1:1 NAT pfsense or opnsense

altoyda

Thread Starter
Joined
Oct 17, 2020
Messages
9
For the past few months, I have been trying to learn how to do 1:1 NAT, like it says to do here: https://plexguide.com/wiki/proxmox-pfsense-hetzner/. I have read it each day to learn it. I have been going in circles with it and am not able to do it.

By the plexguide link, it says to enter your WAN IP address and add a new gateway with the gateway from the Hetzner IP, which you can find in Robot. After this, reboot pfSense, and you're able to create VMs. The pic is the idea I would like to put together. I'd like to have a subnet go to each VM, like I said in the pic at the bottom of it.

Do I need to use an additional IP or the main IP?

  1. How do I do it?
  2. Do I need to do something to the VM in Proxmox after I install the VM?
  3. Do I need to add an ethernet to the VM, or make a vmbr for Proxmox with the subnet IPs and then add it to the VM?
  4. Would someone be willing to help me with this?


Here are some other guides I have been reading, and they have helped me get to where I'm at now:

https://dominicpratt.de/hetzner-proxmox-network-configuration/

https://dominicpratt.de/hetzner-and-proxmox-pfsense-as-gateway/

https://dominicpratt.de/hetzner-and-proxmox-using-ipv6-with-router-vm/



Here is my interfaces file:

### Hetzner Online GmbH installimage

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback
iface lo inet6 loopback

# device: eno1
# eno1 is a bridge port of vmbr0 below, so it carries no address of its own:
# the public IPv4/IPv6 addresses and the default gateways live on vmbr0.
# (Configuring the same address and gateway on both eno1 and vmbr0 makes the
# second stanza fail with "File exists" and leaves the eno1 address unused.)
auto eno1
iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
    # WAN Interface
    address 95.aaa.aa.14
    netmask 255.255.255.255
    pointopoint 95.aaa.aa.1
    gateway 95.aaa.aa.1
    broadcast 95.aaa.aa.63
    bridge_ports eno1
    bridge_stp off
    bridge_fd 0
    # Route an eventual IPv4 subnet (!NOTE: at Hetzner an IPv4 /29 subnet, when routed, is completely usable)
    # "ip route" is used instead of the net-tools "route" command, which is not installed by default.
    up ip route add 95.xxx.xxx.184/32 dev vmbr0
    up ip route add 95.xxx.xxx.185/32 dev vmbr0
    up ip route add 95.xxx.xxx.186/32 dev vmbr0
    up ip route add 95.xxx.xxx.187/32 dev vmbr0
    up ip route add 95.xxx.xxx.188/32 dev vmbr0
    up ip route add 95.xxx.xxx.189/32 dev vmbr0
    up ip route add 95.xxx.xxx.190/32 dev vmbr0
    up ip route add 95.xxx.xxx.191/32 dev vmbr0
    # Tells the host where the answers for the subnets behind pfSense should be routed
    #up ip route add 172.xxx.yyy.zzz/24 via 195.xxx.yyy.zz0 dev vmbr0 #(the ip of "via" has to be the pfSense IPv4 WAN ip)
    up ip route add 192.168.0.0/16 via 95.bbb.bb.218 dev vmbr0
    up ip route add 172.16.0.0/12 via 95.bbb.bb.218 dev vmbr0
    up ip route add 10.0.0.0/8 via 95.bbb.bb.218 dev vmbr0

iface vmbr0 inet6 static
    address 2a01:4f9:4a:1bb0::2
    netmask 64
    gateway fe80::1
    # Metric 1 because the kernel sets up an IPv6 route sending the /64 subnet over vmbr0 with no next hop
    up ip -6 route add 2a01:zzz:zz:zzzz::/64 via 2a01:zzz:zz:zzzz::3 dev vmbr0 metric 1

auto vmbr1
iface vmbr1 inet manual
    # LAN INTERFACE
    bridge_ports none
    bridge_stp off
    bridge_fd 0





Here are all the IPs from Hetzner.

95.217.76.14 <------------ Main IP <------ Proxmox
Gateway: 95.aaa.aa.1
Netmask: 255.255.255.192
Broadcast: 95.aaa.aa.63

95.bbb.bb.218 <-------- additional IP <--- pfSense
Gateway: 95.bbb.bb.217
Netmask: 255.255.255.248
Broadcast: 95.bbb.bb.223
Separate MAC: 00:00:00:00:00:7F

2a01:zzzz:zz:zzzz::/64 <-- Main IPv6
Gateway: fe80::1
Netmask: ffff:ffff:ffff:ffff::

Subnet IPs:
95.xxx.xxx.184
95.xxx.xxx.185
95.xxx.xxx.186
95.xxx.xxx.187
95.xxx.xxx.188
95.xxx.xxx.189
95.xxx.xxx.190
95.xxx.xxx.191
Gateway: 95.aaa.aa.14
Netmask: 255.255.255.248
Broadcast: 95.xxx.xxx.191

r/PFSENSE - 1:1 NAT
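As an added example (not from the post, and not from any of the linked guides), here is a small Python check of the kind of addressing plan shown above. The interfaces file gives eno1 a netmask of 255.255.255.224 while the Hetzner listing for the same IP says 255.255.255.192 with a broadcast ending in .63; a mismatch like that is cheap to catch on a laptop and expensive to catch by rebooting a remote server. The addresses below are constructed stand-ins from the documentation ranges (203.0.113.0/24 and 198.51.100.0/24), and the "main"/"additional"/"subnet" layout is an assumption modelled on the post, not anything Hetzner or pfSense produce. The check also collapses the eight per-address /32 routes from the interfaces file into the single /29 they add up to.

```python
import copy
import ipaddress

# Constructed stand-in addresses for the anonymised ones in the post
# (documentation ranges, not Hetzner's). Hypothetical layout:
#   "main"       = the Proxmox host IP
#   "additional" = the pfSense WAN IP
#   "subnet"     = the routed /29 whose gateway is the host's main IP
PLAN = {
    "main": {
        "address": "203.0.113.14",
        "netmask": "255.255.255.224",   # /27, as written in the interfaces file
        "gateway": "203.0.113.1",
        "broadcast": "203.0.113.63",    # but a .63 broadcast implies a /26
    },
    "additional": {
        "address": "198.51.100.218",
        "netmask": "255.255.255.248",
        "gateway": "198.51.100.217",
        "broadcast": "198.51.100.223",
    },
    "subnet": {
        "network": "198.51.100.184/29",
        "gateway": "203.0.113.14",      # Hetzner routes the subnet to the main IP
        "hosts": [f"198.51.100.{n}" for n in range(184, 192)],
    },
}


def check_interface(name, cfg):
    """Return a list of findings for one on-link interface block."""
    findings = []
    net = ipaddress.ip_network(f'{cfg["address"]}/{cfg["netmask"]}', strict=False)
    gateway = ipaddress.ip_address(cfg["gateway"])
    broadcast = ipaddress.ip_address(cfg["broadcast"])
    if gateway not in net:
        findings.append(f"{name}: gateway {gateway} is outside {net}")
    if broadcast != net.broadcast_address:
        findings.append(
            f"{name}: broadcast {broadcast} does not match {net} "
            f"(expected {net.broadcast_address})"
        )
    return findings


def check_routed_subnet(cfg, owned_addresses):
    """A routed subnet is not on-link: its gateway must be an address this host
    owns and every listed address must fall inside it. Because it is routed,
    all addresses in the /29 are usable (no network/broadcast address lost)."""
    findings = []
    net = ipaddress.ip_network(cfg["network"])
    if cfg["gateway"] not in owned_addresses:
        findings.append(f"subnet: gateway {cfg['gateway']} is not an address this host owns")
    for host in cfg["hosts"]:
        if ipaddress.ip_address(host) not in net:
            findings.append(f"subnet: {host} is outside {net}")
    if len(cfg["hosts"]) != net.num_addresses:
        findings.append(f"subnet: {len(cfg['hosts'])} hosts listed, {net} has {net.num_addresses}")
    return findings


def check_plan(plan):
    """Run every check; an empty list means the plan is internally consistent."""
    owned = {plan["main"]["address"]}
    return (
        check_interface("main", plan["main"])
        + check_interface("additional", plan["additional"])
        + check_routed_subnet(plan["subnet"], owned)
    )


def collapse_hosts(hosts):
    """Collapse per-address /32 routes into the smallest covering prefixes:
    the eight 'up ip route add x/32' lines become one /29 route."""
    nets = [ipaddress.ip_network(h) for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def corrected_plan(plan=PLAN):
    """PLAN with the main netmask set to the /26 that the .63 broadcast implies."""
    fixed = copy.deepcopy(plan)
    fixed["main"]["netmask"] = "255.255.255.192"
    return fixed


if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["no findings"]:
        print(finding)
    print("host routes collapse to:", collapse_hosts(PLAN["subnet"]["hosts"]))
```

Run against the constructed plan it reports the netmask/broadcast disagreement on the main interface and nothing else; with the netmask corrected to 255.255.255.192 it reports nothing. The collapsed route shows that one `ip route add <subnet>/29` line is equivalent to the eight /32 lines, which is easier to audit and to change later.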
 
Joined
Nov 16, 2008
Messages
246
NAT can be done in pfSense directly already; I am not sure why you need to go through Hetzner for it. Even if you want to configure multiple 1:1 NATs, if you purchase multiple static IPs from your ISP, you can just configure them on pfSense. What are you trying to achieve in this case?
 

altoyda

Thread Starter
Joined
Oct 17, 2020
Messages
9
1:1 NAT

In order to be able to reach our internal clients now also from the Internet, we still have to configure the 1:1 NAT.
 

altoyda

Thread Starter
Joined
Oct 17, 2020
Messages
9
As soon as I set outbound, there is no outbound on the VM and I cannot SSH into or ping the VM from my home.
 
Joined
Nov 16, 2008
Messages
246
Yes, you can just configure the NAT on pfSense. I wouldn't use the Hetzner server. Since I haven't used it, I can't comment on its config as well. You can review the link below for NAT config in pfSense. Also, VPN is an option for remote computers to reach your internal hosts, depending on what you need to achieve.

https://docs.netgate.com/pfsense/en/latest/nat/1-1.html
 

altoyda

Thread Starter
Joined
Oct 17, 2020
Messages
9
Hetzner: here is the Hetzner setup. At the minute I'm doing it this way because at this time I have port forwarding on the WAN on one port, like 55155, to SSH into the LAN on 22. With the subnet they will have their own IP with 22 and have DHCP for the network. If it's done right, if I do a "what's my IP" it will show the subnet IP on the VM. VPN: I still have to go through the pfSense IP to get to the VPN, unless I'm doing something wrong. The link you gave, I tried it and it's still a no-go.
 
Joined
Nov 16, 2008
Messages
246
It will be easier if you can post your pfSense settings to explain more...

Did you mean you were able to SSH to your WAN IP:55155 and get into one of your VMs at port 22? But you also want to do the same for the other VMs at port 22 and are not sure how to do it for the other VMs?
 

altoyda

Thread Starter
Joined
Oct 17, 2020
Messages
9
I have 2 main IPs: one is for Proxmox and the other is for pfSense, 95.bbb.bb.218. I do port forwarding on 55155 redirected to 192.168.x.x port 22; this is how I get to the VM now. With the subnet, it will give it an IP without port forwarding; that's the idea with the subnet. At this time I'm reinstalling pfSense, but I do have the virtual IP put in.
 
Joined
Nov 16, 2008
Messages
246
KKLC, here is a better look at the idea I'm going for, but it has pfSense or OPNsense:
Proxmox on Debian at Hetzner with multiple IP addresses
I am unable to help since you still don't provide what you are trying to set up and what your infrastructure is like. Your diagram is also confusing. I assume that firewall is pfSense, but it is behind a server? The pfSense should be the frontline device facing the internet. And what's the device between the firewall and the Hetzner server? Again, if you can configure all the NAT, port forwarding and FW rules in pfSense, I don't know why you still need to use Hetzner.
 

altoyda

Thread Starter
Joined
Oct 17, 2020
Messages
9
https://plexguide.com/wiki/proxmox-pfsense-hetzner/
Hetzner server, Debian OS with Proxmox on top ----> VM 101 = pfSense, then I have two vmbrs: one with the MAC of the other IP, and the other vmbr set to LAN. And when I make a VM I set the net card to the LAN vmbr and give it an address of 192.168.1.x. Yes, you're right, but as this link said: "The configuration of a pfSense VM at Hetzner is not quite trivial, but it can be easily done. A little Trial & Error is included, but that's always the case with firewalls. As a little tip I would like to give you not to block the access to the Proxmox web interface too early, so that in case of doubt you still have access to the pfSense console when you configure yourself." That's why I'm asking for help, to keep from redoing the install and redoing the whole server 50x.
 

altoyda

Thread Starter
Joined
Oct 17, 2020
Messages
9
kk, I have it somewhat working with an OPT1 GRE tunnel.
Now I need to be able to kick these off at boot to start the process (OPT1 gre0),
but I do not know how.

# ip tunnel add tun0 mode gre remote 95.xxx.xx.218 local 95.xxx.xx.14 ttl 255
# ip link set tun0 up
# ip link set gre0 up
# ip addr add 10.10.10.2/30 dev tun0

I saw that I could do a modprobe ip_gre, but it did not work.
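As an added example (not from the thread or from any of the linked guides), the four commands above can be expressed as an ifupdown stanza so that the tunnel is recreated on every boot and torn down cleanly on `ifdown`. It uses the `tunnel` method documented in interfaces(5), which runs `ip tunnel add`, `ip link set up` and `ip addr add` for you. The addresses are the anonymised ones from the post and must be replaced with the real values; the `pre-up modprobe ip_gre` line is an assumption, added because interfaces(5) says the `ip_gre` module must be loaded for GRE tunnels and `gre0` (the module's fallback device) does not need to be brought up separately.

```text
# Added example: /etc/network/interfaces stanza that recreates the GRE tunnel
# from the post at boot (ifupdown "tunnel" method, see interfaces(5)).
# Addresses are the anonymised values from the post; replace them.
auto tun0
iface tun0 inet tunnel
    mode gre
    local 95.xxx.xx.14          # this host's (Proxmox) public IP, the tunnel's local endpoint
    endpoint 95.xxx.xx.218      # the pfSense WAN IP, the other endpoint
    address 10.10.10.2          # tunnel-side address from the post
    netmask 255.255.255.252     # the /30 from the post
    ttl 255
    pre-up modprobe ip_gre      # assumption: interfaces(5) notes ip_gre must be loaded for GRE
```

With this in place `ifup tun0` (or a reboot) creates the tunnel and `ifdown tun0` deletes it, so the interface is managed like any other instead of by commands typed after each boot. The pfSense side (the OPT1 GRE interface) still has to be configured with the mirrored local/remote addresses and its own tunnel address in the same /30.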
 
