There’s an old saying in IT: «If your data doesn’t exist in three places, it doesn’t exist at all.» In a virtualized environment, where your entire servers are just files on a disk, this rule is more critical than ever. Fortunately, Proxmox VE provides powerful, integrated tools to ensure your virtual machines and containers are safe and recoverable.

This guide will cover the two primary methods for backing up your data in Proxmox: the built-in VZDump utility for local backups and the enterprise-grade, standalone Proxmox Backup Server (PBS) for advanced, efficient, and centralized backups.

Method 1: The Built-in Backup (VZDump)

Every Proxmox VE installation comes with vzdump, a reliable tool that can create full backups of your running VMs and containers.

How it Works: VZDump essentially creates a «snapshot» of the running guest, then archives its configuration file and all of its disk data into a single compressed file (e.g., .vma.gz). These backups can be stored on any storage you’ve configured in Proxmox, such as a local directory or an NFS share from a NAS.

Key Features:

• Three Backup Modes:
  • Snapshot: (Recommended) Creates a temporary snapshot for consistency, minimizing downtime. The VM never stops running.
  • Suspend: Briefly suspends the VM to ensure perfect data consistency, then resumes it after the backup starts. Causes a short downtime.
  • Stop: Completely stops the VM for the duration of the backup. Guarantees consistency but causes significant downtime.
• Scheduling: The most powerful feature. You can set up automated backup jobs to run daily or weekly for specific VMs, ensuring you always have recent recovery points.
• Compression: Backups can be compressed (GZIP, ZSTD) to save space.

How to Create a Scheduled Backup Job:

1. Navigate to Datacenter -> Backup.
2. Click Add.
3. In the dialog, you will configure:
   • Node: Which Proxmox server to run the job on.
   • Storage: Where to save the backup files.
   • Schedule: When to run the job (e.g., «every day at 02:00»).
   • Selection: Which VMs to include (you can select them manually, by resource pool, or back up all guests).
   • Mode/Compression: Choose «Snapshot» and your preferred compression.
4. Click Create. That’s it! Your data is now protected automatically.

Method 2: Proxmox Backup Server (The Professional Choice)

For more advanced needs, Proxmox offers a completely separate, free, and open-source product: Proxmox Backup Server (PBS). You install PBS on a separate physical or virtual machine.

Why use PBS? The Magic of Deduplication. Imagine you back up a 100GB VM today. Tomorrow, you change a 1GB file and run the backup again.

• VZDump will create a whole new ~100GB backup file.
• PBS will intelligently see that 99GB of data is identical. It will only transfer and store the new 1GB of changed data.

This «deduplication» is incredibly efficient, resulting in:

• Massive Space Savings: Your backup storage will grow much, much slower.
• Faster Backups: Subsequent backups are lightning-fast as only changed data is sent over the network.
• Centralization: Manage backups for multiple Proxmox VE hosts from a single PBS interface.

How to Set It Up (High-Level Overview):

1. Install Proxmox Backup Server on a dedicated machine.
2. In the PBS interface, create a «datastore» – this is the storage location for your backups.
3. In your Proxmox VE interface, go to Datacenter -> Storage -> Add.
4. Select Proxmox Backup Server.
5. Enter the IP address and login details for your PBS instance.
6. Now, when you create a backup job, you can select this new PBS storage as the destination.

How to Restore a VM or Container

Restoring is simple and can be done from either a VZDump or PBS backup.

1. Navigate to your backup storage location (e.g., local -> Backups or your PBS storage).
2. You will see a list of all your backup files.
3. Click on the backup you want to restore.
4. Click the Restore button.
5. You can choose to restore it over the original VM or create a new one with a new VM ID.
6. Click Restore and Proxmox will handle the rest.

Conclusion: Don’t Wait for Disaster

Data protection is not optional. Whether you use the simple and reliable built-in VZDump for a small setup or deploy the powerful Proxmox Backup Server for a larger environment, setting up regular, automated backups is the most important task for any system administrator.

To understand how data protection fits within the broader Proxmox ecosystem, be sure to check out our Ultimate Guide to Proxmox VE.

Сообщение The Complete Guide to Proxmox Backups: VZDump and Proxmox Backup Server появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

Once you have Proxmox installed, you’ll quickly realize that networking is the backbone of your entire virtualization setup. It’s how your virtual machines (VMs) and containers connect to each other, to your local network, and to the internet. While it may seem complex at first, Proxmox’s networking model is incredibly powerful and flexible.

This guide will demystify the core components of Proxmox networking. We’ll break down Linux Bridges, explain how to use VLANs to segment your traffic, and touch on NIC Bonding for advanced setups.

The Core Concept: The Linux Bridge

The simplest way to think of a Linux Bridge (like the default vmbr0 created during installation) is as a virtual network switch.

Imagine a physical switch in your office. You plug your computer into it, you plug the printer into it, and you plug the internet router into it. Now they can all talk to each other.

A Linux Bridge in Proxmox does the exact same thing, but virtually:

• Your server’s physical network card (e.g., eth0) is «plugged into» the bridge.
• The virtual network cards of all your VMs and containers are also «plugged into» this same bridge.

The result? All your VMs can talk to each other and access your physical LAN (and the internet) through the server’s physical NIC.

