Method 3 — Hetzner vSwitch

Overview

Be honest with yourself before setting this up: if you're running one server, you don't need a vSwitch. I've seen people reach for it because it sounds more enterprise-grade, then spend an afternoon debugging VLAN tagging issues they wouldn't have had with Method 2. The vSwitch earns its complexity when you actually have a second Hetzner server that needs to share the same VM network. Until then, Method 2 gives you the same result with fewer moving parts.

A Hetzner vSwitch is a managed Layer 2 switch service that connects multiple dedicated servers within the same Hetzner location. You can route a public IP subnet to the vSwitch rather than to a specific server — any server attached to the vSwitch can reach that subnet. On Proxmox, you create a dedicated bridge backed by the vSwitch VLAN and attach PfSense WAN to it.

This method is best when you have two or more Hetzner servers that need to share the same public VM network, or when you want the public subnet to be independent of any single server's main IP.

Follow Method 1 in full, then apply only the changes documented in this chapter.

What Changes vs Method 1

Hetzner Robot — Create and Configure the vSwitch

  1. Go to Networking → vSwitch → Create vSwitch
  2. Give it a name, select the same location as your server, and create it
  3. Note the VLAN ID — Hetzner assigns IDs in the range 4000–4091
  4. Under the vSwitch, click Servers → Add server → select your Proxmox host
  5. Under Subnets → Order subnet → select a size (e.g. /29)
  6. The subnet is now routed to the vSwitch — no MAC reservation needed
  7. Note the subnet, usable range, and gateway

Proxmox — Create the vSwitch Bridge

Full /etc/network/interfaces

Complete file for reference — the existing public-bridge is unchanged; the two new blocks are the VLAN sub-interface and vswitch-bridge:

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto enp195s0
iface enp195s0 inet manual

auto public-bridge
iface public-bridge inet static
    address YOUR_HOST_IP/26
    gateway YOUR_GATEWAY
    bridge-ports enp195s0
    bridge-stp off
    bridge-fd 0

# vSwitch VLAN sub-interface (replace 4001 with your VLAN ID from Robot)
auto enp195s0.4001
iface enp195s0.4001 inet manual

# vSwitch bridge — no IP on the host, passthrough only
auto vswitch-bridge
iface vswitch-bridge inet manual
    bridge-ports enp195s0.4001
    bridge-stp off
    bridge-fd 0

auto private-bridge
iface private-bridge inet static
    address 10.100.100.254/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

Key points:

  • public-bridge is untouched — the host main IP and routing are unaffected
  • The VLAN sub-interface (enp195s0.4001) tags outbound frames with the vSwitch VLAN ID
  • vswitch-bridge holds no IP on the host — PfSense WAN is the only interface in this bridge that carries an IP
  • Replace 4001 with your actual vSwitch VLAN ID and enp195s0 with your physical NIC name

The vSwitch uses a VLAN tag on the physical NIC. You need a VLAN sub-interface and a bridge on top of it. Edit /etc/network/interfaces and add:

auto enp195s0.VLAN_ID
iface enp195s0.VLAN_ID inet manual

auto vswitch-bridge
iface vswitch-bridge inet manual
    bridge-ports enp195s0.VLAN_ID
    bridge-stp off
    bridge-fd 0

Replace VLAN_ID with the vSwitch VLAN ID from Robot (e.g. 4001) and enp195s0 with your physical NIC name. Example:

auto enp195s0.4001
iface enp195s0.4001 inet manual

auto vswitch-bridge
iface vswitch-bridge inet manual
    bridge-ports enp195s0.4001
    bridge-stp off
    bridge-fd 0

Apply:

ifreload -a
bridge link show

The vswitch-bridge should appear with enp195s0.4001 as a port.

Do not assign an IP to vswitch-bridge on the Proxmox host itself — the bridge is purely a passthrough. The subnet gateway IP lives on PfSense WAN only.
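
One way to check these rules before running ifreload -a, as an added example that is not part of the original page. The function name check_vswitch and both sample files are constructed for illustration; the bridge name and the 4000-4091 VLAN range are the ones this page uses.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. check_vswitch is a hypothetical
# helper; the bridge name and VLAN range 4000-4091 are the ones the page uses.
check_vswitch() {  # usage: check_vswitch FILE [BRIDGE]
  awk -v br="${2:-vswitch-bridge}" '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    $1 == "iface" { cur = $2; method[cur] = $4; next }
    $1 == "auto"  { cur = ""; next }
    cur != "" && $1 == "address"      { addr[cur] = $2 }
    cur != "" && $1 == "bridge-ports" { ports[cur] = $2 }
    END {
      if (!(br in method)) { fail(br " is not defined"); exit 1 }
      if (method[br] != "manual" || (br in addr))
        fail(br " must be inet manual with no address (passthrough only)")
      port = ports[br]; n = split(port, p, "."); vlan = p[2] + 0
      if (n != 2 || p[2] !~ /^[0-9]+$/)
        fail("bridge-ports \"" port "\" is not of the form NIC.VLAN_ID")
      else {
        if (vlan < 4000 || vlan > 4091) fail("VLAN " vlan " is outside 4000-4091")
        if (method[port] != "manual") fail("missing: iface " port " inet manual")
      }
      if (!bad) print "OK: " br " is a passthrough bridge on " port
      exit bad + 0
    }' "$1"
}

# Constructed samples: the layout from this page, then one with two mistakes
# (an address on the bridge, and a VLAN ID outside the vSwitch range).
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
auto enp195s0.4001
iface enp195s0.4001 inet manual

auto vswitch-bridge
iface vswitch-bridge inet manual
    bridge-ports enp195s0.4001
EOF
cat > "$tmp/bad" <<'EOF'
auto enp195s0.401
iface enp195s0.401 inet manual

auto vswitch-bridge
iface vswitch-bridge inet static
    address 203.0.113.1/29
    bridge-ports enp195s0.401
EOF
check_vswitch "$tmp/good"
check_vswitch "$tmp/bad" || echo "bad sample rejected as expected"
```

On the Proxmox host, run check_vswitch /etc/network/interfaces; a non-zero exit status means the bridge would carry a host IP or an untagged or mistagged port.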

PfSense VM — WAN on the vSwitch Bridge

When creating the PfSense VM (Method 1 Step 3), point net0 to vswitch-bridge instead of public-bridge:

qm create 104 --name PfSense \
  --memory 2048 --cores 2 --cpu host \
  --bios ovmf --machine q35 \
  --net0 virtio,bridge=vswitch-bridge \
  --net1 virtio,bridge=private-bridge \
  ...

PfSense WAN — Subnet IP from the vSwitch Subnet

In Method 1 Step 6, the WAN config changes as follows:

| Setting | Method 1 (single IP) | Method 3 (vSwitch subnet) |
|---|---|---|
| WAN IPv4 address | The reserved extra IP | First usable IP from the vSwitch subnet |
| Subnet bit count | 32 | The subnet prefix (e.g. 29) |
| Upstream gateway | Host default gateway | The gateway Hetzner assigned to the vSwitch subnet |

Unlike Method 2, the gateway here is the one Hetzner provisions specifically for the vSwitch subnet — it is NOT the host's main gateway. Hetzner shows it in the Robot vSwitch subnet details.

Multi-Server Benefit

With the vSwitch in place, a second Hetzner server in the same location can attach to the same vSwitch and create its own vswitch-bridge with the same VLAN ID. PfSense on either server can then serve as the gateway for VMs across both hosts — the public subnet is shared at the switch level, not locked to one server's main IP.

Everything Else Is Identical

PfSense installation (Method 1 Steps 4–5), LAN configuration (Step 7), web UI setup (Step 8), and verification (Step 9) are unchanged. The only differences are the bridge name on the Proxmox side and the WAN IP/gateway source.

VM Network Configuration

The vSwitch subnet is routed to the vSwitch itself, not to the Proxmox host's main IP. The gateway for VMs on the vSwitch bridge is the gateway Hetzner assigns to the vSwitch subnet — shown in Robot under the vSwitch subnet details. It is different from the host's main gateway.

Private VMs (private-bridge, behind PfSense NAT)

| Setting | Value |
|---|---|
| IP address | 10.100.100.X/24 — any unused address in the range |
| Subnet mask | 255.255.255.0 (/24) |
| Gateway | 10.100.100.1 (PfSense LAN) |
| DNS | 10.100.100.1 (PfSense) or 1.1.1.1 / 8.8.8.8 |

Cloud-init:

ipconfig0: ip=10.100.100.X/24,gw=10.100.100.1

Public VMs (vswitch-bridge, direct subnet IP)

VMs placed on vswitch-bridge receive IPs from the vSwitch subnet. The gateway is the one Hetzner assigns to the vSwitch subnet — not the host's main gateway and not PfSense WAN.

| Setting | Value |
|---|---|
| IP address | Any usable IP from the vSwitch subnet |
| Subnet mask | Match the vSwitch subnet prefix from Robot |
| Gateway | The vSwitch subnet gateway from Robot (separate from host gateway) |
| DNS | 1.1.1.1 / 8.8.8.8 |

Cloud-init (replace with your actual vSwitch subnet values):

ipconfig0: ip=VSWITCH_VM_IP/VSWITCH_PREFIX,gw=VSWITCH_GATEWAY

Public VMs on vswitch-bridge are directly internet-facing. Apply host-level firewall rules (UFW) on each VM or place workloads behind PfSense on the private bridge.

Multi-Server Note

Because the vSwitch operates at Layer 2 across servers, VMs on vswitch-bridge on any attached Hetzner server share the same subnet and gateway. A VM on Server A and a VM on Server B in the same vSwitch subnet communicate directly and share the same PfSense gateway — no additional routing configuration needed.