Skip to content

Instantly share code, notes, and snippets.

@NicklasMatzulla

NicklasMatzulla/Hetzner OPNsense network configuration.md

Created April 6, 2023 20:59
Show Gist options
  • Save NicklasMatzulla/c36da489260555ffa7e6f21ce25bae6e to your computer and use it in GitHub Desktop.
Save NicklasMatzulla/c36da489260555ffa7e6f21ce25bae6e to your computer and use it in GitHub Desktop.
Download ZIP
Hetzner network configuration for virtualization with Proxmox and OPNsense.
Raw
Hetzner OPNsense network configuration.md

About

Warning
This network configuration is designed for the network infrastructure of Hetzner servers.

This network configuration is used to use Proxmox as a virtualization platform and OPNsense as a firewall. Both single addresses and subnets can be added without any problems.

Installation

auto lo
iface lo inet static
iface lo inet6 static

auto PHYSICAL_NETWORK_DEVICE
iface PHYSICAL_NETWORK_DEVICE inet manual

auto vmbr0
iface vmbr0 inet static
  address HOST_PUBLIC_IP/26
  gateway HOST_PUBLIC_IP_GATEWAY
  bridge-ports PHYSICAL_NETWORK_DEVICE
  bridge-stp off
  bridge-fd 0
  hwaddress HOST_MAC_ADDRESS
  post-up sysctl -w net.ipv4.ip_forward=1
  post-up sysctl -w net.ipv6.conf.all.forwarding=1
#OPNsense WAN

auto vmbr1
iface vmbr1 inet manual
  bridge-ports none
  bridge-stp off
  bridge-fd 0
  bridge-vlan-aware yes
  bridge-vids 2-4094
#VM NET

Warning
For the configuration to work, the following variables must be adjusted.

VARIABLE VALUE
PHYSICAL_NETWORK_DEVICE The name of your physical network device
HOST_PUBLIC_IP The main address of your server
HOST_PUBLIC_IP_GATEWAY The gateway address of your main address
HOST_MAC_ADDRESS The MAC address of your server

All data about your IP address can be found in the Hetzner-Robot. Install the package net-tools with apt install -y net-tools and run ifconfig. There you will find a list of all network devices, like eno1. The value ether is the MAC address of your server.

Establishment of the networks.

OPNsense requires a single IP address in addition to the host address, this must be assigned a separate MAC address in the Hetzner Robot. When purchasing an additional subnet, make sure that it is routed to the additional IP address of OPNsense. Also keep in mind that the MAC address of the IPv6 subnet must also be changed to that of OPNsense in the Hetzner Robot.

Setup of OPNsense

Make sure in advance that the virtual machine has the MAC address of your additional IP for OPNsense. After the installation, set the WAN interface to vtnet0. Make sure that the WAN interface does not obtain the IP address via DHCP, but must be static. The IP address is the additional address, the subnet mask is 32. The gateway of this IP address can be found in the robot. Then you can configure any IPv6 address, the gateway can also be found in the Hetzner Robot.

To forward an IP address from a subnet to a VM via 1:1 NAT, create a virtual IP address for this IP address with the CIDR /32, then create the NAT forwarding.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment