Howto proxmox
install proxmox
download proxmox iso:
https://enterprise.proxmox.com/iso/proxmox-ve_8.1-2.iso
openwrt
download openwrt image:
cd /var/lib/vz/images wget https://mirror-03.infra.openwrt.org/releases/23.05.3/targets/x86/64/openwrt-23.05.3-x86-64-rootfs.tar.gz
create container in proxmox using pct:
ptc create 102 ./openwrt-23.05.3-x86-64-rootfs.tar.gz --unprivileged 1 --ostype unmanaged --hostname openwrt --net0 name=eth0 --net1 name=eth1 --storage local-lvm
edit container config /etc/pve/lxc/102.conf:
lxc.cgroup2.devices.allow: c10:200 rwm lxc.mount.entry: /dev/net dev/net none bind,create=dir
configure network:
config interface 'loopback' option device 'lo' option proto 'static' option ipaddr '127.0.0.1' option netmask '255.0.0.0' config globals 'globals' option ula_prefix 'fdb5:603d:27d8::/48' config device 'lan_br' option name 'br-lan' option type 'bridge' list ports 'eth1' config device 'eth1' option name 'eth1' config interface 'lan' option device 'br-lan' option proto 'static' option ipaddr '192.168.99.254' option netmask '255.255.255.0' option ip6assign '60' config interface 'wan' option device 'eth0' option proto 'static' option ipaddr '192.168.24.44' option netmask '255.255.255.0' option gateway '192.168.24.254' option ip6assign '60' config interface 'wan1' option device 'eth0' option proto 'static' option ipaddr '192.168.24.45' option netmask '255.255.255.0'
configure dns and dhcp:
config dnsmasq option domainneeded '1' option localise_queries '1' option rebind_protection '1' option rebind_localhost '1' option local '/lan/' option domain 'ovoxcloud.com' option expandhosts '1' option cachesize '1000' option authoritative '1' option readethers '1' option leasefile '/tmp/dhcp.leases' option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto' option localservice '1' option ednspacket_max '1232' list server '4.2.2.1' list server '4.2.2.2' list interface 'lan' list notinterface 'wan' option port '53' config dhcp 'lan' option interface 'lan' option start '100' option limit '150' option leasetime '12h' option dhcpv4 'server' option dhcpv6 'server' option ra 'server' option ra_slaac '1' list ra_flags 'managed-config' list ra_flags 'other-config' config dhcp 'wan' option interface 'wan' option ignore '1' config odhcpd 'odhcpd' option maindhcp '0' option leasefile '/tmp/hosts/odhcpd' option leasetrigger '/usr/sbin/odhcpd-update' option loglevel '4'
configure firewall:
config defaults option syn_flood '1' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' config zone option name 'lan' list network 'lan' option input 'ACCEPT' option output 'ACCEPT' option forward 'ACCEPT' config zone option name 'wan' list network 'wan' list network 'wan6' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' option masq '1' option mtu_fix '1' config forwarding option src 'lan' option dest 'wan' config rule option name 'Allow-DHCP-Renew' option src 'wan' option proto 'udp' option dest_port '68' option target 'ACCEPT' option family 'ipv4' config rule option name 'Allow-Ping' option src 'wan' option proto 'icmp' option icmp_type 'echo-request' option family 'ipv4' option target 'ACCEPT' config rule option name 'Allow-IGMP' option src 'wan' option proto 'igmp' option family 'ipv4' option target 'ACCEPT' config rule option name 'Allow-SSH-WAN' option src 'wan' option proto 'tcp' option dest_port '22' option target 'ACCEPT' config rule option name 'Allow-HTTP-WAN' option src 'wan' option proto 'tcp' option dest_port '443' option target 'ACCEPT' config rule option name 'Allow-DHCPv6' option src 'wan' option proto 'udp' option dest_port '546' option family 'ipv6' option target 'ACCEPT' config rule option name 'Allow-MLD' option src 'wan' option proto 'icmp' option src_ip 'fe80::/10' list icmp_type '130/0' list icmp_type '131/0' list icmp_type '132/0' list icmp_type '143/0' option family 'ipv6' option target 'ACCEPT' config rule option name 'Allow-ICMPv6-Input' option src 'wan' option proto 'icmp' list icmp_type 'echo-request' list icmp_type 'echo-reply' list icmp_type 'destination-unreachable' list icmp_type 'packet-too-big' list icmp_type 'time-exceeded' list icmp_type 'bad-header' list icmp_type 'unknown-header-type' list icmp_type 'router-solicitation' list icmp_type 'neighbour-solicitation' list icmp_type 'router-advertisement' list icmp_type 'neighbour-advertisement' option limit '1000/sec' option family 'ipv6' option target 'ACCEPT' config rule option name 'Allow-ICMPv6-Forward' option src 'wan' option dest '*' option proto 'icmp' list icmp_type 'echo-request' list icmp_type 'echo-reply' list icmp_type 'destination-unreachable' list icmp_type 'packet-too-big' list icmp_type 'time-exceeded' list icmp_type 'bad-header' list icmp_type 'unknown-header-type' option limit '1000/sec' option family 'ipv6' option target 'ACCEPT' config rule option name 'Allow-IPSec-ESP' option src 'wan' option dest 'lan' option proto 'esp' option target 'ACCEPT' config rule option name 'Allow-ISAKMP' option src 'wan' option dest 'lan' option dest_port '500' option proto 'udp' option target 'ACCEPT' config redirect option src wan option dest lan option src_dip 192.168.24.45 option dest_ip 192.168.99.208 option target DNAT option name DNAT-IP-WAN-LAN option enabled config redirect option src lan option dest wan option src_ip 192.168.99.208 option src_dip 192.168.24.45 option target SNAT
option name SNAT-IP-LAN-WAN
option enabled 1