chuegel · March 18, 2025 17:45 · Aug 12, 2012 · Aug 12, 2012 · Aug 12, 2012
diff --git a/msys_hetzner-etc_pve_qemu-server_100.conf b/msys_hetzner-etc_pve_qemu-server_100.conf
@@ -24,7 +24,7 @@
 # I also requested MAC addresses for the other IP's but it's sufficient to have only one of the MAC's
 # in your configuration.
 #
-# Now go and have your firewall instance listing to all your additional
+# Now go and have your firewall instance listening to all your additional
 # IPv4 addresses and setup destination NAT to your private IPv4 addressed
 # hosts connected to net2.
 

diff --git a/msys_hetzner-etc_network_interfaces b/msys_hetzner-etc_network_interfaces
@@ -7,7 +7,7 @@ iface lo inet loopback
 iface eth0 inet manual
 
 # IPv4 bridge
-# (connect ONLY your firewall/router KVM instance here, the the WAN device!)
+# (connect ONLY your firewall/router KVM instance here, this is the WAN device!)
 auto vmbr0
 iface vmbr0 inet static
         # Hetzner primary WAN IP
@@ -48,7 +48,7 @@ iface vmbr0 inet static
         up ip route add 10.0.0.0/8 via 176.9.xxx.xx1 dev vmbr0
 
 # IPv6 bridge
-# (connect ONLY your firewall/router KVM instance here, the the WAN device!)
+# (connect ONLY your firewall/router KVM instance here, this is the WAN device!)
 iface vmbr0 inet6 static
         address 2a01:4f8:151:XXX::3
         netmask 64

diff --git a/msys_hetzner-etc_network_interfaces b/msys_hetzner-etc_network_interfaces
@@ -0,0 +1,80 @@
+# /etc/network/interfaces
+#
+auto lo
+iface lo inet loopback
+
+# device: eth0
+iface eth0 inet manual
+
+# IPv4 bridge
+# (connect ONLY your firewall/router KVM instance here, the the WAN device!)
+auto vmbr0
+iface vmbr0 inet static
+        # Hetzner primary WAN IP
+        address   176.9.xxx.xxx
+
+        # Hetzner primary WAN IP broadcast address
+        broadcast 176.9.xxx.xyz
+
+        # This netmask needs to have all bits set
+        netmask   255.255.255.255
+
+        # Our gateway is reachable via Point-to-Point tunneling
+        # put the Hetzner gateway IP address here twice
+        pointopoint 176.9.xxx.yyy
+        gateway   176.9.xxx.yyy
+
+        # Virtual bridge settings
+        # this one is bridging physical eth0 interface
+        bridge_ports eth0
+        bridge_stp off
+        bridge_fd 0
+
+        # add a static route through the Hetzner gateway IP
+        # for the subnet our primary IP belongs to
+        up route add -net 176.9.xxx.zyx netmask 255.255.255.224 gw 176.9.xxx.yyy vmbr0
+
+        # Add routing for up to 4 dedicated IP's we get from Hetzner
+        # You need to 
+        up ip route add 176.9.xxx.xx1/32 dev vmbr0
+        up ip route add 176.9.xxx.xx2/32 dev vmbr0
+        up ip route add 176.9.xxx.xx3/32 dev vmbr0
+        up ip route add 176.9.xxx.xx4/32 dev vmbr0
+
+        # Assure local routing of private IPv4 IP's from our
+        # Proxmox host via our firewall's WAN port
+        up ip route add 192.168.0.0/16 via 176.9.xxx.xx1 dev vmbr0
+        up ip route add 172.16.0.0/12 via 176.9.xxx.xx1 dev vmbr0
+        up ip route add 10.0.0.0/8 via 176.9.xxx.xx1 dev vmbr0
+
+# IPv6 bridge
+# (connect ONLY your firewall/router KVM instance here, the the WAN device!)
+iface vmbr0 inet6 static
+        address 2a01:4f8:151:XXX::3
+        netmask 64
+        up ip -6 route add 2a01:4f8:151:XXX::1 dev vmbr0
+        up ip -6 route add default via 2a01:4f8:151:XXX::1
+
+# Virtual switch for DMZ
+# (connect your firewall/router KVM instance and private DMZ hosts here)
+auto vmbr1
+iface vmbr1 inet manual
+        bridge_ports none
+        bridge_stp off
+        bridge_fd 0
+
+# Virtual switch for Private LAN
+# (connect your firewall/router KVM instance and private hosts here)
+auto vmbr2
+iface vmbr2 inet manual
+        bridge_ports none
+        bridge_stp off
+        bridge_fd 0
+
+# Virtual switch for Test Data Center
+# (connect your firewall/router KVM instance and private hosts here)
+auto vmbr3
+iface vmbr3 inet manual
+        bridge_ports none
+        bridge_stp off
+        bridge_fd 0
diff --git a/msys_hetzner-etc_pve_qemu-server_100.conf b/msys_hetzner-etc_pve_qemu-server_100.conf
@@ -0,0 +1,49 @@
+# /etc/pve/qemu-server/100.conf
+#
+# This is an example KVM host configuration I use for my
+# Vyatta router instance.
+# It was created with the Proxmox web interface and should
+# just introduce you to the used network configuration
+# (see the 5 network interfaces and their bridge connections).
+# That means you won't need to hack the configuration file yourself,
+# just keep settings here in mind when creating your virtual host
+# in the Proxmox interface.
+#
+# net0 - WAN interface used for dedicated IPv4 connection handling
+# net1 - WAN interface used for dedicated IPv6 connection handling
+# net2 - DMZ interface for the majority of my virtual OpenVZ and KVM hosts
+# net3 - Private hosts only accessible via VPN
+# net4 - Private hosts only accessible via VPN
+#
+# Of course you could use less interfaces (net0+net1 could be combined
+# in a normal dual-stack configuration and net2/3/4 could be one
+# interface only if you don't want/need such a complex configuration).
+#
+# IMPORTANT: net0 uses the MAC address that was assigned by Hetzner to one
+# of my additional IPv4 addresses. This is essential to have a working connection.
+# I also requested MAC addresses for the other IP's but it's sufficient to have only one of the MAC's
+# in your configuration.
+#
+# Now go and have your firewall instance listing to all your additional
+# IPv4 addresses and setup destination NAT to your private IPv4 addressed
+# hosts connected to net2.
+
+
+boot: cd
+bootdisk: virtio0
+cores: 2
+cpu: host
+ide2: none,media=cdrom
+memory: 2048
+name: msys-firewall-instance
+# IMPORTANT: net0 has set the MAC address assigned by Hetzner
+net0: virtio=00:50:56:00:XX:YY,bridge=vmbr0
+net1: virtio=56:4A:05:76:D6:F8,bridge=vmbr0
+net2: virtio=76:EE:88:BA:17:DF,bridge=vmbr1
+net3: virtio=EE:10:82:D7:3C:14,bridge=vmbr2
+net4: virtio=DA:18:23:03:D0:C7,bridge=vmbr3
+onboot: 1
+ostype: l26
+sockets: 2
+startup: order=1
+virtio0: local:100/vm-100-disk-1.qcow2,cache=writeback
No results found