[PVE-User] How to add a second router to same Proxmox server?

Bruce B bruceb444 at gmail.com
Thu Jun 14 19:44:41 CEST 2012


Oh WOW. It does work. The /27 block was previously statically routed to our
/29 IP block. We asked them to change that to a routable range so I thought
we have to obtain the /27 IP statically like we pick the /29 now on the WAN
port.

This is amazing. It works fine.

I think I should now think about making all this redundant using the 2nd
pfSense. I don't think CARP is the way to go for us as we have many
Asterisk servers and so IP changes won't be easily manageable. Maybe
something like the 2nd pfSense taking over with the exact same settings once
the 1st pfSense fails...

Thanks a lot again Guy. You saved me a 70km trip and at least 5 hours of
work :-)



On Thu, Jun 14, 2012 at 1:16 PM, Guy <guy at britewhite.net> wrote:

> Unless you have a real burning desire to have a second PFSense firewall
> you do not need it here.
>
> Log in to your current pfsense system and go to virtual IPs and create a
> new virtual IP for one of the IPs in the second routable block.  Then go to
> NAT and rules and add rules and NATs to an already existing system, eg
> WWW.. And see that it works! :)
>
> In fact if you do have the second pfsense firewall I would be inclined to
> put the two together to make a failover cluster that way you get redundancy
> should one fail :D  again I do that here.
>
> btw I only sent one attachment, the list of all my vmbrs.  And no you do
> not need to give them all IP addresses.. just one which you use for
> administration purposes.   The rest are given to the KVM or openVZ systems
> which then have their own IP address for them inside.
>
>
> --Guy
>
>
> On 14 Jun 2012, at 17:56, Bruce B wrote:
>
> Amazing info Guy. Thanks. I read your notes and saw the last picture. The
> first picture you attached didn't come through.
>
> So, here is my situation (You will have to use big screen to see this):
>
> pfSense-1 - First routable IP block:   65.65.65.66/*29*
> pfSense-2 - Second routable IP block: 189.189.189.189/*27*
>
> They are totally different ranges but here is a diagram of my equipment:
>
> ISP  ====>  Dumb Switch
>             |         |
>         pfSense1  pfSense-2
>
>       ______|_________|______
>       |   eth0      eth1    |
>       |                     |
>       |_______ProxMox_______|
>
> I have vmbr0 just like yours and it got its private IP of 192.168.5.5 and
> all containers through that bridge can obtain DHCP IP of range
> 192.168.5.0/24. I don't need to assign public IP addresses directly to
> containers. I can use pfSense to do the NAT forward.
>
>
> So, how come your vmbr2 or vmbr3 have IPs assigned to them? Shouldn't they
> have IPs? Not that I care as my vmbr0 already gives me GUI access to
> Proxmox but I am wondering how it works.
>
> So, I don't want to lose GUI access (that can be a nightmare for me given
> it's a production server and no test servers here). Would I be safe if I
> just go ahead to GUI and create vmbr1 and then attach the 2nd pfSense to it?
>
> ****Given the two very different public IP ranges I receive from my ISP,
> can I still use VLANs?
>
> Thanks again for all your patience. I am learning a lot.
>
>
>
> On Wed, Jun 13, 2012 at 2:14 PM, Guy <guy at britewhite.net> wrote:
>
>> ok let see if I can be clearer now that I'm reading this on a bigger
>> screen :)
>>
>>
>> Your ISP has given you a second routable block of IPs, correct?  The next
>> hop for both these network segments is the same, correct (the Gateway that
>> the pfsense points to on the WAN interface)?  In which case I'm not really
>> sure why you feel the need for another interface on your router.
>>
>> Are you using NAT, or bridging the WAN interface?  If NAT, ie the
>> firewall is holding the IPs and you're using private addresses internally,
>> then just carry on with that; all will be well, no need to do anything
>> special.
>>
>> On the proxmox side... you can create "Bridge" interfaces and not give
>> the proxmox an IP on it.  This is by far the best way.  Just create a bunch
>> of VLANS and then create the bridge interfaces inside proxmox, and push
>> them to the correct VM image.  On my Proxmox system I have this..
>>
>> <PastedGraphic-1.tiff>
>>
>> As you can see the bridge interface vmbr0 is the only one with an IP
>> address.. This is the IP I talk to the proxmox with.. All the others are
>> VLANS on my network, I then select the correct interface for the correct VM
>> depending on where I want it to sit in my network.
>>
>> eg..
>>
>> vmbr1 is my DMZ network with NAT IP addresses... 192.168.55.x
>>
>> vmbr10 is my WANBRIDGE interface and thus has public IP addresses directly
>> on it for systems which I expose to the interface behind the pfsense
>> firewall, which is then just doing ACL security and not NAT.
>>
>>
>> --Guy
>>
>> On 13 Jun 2012, at 18:56, Bruce B wrote:
>>
>> Guy,
>>
>> Thanks for the input.
>>
>> If I create a vmbr1 and then whenever I create a container can't I simply
>> select vmbr1 as the venet or veth? Are you saying I have to change things
>> on the host node (I'd like to stay away from that).
>>
>> What is involved with pfSense vlans? My pfSense has 3 ports. My ISP gives
>> two totally separate blocks of IPs to us (one is a /29 and other is a /27).
>> The /29 right now is using WAN port on pfSense. LAN-1 port is going to
>> Proxmox. I am only left with LAN-2. If I use that as WAN-2 then I don't
>> have a LAN port left to connect to proxmox.
>>
>> Do you see VLANs to be still easier for me to setup the /27 onto and
>> managing overhead would be lower than getting a second router involved?
>>
>> Best,
>>
>> On Wed, Jun 13, 2012 at 1:45 PM, Guy <guy at britewhite.net> wrote:
>>
>>> Why not use VLANs on your pfsense firewall? I do this all the time.
>>>
>>> On a side note. You can't have two default routes. You can add routes to
>>> specific networks. As this is standard Debian you can google for details on
>>> setting that up
>>>
>>> ---Guy
>>> (via iPhone)
>>>
>>> On 13 Jun 2012, at 18:37, Bruce B <bruceb444 at gmail.com> wrote:
>>>
>>> Hi Everyone,
>>>
>>> I have a SuperMicro server with two NIC ports on it. Eth0 is connected
>>> to a pfSense router and all the VM and Containers obtain DHCP IP from that
>>> router via Proxmox vmbr0. I want to add another router to the equation for
>>> redundancy and also because we got another block of IP addresses that I
>>> want to use. My current pfSense router doesn't have the ports needed to do
>>> the job so I need a second pfSense router for this. This is what I see in
>>> Network setup now:
>>>
>>> Name: Active: Autostart: Ports/Slaves: Subnet mask: Gateway:
>>> eth0          Yes            No
>>> eth1          No            No
>>> vmbr0 Yes            Yes eth0 192.168.10.5 255.255.255.0 192.168.5.1
>>>
>>>
>>> I have previously lost access to Proxmox GUI when turning on the eth1. I
>>> don't have the luxury of testing now. I have to do this precisely and
>>> correctly. So my questions are:
>>>
>>> 1- Which files should I back up first so that if I lose access to
>>> Proxmox GUI, I can restore them and do a "network restart" and get it all
>>> running to previous working state?
>>> 2- The new router will supply 192.168.20.0/24 IP ranges. After I
>>> connect it to eth1 port on the server, what should I do to turn it on?
>>> 3- Once it's setup, how do I go about dictating which VM or Container
>>> should obtain IP from which interface? do I need a vmbr1?
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> pve-user mailing list
>>> pve-user at pve.proxmox.com
>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>>>
>>>
>>
>>
>
>
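Added example, not part of the thread: a small pre-flight check for a Debian-style `/etc/network/interfaces`, built on the two points made in the quoted replies (only one default route, and extra bridges need no host IP). The sample file contents, the `.5`/`.1` host addresses in 192.168.20.0/24 and the function names are constructed for illustration; run a check like this on an edited copy before restarting networking on a host you cannot reach physically.

```python
import re

# Constructed sample: vmbr0 carries the management IP, vmbr1 is a bare bridge on eth1.
SAMPLE_OK = """\
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
    address 192.168.5.5
    netmask 255.255.255.0
    gateway 192.168.5.1
    bridge_ports eth0

auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
"""

# Constructed bad variant: vmbr1 is also given an address and a second gateway.
SAMPLE_BAD = SAMPLE_OK.replace(
    "inet manual",
    "inet static\n    address 192.168.20.5\n    netmask 255.255.255.0\n    gateway 192.168.20.1")

def parse_interfaces(text):
    """Return {iface: {"method": ..., option: value}} for every iface stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split(None, 1)
        m = re.match(r"iface\s+(\S+)\s+\S+\s+(\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), {"method": m.group(2)})
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None  # these keywords end the preceding iface stanza
        elif current is not None:
            current[words[0]] = words[1] if len(words) > 1 else ""
    return stanzas

def lint(text):
    """Flag more than one default gateway; list bridges that hold a host IP."""
    stanzas = parse_interfaces(text)
    gateways = sorted(n for n, s in stanzas.items() if "gateway" in s)
    addressed = sorted(n for n, s in stanzas.items()
                       if "bridge_ports" in s and "address" in s)
    problems = []
    if len(gateways) > 1:
        problems.append("multiple default gateways: " + ", ".join(gateways))
    return {"gateways": gateways, "addressed_bridges": addressed, "problems": problems}
```

`lint(SAMPLE_OK)` reports no problems and shows vmbr0 as the only addressed bridge; `lint(SAMPLE_BAD)` flags the second gateway on vmbr1.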