Debian Bridges and Virtual Machines -> Traffic to Proxy VM

Hey there,

I’ve been along with this problem for a while now and thought someone here can help me.

This is my scenario:

A rented server with a single public IPv4 and an /64 IPv6 Subnet.
Debian 10 with Proxmox 6.0.

Here’s what I want to achieve:

WWW <----> Host GW <-----> NIC <------> vmbr0 <------> haproxy(VM) <-----> vmbr1 <-----> Other VM’s

In a nutshell I want all the traffic to go straight to my proxy.

Why you ask?
-> The proxy is used as a reverse proxy.

For all the scenarios I’ve enable ipv4_forward.

  • I’ve tried configuring the public IPv4 in the networkt adapter of my proxy VM. Doesn’t work.
  • Same as above, but create a route for to my vmbr0.
  • Same as Number 1, but create a route for to the public IPv4 configured on the proxy VM

Now I’m out of ideas.
I’m pretty sure I’ve been missing something with my routing or made something wrong there.

If you need more information please let me know.

Thanks ahead for every answer


I’m not super experienced with haproxy, but I can tell you that you’ve got the bridges and os config pretty much correct.

The only thing I might inquire about is, do you have a host ip on vmbr0?

More to the point, it might be easier to use haproxy in a vm or container to achieve your desired result.

Thanks for your reply.

I’m already using haproxy as a VM.

I’ve tried both scenarios:
Bridge without an IP config
Bridge with IP config

Both does not work.
But in my opinion the second try was just wasted because it doesn’t make sense to me to configure the IP on the bridge and then on the VM again or only on the bridge, but then how would the vm know…

I have a similar setup, and I have found that the best way to handle this, is just to pay for additional public IP addresses. Did you ever get this working?

I did get it working with the same resolution.

I just bought another IP for my hypervisor.
The pro side of this is, that even if you mess up you firewall config, you can still access your hypervisor and repair via console.

What I did to get mine working was to remove the ‘Default Gateway’ setting on my vmbr0 interface (management), and instead assigned it to vmbr1, so then my para-virtualized nic’s on VM’s are assigned under vmbr1 and appear as regular hosts on my network.

If you had another nic you could just assign it either directly to your guest vm or do para-virtualized so long as it connects to your network.

I took it one step further and assigned an active-backup bond to the vmbr1 for redundancy. Then at my pfsense router I forward all web traffic for a specific high-random-port exclusively from my haproxy on linode to my local haproxy on my network which is where I then perform SSL termination.

Then I on my local haproxy I have the config file maintained with salt stack so when I push changes to it my minion updates the config whenever it changes and perform a graceful reload.

So I run tons of shit behind my proxy.

Traffic looks like this:

internet -> haproxy (linode) -> wan -> haproxy (lan) -> services

But all traffic appears to clients as the haproxy on linode so it’s all obfuscated.