Hetzner’s services are great, but their networking topology and setup is … not ideal.
In this article you will learn how to properly setup your Proxmox server in order for the Proxmox VMs to be able to use IPs from a Public IP class that’s assigned to a vSwitch. Because Hetzner’s vSwitches have a 1 TB monthly traffic limit we will also create a secondary vSwitch for internal use/traffic.
Prerequisites and examples:
- Your Proxmox server (named here as “Host”) has a Public IP, initially assigned by Hetzner. In this example we’ll use
1.1.1.1and name it “Host IP”; - You’ve created a vSwitch with VLAN ID
4000. This vSwitch will be used by VMs for Public/internet traffic. VMs will be able to use this vSwitch in order to access the Internet. We’ll name it “Public vSwitch”; - You’ve purchased an extra IP Class for the “Public vSwitch”. In this example we will use
2.2.2.1/27and name it “Public IPs”; - You’ve created a vSwitch with VLAN ID
4001. This vSwitch will be used for LAN traffic exclusively. VMs will be able to use this vSwitch in order to connect to each other but will not be able to access the internet via this vSwitch. We’ll name this “Private vSwitch”; - Your Proxmox Host’s NIC is named
eth0. - We’re having a VM that has two NICs.
eno1is used for Public access (internet) andeno2is used for Private access (LAN).
Before continuing please make sure that you have your Host IP noted down, your vSwitches are created and that the “Public IPs” class is assigned to the “Public vSwitch” (4000).
Setting up the Proxmox Host
First we’re going to add the Host IP address (1.1.1.1) to the Proxmox Host. Remember that this is the IP provided by Hetzner upon deployment. This is not the IP that’s assigned to the Public vSwitch.
We’re going to assign the Host IP address to a bridge (vmbr0), not directly to the NIC (eth0), as this is recommended by Proxmox. Please note that the mtu is not optional and imposed by Hetzner.
auto lo
iface lo inet loopback
iface eth0 inet manual
auto vmbr0
iface vmbr0 inet static
address 1.1.1.1
netmask 255.255.255.0
gateway 1.1.1.0
bridge_ports eth0
bridge_stp off
bridge_fd 0
# Proxmox HostNext we’re going to create the “Public IP” interface (eth0.4000) and link it to a bridge (vmbr4000). This bridge will be used by VMs in order to access the Internet. VM IPs will be assigned from the “Public IPs” class via “Public vSwitch” (4000).
iface eth0.4000 inet manual
auto vmbr4000
iface vmbr4000 inet manual
bridge_ports eth0.4000
bridge_stp off
bridge_fd 0
mtu 1400
#Public vSwitchLastly we’re going to create the Private IP interface (eth0.4001) and link it to a bridge (vmbr4001). This bridge will be used by VMs in order to connect to each other exclusively, via “Private vSwitch” (4001). VM IPs will be assigned manually from a LAN IP class.
iface eth0.4001 inet manual
auto vmbr4001
iface vmbr4001 inet manual
bridge_ports eth0.4001
bridge_stp off
bridge_fd 0
mtu 1400
#Private vSwitchSetting up the VM
When creating the VM you should add two NICs. Set NIC1 (eno1) to use the Host’s vmbr4000 bridge and NIC2 (eno2) to use the Host’s vmbr4001 bridge. As a result VM NIC1 will be connected to the “Public vSwitch” and VM NIC2 will be connected to the “Private vSwitch”.
Now we’re going to add a Public IP (2.2.2.2) to NIC1/eno1 and a Private IP (192.168.1.10) to NIC2/eno2. Please note that the mtu is not optional and imposed by Hetzner.
Example – CentOS / RHEL
Public IP settings:
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eno1
DEVICE=eno1
ONBOOT=yes
IPADDR=2.2.2.2
PREFIX=27
GATEWAY=2.2.2.1
DNS1=213.133.98.98
DNS2=213.133.99.99
DNS3=213.133.100.100
MTU=1400Private IP settings:
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eno2
DEVICE=eno2
ONBOOT=yes
IPADDR=192.168.1.10
PREFIX=24
MTU=1400Example – Ubuntu / Debian
Public IP settings:
auto eno1
iface eno1 inet static
address 2.2.2.2
netmask 255.255.255.224
gateway 2.2.2.1
mtu 1400
# Public NICPrivate IP settings:
auto eno2
iface eno2 inet static
address 192.168.1.10
netmask 255.255.255.0
mtu 1400
# Private NICThat’s it! Congratulations, you’ve successfully configured both your Proxmox Node and your Proxmox VMs!
Was this tutorial useful? Buy me a drink by using the “Donate” button below. :)
It is quite odd how you publish this post as I am searching the internet looking for even a small hint how to set it up 🙂
it works perfectly, you are a lifesaver!
Thank you! 🙂
Nice tutorial.. Was usefull.
I apreciate it!
There are two factual errors.
1. Gateway defined in vmbr0 can not be 1.1.1.0
2. Centos and Ubuntu you are giving same ip address.
Hey Ravi, thank you for your comment!
This tutorial implies that you have the necessary knowledge and understanding in order to replace the necessary items. The IP addresses that I specified here are just used as an example.
If you feel that it can be improved I would really apreciate if you could provide some better copy/paste examples and I will be thrilled to replace.
Thank you!
Very glad I found your simple guide, sadly in my case something goes wrong and didn’t work…
Hi, Razva, and thanks for your tutorial.
I am trying to set up a very similar scenario, but with one big difference: both my servers only have one network card, eno1 (each with its own public IP address at the moment).
My guests will all have an IP address in the private network and some of them will also have a public IP address (e.g. web server). I have already created two vSwitches (4001 for the public IP addresses and 4002 for the private network) and I have already created two bridges in my hosts’ network configuration (vmbr0 for the public IP address of the host, with its gateway, and vmbr1 with a private IP address and no gateway).
Should I set up eno1 three times?
iface eno1 inet manual
iface eno1.4001 inet manual (used in the bridge-ports option of the vmbr0)
iface eno1.4002 inet manual (used in the bridge-ports option of the vmbr1)
Just thought that maybe my problem is that I need to use the vlan-raw-device option. Or, even more, I may need to use the proper syntax on bring the devices up:
iface eno1.4001:0 inet manual
iface eno1.4002:1 inet manual