that we can access the pfSense web GUI later. Use the following command to allow traffic on port 443. Replace XX.XX.XX.XX with your IP to restrict access to it, or use 'any' to allow access from any IP address, which exposes the GUI login to the whole internet.
easyrule pass wan tcp XX.XX.XX.XX any 443
Reconfigure Proxmox networking
Hetzner binds the MAC address of the interface to the assigned IP address, which is why pfSense didn't get an IP address on the WAN interface. We can fix it by spoofing the MAC address of the physical interface in pfSense and setting a random MAC address on the host (Proxmox).
First, find and copy the MAC address of the interface to which the public IP address is assigned using
ip a
Now, shut down the pfSense VM, go to the hardware tab, click edit on the WAN interface and paste the MAC address copied earlier. Also make sure that the pfSense VM is set to start at boot, as we'll be restarting Proxmox later.
Now, let's edit the Proxmox /etc/network/interfaces file and remove the public IP from Proxmox. Also, change the MAC address of the interface to a random address so that it doesn't conflict with pfSense. Add the gateway IP to the LAN interface, as all the traffic will be sent through pfSense from now on. After editing, it should look like this.
auto lo
iface lo inet loopback

iface enp5s0 inet manual
    hwaddress ether 00:11:22:33:44:55

auto vmbr0
iface vmbr0 inet static
    bridge-ports enp5s0
    bridge-stp off
    bridge-fd 0
#WAN

auto vmbr1
iface vmbr1 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports none
    bridge-stp off
    bridge-fd 0
#LAN

source /etc/network/interfaces.d/*
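A mistake in this file only shows up after the reboot, when the host may no longer be reachable, so the layout can be checked first. The script below is an added example, not part of the original post: `check_interfaces` is a hypothetical helper, `AA:BB:CC:DD:EE:FF` is a constructed placeholder for the physical MAC that was pasted into the pfSense VM, and the sample file is a trimmed copy of the configuration above.

```shell
#!/bin/sh
# check_interfaces FILE PFSENSE_WAN_MAC: returns 0 when the file matches the layout above
check_interfaces() {
    awk -v vm_mac="$2" '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    /^[ \t]*#/ || NF == 0          { next }            # comments and blank lines
    $1 == "iface"                  { cur = $2; next }  # start of a stanza
    $1 == "auto" || $1 == "source" { cur = ""; next }
    cur == ""                      { next }
    $1 == "address"      { addr[cur] = $2 }
    $1 == "gateway"      { gw[cur] = $2; ngw++ }
    $1 == "bridge-ports" { ports[cur] = $2 }
    $1 == "hwaddress"    { mac[cur] = tolower($NF) }
    END {
        for (b in ports) {
            if (ports[b] == "none") lan = b; else { wan = b; nic = ports[b] }
        }
        if (wan == "") fail("no bridge with a physical port (WAN)")
        if (lan == "") fail("no bridge with bridge-ports none (LAN)")
        if ((wan in addr) || (wan in gw)) fail(wan " still has an address or gateway; the public IP belongs to pfSense")
        if (!(lan in addr)) fail("LAN bridge has no address for the host")
        if (ngw != 1 || !(lan in gw)) fail("exactly one gateway is expected, on the LAN bridge")
        if (!(nic in mac)) fail("physical NIC has no hwaddress override")
        else if (mac[nic] == tolower(vm_mac)) fail("physical NIC still uses the MAC given to the pfSense VM")
        exit bad + 0
    }' "$1"
}

# Constructed sample: the configuration above without the bridge-stp/bridge-fd lines.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
auto lo
iface lo inet loopback
iface enp5s0 inet manual
    hwaddress ether 00:11:22:33:44:55
auto vmbr0
iface vmbr0 inet static
    bridge-ports enp5s0
#WAN
auto vmbr1
iface vmbr1 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports none
#LAN
EOF
# AA:BB:CC:DD:EE:FF is a placeholder for the MAC now configured on the pfSense WAN NIC.
check_interfaces "$SAMPLE" "AA:BB:CC:DD:EE:FF" && echo "OK: layout matches, safe to reboot"
```

On the real host, point it at /etc/network/interfaces and pass the MAC you copied from `ip a`.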
It's all set up and now we can reboot Proxmox. Wait a few minutes for it to come back up. Now we can access the pfSense web portal on WAN-IP:443. Default credentials are admin:pfsense; change the password as soon as you log in. We can set up NAT rules in pfSense to access the Proxmox web portal (port 8006)/SSH (port 22).