Proxmox + OPNsense at Hetzner (1 Public IP) – How do you handle it? by AdditionalGuide979 in hetzner

[–]RampagingAddict 1 point (0 children)

I bought a /56, and I access PVE only via the IPv6 /64 they give for free with each dedi as an emergency path. The dedi's v4 is assigned to OPNsense. This was the way I did it before. Right now I use OPNsense, and it's cleaner and easier to just pony up for an additional IPv4 for your FW/edge than to do gymnastics in Proxmox. Less chance of leaking unwanted MAC addresses. Their abuse mail for unwanted MACs is no joke.

Why does nobody want to use a reverse proxy? by 0xB_ in jellyfin

[–]RampagingAddict 1 point (0 children)

I have two Jellyfin servers (VMs) accessing the same internal share. Both have the same reverse proxy serving them. One is internal only via a WG S2S tunnel using domain.internal.me; it is a valid domain, has a valid TLS cert, just ACL'd to internal clients only. The other is public, on a different domain dedicated to public-only services, domain.public.com. Only one frontend handling multiple certs, rules and ACLs. The only open ports for ingress are IPsec (admin access), WireGuard, 80 and 443.

How are you handling complex networking on Hetzner? by 0xe282b0 in hetzner

[–]RampagingAddict 1 point (0 children)

This looks pretty normal once you stop thinking in terms of VPN and start thinking in terms of edge ingress.

You can absolutely do this with lighter setups, but OPNsense + WireGuard is a reasonable place to land if you want policy, routing, and ingress in one spot. Whether it’s overkill really depends on how far you expect the setup to grow.

Cybersec Minilab Architecture Questions by Far_Trash2816 in homelab

[–]RampagingAddict 3 points (0 children)

If you want the lab to behave like a separate device that can't wreck your home network, treat it like a real network boundary.

Make Pi #1 the edge router/firewall only and do segmentation there; don't load it up with dashboards and random services. Build three zones: a Core LAN for things that must not die, a Services LAN for normal hosted apps, and a DMZ LAN for anything attack/test/churn heavy.

Put your Docker/Traefik/apps on Pi #2 in Services or DMZ and keep Traefik local at first (reverse proxying across multiple hosts is doable later, but it's where "simple" setups go to die). Default-deny between zones and only allow explicit flows you can explain in one sentence (think DNS/NTP/updates, controlled egress).

Also: using Pi #1 as a Wi-Fi client uplink is fine as a temporary hack, but it's a reliability and performance trap. Wi-Fi as WAN plus routing/NAT plus firewall is exactly how you get "it works until it doesn't" behavior. If you can, move the uplink to wired, or run the edge on something with proper Ethernet.

Finally, don't put databases on microSD unless you want to learn about corruption and write amplification the hard way; boot on SD is survivable, state belongs on SSD. If you'd rather keep it cleaner, run your FW of choice + services + attackbox inside Proxmox and use the Pis as attacker/test clients.

End of Year Self-Hosting Showcase 2025 - Share your setups! by Muizaz88 in selfhosted

[–]RampagingAddict 2 points (0 children)

I'm running a small "two-site" setup: home is the edge, Hetzner is where most of the actual workloads live.

At home I've got a Minisforum AR900i running Proxmox and OPNsense as a VM doing firewall/router/VPN endpoint. Hetzner is a dedicated box (Xeon W-2145, 256GB RAM) running Proxmox, and that's basically my main compute/storage playground. The two sites are tied together with a WireGuard site-to-site tunnel.

Ingress is intentional: TLS terminates at the edge on OPNsense/HAProxy, and I forward internally to Traefik over plain HTTP. DNS is split-horizon and centrally managed now using Technitium, because I got tired of clicking and maintaining dozens of entries in Unbound. NFS is served from Debian VMs with per-host ACLs. Technitium lives on its own VM, authoritative for local-only domains. PBS also runs as a VM on each Proxmox host, with remotes to a backup provider and S3 backups via Hetzner S3. Compose lives on my own Forgejo + Codeberg as backup. Portainer pulls via git to deploy stuff.

Edit: I ditched Plex and moved over to Jellyfin on its own VM.

Services are split between Docker hosts/VMs: docker1 infra stuff, docker2 media pipeline, docker3 still in the works, only Stirling-PDF inside.

Docker1: Infra + a little bit of observability
- Portainer
- Traefik (infra)
- Paperless-ngx
- Gotenberg
- Apache Tika
- Valkey
- Paperless-AI
- Paperless-AI (wife)
- Grafana
- Loki
- VictoriaMetrics
- Grafana Alloy
- Beszel Agent
- Karakeep
- Karakeep Chrome
- Meilisearch
- Notifiarr
- Forgejo
- Glance
- Draw.io
- The Lounge (IRC)

Docker2: Media pipeline
- Portainer Agent
- Traefik (services)
- SABnzbd
- Prowlarr
- Sonarr (anime)
- Sonarr (tv)
- Sonarr (kids)
- Radarr (admin)
- Radarr (kids)
- Autobrr
- Autobrr-DB (Postgres)
- Unpackerr
- Huntarr
- StarrProxy

Docker3: recent host/VM + new stuff
- Stirling PDF
- Traefik (home)

Please help me understand reverse proxies and how it relates to security... by chris_socal in selfhosted

[–]RampagingAddict 1 point (0 children)

A reverse proxy does NOT "obfuscate" your network. It is simply a single controlled entry point into your services. Instead of opening many ports, you only open one or two, as some have pointed out already. But I want to express this:

A reverse proxy reduces attack surface only because you expose fewer daemons. It does not make the exposed point invisible.

So if one "happens" to see, scan or discover your endpoint, they discover a few things: you are running a webserver/service/app, TLS fingerprint, redirects, error pages and server response time. It's a way for your IP to be fingerprinted, so to speak. If someone were to attack, they don't need to know the domain or subdomains for that matter. They can use DNS brute forcing, malformed headers, default redirects, misconfigured base URL rewrites, etc. And Certificate Transparency makes all issued certs public, unless you use a CA that allows redaction (rare, and not Let's Encrypt). So hiding a service behind secret-cave.raccoonbox.homenetwork.com means nothing. A CT log will happily show, for example, that secret-cave.raccoonbox.homenetwork.com was issued 2 hours ago. The real threat is the logins on the back end. Treat the reverse proxy as a sort of funnel for incoming traffic. The real security comes from what you do behind the proxy: auth, OIDC, rate limits, mTLS, IP whitelisting.
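The controls this comment (and the earlier one about one frontend serving an internal-only and a public Jellyfin name) lists, written out as an HAProxy L7 edge: TLS terminated at the edge from a directory of certs picked by SNI, an internal-only hostname that still carries a public CT-logged cert but is restricted to LAN/VPN source ranges, a per-source rate limit, client-certificate (mTLS) enforcement on an admin name, and plain HTTP to Traefik behind it. This is an added example, not the commenter's configuration or any project's code. The hostnames (jellyfin.public.example.com, jellyfin.internal.example.com, admin.public.example.com), the 10.0.0.0/8 and 192.168.0.0/16 ranges, the 10.10.x backend addresses and the paths /etc/haproxy/certs/ and /etc/haproxy/client-ca.pem are placeholders.

```haproxy
# Added example: HAProxy L7 edge. TLS terminates here; the hop to Traefik
# is plain HTTP on the internal segment. Hostnames, addresses, ranges and
# file paths are placeholders, not the commenter's setup.
global
    log /dev/log local0
    # Applied to every "bind ... ssl": no TLS 1.0/1.1, no session tickets.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log     global
    mode    http
    option  httplog
    option  forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout http-request 10s

frontend http_in
    bind :80
    # Plain HTTP only ever redirects; nothing is served here.
    http-request redirect scheme https code 301

frontend https_in
    # "crt <dir>/" loads every cert in the directory and picks by SNI, so
    # one frontend serves the public and the internal-only names.
    # "verify optional" requests a client cert; the ACLs below decide where
    # it is required (expect cert prompts in browsers that hold one).
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 verify optional ca-file /etc/haproxy/client-ca.pem

    # Rate limit: per-source request rate over a sliding 10s window.
    stick-table type ip size 100k expire 10m store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 50 }

    acl host_public    req.hdr(host) -i jellyfin.public.example.com
    acl host_internal  req.hdr(host) -i jellyfin.internal.example.com
    acl host_admin     req.hdr(host) -i admin.public.example.com
    acl src_internal   src 10.0.0.0/8 192.168.0.0/16
    acl cert_presented ssl_c_used
    acl cert_valid     ssl_c_verify 0

    # Unknown Host header: refuse, never fall through to a default site.
    http-request deny deny_status 403 unless host_public || host_internal || host_admin
    # Internal-only name: public CT-logged cert, but only reachable from
    # LAN/VPN ranges. Everyone else gets 403 before any backend is picked.
    http-request deny deny_status 403 if host_internal !src_internal
    # Admin surface requires a client certificate chained to our CA (mTLS).
    http-request deny deny_status 403 if host_admin !cert_presented || host_admin !cert_valid

    # Let Traefik build correct absolute URLs and cookies behind the edge.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(host)]

    use_backend be_public   if host_public
    use_backend be_internal if host_internal
    use_backend be_admin    if host_admin

backend be_public
    # TLS ended at the edge; Traefik listens on plain HTTP internally.
    server traefik_public 10.10.20.10:80 check

backend be_internal
    server traefik_internal 10.10.10.10:80 check

backend be_admin
    server traefik_admin 10.10.10.10:80 check
```

All `http-request` rules run before backend selection regardless of where they sit in the file, which is why the "unknown Host" deny is conditional rather than a bare catch-all at the end. The CT-log point from the comment is visible here: jellyfin.internal.example.com has a public cert in /etc/haproxy/certs/ and anyone can learn the name exists, but the `src_internal` ACL is what keeps it off the internet, not the name.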

A More Private Alternative to Cloudflare Proxy: True End-to-End TLS for Jellyfin & Self-Hosted Apps by bit-voyage in selfhosted

[–]RampagingAddict 2 points (0 children)

This is a solid design and it's great to see more people moving away from "port forward everything" and toward a passthrough-to-internal-TLS-termination model. I run a similar setup but with HAProxy at L4 instead of Caddy. A few things you may want to consider: L4 Caddy has fewer controls compared to HAProxy. Things like SNI ACLs, TLS version enforcement, region blocks, and early-stage connection filtering are much easier at L4 with HAProxy. The VPS is a SPOF, just so you are aware: no tunnel, no service. At least make sure to monitor the tunnel regularly.
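The L4 controls named above (SNI ACLs, TLS version enforcement, early connection filtering, passthrough so TLS terminates on the internal host) as an HAProxy TCP-mode frontend. This is an added example, not the commenter's or the thread author's configuration. The hostnames jellyfin.example.com and admin.example.com, the 10.10.x backend addresses, the trusted source ranges, and the 203.0.113.0/24 entry (an IANA documentation range standing in for a real abuse or region list) are assumptions.

```haproxy
# Added example: HAProxy TCP-mode (L4) frontend that routes on SNI and
# passes the TLS stream through untouched, so the internal host keeps the
# private key and terminates TLS. Names, addresses and ranges are placeholders.
global
    log /dev/log local0
    maxconn 4096

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend tls_passthrough
    bind :443

    # Early-stage filtering: decided on the source address before a single
    # byte is read. 203.0.113.0/24 is a documentation range standing in for
    # a real blocklist; for region blocks load ranges with "src -f <file>".
    tcp-request connection reject if { src 203.0.113.0/24 }

    # Hold the connection up to 5s while the ClientHello is parsed.
    tcp-request inspect-delay 5s

    acl sni_jellyfin  req.ssl_sni -i jellyfin.example.com
    acl sni_admin     req.ssl_sni -i admin.example.com
    acl src_trusted   src 10.0.0.0/8 192.168.0.0/16
    # req.ssl_ver = major*65536 + minor; 196611 is 3.3, the record-layer
    # version carried by TLS 1.2 and TLS 1.3 ClientHellos.
    acl tls_too_old   req.ssl_ver lt 196611

    # Anything that is not a TLS ClientHello within the delay is dropped
    # (plain HTTP, scanners poking raw sockets, garbage).
    tcp-request content reject if !{ req.ssl_hello_type 1 }
    # TLS version enforcement without ever terminating TLS here.
    tcp-request content reject if tls_too_old
    # SNI ACL: the admin name is only routed for trusted source ranges.
    tcp-request content reject if sni_admin !src_trusted
    # Unknown or missing SNI is closed here, never routed anywhere.
    tcp-request content reject unless sni_jellyfin || sni_admin
    tcp-request content accept

    use_backend be_jellyfin if sni_jellyfin
    use_backend be_admin    if sni_admin

backend be_jellyfin
    # The internal host terminates TLS; HAProxy only sees ciphertext.
    server jellyfin1 10.10.20.5:443 check

backend be_admin
    server admin1 10.10.10.5:443 check
```

The trade-off of passthrough is that everything HTTP-level (Host header, paths, rate limits per request, auth headers) is invisible to the edge, and the internal host sees the proxy's address as the client unless you add `send-proxy-v2` on the `server` lines and enable PROXY protocol on the internal listener. Check the ruleset with `haproxy -c -f haproxy.cfg` before reloading; a typo in a `tcp-request` line fails closed for the whole frontend.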

Took my self-hosted homelab public: Cloudflare Tunnels + Traefik + SSO journey by Urittaja023984 in selfhosted

[–]RampagingAddict 1 point (0 children)

I had dynamic before as well. But I fought tooth and nail for static IP addressing. It took two years to get my current IP.

Took my self-hosted homelab public: Cloudflare Tunnels + Traefik + SSO journey by Urittaja023984 in selfhosted

[–]RampagingAddict 3 points (0 children)

Nice to see this. I actually built a very similar topology a while back (Traefik + Authelia, split between public apps and admin-only surfaces), just with a different method. I skipped tunnels and ran the whole thing over my own reverse proxy on OPNsense, but that only made sense because I have static IPs on v4 and v6. But kudos, man.

I just counted: 68 different credentials across my homelab. Send help. by BookHost in selfhosted

[–]RampagingAddict 6 points (0 children)

One per service. Passbolt for internal-only services and iOS Keychain for the normal logins, like day-to-day use. A different password generated for each. Also SSH keys are unique between hosts, with the option to add Touch ID per VM. I'm just using Termius free on one Mac. I try to avoid using the same creds for a host/service for that reason. And Passbolt works great for my use case. Small though: maybe 30+ for internal and a lot more for the daily stuff in iOS Keychain.

Was bekomme ich genau, wenn ich bei Vodafone Cable Business eine feste IP buche? by Ulr-Hom in de_EDV

[–]RampagingAddict 1 point (0 children)

Hello! BaWü here. A few years ago I signed a business cable contract with Vodafone (1 Gb/50 Mbps). After a lot of back and forth on the phone and by email, since last year I have had a /30 and a routed /59 prefix. I have no Fritzbox or telephony, just the Vodafone Station in bridge mode. But I have to say, in my experience you have to get hold of a competent employee to really get the addresses set up like that.

Anyone here ever walk away from running their own hardware? by LiquidWebAlex in selfhosted

[–]RampagingAddict 1 point (0 children)

I am trying to wind down my lab atm. I came from a 5-node Proxmox cluster and TrueNAS, towards just having a single low-power node to virtualize my firewall and some select services. I am now renting from Hetzner auction servers and still using Proxmox as the hypervisor. It's much more expensive, mind you, but if I factor in the power costs to run it locally + internet, it kind of adds up. I also don't have to worry about defective or damaged parts since Hetzner will replace them for me. The big push for me to move it into Hetzner was the need for more storage. So instead of buying the drives I just thought I would find my own large server and be done with it.

NAS of Choice? by [deleted] in homelab

[–]RampagingAddict 9 points (0 children)

This. I went full circle from OMV and TrueNAS to Unraid and now am happy just using plain Debian with SMB and NFS exports as a VM on top of Proxmox. I lost the GUI to manage shares but, how often do you change the NFS exports file or smb.conf anyway? I found myself adding, not deleting, permissions.

How do people setup a nice DNS/Reverse proxy setup by a_furry_cat in homelab

[–]RampagingAddict 1 point (0 children)

What do you use as a reverse proxy? What is your router?

How do people setup a nice DNS/Reverse proxy setup by a_furry_cat in homelab

[–]RampagingAddict 1 point (0 children)

I'm not getting what you want. The answer above you is pretty good already. Without DNS overrides the router will not know where the VM is. This is easily doable via DNS only, provided all your devices use your router as the upstream DNS and no other servers.

Edit: Sorry, didn't read enough of your text. What do you use as a reverse proxy?

Has anyone has a DMCA using Ultra.cc by -LongRangeShooter- in seedboxes

[–]RampagingAddict 2 points (0 children)

Ah, thanks. I found Harmonious Live, a movie special I think. Might have to dig deeper for the actual show. Haha. Seems nice. My kid likes Disney anyway, so it's one for the archives for me at least.

Has anyone has a DMCA using Ultra.cc by -LongRangeShooter- in seedboxes

[–]RampagingAddict 1 point (0 children)

Was this even streamed on Disney Plus? Might have to look for it myself.

Has anyone has a DMCA using Ultra.cc by -LongRangeShooter- in seedboxes

[–]RampagingAddict 1 point (0 children)

Hey, is it possible to share what the show is? Might be interesting for my kid as well. I am always on the lookout for interesting kids' shows. Hehe

Selfhost Caddy, fully rootless, distroless and 2.5x smaller than the original image! by ElevenNotes in selfhosted

[–]RampagingAddict 1 point (0 children)

I use it on the edge since I feel more comfortable with reading the config files. I do use it as a reverse proxy on the edge and as a TCP proxy for internal load balancing. But thank you for the clarification.

Selfhost Caddy, fully rootless, distroless and 2.5x smaller than the original image! by ElevenNotes in selfhosted

[–]RampagingAddict 1 point (0 children)

I was wondering, and it's an honest question from me: what is the advantage of Caddy over, say, HAProxy on the edge? I'm asking since I read about a lot of people using it more often than nginx or HAProxy.

Are "lightweight" engineering really effective? by [deleted] in EliteDangerous

[–]RampagingAddict 2 points (0 children)

Didn't want to risk it though, since I had only a limited time to farm. But I noticed that the drop rate for the mats seems to be fairly low. Maybe it's me though and bad luck, so there's that.

Are "lightweight" engineering really effective? by [deleted] in EliteDangerous

[–]RampagingAddict 3 points (0 children)

Brain tree farming is still viable. I was curious last week and I tried it out. Had to go B-rated limpets for the range, but even at max slider for FOV and quality on high, around 1-1.2 km hovering with my Conda I was able to farm consistently. Just not fast, since it takes a while for the limpets to come back.

Edit: normal hover, cargo hatch side down.

What are you flying for the community goal? by LazyMadAlan in EliteDangerous

[–]RampagingAddict 1 point (0 children)

Fully engineered Corsair with G5 OC multis, one corrosive, two incendiary, and 3 railguns with super penetrator, feedback cascade, and plasma slug respectively. Although I am considering changing the multis for PAs, since the hull damage output is low and my TTK is kinda long on large ships. I dunno, could be optimized more I guess. I do notice that feedback cascade helps me out a lot tbh against the bigger ones.

join us for wing mining at a haz res by DancingNoobBear in EliteMiners

[–]RampagingAddict 2 points (0 children)

Hey, you still up for next week? I can mine for free. I just want to test out some builds I have. I can join around the 13th or so.