In the second part of the series I'm going to set up routed networking on a root server from Hetzner, for OpenVZ-based virtualization with various UNIX guests. These guests will be web servers and database servers, connected by a private LAN on an internal bridge that is NAT'd to eth0 of the host. Shorewall and Fail2ban will help to get the proper networking and security in place.

In this article you can learn how to set up the host: Proxmox 2.x VE on a Hetzner EX4, running Debian Squeeze 64 bit.

Kernel settings

The target setup requires some deviation from Debian's default kernel settings: IP forwarding and proxy ARP must be enabled, because the host routes on behalf of the guests and answers ARP for the additional public IP. Edit /etc/sysctl.conf as follows:

### Hetzner Online AG installimage
# sysctl config
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.proxy_arp=1
net.ipv4.conf.default.proxy_arp=1
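A quick pre-flight check for the settings above, added here as an example and not part of the original article: it reads a sysctl.conf-style file, takes the last uncommented assignment of each key (which is what `sysctl -p` applies), and reports any required key that is missing or not set to 1. The function names and the constructed sample files are my own.

```shell
#!/bin/sh
# Added pre-flight check (not from the original article): verify that a
# sysctl.conf style file enables the keys this routed setup depends on.
# Only the last uncommented assignment of a key counts, which is what
# "sysctl -p" applies. Function names are my own.

# Keys that must be 1 for the host to route and proxy-ARP for its guests.
REQUIRED_KEYS="net.ipv4.ip_forward net.ipv4.conf.all.proxy_arp net.ipv4.conf.default.proxy_arp"

# sysctl_value KEY FILE: print the effective value of KEY (empty if unset).
sysctl_value() {
    awk -v k="$1" '
        /^[ \t]*[#;]/ { next }                    # whole-line comment
        {
            line = $0; sub(/#.*/, "", line)         # strip trailing comment
            n = index(line, "=")
            if (n == 0) next
            name = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", val)
            if (name == k) last = val               # later lines override
        }
        END { print last }' "$2"
}

# check_sysctl_conf FILE: print "ok" and return 0 when every required key
# is 1; otherwise list the offending keys and return 1.
check_sysctl_conf() {
    bad=""
    for key in $REQUIRED_KEYS; do
        v=$(sysctl_value "$key" "$1")
        [ "$v" = "1" ] || bad="$bad $key=${v:-unset}"
    done
    if [ -z "$bad" ]; then
        echo ok
        return 0
    fi
    echo "missing or disabled:$bad"
    return 1
}

# Demo on a constructed file: the first copy matches the listing above,
# the second has forwarding commented out and default proxy_arp disabled.
f=$(mktemp)
cat > "$f" <<'EOF'
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.proxy_arp=1
net.ipv4.conf.default.proxy_arp=1
EOF
check_sysctl_conf "$f"                  # ok
sed -e 's/^net.ipv4.ip_forward/#&/' -e 's/default.proxy_arp=1/default.proxy_arp=0/' "$f" > "$f.bad"
check_sysctl_conf "$f.bad" || :         # missing or disabled: net.ipv4.ip_forward=unset ...
rm -f "$f" "$f.bad"
```

Run it against the real file with `check_sysctl_conf /etc/sysctl.conf`; a clean result only tells you the file is right, the values take effect after `sysctl -p` or a reboot, so compare with `sysctl net.ipv4.ip_forward` afterwards.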

Network settings

Change the following four files accordingly.

/etc/hosts

Add the public IP of your server and its hostname here.

127.0.0.1 localhost
PUBLIC_SERVER_IP myhost.hu myhost

/etc/hostname

Only the plain hostname goes in here.

myhost

/etc/resolv.conf

List Hetzner's nameservers here, and optionally others as well.

### Hetzner Online AG installimage
# nameserver config
nameserver 213.133.99.99
nameserver 213.133.100.100
nameserver 213.133.98.98

/etc/network/interfaces

First of all, get these three IP addresses from the original /etc/network/interfaces file and write them down: PUBLIC_SERVER_IP, SERVER_GATEWAY and BROADCAST_ADDRESS. ADDITIONAL_SERVER_IP is the second public IP address, which I ordered additionally.

I set up three network bridges on the host:

  • vmbr0 will handle the second public IP (ADDITIONAL_SERVER_IP); the guest on this bridge will appear on the Internet with this public IP. I'll use it for the guest running the Pound load balancer.
  • vmbr1 will be a private LAN for all the guests. Through vmbr1 the guests will still be able to reach the Internet, NATed through the host's external interface.
  • vmbr2 is also a private LAN that connects the guests with each other, but it is completely isolated from the Internet.

For the final working setup Shorewall must also be up and running. Without Shorewall you can still test this setup if you enable the line below the comment "# use only if Shorewall is down:" (it is commented out in the listing) in both the vmbr0 and vmbr1 bridge configs.

### Hetzner Online AG - installimage
# Loopback device:
auto lo
iface lo inet loopback
#
# external interface of the host
auto eth0
iface eth0 inet static
address PUBLIC_SERVER_IP
netmask 255.255.255.255
gateway SERVER_GATEWAY
broadcast BROADCAST_ADDRESS
pointopoint SERVER_GATEWAY
#
# bridge for VMs with public IPs (DMZ)
auto vmbr0
iface vmbr0 inet static
address PUBLIC_SERVER_IP
netmask 255.255.255.255
broadcast BROADCAST_ADDRESS
bridge_ports none
bridge_stp off
bridge_fd 0
# use only if Shorewall is down:
# up ip route add ADDITIONAL_SERVER_IP/32 dev vmbr0
#
# bridge for internal LAN with private IPs
auto vmbr1
iface vmbr1 inet static
address 192.168.0.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
# use only if Shorewall is down
# post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o eth0 -j MASQUERADE
# post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o eth0 -j MASQUERADE
#
# bridge for second internal LAN with private IPs
auto vmbr2
iface vmbr2 inet static
address 10.10.10.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0