[PVE-User] How to add a second router to same Proxmox server?

Guy guy at britewhite.net
Thu Jun 14 19:16:39 CEST 2012


Unless you have a real burning desire to have a second pfSense firewall, you do not need it here.

Log in to your current pfSense system and go to Virtual IPs and create a new virtual IP for one of the IPs in the second routable block. Then go to NAT and rules and add rules and NATs to an already existing system, e.g. WWW. And see that it works! :)

In fact, if you do have the second pfSense firewall I would be inclined to put the two together to make a failover cluster; that way you get redundancy should one fail :D Again, I do that here.

Btw, I only sent one attachment: the list of all my vmbrs. And no, you do not need to give them all IP addresses, just one which you use for administration purposes. The rest are given to the KVM or OpenVZ systems, which then have their own IP address for them inside.


--Guy


On 14 Jun 2012, at 17:56, Bruce B wrote:

> Amazing info Guy. Thanks. I read your notes and saw the last picture. The first picture you attached didn't come through.
> 
> So, here is my situation (You will have to use big screen to see this):
> 
> pfSense-1 - First routable IP block:   65.65.65.66/29
> pfSense-2 - Second routable IP block: 189.189.189.189/27
> 
> They are totally different ranges but here is a diagram of my equipment:
> 
> ISP  ====>   Dumb Switch
>                        |             |
>                 pfSense1    pfSense-2  
> 
>            ____|______________|____
>            |   eth0                     eth1  |
>            |                                       |
>            |_______ProxMox _______|
> 
> I have vmbr0 just like yours and it got its private IP of 192.168.5.5 and all containers through that bridge can obtain DHCP IP of range 192.168.5.0/24. I don't need to assign public IP addresses directly to containers. I can use pfSense to do the NAT forward.
> 
> 
> So, how come your vmbr2 or vmbr3 have IPs assigned to them? Shouldn't they have IPs? Not that I care as my vmbr0 already gives me GUI access to Proxmox but I am wondering how it works.
> 
> So, I don't want to lose GUI access (that can be a nightmare to me given it's a production server and no test servers here). Would I be safe if I just go ahead to GUI and create vmbr1 and then attach the 2nd pfSense to it?
> 
> ****Given the two very different public IP ranges I receive from my ISP, can I still use VLANs? 
> 
> Thanks again for all your patience. I am learning a lot.
> 
> 
> 
> On Wed, Jun 13, 2012 at 2:14 PM, Guy <guy at britewhite.net> wrote:
> OK, let's see if I can be clearer now that I'm reading this on a bigger screen :)
> 
> 
> Your ISP has given you a second routable block of IPs, correct? The next hop for both these network segments is the same, correct (the gateway that the pfSense points to on the WAN interface)? In which case I'm not really sure why you feel the need for another interface on your router.
> 
> Are you using NAT, or bridging the WAN interface? If NAT, i.e. the firewall is holding the IPs and you're using private addresses internally, then just carry on with that; all will be well, no need to do anything special.
> 
> On the Proxmox side... you can create "Bridge" interfaces and not give the Proxmox an IP on it. This is by far the best way. Just create a bunch of VLANs and then create the bridge interfaces inside Proxmox, and push them to the correct VM image. On my Proxmox system I have this..
> 
> <PastedGraphic-1.tiff>
> 
> As you can see, the bridge interface vmbr0 is the only one with an IP address. This is the IP I talk to the Proxmox with. All the others are VLANs on my network; I then select the correct interface for the correct VM depending on where I want it to sit in my network.
> 
> eg..
>  
> vmbr1 is my DMZ network with NAT IP addresses... 192.168.55.x
> 
> vmbr10 is my WANBRIDGE interface and thus has public IP address directly on it for systems which I expose to the interface behind the pfSense firewall, which is then just doing ACL security and not NAT.
> 
> 
> --Guy
> 
> On 13 Jun 2012, at 18:56, Bruce B wrote:
> 
>> Guy,
>> 
>> Thanks for the input.
>> 
>> If I create a vmbr1 and then whenever I create a container can't I simply select vmbr1 as the venet or veth? Are you saying I have to change things on the host node (I'd like to stay away from that).
>> 
>> What is involved with pfSense vlans? My pfSense has 3 ports. My ISP gives two totally separate blocks of IPs to us (one is a /29 and other is a /27). The /29 right now is using WAN port on pfSense. LAN-1 port is going to Proxmox. I am only left with LAN-2. If I use that as WAN-2 then I don't have a LAN port left to connect to proxmox.
>> 
>> Do you see VLANs to be still easier for me to setup the /27 onto and managing overhead would be lower than getting a second router involved?
>> 
>> Best,
>> 
>> On Wed, Jun 13, 2012 at 1:45 PM, Guy <guy at britewhite.net> wrote:
>> Why not use VLANs on your pfSense firewall? I do this all the time.
>> 
>> On a side note. You can't have two default routes. You can add routes to specific networks. As this is standard Debian you can google for details on setting that up
>> 
>> ---Guy
>> (via iPhone)
>> 
>> On 13 Jun 2012, at 18:37, Bruce B <bruceb444 at gmail.com> wrote:
>> 
>>> Hi Everyone,
>>> 
>>> I have a SuperMicro server with two NIC ports on it. Eth0 is connected to a pfSense router and all the VM and Containers obtain DHCP IP from that router via Proxmox vmbr0. I want to add another router to the equation for redundancy and also because we got another block of IP addresses that I want to use. My current pfSense router doesn't have the ports needed to do the job so I need a second pfSense router for this. This is what I see in Network setup now:
>>> 
>>> Name:   Active:  Autostart:  Ports/Slaves:  Subnet        mask:          Gateway:
>>> eth0    Yes      No
>>> eth1    No       No
>>> vmbr0   Yes      Yes         eth0           192.168.10.5  255.255.255.0  192.168.5.1
>>> 
>>> 
>>> I have previously lost access to Proxmox GUI when turning on the eth1. I don't have the luxury of testing now. I have to do this precisely and correctly. So my questions are:
>>> 
>>> 1- What files backup should I do first so that if I lose access to Proxmox GUI, I can restore them and do a "network restart" and get it all running to previous working state?
>>> 2- The new router will supply 192.168.20.0/24 IP ranges. After I connect it to eth1 port on the server, what should I do to turn it on?
>>> 3- Once it's set up, how do I go about dictating which VM or Container should obtain IP from which interface? Do I need a vmbr1?
>>> 
>>> Thanks
>>> _______________________________________________
>>> pve-user mailing list
>>> pve-user at pve.proxmox.com
>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>> 
> 
> 
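A check for the layout discussed in this thread (only the administration bridge holds a host IP, and the Debian host has a single default gateway), added here as an example and not part of the original messages. The sample `/etc/network/interfaces` contents, the 192.168.20.5 and 192.168.20.1 addresses and the function names are constructed for illustration.

```python
# Constructed samples (not from the thread): vmbr0 is the administration bridge.
MGMT = """\
auto vmbr0
iface vmbr0 inet static
    address 192.168.5.5/24
    gateway 192.168.5.1
    bridge_ports eth0
"""
# Guest-only bridge: eth1 is bridged for VMs, the host holds no address on it.
CLEAN = MGMT + "auto vmbr1\niface vmbr1 inet manual\n    bridge_ports eth1\n"
# Second host address and second gateway on the guest bridge.
RISKY = MGMT + """\
auto vmbr1
iface vmbr1 inet static
    address 192.168.20.5/24
    gateway 192.168.20.1
    bridge_ports eth1
"""

def parse_stanzas(text):
    """Return {interface: {option: value}} for every 'iface' stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key, rest = words[0], words[1:]
        if key == "iface" and rest:
            current = stanzas.setdefault(rest[0], {})
        elif key in ("auto", "source", "mapping") or key.startswith("allow-"):
            current = None  # these keywords end the current stanza
        elif current is not None:
            current[key.replace("-", "_")] = " ".join(rest)  # bridge-ports == bridge_ports
    return stanzas

def audit(text, mgmt="vmbr0"):
    """List extra default gateways and host IPs on non-management bridges."""
    stanzas = parse_stanzas(text)
    findings = []
    gateways = [n for n, o in stanzas.items() if "gateway" in o]
    if len(gateways) > 1:
        findings.append("multiple default gateways: " + ", ".join(gateways))
    for name, o in stanzas.items():
        if name != mgmt and "bridge_ports" in o and "address" in o:
            findings.append(f"{name}: host address {o['address']} on guest bridge")
    return findings

if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN), ("risky", RISKY)):
        print(label, audit(cfg))
```

Running it against a copy of the host's interfaces file before restarting networking shows whether a new bridge would expose the hypervisor on a guest network or add a competing default route.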
