I have virtualization hosts (Proxmox) running multiple VMs providing public services. I'm using a firewall appliance (OPNsense) to filter the traffic.
This works fine for a routed subnet, where the public IP is bound directly to the virtual network interface of the VM: I can set firewall rules to filter traffic based on port / source etc.
On one of the servers, I got one single additional public IP address from the hosting provider which is not part of a routed subnet. I got a virtual MAC address (virtual in terms of not bound to a physical NIC) and I can create a virtual network card for a VM with this MAC address which allows me to assign this IP directly to a VM which is attached to the public bridge.
Since I want to filter the traffic with my firewall appliance, I assigned an additional virtual NIC to the firewall VM. The VM that provides the service has a local / not routed IP address and is attached to a local bridge on a LAN port behind the firewall VM.
I can now use destination NAT rules to map specific ports for inbound traffic to the VM.
From my understanding, this would require me to add source NAT rules to make sure that outbound traffic from this VM gets the correct public IP address as its source. Is this correct?
I wonder if this is the best way to do this, or if there is a more transparent way where I don't have to deal with DNAT rules and all traffic facing the additional public IP would be directed 1:1 to the VM. Being able to do rule baed filtering would of course still be a requirement.
