Search Results
190 total results found
Assumptions & Debian 13 Setup
Assumptions This guide walks you through deploying a production-ready Proxmox VE 9.1 installation on a Hetzner dedicated root server running Debian 13 (Trixie). It covers everything from OS installation through post-install hardening and optimization — no clus...
Installing Proxmox VE
Overview This chapter installs Proxmox VE 9.1 on top of the Debian 13 system set up in the previous chapter. The installation is done by adding the Proxmox no-subscription repository and installing the packages directly — no ISO, no reinstall. By the end of th...
Configuring the Network Bridge
Diagram
Security Hardening
Overview This chapter locks down the two main attack surfaces on a public-facing Proxmox host: the SSH port and the Proxmox web interface on port 8006. UFW handles inbound traffic filtering, and fail2ban sits in front of both services to automatically ban IPs ...
Proxmox Helper Scripts
Overview The Proxmox VE Community Scripts project maintains a collection of open-source helper scripts for common Proxmox tasks. This chapter covers the four scripts relevant to a fresh node setup. All scripts are interactive — they use a terminal menu to walk...
Further Optimization
Overview This chapter applies a set of low-level host optimisations that improve performance, stability, and resource efficiency on a Proxmox node. All changes are persistent across reboots. A single reboot at the end is sufficient to activate everything. 1 —...
Overview — Choosing Your Method
Diagram
Method 1 — Single Extra IP with MAC Reservation
Overview Hetzner allows you to order a single additional IPv4 and bind it to a virtual MAC address. When a frame with that MAC arrives on the uplink, Hetzner routes the IP to it — regardless of which server or VM holds the NIC. You assign that MAC to the PfSens...
Method 2 — Extra Subnet Routed to Host
Overview This is the setup I run in my own lab — the one documented throughout this book with the example subnet. A /29 gives you 6 usable IPs which is enough for PfSense WAN, a jumpbox, and 3–4 service VMs without needing to subnet further. If you think you'll...
Method 3 — Hetzner vSwitch
Overview Be honest with yourself before setting this up: if you're running one server, you don't need a vSwitch. I've seen people reach for it because it sounds more enterprise-grade, then spend an afternoon debugging VLAN tagging issues they wouldn't have had ...
Architecture & Prerequisites
Diagram
Hetzner Robot — vSwitch Setup
All Robot, No SSH Everything in this chapter happens in the Hetzner Robot web UI. You're not touching the servers yet — just provisioning the two vSwitches and wiring up the subnet. vSwitches themselves are free. The cost is the additional public subnet you'll...
Network Configuration on Each Node
Two Bridges, Three Nodes You're adding vmbr_priv and vmbr_pub to each node. The vmbr0 bridge from the first guide stays exactly as it is — these are additions. The config is identical across all three nodes except for the IP on the private bridge, which is uni...
Creating the Proxmox Cluster
One Flag That Makes or Breaks This Everything in this chapter is straightforward except one thing: every pvecm command includes --link0 pointing to the private vSwitch IP. That flag is what binds Corosync's heartbeat to the private network instead of defaultin...
Deploying PfSense on the Cluster
Why PfSense Is Part of This Setup The private vSwitch is a flat layer-2 network. VMs can talk to each other and to the cluster nodes, but they have no route out. PfSense is what changes that — it bridges the private vSwitch (LAN side) with the public vSwitch (...
VM Network Setup
Creating a VM on the Private Network With the cluster up and PfSense running, adding a VM that can reach the internet is straightforward. The two things to get right at the Proxmox level are the bridge and the MTU — everything else is standard VM setup. Step ...
Start here: what this lab is
This is a home lab. One Proxmox host, a pile of virtual machines, and a small-but-real platform running on top of them. I built it for two reasons: to have a place to practice the things I do (and want to do) as an infrastructure engineer, and to write down ho...
The big picture
Everything lives behind one firewall, on one private network. The only things exposed to the outside world are a couple of public IPs on the gateway; every VM sits on a private 10.100.100.0/24 network with no direct route in. In...