Skip to content
Hetzner Server Instruction

Setup Network for Priv Container

Configuring Trunks

You will have to add a new trunk each time you want to connect a new VLAN to the Docker CT. For that its simmelar to the OPNSense setup.
Run the Commands in the proxmox-shell. You can edit the config with vim or nano.

nano /etc/pve/lxc/201.conf

We will need to edit the line starting with net0: and add all your VLANS as trunks trunks=202;203...
It should look like this after that

net0: name=vlan0,bridge=vmbr1,firewall=1,hwaddr=BC:24:11:1C:45:19,type=veth,trunks=202;203
  • Safe (STRG+o) and close (STRG+x) the file
  • Reboot the Node1-CT

Create VLAN in OPNsense

Connecting to OPNsense-WebUI

Open and Login to opnsense.yourdomain.com

Create Interface

  • Go to Interfaces > Other Types > VLAN
  • Add VLAN by clicking the plus-button
  • Enter the following values
  • Hit ‘safe’ and then ‘apply’

Interfacesetting

Device - vlan0.203 ( vlan0.<VLAN_ID> )
Parent - vtnet1
VLAN tag - 203
VLAN priority - Default
Description - 203_dcbotpriv ( <VLAN_ID>_<NAME_FOR_THE_VLAN> )

Adding the new interface

  • Go to Interfaces > Assignments
  • Select your new VLAN in “Assign a new interface” you just create
  • Provide a description (Use the same description as above - Example: 203_dcbotpriv)
  • Click the Add-button

Enable of the new interface

  • Go to Interfaces > [Your Interface] (example proxy: 203_dcbotpriv)
  • Enable the Interface
  • Select under Generic configuration the “IPv4 Configuration Type” from “none” to “Static IPv4”
  • Enter the IP address for the Proxmox Gateway under “Static IPv4 configuration” (example dcpriv: 10.2.3.1)
  • Choose your Subnet to 24
  • Hit Safe and Apply changes

Update RFC1918-Rules

  • Go to Firewall > Aliases
  • Edit the RFC1918-rule by clicking the pen
  • Add content __opt7_network (In future all those beginning with __, but the number can be different)
  • Hit Safe and Apply

Add Rule RFC1918 to Interface

We will use RFC1918 to configure firewall rules for internet access. If you want to give internet access to a vlan but still restrict access to all other internal IPs
you can do that with the help of a firewall rule that accepts all connections except if they target RFC1918.

  • Go to “Firewall > Rules”
  • Select the VLAN you want to grant internet access
  • Create a new rule if it doesnt already exist by hitting the plus.

We want to allow everything except if the destination is RFC1918.

  • Enable Destination / Invert.
  • Select RFC1918 as a destination
  • Select the Category (optional)
  • Safe and Apply Changes

Add Alias for proxy

  • Go to Firewall > Aliases
  • Hit the Plus-Symbol
  • Enter the name GDNPMA_203 (yourname for phpMyAdmin)
  • Choose type as host(s)
  • Selected content 10.2.3.5 (your phpMyAdmin-IP in the docker-file)
  • Hit Safe and Apply