@jpawlowski
Created August 12, 2012 12:06
Debian network configuration for Proxmox VE server running on a Hetzner host
# /etc/network/interfaces
#
auto lo
iface lo inet loopback

# device: eth0
iface eth0 inet manual

# IPv4 bridge
# (connect ONLY your firewall/router KVM instance here, this is the WAN device!)
auto vmbr0
iface vmbr0 inet static
        # Hetzner primary WAN IP
        address 176.9.xxx.xxx
        # Hetzner primary WAN IP broadcast address
        broadcast 176.9.xxx.xyz
        # This netmask needs to have all bits set (/32)
        netmask 255.255.255.255
        # Our gateway is reached over a point-to-point link;
        # put the Hetzner gateway IP address here twice
        pointopoint 176.9.xxx.yyy
        gateway 176.9.xxx.yyy
        # Virtual bridge settings
        # this one bridges the physical eth0 interface
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        # add a static route through the Hetzner gateway IP
        # for the subnet our primary IP belongs to
        up route add -net 176.9.xxx.zyx netmask 255.255.255.224 gw 176.9.xxx.yyy vmbr0
        # Add routing for up to 4 dedicated IPs we get from Hetzner
        # You need to
        up ip route add 176.9.xxx.xx1/32 dev vmbr0
        up ip route add 176.9.xxx.xx2/32 dev vmbr0
        up ip route add 176.9.xxx.xx3/32 dev vmbr0
        up ip route add 176.9.xxx.xx4/32 dev vmbr0
        # Ensure local routing of private IPv4 addresses from our
        # Proxmox host via our firewall's WAN port
        up ip route add 192.168.0.0/16 via 176.9.xxx.xx1 dev vmbr0
        up ip route add 172.16.0.0/12 via 176.9.xxx.xx1 dev vmbr0
        up ip route add 10.0.0.0/8 via 176.9.xxx.xx1 dev vmbr0

# IPv6 bridge
# (connect ONLY your firewall/router KVM instance here, this is the WAN device!)
iface vmbr0 inet6 static
        address 2a01:4f8:151:XXX::3
        netmask 64
        up ip -6 route add 2a01:4f8:151:XXX::1 dev vmbr0
        up ip -6 route add default via 2a01:4f8:151:XXX::1

# Virtual switch for DMZ
# (connect your firewall/router KVM instance and private DMZ hosts here)
auto vmbr1
iface vmbr1 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0

# Virtual switch for Private LAN
# (connect your firewall/router KVM instance and private hosts here)
auto vmbr2
iface vmbr2 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0

# Virtual switch for Test Data Center
# (connect your firewall/router KVM instance and private hosts here)
auto vmbr3
iface vmbr3 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0
# /etc/pve/qemu-server/100.conf
#
# This is an example KVM host configuration I use for my
# Vyatta router instance.
# It was created with the Proxmox web interface and is only meant
# to introduce you to the network configuration used
# (see the 5 network interfaces and their bridge connections).
# That means you won't need to hack the configuration file yourself;
# just keep the settings here in mind when creating your virtual host
# in the Proxmox interface.
#
# net0 - WAN interface used for dedicated IPv4 connection handling
# net1 - WAN interface used for dedicated IPv6 connection handling
# net2 - DMZ interface for the majority of my virtual OpenVZ and KVM hosts
# net3 - Private hosts only accessible via VPN
# net4 - Private hosts only accessible via VPN
#
# Of course you could use fewer interfaces (net0+net1 could be combined
# in a normal dual-stack configuration, and net2/3/4 could be a single
# interface if you don't want/need such a complex configuration).
#
# IMPORTANT: net0 uses the MAC address that Hetzner assigned to one
# of my additional IPv4 addresses. This is essential for a working connection.
# I also requested MAC addresses for the other IPs, but it's sufficient to have
# only one of the MACs in your configuration.
#
# Now go and have your firewall instance listen on all your additional
# IPv4 addresses and set up destination NAT to your privately addressed IPv4
# hosts connected to net2.
boot: cd
bootdisk: virtio0
cores: 2
cpu: host
ide2: none,media=cdrom
memory: 2048
name: msys-firewall-instance
# IMPORTANT: net0 uses the MAC address assigned by Hetzner
net0: virtio=00:50:56:00:XX:YY,bridge=vmbr0
net1: virtio=56:4A:05:76:D6:F8,bridge=vmbr0
net2: virtio=76:EE:88:BA:17:DF,bridge=vmbr1
net3: virtio=EE:10:82:D7:3C:14,bridge=vmbr2
net4: virtio=DA:18:23:03:D0:C7,bridge=vmbr3
onboot: 1
ostype: l26
sockets: 2
startup: order=1
virtio0: local:100/vm-100-disk-1.qcow2,cache=writeback
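A small lint for the WAN-bridge layout above, added here as an example and not part of the gist. It parses an /etc/network/interfaces file and checks the invariants the gist's comments spell out: /32 netmask and pointopoint equal to the gateway on the WAN bridge, a /32 on-link route per additional IP, the RFC 1918 ranges routed via one of those additional IPs (the firewall's WAN address), and no physical port or STP on the internal bridges. The embedded sample file is constructed: TEST-NET-3 addresses (203.0.113.0/24) stand in for the masked 176.9.xxx.* values, 203.0.113.65 plays the firewall's WAN IP, and the bridge names vmbr0/vmbr1 are taken from the gist.

```python
"""Lint an /etc/network/interfaces file for the Hetzner single-IP WAN-bridge
layout of the gist (added example, not the gist's own code)."""
import ipaddress

# Constructed sample: TEST-NET-3 stands in for the gist's masked 176.9.xxx.*
# addresses; 203.0.113.65 is the additional IP used as the firewall's WAN IP.
SAMPLE_INTERFACES = """
auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 203.0.113.10
    netmask 255.255.255.255
    pointopoint 203.0.113.1
    gateway 203.0.113.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
    up ip route add 203.0.113.65/32 dev vmbr0
    up ip route add 203.0.113.66/32 dev vmbr0
    up ip route add 192.168.0.0/16 via 203.0.113.65 dev vmbr0
    up ip route add 10.0.0.0/8 via 203.0.113.65 dev vmbr0

auto vmbr1
iface vmbr1 inet manual
    bridge_ports none
    bridge_stp off
    bridge_fd 0
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_interfaces(text):
    """Return {iface: {option: [value, ...]}} for every 'iface X inet Y' stanza;
    repeated options such as several 'up' lines are kept in file order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        words = line.split()
        if words[0] == "iface":
            current = None
            if len(words) >= 4 and words[2] == "inet":  # inet6 stanzas are out of scope
                current = stanzas.setdefault(words[1], {"method": [words[3]]})
        elif words[0] in ("auto", "allow-hotplug", "mapping", "source", "source-directory"):
            current = None
        elif current is not None:
            current.setdefault(words[0], []).append(" ".join(words[1:]))
    return stanzas


def parse_up_routes(options):
    """(network, via, dev) for every 'up ip route add ...' line of a stanza."""
    routes = []
    for cmd in options.get("up", []):
        w = cmd.split()
        if w[:3] != ["ip", "route", "add"]:
            continue
        via = w[w.index("via") + 1] if "via" in w else None
        dev = w[w.index("dev") + 1] if "dev" in w else None
        routes.append((ipaddress.ip_network(w[3], strict=False), via, dev))
    return routes


def lint(text, wan="vmbr0"):
    """Return a list of findings; an empty list means the file follows the layout."""
    stanzas = parse_interfaces(text)
    if wan not in stanzas:
        return [f"{wan}: no inet stanza found"]
    opts, findings = stanzas[wan], []

    def first(key):
        return opts.get(key, [None])[0]

    if first("netmask") != "255.255.255.255":
        findings.append(f"{wan}: netmask must be 255.255.255.255 (/32) for a Hetzner single IP")
    if first("pointopoint") is None or first("pointopoint") != first("gateway"):
        findings.append(f"{wan}: pointopoint must be set and equal to gateway")
    if first("bridge_stp") != "off":
        findings.append(f"{wan}: bridge_stp should be off")

    routes = parse_up_routes(opts)
    # the additional IPs are the /32 on-link routes; the firewall's WAN IP is one of them
    additional = {str(n.network_address) for n, via, dev in routes
                  if via is None and dev == wan and n.prefixlen == 32}
    for net, via, dev in routes:
        if via is None and net.prefixlen != 32:
            findings.append(f"{wan}: on-link route {net} is not a /32")
        if via is not None and any(net.subnet_of(p) for p in RFC1918) and via not in additional:
            findings.append(f"{wan}: private range {net} routed via {via}, not an additional IP")

    for name, o in stanzas.items():  # internal bridges: no physical port, no STP
        if name == wan or not name.startswith("vmbr"):
            continue
        if o.get("bridge_ports", ["none"])[0] != "none":
            findings.append(f"{name}: internal bridge must not include a physical port")
        if o.get("bridge_stp", [None])[0] != "off":
            findings.append(f"{name}: bridge_stp should be off")
    return findings


if __name__ == "__main__":
    print(lint(SAMPLE_INTERFACES) or "layout OK")
```

Run it against a real file with `lint(open("/etc/network/interfaces").read())`; the checks only cover the IPv4 stanzas and the `ip route add` form of the `up` lines, so the legacy `route add -net ...` line in the gist is deliberately ignored.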
phob commented Apr 12, 2015

Two years later this is still the only source for the setup with Proxmox and a firewall/router as a VM.
But now with a firewall built into Proxmox 3.4 and new ways to configure the network in Proxmox:
Is this still the best solution? Is this the solution you still use?

mvaschetto commented Jan 25, 2018

Thanks for sharing this!

This configuration is still working. I have used a slightly different configuration, but I started from this!

What I do with the Hetzner root server is use the single IPv4 address for management on the physical server and restrict it to be accessed from certain IPs, and give the complete IPv6 /64 subnet to the pfSense; below is the configuration I have used for my purpose:

auto lo
iface lo inet loopback
iface lo inet6 loopback


auto eth0
iface eth0 inet static
        address 195.xxx.yyy.zzz
        # netmask has to be .255 (/32) unless you want the server to talk to neighbours
        netmask 255.255.255.255
        # this is the gateway you find right after the image is restored
        gateway 195.xxx.yyy.zzz
        # insert the gateway here! (yes, twice)
        pointopoint 195.xxx.yyy.zzz

iface eth0 inet6 static
        address aaaa:bbbb:cccc:dddd::2
        # change this to /128 (same reason as before, and this way we can assign the entire /64 IPv6 prefix to the bridge)
        netmask 128
        gateway fe80::1

auto vmbr0
iface vmbr0 inet manual
        # WAN Interface
#      address 195.xxx.yyy.zzz # same address as the physical interface
#      netmask 255.255.255.255 # same reason as before
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        # Route an optional IPv4 subnet (NOTE: at Hetzner a routed IPv4 /29 subnet is completely usable)
#        up route add -host 195.xxx.yyy.zz0 dev vmbr0
#        up route add -host 195.xxx.yyy.zz1 dev vmbr0
#        up route add -host 195.xxx.yyy.zz2 dev vmbr0
#        up route add -host 195.xxx.yyy.zz3 dev vmbr0
#        up route add -host 195.xxx.yyy.zz4 dev vmbr0
#        up route add -host 195.xxx.yyy.zz5 dev vmbr0
#        up route add -host 195.xxx.yyy.zz6 dev vmbr0
#        up route add -host 195.xxx.yyy.zz7 dev vmbr0

        # Tells the host where replies for the subnet behind pfSense should be routed
        # (the via address has to be the pfSense IPv4 WAN IP)
        #up ip route add 172.xxx.yyy.zzz/24 via 195.xxx.yyy.zz0 dev vmbr0

iface vmbr0 inet6 static
        address aaa:bbb:ccc:ddd::2
        netmask 126
        # Metric 1 because the kernel sets up an IPv6 route sending the /64 subnet over (::) with no next hop
        # (the via address has to be the pfSense IPv6 WAN IP)
        up ip -6 route add aaa:bbb:ccc:ddd::/64 via aaa:bbb:ccc:ddd::3 dev vmbr0 metric 1

auto vmbr1
iface vmbr1 inet manual
        # LAN INTERFACE
        bridge_ports none
        bridge_stp off
        bridge_fd 0

In the routed configuration you do not need any additional subnet and/or second MAC address, if you want to have "just!" the /64 subnet 💃
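The routed IPv6 layout in the comment above works because of longest-prefix matching: the host keeps a small /126 on vmbr0 so that the pfSense WAN address (::3) is directly connected, while everything else in the Hetzner /64 is sent via ::3, and the rest of the Internet goes out via fe80::1 on eth0. The following is an added example that is not the commenter's code; it builds that route table with Python's `ipaddress` module, resolves destinations the way the kernel FIB does, and checks the precondition that every `via` next hop is itself on-link. The addresses are constructed from the RFC 3849 documentation prefix (2001:db8::/32) in place of the masked aaa:bbb:ccc:ddd:: values; the interface names vmbr0/eth0 and the fe80::1 gateway are taken from the comment.

```python
"""Route resolution for the routed-/64 IPv6 layout of the comment above
(added example, not the commenter's configuration)."""
import ipaddress

# Constructed values (RFC 3849 documentation prefix) standing in for the
# commenter's masked aaa:bbb:ccc:ddd:: addresses.
HOST_LINK = "2001:db8:1:2::2/126"    # vmbr0 inet6 address/netmask
PFSENSE_WAN = "2001:db8:1:2::3"      # firewall's WAN IPv6, the 'via' of the /64 route
ROUTED_64 = "2001:db8:1:2::/64"      # whole Hetzner /64 handed to pfSense
UPLINK_GW = "fe80::1"                # Hetzner's IPv6 gateway on eth0


def build_table(host_link=HOST_LINK, pfsense=PFSENSE_WAN, routed=ROUTED_64):
    """Routes the host ends up with: the connected prefix on vmbr0, the /64 via
    pfSense with metric 1, and the default route via the link-local gateway on eth0.
    Each entry is (prefix, via, dev); via is None for directly connected prefixes."""
    link = ipaddress.ip_interface(host_link)
    return [
        (link.network, None, "vmbr0"),
        (ipaddress.ip_network(routed), ipaddress.ip_address(pfsense), "vmbr0"),
        (ipaddress.ip_network("::/0"), ipaddress.ip_address(UPLINK_GW), "eth0"),
    ]


def lookup(table, dst):
    """Longest-prefix match, as the kernel FIB does; returns (prefix, via, dev)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def check_design(table):
    """Every non-link-local 'via' must resolve to a connected route on the same
    device, otherwise the kernel rejects or never uses the route. This is why the
    host keeps a /126 on vmbr0 instead of a /128: ::3 must be on-link."""
    findings = []
    for prefix, via, dev in table:
        if via is None or via.is_link_local:  # connected routes and fe80:: hops are fine
            continue
        resolved = lookup(table, via)
        if resolved[1] is not None or resolved[2] != dev:
            findings.append(f"{prefix} via {via}: next hop is not directly connected on {dev}")
    return findings


if __name__ == "__main__":
    table = build_table()
    for dst in ("2001:db8:1:2::3", "2001:db8:1:2:abcd::1", "2001:db8:ffff::1"):
        prefix, via, dev = lookup(table, dst)
        print(f"{dst:24} -> {prefix} via {via} dev {dev}")
    print(check_design(table) or "design OK")
```

The second destination is a host somewhere inside the /64 that lives behind pfSense: it matches both the /64 and the default route, and the /64 wins, so the packet is handed to ::3, which in turn resolves to the connected /126. Shrinking the bridge address to /128 makes `check_design` report the /64 route as unreachable, because ::3 would then only match the /64 route that needs it as a next hop.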

ghost commented May 23, 2018

Thank you so much ... it helped me understand a lot with those two files! 🎁
