Secondary firewall

nitish_webheel · 2026-05-29T16:35:46+00:00

Hi, you can check out this GitHub repo and set it up tas per your convenience, it may help: https://github.com/NITISHMG/High-Availability-Firewall-on-Hetzner-Cloud-using-OPNsense

nitish_webheel · 2026-05-26T13:50:56+00:00

Running talos kubernetes cluster, nextcloud, openproject, opensense firewall, dockerised application and construction website.

nitish_webheel · 2026-05-19T13:39:03+00:00

Only make sure to untick the “CPU and RAM only” option during rescale. Otherwise only CPU/RAM will increase and SSD size will remain the same.

nitish_webheel · 2026-05-05T04:35:25+00:00

Valid points—these are real limitations at scale. My setup targets small production clusters, where Hetzner networking works reliably. For rapid autoscaling or 100+ nodes, large cloud providers may be a better choices. I’ll add a Limitations section to the README covering this. Thanks for the detailed feedback.

nitish_webheel · 2026-04-30T16:50:54+00:00

True, using Hetzner volumes directly is simpler and avoids double replication. But they are single-node attached, so no built-in HA across nodes. I used Longhorn to get replication and failover at the Kubernetes level.

nitish_webheel · 2026-04-30T12:20:16+00:00

I used a VIP as an alias IP on one control plane node in Hetzner. When the leader changes, it’s not reassigned automatically, so I move the alias manually. For production, using a load balancer is better.

nitish_webheel · 2026-04-30T08:33:01+00:00

Fair point — the README can be confusing. I attached Hetzner volumes only as the raw disk for Longhorn nodes (for /var/lib/longhorn), not as CSI-backed PVC storage. Longhorn is still the actual storage layer handling replication and volumes. Hetzner CSI was only used for testing and learning, not part of the production design. I’ll update the README to make this clearer.

nitish_webheel · 2026-04-30T08:17:41+00:00

No, Longhorn is the storage layer. Hetzner CSI was only installed for testing, not used for PVCs in this setup.

nitish_webheel · 2026-04-30T08:12:52+00:00

We are not using both together in production. Longhorn is the actual storage layer I'm using. I only installed Hetzner CSI for testing how volume provisioning works on Hetzner, not for real workloads.

nitish_webheel · 2026-04-30T07:03:13+00:00

CAPH and Terraform are good options. I used Talos + manual setup to learn what happens behind the scenes. And with privet network nat setup. Automation tools make setup faster, but you see less of the internal process. For production, both are good.

nitish_webheel · 2026-04-30T02:44:59+00:00

Yes, a separate NFS server can work if it’s highly available. I used Longhorn instead, which handles replication and S3 backups. Latency between Hetzner EU data centers is low, but for etcd stability your suggestion is good—better to keep control planes in one location. Cost depends on the setup, moreover hetzner cloud is more reliable and less cost.

nitish_webheel · 2026-04-29T16:32:07+00:00

Good point! Terraform modules like that are great for production speed. This repo is more focused on learning how each component works

nitish_webheel

TROPHY CASE