
VM Network Setup

Creating a VM on the Private Network

With the cluster up and PfSense running, adding a VM that can reach the internet is straightforward. The two things to get right at the Proxmox level are the bridge and the MTU — everything else is standard VM setup.

Step 1 — Network Interface in the VM Wizard

In the Proxmox web UI, create a VM on any node. In the Network step:

Field:     Value
Bridge:    vmbr_priv
MTU:       1400
VLAN tag:  (leave empty)

The MTU here and the MTU on the bridge in Chapter 3 are two separate settings that both need to be 1400. The bridge MTU caps the frame size leaving the host. The VM NIC MTU tells the guest OS what to advertise to applications. If you leave the VM NIC at the default 1500 while the bridge is at 1400, small packets work fine but large transfers stall. It's the kind of issue that's annoying to diagnose because "the network works" until it suddenly doesn't.

Step 2 — IP Configuration Inside the VM

If PfSense DHCP is enabled, the VM picks up an address automatically with the right gateway. For static assignment:

IP:      10.100.100.x    (anything in .2 – .254 that's not taken)
Mask:    255.255.254.0   (/23)
Gateway: 10.100.100.1
DNS:     10.100.100.1    (or a public resolver)

Step 3 — Verify

ping -c 4 10.100.100.1   # PfSense LAN — bridge and vSwitch working
ping -c 4 8.8.8.8        # Internet — PfSense NAT working
curl -s ifconfig.me      # Returns PfSense's WAN IP

The 30-VM Limit — Keep Count

Hetzner doesn't tell you when you're near the 32 MAC address limit. You'll add a VM, the network interface will come up clean in Proxmox, and then it just won't pass traffic — no error, nothing obvious in logs. If you're not tracking VM count per node, that failure mode takes a while to connect back to MAC exhaustion.

With the two vSwitch bridges on each node, that leaves room for 30 VMs per node, or 90 across the full 3-node cluster. When any single node approaches 30, move the next VM to a node with headroom or add another node. If you genuinely need more than 30 on one machine, contact Hetzner support; they can raise the limit on a per-server basis.
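One way to keep the count, as an added example that is not part of the original article: a shell function that reads a node's VM config files, counts guest MAC addresses against the 30-VM budget, and flags NICs on vmbr_priv that are not at MTU 1400 as set in Step 1. It assumes the configs are in Proxmox's default /etc/pve/qemu-server directory; the name audit_node and the warn-at-25 threshold are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumptions: VM configs are in /etc/pve/qemu-server (Proxmox default on the
# local node); audit_node and the warn-at-25 threshold are illustrative choices.
# Usage: audit_node [conf_dir] [bridge] [mtu] [limit] [warn_at]
audit_node() (
  dir="${1:-/etc/pve/qemu-server}"; bridge="${2:-vmbr_priv}"
  want="${3:-1400}"; limit="${4:-30}"; warn="${5:-25}"
  set -- "$dir"/*.conf
  # No VM configs on this node: nothing to count
  [ -e "$1" ] || { echo "MACS 0/$limit OK"; exit 0; }
  awk -v bridge="$bridge" -v want="$want" -v limit="$limit" -v warn="$warn" '
    FNR == 1 {                       # new file: derive the VMID from its name
      live = 1; n = split(FILENAME, p, "/"); vmid = p[n]; sub(/\.conf$/, "", vmid)
    }
    /^\[/ { live = 0 }               # snapshot sections repeat netN lines; skip them
    live && /^net[0-9]+:/ {
      nic = $1; sub(/:$/, "", nic)
      br = ""; mtu = ""; mac = ""
      m = split($2, kv, ",")
      for (i = 1; i <= m; i++) {
        split(kv[i], f, "=")
        if (f[1] == "bridge") br = f[2]
        else if (f[1] == "mtu") mtu = f[2]
        # the NIC model key (virtio, e1000, ...) carries the MAC as its value
        else if (length(f[2]) == 17 && f[2] ~ /^[0-9A-Fa-f:]+$/) mac = toupper(f[2])
      }
      if (mac != "" && !(mac in seen)) { seen[mac] = 1; macs++ }
      # mtu=1 makes the NIC inherit the bridge MTU; no mtu key means 1500
      if (br == bridge && mtu != want && mtu != "1")
        printf "MTU %s %s mtu=%s\n", vmid, nic, (mtu == "" ? "unset" : mtu)
    }
    END {
      state = (macs >= limit) ? "FULL" : ((macs >= warn) ? "WARN" : "OK")
      printf "MACS %d/%d %s\n", macs, limit, state
    }' "$@"
)

audit_node "$@"
```

Each `MTU` line names a VMID and NIC to fix; the final `MACS` line reports OK, WARN or FULL for the node. Containers under /etc/pve/lxc use a different net line format and are not counted here.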

What About vmbr_pub?

VMs that need a direct public IP — not NATted through PfSense, but their own IP from the Hetzner subnet — would attach to vmbr_pub instead and get an IP from the additional subnet. That configuration, including routing and firewall setup, is covered in a future article.