
Home router (openwrt) in a container. How to set up WAN/LAN NICs?
So, this might be a networking ELI5 post, but I can't wrap my head around the right way to set it up safely/securely.
As background, I bought one of these cool little boxes from aliexpress, with the thinking that it's got lots of headroom to run proxmox, with openwrt and a few other VMs or containers, and as a bonus, I could set it up in a proxmox cluster with my already existing homelab server, and eventually get a third node to provide real HA for my router. I want to dedicate one of the physical NICs as the WAN port to connect to my ISP, so want to pass it through exclusively to the openwrt LXC container[1], and not have it accessible to any other environments. The other three NICs would, I guess, just behave like a dumb switch.

So, how do I do this? Do I need to encapsulate the WAN NIC in a virtual bridge on the host, but just don't give it an IP address, then assign that vbr as a NIC on the openwrt container? That seems sketchy, and not particularly secure to my network-n00b brain, but I can't figure out any other way to get it to the container. And what about the other 3 NICs? Should I put them all in a vbr on the host, and just pass one "vbrLAN" interface to openwrt, since I do need an IP address for the host?

[1] I installed openwrt in an LXC container instead of a VM because 1) there's an upstream-maintained openwrt LXC template, and 2) because it looked like by far the easiest way to update/upgrade openwrt in the future. I'd love to hear why it's a bad idea, if it is :)

Install openwrt as a VM. Create Linux bridges with the LAN ports and assign as needed, that's really it.
1 NIC with an IP address for management; the other bridges that go to openwrt will be set with an IP inside openwrt.
Yeah, I get the general gist, I just don't grok the details. I want to set it up like an integrated router, with one "WAN" port, and three "LAN" ports. Right now, proxmox already created vmbr0 (encapsulating the "enp2s0" NIC). vmbr0 has its own IP address on the proxmox host, and I passed vmbr0 through as my management NIC, but I'm thinking I want to also add enp3s0 and enp4s0 (these correspond to the first three NICs) to the same vmbr0 host bridge, then just have the one "LAN" vNIC in openwrt, so the switch is on the host, not inside openwrt. Is that the right way to deal with the "LAN" ports? And for the "WAN" port (enp5s0 on the host), should I encapsulate it into a vbridge in the host's /etc/network/interfaces file, but don't give it a host IP address? Will that work, and is that a safe/secure way to only expose the openwrt "WAN" NIC to the big-bad-internet, and nothing else?
Don't install it as a VM. Install it as an LXC so you can have zero overhead.
Create it using a VM and pass through the NIC if possible. You do not need to install; you need to import the x86 image as a disk. By default everything should work if you have two NICs associated with the VM: https://i12bretro.github.io/tutorials/0405.html
For the network: create a bridge per port, then associate the WAN bridge and a LAN bridge to the VM (make sure it's not the same port proxmox is using). Not sure about the order; if openwrt does not get a WAN IP, switch the order of the NICs in the VM.
The LAN should also be connected to a physical switch, where you connect the proxmox LAN port as well, and other devices like an AP for WiFi.
How did you settle with the configuration? Can you share?
Whoa, this was a long time ago :D. I settled on installing openwrt in an LXC container. On the proxmox host, I created two static bridges (mapped to WAN and LAN in openwrt). The LAN, I assigned the proxmox IP, with the netmask matching the netmask I'd set in openwrt, then assigned the three physical ports I'd set aside for LAN to that bridge. The WAN, I only assigned the one port, but did not give it an IP address, passing it directly through to openwrt. So far, it's worked fabulously.
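
Added example, not part of the thread and not anyone's posted config: a small Python check that a host's `/etc/network/interfaces` keeps the WAN NIC in a bridge of its own with no host-side address, which is the layout the last comment describes. The NIC names and `vmbr0` come from the posts; `vmbr1`, the address and the function names are assumptions.

```python
# Added example. SAMPLE is a constructed /etc/network/interfaces excerpt;
# vmbr1 and 192.168.1.2/24 are assumptions, the NIC names are from the thread.
SAMPLE = """\
iface enp5s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.2/24
    bridge-ports enp2s0 enp3s0 enp4s0

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp5s0
"""

def parse_ifaces(text):
    """Map each iface name to its address methods and stanza options."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) >= 4:
            cur = ifaces.setdefault(words[1], {"methods": set(), "opts": {}})
            cur["methods"].add(words[3])  # inet and inet6 stanzas may coexist
        elif words[0] in ("auto", "mapping", "source", "source-directory") or words[0].startswith("allow-"):
            cur = None  # these keywords end the current iface stanza
        elif cur is not None:
            cur["opts"][words[0].replace("_", "-")] = words[1:]
    return ifaces

def audit_wan(text, wan_nic):
    """Return findings; an empty list means the host has no L3 presence on WAN."""
    ifaces, findings = parse_ifaces(text), []
    owners = [n for n, i in ifaces.items() if wan_nic in i["opts"].get("bridge-ports", [])]
    if len(owners) != 1:
        findings.append(f"{wan_nic} is a port of {len(owners)} bridges, expected 1")
    for name in owners + [wan_nic]:
        i = ifaces.get(name, {"methods": set(), "opts": {}})
        if i["methods"] - {"manual"} or "address" in i["opts"]:
            findings.append(f"{name} is addressed on the host")
    for name in owners:
        extra = sorted(set(ifaces[name]["opts"]["bridge-ports"]) - {wan_nic})
        if extra:
            findings.append(f"{name} also bridges {extra}")
    return findings

if __name__ == "__main__":
    print(audit_wan(SAMPLE, "enp5s0") or "WAN bridge is layer-2 only on the host")
```

The check only reads the static configuration; addresses added at runtime would need `ip -br addr` on the host to confirm.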