Skip to main content

Hetzner Robot — vSwitch Setup

All Robot, No SSH

Everything in this chapter happens in the Hetzner Robot web UI. You're not touching the servers yet — just provisioning the two vSwitches and wiring up the subnet.

vSwitches themselves are free. The cost is the additional public subnet you'll order in Step 3. Check current Hetzner pricing before confirming that order.

Step 1 — Create the Private vSwitch

  1. Log in to Hetzner Robot and go to vSwitch in the left sidebar.
  2. Click Order vSwitch.
  3. Name it something like priv-cluster.
  4. A VLAN ID gets auto-assigned (typically somewhere in the 4000s). You can set a custom one if you have a preference. Write this VLAN ID down — you'll need it in Chapter 3 when configuring the bridges.
  5. Don't attach any subnet to this one. It's a private layer-2 only — the nodes will assign their own IPs.
  6. Confirm.

Step 2 — Create the Public vSwitch

  1. Order another vSwitch, name it something like pub-vms.
  2. Write down its VLAN ID too. You need both VLAN IDs in the next chapter.
  3. Confirm — don't attach anything yet, that's Step 3.

Step 3 — Order an Additional Subnet and Route It to the Public vSwitch

This is the step that trips people up the first time. The instinct is to order an IP and assign it to a server. Don't do that here. The subnet gets routed to the vSwitch — not to any server, not to a VM. Once it's routed to the vSwitch, every server that's a member of that vSwitch can bridge to those IPs through a VM. In our case that VM is PfSense, which will claim one of those IPs as its WAN address.

  1. In Robot, go to IP addressesOrder additional IP addresses.
  2. Select Additional subnet. A /29 gives you 6 usable IPs — enough for PfSense and a handful of future public services. Go bigger if you know you'll need more.
  3. When asked where to route it: select vSwitch and pick pub-vms.
  4. Confirm. The subnet shows up in the vSwitch detail page once Hetzner provisions it — usually a few minutes.

Once it's provisioned, Hetzner's network routes that subnet to the vSwitch at their edge. Nothing on any server needs to hold that route. PfSense picks up an IP from it in Chapter 5.

Step 4 — Add All Three Servers to Both vSwitches

  1. Open priv-cluster, go to Servers, add all three nodes.
  2. Do the same for pub-vms.

Before Moving On

Confirm in Robot:

  • Private vSwitch: 3 servers listed, no subnet, VLAN ID noted
  • Public vSwitch: 3 servers listed, your subnet visible, VLAN ID noted

You can't verify anything server-side until the bridges are up in the next chapter.

No comments to display

Back to top