NethServer running on Proxmox & PPPoE

Hi all,

If I run NethServer on a Proxmox host directly connected to my DSL modem:

  • Which server should make the PPPoE request: Proxmox or NethServer?

  • Which server should run the DHCP?

  • Which server will be the gateway?

Thank you in advance,

Michel-André

Hello,

Why do you want to implement PPPoE? In my understanding, the ISP modem will make the PPPoE request to authenticate you to their systems and assign you a public IP.

You could then, within your Proxmox setup, deploy a firewall to handle your internal VM DHCP connections.
NethSecurity, if you don't mind testing things, or OPNsense, which a number of community members so far have experience with.

I am assuming it’s Nethserver 8 you’re using.

Salut @oneitonitram ,

With NethServer-7.9, I used the server to request the PPPoE as it is much easier to configure NethServer with its reverse proxy for redirection of domains, ports, etc.

I also used NethServer-7 to handle the DHCP as I have a router on the LOCAL LAN as a DHCP relay for Wireless devices. If I were using the modem for DHCP then the Wireless router would still have to be on LOCAL LAN to be protected by NethServer-7 and therefore the server would have to be the relay for the DHCP. Much easier to configure the Wireless router to be the relay.

For NS-8, I wanted to replicate the same way and use the Proxmox firewall option to handle the protection and also host NS-8, so no need for another box for the firewall.

The problem with this approach is that Proxmox cannot be the PPPoE requester, as it will jeopardise some of its functionality because of a version problem with one of the components of the PPPoE software needing a different version from the one used by Proxmox.

Another problem with NS-8 requesting the PPPoE is that it will be directly connected to the internet and it will have no direct protection while being exposed.

The solution I was thinking of was to use another box for the firewall. This solution needs two machines to do the job and I wanted to use only one.

Another way would be to host the firewall inside Proxmox. That way, Proxmox can take backups of the VMs and transfer those backups to another machine.

The problem is which firewall to use? NethSecurity is not ready yet and it will take some time to mature to a level of trustability. For the time being, I reopened my studies of OPNsense…

At some point I was even considering using Proxmox hosting ISPConfig with its Fail2ban/Amavis/firewall/web hosting etc… (it has everything, just like NethServer-7).
There is only one problem with ISPConfig; it has no PPPoE possibility for the same reason as Proxmox, i.e. some software component version incompatibility related to Debian PPPoE.
Maybe using Rocky to host ISPConfig, but now, since the story of CentOS, I only go with Linux distros that I am sure will still be there for many years and won't change their license; Debian is the only one to count on.

Like a very large number of people, I am inconsolable at the loss of the functionality and robustness of NethServer-7.

Every night I wake up to curse CentOS, RedHat and IBM.

Michel-André

@michelandre either way, unless you have a dedicated router or firewall for your network, you would still need a firewall for your Proxmox VMs to manage a lot more things, especially if you're looking at deploying multiple VMs within the same Proxmox host and have a single public IP.

I pose the question again: why do you want to connect to the ISP box using PPPoE?

NS8.1, which is coming soon I hope, will feature a DHCP server.

Since you are not looking for advanced firewall features, using OPNsense honestly will be overkill for your setup, and since NethSecurity is based on OpenWrt, for what you need it for, it should be OK to use; after all, it's RC.

Don't complicate your setup.

Is it also possible to draw a simple sketch map of your potential setup?

I need to think about your setup…
Just to clarify some points first:

NS8 uses firewalld; all ports except the ones used by apps are filtered. Only some high ports are closed (VoIP?). It can be configured on the CLI using firewall-cmd or with Cockpit.
CrowdSec is already working and blocking IPs like Fail2ban.

Dnsmasq is already available as an NS8 app.

EDIT:

As regards your setup:

What about a virtual gateway VM that also takes care of the PPPoE connection?

I'm going to switch from OPNsense to NethSecurity because I like the simple, fast UI and it's based on OpenWrt, which I use already and consider stable. PPPoE is possible on both, as explained in the NethSec docs and in the OPNsense docs.

2 Likes

Like everyone else here, I know that, even if I don’t consider myself a genius.

Like the documentation of NS8, not understandable, it’s missing something.

ISP box?
If you mean why use PPPoE, it is because that is the way things work around here to connect to the internet.

Soon?
Will it have it or not… maybe… maybe not…
Will it be as bug-free as NS8? :frowning:

Maybe, but at least it is stable, not born yesterday and trusted by millions of people.

Reading this forum's posts about OpenWrt, I wonder how complete it is.

My experience with NS8 tells me that "stable" has a different meaning for Nethesis, so imagine RC?

It is not "complicated", it is to make sure that the most important component of my network is really secure and doing the work it is supposed to be doing.

EOL is very near, I have to be ready like others should,

Michel-André

Salut @mrmarkuz

I should have written [… it will have no "full" protection…]

And even then, later on and after opening ports for some reasons, it will still be exposed, and will its protection be enough?

Also, if it's well protected, why should I add a firewall?

Because I consider you the most knowledgeable and the best advisor regarding NethServer, I see myself obliged to reconsider NethSecurity.

In the worst-case scenario, if I ever have a problem with NethSecurity I can be sure that you will always be there to advise me on a solution.

Michel-André

1 Like

Because firewalld just protects the NS8 but it is not configured as a gateway firewall. I just wanted to point out that NS8 is not completely unprotected.
In your setup a gateway firewall is for sure needed as you have clients to route and protect, but for example NS8 works as a VPS too and therefore it is able to protect itself.

Thank you very much.
I have used OpenWrt for a long time now and it just does its job.
As regards NethSecurity, there will be UI/configuration bugs but the base is stable.
The firewall migration from NS7 to NethSecurity could be interesting for you too, but for sure it needs to be tested in a virtualization environment.

You could also use OPNsense now and switch to NethSec later. But it depends on how much you need to configure on the gateway.

Usually I recommend having a separate firewall box because on the one hand it's more secure, as there's no virtualization layer or other apps, and on the other hand you split up a single point of failure. But it always depends on what one wants to achieve, and I can understand the need to not have too many devices when they weren't needed before.

I’ll try to be there. Honestly, I need to learn and get into NethSecurity too. I’m busy developing NS8 apps at the moment but the new hardware firewall for NethSec already arrived.

2 Likes

This is only a part of my network.

Usually, the NethServer-7.9.2009 is connected directly to one of the VDSL modem ports.

I test everything on the ODROID H3+ Proxmox and I can verify in real life on the APU-4D4 Proxmox.

Presently, all the web sites are on the NethServer-7.9.2009.
Later, I can virtualize them on the APU-4D4 or on the ODROID-H3+.

For more security, I can also make a cluster of the 2 Proxmox nodes (I have to check that because of the CPU difference).

Michel-André

1 Like

Just to explain why I need a very secure firewall.

And this report is only for 1 week (7 days) and for only 1 site.

An attempt every 7.9 seconds.


Anecdote

Initially, when the SSH port was 22, the server recorded an SSH attack every 5-10 seconds.
Since I changed the SSH port, these attacks have decreased by 99.99%.

Sometimes a good small choice generates big changes, imagine a bad one.

Michel-André

1 Like
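The rate quoted above ("an attempt every 7.9 seconds") is easy to measure yourself from the sshd log, and the same numbers tell you whether a change such as moving the port actually reduced the pressure. The script below is an added example, not something posted in this thread or shipped by NethServer; it parses the standard OpenSSH "Failed password" message as it appears in a syslog-style line, reports the mean interval between attempts and the busiest source addresses, and computes the percentage reduction between two counts. The sample log lines are constructed for the example (documentation address ranges, invented host name and PIDs) and the year is assumed because syslog timestamps do not carry one.

```python
"""Summarise SSH brute-force pressure from sshd log lines (added example)."""
import re
from collections import Counter
from datetime import datetime

# Matches OpenSSH's "Failed password for [invalid user] NAME from IP port N ssh2"
# message in a classic syslog line: "Mon DD HH:MM:SS host sshd[pid]: ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample log: five failed attempts in 40 seconds plus one
# legitimate key-based login that must be ignored.
SAMPLE_LOG = """\
Mar  3 10:15:00 ns8 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:08 ns8 sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:17 ns8 sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 40122 ssh2
Mar  3 10:15:25 ns8 sshd[2107]: Failed password for invalid user admin from 203.0.113.5 port 51251 ssh2
Mar  3 10:15:30 ns8 sshd[2109]: Accepted publickey for michel from 192.168.1.50 port 55012 ssh2: ED25519 SHA256:abc
Mar  3 10:15:40 ns8 sshd[2111]: Failed password for root from 192.0.2.9 port 33109 ssh2
"""


def parse_failed_logins(lines, year=2024):
    """Return a list of (timestamp, source_ip, username) for failed logins.

    `year` is assumed: syslog timestamps omit it, so the caller supplies it.
    """
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects, etc. are not attempts
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Mar  3")
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def summarise(events, top=3):
    """Count attempts, mean seconds between them, and the busiest sources/users."""
    if not events:
        return {"attempts": 0, "seconds_per_attempt": None,
                "top_sources": [], "top_users": []}
    times = sorted(t for t, _, _ in events)
    span = (times[-1] - times[0]).total_seconds()
    per_attempt = span / (len(times) - 1) if len(times) > 1 else None
    return {
        "attempts": len(events),
        "seconds_per_attempt": per_attempt,
        "top_sources": Counter(ip for _, ip, _ in events).most_common(top),
        "top_users": Counter(user for _, _, user in events).most_common(top),
    }


def reduction_percent(before, after):
    """Percentage drop from `before` attempts to `after` attempts (2 decimals)."""
    if before <= 0:
        raise ValueError("need a positive baseline count")
    return round(100.0 * (1.0 - after / before), 2)


if __name__ == "__main__":
    report = summarise(parse_failed_logins(SAMPLE_LOG.splitlines()))
    print(f"failed attempts: {report['attempts']}")
    print(f"mean seconds between attempts: {report['seconds_per_attempt']:.1f}")
    print("busiest sources:", report["top_sources"])
    print("reduction 10000 -> 1 attempts:", reduction_percent(10000, 1), "%")
```

On a real host feed it `journalctl -u sshd --no-pager -o short` output or `/var/log/secure` lines instead of `SAMPLE_LOG`; the busiest-source list is the same information CrowdSec or Fail2ban acts on, so it is a quick way to confirm those tools are seeing what you expect.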

@michelandre

Proxmox is capable of passing through PPPoE requests if it does not use that NIC for itself. It can be passed through as a vmbr (bridge on the NIC) to NethServer or OPNsense, whatever you prefer.
Neth or OPN can then do the PPPoE authentication.

This is rock solid.

My 2 cents
Andy

3 Likes

Yes, we always need to keep an eye on security; here is a CrowdSec screenshot from an NS8 node:

1 Like

Salut @Andy_Wismer,

Do you mean that if I don't give any address to vmbr0 and tell OPNsense or whoever else to use vmbr0 to send the PPPoE request, everything will work???

Do I have to give an address to the OPNsense VM and link it to vmbr0, or no address at all?
Or give the enpXsY to the OPNsense PPPoE request?

I think you resolved the problem that has had me searching for a solution for a few days and ruined my sleep?

Only a very experienced user knows that kind of answer.

Michel-André

@michelandre

Hi Michel-André

As you will be using this Proxmox for home use, I would keep the primary NIC for this use (vmbr0).
For PPPoE, use another NIC, and create a second vmbr, e.g. vmbr1.

Here is a real live case - from your native Canada - and this is live!
If using OPNsense, like in this specific case, OPNsense only needs to be configured with PPPoE, no IP information configured. The IP will be allocated by the provider using DHCP over PPPoE.

The OPNsense has 2 NICs, these use vmbr0 (LAN) and vmbr1 (WAN):

And here in detail the PPPoE


This should help get you up to speed… :slight_smile:

My 2 cents
Andy

3 Likes
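The layout Andy describes (primary NIC kept for the host on vmbr0, a second NIC bridged as vmbr1 and handed to the firewall VM, which runs PPPoE itself) corresponds to a Proxmox `/etc/network/interfaces` like the one below. This is an added example written for this thread, not Andy's or Proxmox's own configuration; the NIC names `enp1s0`/`enp2s0`, the `192.168.1.0/24` LAN and the firewall VM's LAN address `192.168.1.1` are assumptions, so substitute your own.

```text
# /etc/network/interfaces on the Proxmox host (added example, names assumed)
auto lo
iface lo inet loopback

# Physical NICs carry no addresses of their own; they only feed the bridges.
iface enp1s0 inet manual
iface enp2s0 inet manual

# vmbr0: LAN bridge. The host's management address lives here and its
# default route points at the firewall VM's LAN address (assumed 192.168.1.1).
auto vmbr0
iface vmbr0 inet static
        address 192.168.1.2/24
        gateway 192.168.1.1
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0

# vmbr1: WAN bridge toward the DSL modem. Deliberately no address on the
# host side: the hypervisor has nothing reachable from the modem, and the
# firewall VM's second NIC attached here is the only thing that speaks PPPoE.
auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0
```

The firewall VM then gets two virtual NICs, one on vmbr0 (LAN) and one on vmbr1 (WAN), and its PPPoE client is bound to the WAN one; this is the setting that answers the question earlier in the thread about whether the VM needs an address on the bridge (it does not on the WAN side, the provider assigns it over PPPoE). The check worth making after applying the file is `ip addr show vmbr1` on the host: it should list no IPv4 or global IPv6 address, otherwise the host itself is exposed on the modem side.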

Why are you getting me jealous…

1 Like

Salut @Andy_Wismer,

That will work for sure, as you say so, and also I have the same provider.

Then I can go and have a good nap.

You're in the same category as Markus.

Thank you so much for sharing your valuable experience,

Michel-André

2 Likes

Since my hardware firewall died at home, I have a similar setup.
Before, all was on NethServer 7; now I have
1 NethSec VM as firewall/DHCP/VPN/etc. (on Proxmox with 2 LANs) and 1 NS8 VM for the other services.
The only difference is that at the moment I don't use PPPoE, but the FRITZ!Box router forwards everything to the NethSec WAN IP (as exposed host).

Both NethSec 8 and OPNsense support PPPoE, but I haven't tried it yet.

Regardless of the solution you choose, I am quite happy with this configuration, obviously remembering the limits of having a firewall as a VM.

Sooner or later I will buy the hardware for the firewall again, but at the moment everything is fine and the virtualized firewall also has its advantages (especially if you like to test) :wink:

4 Likes

Salut @dz00te

I was thinking of installing the firewall directly on the hardware machine, but with Proxmox and the first firewall rule to ACCEPT SSH from the LAN, you will always be able to connect and repair the firewall through SSH. If not, then you can always start a Proxmox console and recover.

Especially if you have a snapshot of the firewall, it is a question of seconds to recover.

Once, Andy recommended that I get an APU-4D4 for OPNsense. It is very small and fanless.
I bought it from Europe somewhere and it took 3 days to have it at my doorstep; amazing delivery!

In the picture of my network above, you can see the back of the APU-4D4; it has 4 RJ-45 connectors but no video. That is why you have to get a USB-to-DB9 adapter and the software to be able to plug a machine into it for the installation, or you have a serial DB9 port on your workstation, which is not common these days.

Michel-André

1 Like

Salut @mrmarkuz,

I tried OpenWrt.
Quite interesting. Many howtos and lots of docs.

I installed the French language using only one command; it took just a second or two.
# opkg install luci-i18n-base-fr

For @oneitonitram:
NethSec should use their language files; they have a lot of them.
It would be almost all translated for NethSec. You would just have to add the differences.
The most interesting thing: if we choose "auto" as the language, the system displays in the language defined in the browser, if installed.

They also have locate, which is a must to find something.
# opkg install findutils

Next, the hardest part, the firewall rules.
Besides the included rules, are there some rule files for a home server that I could import?

Michel-André

1 Like

I think most commands that work in OpenWrt could also work in NethSec.

In relation to copying the translations from OpenWrt, I am not sure it would work OK that way.

This is because NethSec implements its own UI, separate from the LuCI interface used in OpenWrt.