Proxmox Virtualization Environment

The Architecture Rationale

This infrastructure idea was born out of the limitations of traditional shared hosting and cPanel environments. When dealing with strict budget constraints but requiring high-speed, isolated, and granularly controllable environments on the same network, standard shared hosting falls short.

The precursor to this setup involved leveraging the AWS Free Tier (t3.micro). Building on AWS provided a crucial sandbox for mastering security groups, IAM policies, and VPC firewalls. That knowledge was then ported to a more cost-effective, high-resource VPS provider. By installing a custom Proxmox VE ISO, setting up cloud-level firewalls, and managing native Proxmox firewalls, this architecture achieves enterprise-grade routing and isolation on a fraction of the budget.


Phase 1: Bare Metal Foundation & Initial Setup

The foundation relies on a robust VPS with a fresh installation of the latest Proxmox VE using a custom ISO.

  • Network Configuration: During setup, bind the public IP using the provider’s assigned CIDR block (e.g., /21) and set DNS to a reliable public resolver like Cloudflare (1.1.1.1).
  • Post-Install Optimization: Utilize community-vetted post-installation scripts (like the Proxmox VE Helper-Scripts) to strip out enterprise nag screens, update repositories, and optimize the host.

Time & Host Resolution

Infrastructure hygiene requires a unified timezone and internal resolution.

  1. Navigate to DataCenter > PVE (Node) > System > Time, and set the system to UTC.
  2. Navigate to DataCenter > PVE (Node) > System > Hosts and map the local environment:
127.0.0.1 localhost.localdomain localhost
[PUBLIC_IP] pve.server.net pve proxmox.[YOUR_DOMAIN].com
192.168.100.52 stalwart.[YOUR_DOMAIN].com

# IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Phase 2: Software-Defined Networking (SDN) & DHCP

To provide VMs and LXC containers with automatic IP assignment via DHCP and allow them to reach the internet (passing WAN to LAN via SNAT), Proxmox’s SDN core must be enabled.

1. Install Routing Dependencies

Access the PVE shell and install the necessary routing daemon and DNS forwarder:

apt update
apt install dnsmasq frr-pythontools
systemctl disable --now dnsmasq
systemctl enable frr.service

2. Configure the SDN Interface

  • Zone: Create a Simple Zone (DataCenter > SDN > Zones). Enable automatic DHCP.
  • VNet: Create a VNet within this zone. Note: There is no need to make this VLAN aware or isolate ports on the default vmbr0 bridge.
  • Subnet: Attach a subnet to the VNet with the following parameters:
  • Subnet: 192.168.100.0/24
  • Gateway: 192.168.100.1
  • SNAT: Enabled
  • DHCP Ranges: 192.168.100.50 - 192.168.100.100

3. NAT Routing & Port Forwarding

To route external web traffic (80/443) to the internal Nginx/Deployment server at 192.168.100.50, append iptables rules directly to the network interfaces file.

nano /etc/network/interfaces
auto lo
iface lo inet loopback
iface ens18 inet manual

auto vmbr0
iface vmbr0 inet static
        address [PUBLIC_IP]/21
        gateway [PUBLIC_GATEWAY]
        bridge-ports ens18
        bridge-stp off
        bridge-fd 0

# Route HTTP/HTTPS to internal proxy/LXC (.50)
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.100.50:80
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.100.50:80
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.100.50:443
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.100.50:443

source /etc/network/interfaces.d/*

Phase 3: Secure GUI Access & Reverse Proxy

Exposing the native Proxmox GUI (port 8006) directly to the public internet is a security liability. To solve this, access is routed through a secure internal channel.

  • Nginx LXC Reverse Proxy: The Proxmox GUI is placed behind an internal Nginx proxy container.
  • Domain Access: This allows secure access via a “custom-domain-or-subdomain.com" instead of typing IPs and ports.
    Due to security protocols and the production-grade nature of this infrastructure, the live management interface is restricted. Architecture diagrams and system logs are available upon request for verification purposes.
  • Basic Authentication: As a secondary defense layer, the Nginx reverse proxy enforces strict Basic Auth (Admin/Password prompt) before the traffic even reaches the Proxmox login screen, dropping unauthorized scans at the edge.

Phase 4: External Storage Integrations

Rather than paying for expensive block storage, this setup mounts external legacy hosting accounts and cloud drives directly into Proxmox for backups and ISO storage.

SSHFS (Legacy cPanel Storage)

Mounting an external cPanel account via secure SSHFS:

  1. Generate/import SSH keys in ~/.ssh/.
  2. Configure the SSH client ~/.ssh/config:
Host gd
  HostName [CPANEL_SERVER_HOSTNAME]
  User [CPANEL_USERNAME]
  IdentityFile ~/.ssh/bftech_gd
  1. Install SSHFS, create the mount point (/mnt/pve/ftp/sharedhosting), and add it to /etc/fstab for persistence across reboots:
gd:/home/[CPANEL_USERNAME]/storage /mnt/pve/ftp/sharedhostingfuse.sshfs _netdev,users,idmap=user,IdentityFile=/root/.ssh/bftech_gd,allow_other,reconnect 0 0

Rclone (Google Drive / Mega)

To mount cloud providers natively using Rclone:

  1. Install Rclone: curl https://rclone.org/install.sh | bash
  2. Configure headless OAuth via a local Windows machine.
  3. Create systemd service templates (/etc/systemd/system/[email protected]) to ensure cloud drives auto-mount on boot:
[Unit]
Description=RClone mount for %i
After=network-online.target
Wants=network-online.target
AssertPathIsDirectory=/mnt/pve/%i

[Service]
Type=simple
User=root
Group=root
ExecStart=/usr/bin/rclone mount %i:storage /mnt/pve/%i \
          --vfs-cache-mode writes \
          --allow-non-empty \
          --allow-other
ExecStop=/bin/fusermount -uz /mnt/pve/%i
Restart=always
RestartSec=10
TimeoutSec=60
  1. Enable the mounts: systemctl enable --now rclone@gdrive_user (repeat for all configured drives).
  2. Finally, add these directories as Storage resources in the Proxmox GUI (DataCenter > Storage > Add Directory).

Phase 5: Security & Alerts

Fail2Ban Hardening

Protect the Proxmox GUI and SSH ports from brute-force attacks by integrating Fail2Ban.

apt install fail2ban -y
systemctl enable --now fail2ban

Create a custom Proxmox filter (/etc/fail2ban/filter.d/proxmox.conf):

[Definition]
failregex = ^.*pvedaemon.*authentication failure; rhost=<HOST> user=.*$
            ^.*pam_unix\(proxmox-ve-auth:auth\).*rhost=<HOST>.*$
ignoreregex =

Define the jails (/etc/fail2ban/jail.d/proxmox.local):

[proxmox]
enabled = true
backend = systemd
journalmatch = _SYSTEMD_UNIT=pvedaemon.service
port = 8006
maxretry = 3
findtime = 10m
bantime = 31536000

Note: Ensure firewall rules allow UDP 67/68 for DHCP, ICMP for ping, UDP 53 for DNS, and required TCP ports.

Slack Webhook Notifications

Route system alerts directly to Slack via DataCenter > Notifications > Notification Targets.
Webhook Body:

{
  "text": "``` {{escape message}}```",
  "type": "mrkdwn"
}