Proxmox to host Nethserver and NAS solutions

You were asking about a virtualized firewall?

Here’s one, the OPNsense firewall is running inside Proxmox, using a Proxmox bridge to pass through the Internet connection.

This is a friends home network. He’s also a developer, but not a systems guy.
He’s stuck in Africa from his unplanned extended vacation, but he’s not having a bad time down there. Even had him meet someone from the NethServer Forum who lives there. They had a nice Grill / BBQ… :slight_smile:


Hmm, you are making me think now, and it is true I had a hard time because I installed Active Directory on Nethserver, my NIC was bridged and I couldn’t change anything. So now I’m thinking I will just use an LDAP server to create users and that is it. If I need an AD, I will wait until I have my Proxmox box up. Perhaps I’ll just leave my Nethserver running on my Q1900M motherboard with 4 gigs of RAM, integrated CPU. Hmm, or then again just run it off a VM in Proxmox but without using the AD part.

BTW, I did try the Reset Network Configuration I found in the documentation and it worked really well, so there is an easy way out of the bridged NIC after installing AD: nethserver-base — NethServer 7 documentation

Indeed, that is why I opted for 10.168.x.x, to avoid conflicts :slight_smile:

Yes I remember that from yesterday… Another possibility.

See my old 2003 Network:

172.25.63.0 was office
172.25.25.0 was home
172.25.83.0 was Hosted

Each site actually had 8 networks (a whole subnet) - for testing or whatever. Home, the LAN of 2003 shown earlier, had 4 subnets used in that range… The third digits are actually what I think is called ZIP codes over yonder (here it’s known as PLZ or Postleitzahl).

Grouping the networks made firewall rules simpler, as you could aggregate them by blocks of 8 subnets.
The 10.x.x.x network was already used by the providers in CG-NAT, so to avoid issues with VPN, I avoided using those networks.

A CIDR chart:

A good friend of mine used VMWare at the time. He had his Synology NAS for the company he was setting up as a member of the Win2008 AD (Also a VM). This saved him the trouble of opening several duplicate accounts, allowing AD users to access Shares on the NAS.

The downside was when he wasted a week trying to find out why he couldn’t save an image of his VM to the NAS - after all, NFS uses no authentication…
I found out for him, that if his AD is down, he couldn’t even log in to the NAS GUI…

Talk about painting yourself into a corner - it’s sometimes too easy, and you don’t see it until weeks later…

Well, if ever I run into a problem, I’ll just use 20.x.x.x.

A lot of food for thought. I’ll have to decide on my network architecture and decide on something and proceed to make the right hardware purchases.

I’m thinking, leave my Nethserver as is. Build a Proxmox box with 64 gigs of ECC RAM, four 2T drives in RAID10 for Proxmox’s VMs, another four 6T drives in RAID5, an external drive bay for backups, a standard Ryzen motherboard which I already have (Asus X470 Crosshair Hero), Ryzen 2700X processor. Should be good enough for a start. Oh yes, I’ll need an extra NIC to dedicate directly to the NAS. I was thinking a 10GbE NIC, but then again I would have to upgrade my entire network so… nah… Just a plain old 1GbE NIC.

Hmm, if ever I run out of space perhaps I’ll create a Class B network, 10.168.0.0/16, if that is possible at all? Nah, overkill… 10.168.252.0/22 would be enough.

Subnetting is a legit use of IP…

:slight_smile:

But using 20.x.x.x would cause problems, as this is a public, Internet-routed network.

I have to learn how to do subnetting, something I am not familiar with yet.

If 20.x.x.x is taken and 10.x.x.x is used by some VPN techs, then that leaves 192.168.x.x. I guess I’ll go back to the old home IP scheme… :-/

The RFCs specify:

A-Class 10.x.x.x (/8)
B-Classes 172.16.x.x - 172.31.x.x (/16)
C Classes 192.168.x.x (/24)

as private networks. Not routable to the Internet; indeed, any router involved must just drop those packets, as they have nothing to do on the Internet.
That was a first step in mitigating the limited IPv4 addresses, before IPv6 became reality, but those RFC rules are still valid.

The 172.x range would give you several subnets of 254 IPs each, that would be something.

You could use, say, 172.22.22.0/24 as LAN, 172.22.23.0/24 for guests on WLAN, and, say, 172.22.24.0/24 for testing or experimenting…

Subnetting has a lot of practical uses…

Carrying on the above example, you’re using 172.22.23.0/24 as your guest WLAN. This means 254 IP addresses.
172.22.23.1 would be the gateway of that WLAN, 172.22.23.10 the WLAN AP, 20-127 reserved (DHCP) for your devices, and the ones above for guests. The firewall rule would allow the lower subnet (the first 128 IPs) through, so you could, say, access your NextCloud with your mobile/cell.
But your guests, getting an IP above 129, couldn’t…
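As an added example (not from any of the original posts), the script below uses only Python’s standard-library ipaddress module to model three things discussed in this thread: the RFC 1918 check that explains why 20.x.x.x is unusable as a private range, the aggregation of eight consecutive /24s into one /21 so a site needs one firewall rule instead of eight, and the guest WLAN split of 172.22.23.0/24 into a trusted lower /25 and a guest upper /25 that the firewall rule keys on. The concrete addresses, the DHCP start at .20 and all function names are assumptions for illustration; the split boundary is .128 because that is where a /25 ends.

```python
import ipaddress

# RFC 1918 private ranges, the three blocks the thread lists by "class".
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if addr lies inside one of the RFC 1918 private ranges.

    Anything outside (e.g. 20.x.x.x) is public, Internet-routed space and
    must not be used for a private LAN.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def aggregate(prefixes):
    """Collapse CIDR prefixes into the fewest covering prefixes.

    Eight aligned, consecutive /24s collapse to a single /21. That is the
    grouping trick the thread describes: one firewall rule per site instead
    of one per subnet. Non-contiguous prefixes are left as they are.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def plan_guest_wlan(cidr="172.22.23.0/24", dhcp_first=20):
    """Split one /24 into a trusted lower half and a guest upper half.

    Hypothetical plan mirroring the thread's example (assumed values):
    .1 gateway, .10 access point, .20 up to the end of the lower /25 as
    DHCP for your own devices, the whole upper /25 for guests.
    """
    net = ipaddress.ip_network(cidr)
    lower, upper = list(net.subnets(prefixlen_diff=1))  # two /25s
    return {
        "gateway": str(net.network_address + 1),
        "access_point": str(net.network_address + 10),
        "trusted": str(lower),
        "trusted_dhcp": (
            str(net.network_address + dhcp_first),
            str(lower.broadcast_address),
        ),
        "guest": str(upper),
    }


def firewall_allows(addr, plan):
    """Model the rule 'allow the trusted /25 to reach NextCloud, deny the rest'.

    A single prefix match replaces a per-host allow list; a guest that
    receives a lease from the upper /25 never matches.
    """
    return ipaddress.ip_address(addr) in ipaddress.ip_network(plan["trusted"])


if __name__ == "__main__":
    for a in ("10.168.252.7", "172.31.255.254", "172.32.0.1", "20.1.2.3"):
        print(f"{a:>16} private={is_rfc1918(a)}")
    # constructed list of eight consecutive /24s for one site
    site = [f"172.22.{i}.0/24" for i in range(24, 32)]
    print("site rule:", aggregate(site))
    plan = plan_guest_wlan()
    print("plan:", plan)
    for a in ("172.22.23.50", "172.22.23.129", "172.22.23.200"):
        print(f"{a:>16} allowed={firewall_allows(a, plan)}")
```

Note that 172.32.0.1 fails the private check even though it "looks like" the 172 range: the RFC 1918 block is 172.16.0.0/12, which ends at 172.31.255.255, so a typo one octet too high puts a LAN on public address space.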

Indeed, and it is very interesting. I’m more and more interested in those things, especially since smart home devices / IoT devices came to be. Like you said, there are so many practical uses. And well, for me it is a way to learn something new and a challenge I like.

Subnetting is actually quite simple…

Thinking of IP addresses like telephone numbers isn’t too far off, actually the analogy gets very close. The main difference is the differing length of digits: IPs have 4 groups of numbers from 1-256, whereas telephone numbers, especially with international dialing codes, can get quite long.

The next big difference is the subnet mask - in telephony the invisible divider between the regional or national code, and your individual number.

I agree the concept is very easy. But for someone who doesn’t know how to apply it with a given system, the routing, the configuration, at least the first time, it is not so easy to do. For you, piece of cake, you’ve been doing that for years! :slight_smile:

This might help in planning…

These are IP ranges in a typical 256-address network, as most home users and SME businesses use…

:slight_smile:

PM, and I can provide the whole XL file as a sample…

To answer an earlier question: my AWR7-PVE-4 is my test lab for VMs…

Thank you! I do split all these already, but you go a step above, planning for every possible device.

Thanks again for the list! I was wondering, any recommendation on a good AD server (without a Microsoft Server)? And if possible, I would avoid Zentyal. I am not sure I want to use Nethserver’s AD with all this binding of the primary NIC card.

Then I looked at the network of your friend and I saw OPNsense and Nethserver. So I’ll guess that OPNsense is the firewall and Nethserver is used for the AD? Am I assuming this correctly? If that is the case, I could spin up a Nethserver to use just as an AD inside Proxmox?

Just avoid using the Firewall on Nethserver, then you have no issues…

I have it at a hotel, a trade consulate, doctors, financial fiduciaries…
20-30 users, all no issues with AD!

All run with daily 7-gen backups, Proxmox and NethServer… :slight_smile:

All these Nethservers have AD, File & Print, Zabbix monitoring, NextCloud and more running…
Some have 600 GB files…

Andy

When you said avoid using the Nethserver firewall, do you mean using both the firewall and AD together? Or did you mean

  1. as long as I split it in 2, one Nethserver firewall and one Nethserver AD?
  2. using OPNsense for the firewall and Nethserver for the AD?

If your intent was option 2, then I’ll just have to learn something new. I am already downloading it just in case. And it looks very modern and it is free!

Definitely version 2!!!

OPNsense plugins - Zabbix, WireGuard, and many more…

Alright! That will be a hell of a nice project to do! I’m building a hardware list and, if you don’t mind, I’ll run it by you to see what you think. Just getting prepared ahead of time, as I hate rushing and not having time to validate.

Fine with me!

You’ll like OPNsense. I can provide you with a pre-fab config for OPNsense, with IPsec road warrior running. Just adapt it to your needs…

Let OPNsense, the specialist, worry about routing, firewalling and such; Proxmox, the virtualization specialist, does just that; and let your NethServer do most other stuff, that’s its speciality as a generalist!