Method 2 — Extra Subnet Routed to Host
Overview
This is the setup I run in my own lab and the one documented throughout this book with the example subnet. A /29 gives you 6 usable IPs: one goes to the subnet gateway on the host bridge and one to the PfSense WAN, which leaves 4 for VMs that need a public address of their own (in this lab, the jumpbox plus up to 3 service VMs). If you think you'll want more than that down the road, order a /28 from the start: moving to a larger subnet later means a brief network interruption and a config change on the host bridge, on the PfSense WAN, and on every VM holding a subnet IP.
Instead of a single IP bound to a MAC, Hetzner routes an entire subnet (e.g. a /29: 8 IPs, 6 usable) to your host's main public IP. Hetzner's router hands the host every packet addressed to the subnet; with the subnet's first usable IP on public-bridge and IPv4 forwarding enabled, the host relays each packet to whichever VM holds the destination address on the bridge. PfSense WAN takes one of those IPs; the remaining IPs can be assigned to other VMs directly or port-forwarded through PfSense.
In this lab the 198.51.100.48/29 subnet is routed to the host: .49 sits on the bridge as the subnet gateway, PfSense WAN is .50, and the jumpbox is .54.
Follow Method 1 in full, then apply only the changes documented in this chapter.
What Changes vs Method 1
Hetzner Robot
- Go to Servers → your server → IPs → Order additional IP
- Select Subnet instead of Single IPv4 and choose /29 (6 usable IPs) or larger
- No MAC reservation needed: the subnet is routed to the host's main IP, not to a specific MAC
- Note the subnet, usable range, and gateway Hetzner assigns
Proxmox — Bridge Configuration
Full /etc/network/interfaces
Complete file for reference — the only addition vs the baseline is the up ip addr add line on public-bridge:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto enp195s0
iface enp195s0 inet manual

auto public-bridge
iface public-bridge inet static
    address YOUR_HOST_IP/26
    gateway YOUR_GATEWAY
    bridge-ports enp195s0
    bridge-stp off
    bridge-fd 0
    up ip addr add 198.51.100.49/29 dev public-bridge

auto private-bridge
iface private-bridge inet static
    address 10.100.100.254/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
Replace 198.51.100.49/29 with the first usable IP of your actual subnet (the network address + 1) and its prefix length as shown in Hetzner Robot.
Adding that address to public-bridge does two things: it installs a connected route for the whole subnet on the bridge, and it makes the host answer ARP for the gateway address that PfSense and the public VMs will point at. The host must also have IPv4 forwarding enabled, or it will not relay packets between the uplink and the subnet IPs on the bridge. Edit /etc/network/interfaces and add an up ip addr add line under the bridge:
auto public-bridge
iface public-bridge inet static
    address YOUR_HOST_IP/26
    gateway YOUR_GATEWAY
    bridge-ports enp195s0
    bridge-stp off
    bridge-fd 0
    up ip addr add SUBNET_GATEWAY_IP/SUBNET_PREFIX dev public-bridge
Example (matching this lab):
up ip addr add 198.51.100.49/29 dev public-bridge
Apply without reboot:
ifreload -a
ip addr show public-bridge
sysctl net.ipv4.ip_forward
The bridge should now show both the host IP and the subnet gateway IP, and net.ipv4.ip_forward should print 1. If it prints 0, set net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/ and apply it with sysctl --system; without forwarding, traffic for the subnet stops at the host and no VM on the subnet reaches the internet.
PfSense VM — No MAC Required
When creating the PfSense VM (Method 1 Step 3), omit the macaddr parameter — Proxmox assigns a random MAC and it works fine because the subnet is routed at the IP layer, not tied to a MAC:
qm create 104 --name PfSense \
--memory 2048 --cores 2 --cpu host \
--bios ovmf --machine q35 \
--net0 virtio,bridge=public-bridge \
--net1 virtio,bridge=private-bridge \
...
PfSense WAN — Subnet IP, Not /32
In Method 1 Step 6, the WAN config changes as follows:
| Setting | Method 1 (single IP) | Method 2 (subnet) |
|---|---|---|
| WAN IPv4 address | The reserved extra IP | Any usable IP from the subnet (e.g. 198.51.100.50) |
| Subnet bit count | 32 | The subnet prefix (e.g. 29 for a /29) |
| Upstream gateway | Host default gateway | The subnet gateway IP you added to the bridge (e.g. 198.51.100.49) |
The gateway is now within the subnet, so PfSense accepts it without any warning.
Additional IPs in the Subnet
With a /29 you have 6 usable IPs. Distribute them as:
| IP | Assignment |
|---|---|
| Subnet +0 (e.g. .48) | Network address, reserved |
| Subnet +1 (e.g. .49) | Bridge gateway, assigned to public-bridge on the host |
| Subnet +2 (e.g. .50) | PfSense WAN |
| Subnet +3 to +6 (e.g. .51 to .54) | Available: assign to other VMs on public-bridge or port-forward through PfSense |
| Subnet +7 (e.g. .55) | Broadcast, reserved |
Everything else in Method 1 (PfSense install, LAN config, firewall rules, verification) applies unchanged.
VM Network Configuration
With a routed subnet, VMs have two options: sit on the private bridge behind PfSense NAT, or take a public IP from the subnet directly on the public bridge. Both can coexist.
Private VMs (private-bridge, behind PfSense NAT)
| Setting | Value |
|---|---|
| IP address | 10.100.100.X/24 — any unused address in the range |
| Subnet mask | 255.255.255.0 (/24) |
| Gateway | 10.100.100.1 (PfSense LAN) |
| DNS | 10.100.100.1 (PfSense) or 1.1.1.1 / 8.8.8.8 |
Cloud-init:
ipconfig0: ip=10.100.100.X/24,gw=10.100.100.1
Public VMs (public-bridge, direct subnet IP)
VMs placed on public-bridge can use the remaining IPs from the routed subnet. The gateway is the subnet gateway IP assigned to the bridge on the Proxmox host (the up ip addr add address).
| Setting | Value |
|---|---|
| IP address | Any usable subnet IP not already taken (e.g. 198.51.100.51, .52, .53) |
| Subnet mask | Match the subnet prefix — e.g. 255.255.255.248 for /29 |
| Gateway | The subnet gateway IP on the Proxmox bridge (e.g. 198.51.100.49) |
| DNS | 1.1.1.1 / 8.8.8.8 |
Cloud-init (VM on public-bridge, example with a /29):
ipconfig0: ip=198.51.100.51/29,gw=198.51.100.49
Or via CLI:
qm set VMID --ipconfig0 ip=198.51.100.51/29,gw=198.51.100.49
Public VMs on public-bridge are directly internet-facing with nothing between them and the uplink: PfSense never sees their traffic. Ensure each such VM runs its own host firewall (e.g. UFW or nftables) or enable the Proxmox firewall on that VM's network device, or place the VM behind PfSense on the private bridge instead.
Subnet IP Allocation Reference (/29 example)
| IP | Assignment |
|---|---|
| 198.51.100.48 | Network address — reserved |
| 198.51.100.49 | Proxmox host bridge gateway |
| 198.51.100.50 | PfSense WAN |
| 198.51.100.51 – .53 | Available for public VMs |
| 198.51.100.54 | Last usable: the jumpbox in this lab, otherwise available for public VMs |
| 198.51.100.55 | Broadcast — reserved |
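The addresses in the table above, the up ip addr add line for public-bridge, the PfSense WAN values, and the cloud-init line for each public VM all derive from one CIDR string. The script below, an added example that is not part of this book, Hetzner's tooling, or Proxmox, computes them so nothing is copied by hand and off-by-one mistakes (handing a VM the gateway or the broadcast address) are refused. The function names, the /28 used in the checks (203.0.113.0/28) and the VM IDs are this example's own assumptions; the layout it encodes (+1 gateway on the bridge, +2 PfSense WAN, +3 up to the last usable address for public VMs) is the one this chapter uses.

```shell
#!/bin/sh
# Added example for this chapter (not the book's, Hetzner's or Proxmox's own tooling):
# derive every address the chapter assigns from the subnet's CIDR string, so the bridge
# gateway, PfSense WAN and per-VM cloud-init values are computed rather than copied by hand.
# All function names are this example's own. POSIX sh: runs under dash and bash.

# ip4_to_int 198.51.100.48 -> the address as a single integer
ip4_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 INT -> dotted quad
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_parse CIDR -> "NETWORK_INT SIZE PREFIX"; host bits in CIDR are masked off.
# Refuses anything smaller than a /29: with +1 = gateway and +2 = PfSense WAN, a /30
# would put the WAN address on the broadcast address.
subnet_parse() {
    addr=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) echo "subnet_parse: bad prefix length in '$1'" >&2; return 1 ;;
    esac
    if [ "$prefix" -gt 29 ]; then
        echo "subnet_parse: /$prefix has fewer than 6 usable addresses; order a /29 or larger" >&2
        return 1
    fi
    size=$(( 1 << (32 - prefix) ))
    base=$(ip4_to_int "$addr")
    echo "$(( base - (base % size) )) $size $prefix"
}

# subnet_field CIDR FIELD, FIELD one of:
#   network gateway wan first_free last_usable broadcast prefix
# Layout matches the allocation table: +1 gateway on public-bridge, +2 PfSense WAN,
# +3 .. last usable for public VMs, last address broadcast.
subnet_field() {
    parsed=$(subnet_parse "$1") || return 1
    field=$2
    set -- $parsed
    net=$1; size=$2; prefix=$3
    case $field in
        prefix)      echo "$prefix" ;;
        network)     int_to_ip4 "$net" ;;
        gateway)     int_to_ip4 $(( net + 1 )) ;;
        wan)         int_to_ip4 $(( net + 2 )) ;;
        first_free)  int_to_ip4 $(( net + 3 )) ;;
        last_usable) int_to_ip4 $(( net + size - 2 )) ;;
        broadcast)   int_to_ip4 $(( net + size - 1 )) ;;
        *) echo "subnet_field: unknown field '$field'" >&2; return 1 ;;
    esac
}

# public_vm_ipconfig CIDR VMID N -> the qm set line for the N-th public VM (N=1 is network+3).
# Fails instead of handing out the gateway, WAN or broadcast address.
public_vm_ipconfig() {
    parsed=$(subnet_parse "$1") || return 1
    vmid=$2; n=$3
    set -- $parsed
    net=$1; size=$2; prefix=$3
    host=$(( net + 2 + n ))
    if [ "$n" -lt 1 ] || [ "$host" -gt $(( net + size - 2 )) ]; then
        echo "public_vm_ipconfig: no free address #$n in $1 (only $(( size - 4 )) free)" >&2
        return 1
    fi
    echo "qm set $vmid --ipconfig0 ip=$(int_to_ip4 "$host")/$prefix,gw=$(int_to_ip4 $(( net + 1 )))"
}

# subnet_plan CIDR -> the lines to paste into /etc/network/interfaces, PfSense and cloud-init
subnet_plan() {
    gw=$(subnet_field "$1" gateway) || return 1
    pfx=$(subnet_field "$1" prefix)
    echo "# /etc/network/interfaces, under 'iface public-bridge':"
    echo "up ip addr add $gw/$pfx dev public-bridge"
    echo "# PfSense WAN: address $(subnet_field "$1" wan), bit count $pfx, upstream gateway $gw"
    echo "# Public VMs: $(subnet_field "$1" first_free) .. $(subnet_field "$1" last_usable), gateway $gw"
    echo "# Reserved: network $(subnet_field "$1" network), broadcast $(subnet_field "$1" broadcast)"
}

subnet_plan 198.51.100.48/29
```

Run it with the subnet Hetzner Robot shows you instead of the lab's 198.51.100.48/29 and paste the printed lines; public_vm_ipconfig 198.51.100.48/29 105 1 prints the qm set line for the first free public address (.51) and a fifth request on a /29 fails rather than returning the broadcast address.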