Practical Guide: Creating a New Isolated Network

What if you want a separate, isolated network just for your VMs that can’t access the internet? This is easy to do by creating a new bridge that is not connected to a physical NIC.

1. In your Proxmox UI, navigate to your Node -> System -> Network.
2. Click Create -> Linux Bridge.
3. Give it a name (e.g., vmbr1).
4. Do not add any «Bridge ports». Leave this field blank.
5. You can give it an IP address (e.g., 10.10.10.1/24) if you want your Proxmox host to be able to communicate on this network.
6. Click Create.

Now, when you create a new VM, you can choose vmbr1 as its network bridge. All VMs on vmbr1 will be able to talk to each other, but they will be completely isolated from your main LAN.

Advanced Topic 1: Using VLANs in Proxmox

VLANs (Virtual LANs) are a professional way to segment a single physical network into multiple logical networks. This is essential for security and organization. For example, you might want your security cameras on a separate network from your personal computers.

Proxmox has first-class VLAN support. The key is to have a «VLAN-aware» switch in your physical network.

Here’s how it works:

1. Your physical switch is configured to handle tagged VLAN traffic (e.g., VLAN 10 for users, VLAN 20 for cameras).
2. In Proxmox, your main Linux Bridge (vmbr0) must have the «VLAN aware» checkbox ticked.
3. Now, for each individual VM or container, you can go to its Hardware tab, select the Network Device, and enter a VLAN Tag (e.g., 20).

That’s it! Proxmox will now automatically «tag» all traffic from that VM with the VLAN 20 ID. Your physical switch will then ensure this traffic can only go to other devices on VLAN 20.

Advanced Topic 2: An Introduction to NIC Bonding

A Linux Bond (also known as link aggregation) is a way to combine two or more physical network cards into a single, virtual one. This provides two main benefits:

• Redundancy: If one network card or cable fails, the connection remains active through the other one (failover).
• Increased Throughput: Depending on the mode, you can aggregate the bandwidth of multiple cards, for example, turning two 1Gbps NICs into a 2Gbps connection.

You can create a Bond directly in the Proxmox Network menu. You’ll need to choose a mode (e.g., balance-rr for load balancing, active-backup for failover) and select the physical NICs you want to include in the bond. You then create your main bridge (vmbr0) on top of this new bond0 interface instead of a single physical NIC.

Conclusion: You Are in Control

Understanding these three components—Bridges, VLANs, and Bonds—gives you complete control over your virtual network. You can create simple, flat networks or complex, segmented environments to match any need.

To see how this powerful networking fits into the bigger picture of managing a complete homelab, be sure to read our Ultimate Guide to Proxmox VE.

Сообщение Configuring Proxmox Networking: Bridges, VLANs, and Bonds Explained появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

So, you’ve decided to build your own powerful server with Proxmox VE? Excellent choice! You’re on your way to creating an amazing homelab or small business environment. This guide is designed for absolute beginners and will walk you through every single step of the installation process. Don’t worry, it’s easier than you think!

By the end of this tutorial, you will have a fully functional Proxmox VE 8 host up and running. Let’s begin!

What You’ll Need

• A dedicated physical computer or server that meets the minimum hardware requirements.
• A USB flash drive (at least 4GB).
• Access to another computer to download the software and create the bootable drive.

Step 1: Download the Proxmox VE ISO Image

First, we need to get the installation file.

1. Open your web browser and go to the official Proxmox downloads page.
2. Look for Proxmox Virtual Environment.
3. Download the latest ISO Installer (e.g., version 8.x). It will be a large file, so be patient.

Step 2: Create a Bootable USB Drive

Now we need to write that ISO file to a USB drive so your server can boot from it.

1. Download and install a free tool called BalenaEtcher. It’s available for Windows, macOS, and Linux and is very user-friendly.
2. Plug your USB drive into your computer.
3. Open BalenaEtcher.
4. Click «Flash from file» and select the Proxmox ISO file you just downloaded.
5. Click «Select target» and choose your USB drive. Warning: This will erase everything on the drive, so make sure it doesn’t contain important data!
6. Click «Flash!» and wait for the process to complete.

Step 3: Boot Your Server from the USB Drive

This is the most hands-on part.

1. Plug the newly created bootable USB drive into your destination server.
2. Power on the server.
3. You need to enter the Boot Menu to tell the server to boot from the USB drive instead of its internal hard drive. This is usually done by pressing a specific key right after you power it on, such as F11, F12, F2, or Del. The correct key is often displayed on the screen briefly.
4. From the Boot Menu, select your USB drive and press Enter.

Step 4: The Proxmox VE Installation Wizard

If all went well, you’ll see the Proxmox VE boot menu.

1. Select «Install Proxmox VE (Graphical)» and press Enter.
2. EULA: The first screen is the End User License Agreement. Click «I agree».
3. Target Harddisk: Choose the hard drive where you want to install Proxmox. For most users with one drive, there will only be one option. Click «Next».
4. Location and Time Zone: Set your country, time zone, and keyboard layout.
5. Administration Password and Email: Enter a very strong password for the root (administrator) user. You will use this to log in. Enter your email address for system notifications.
6. Network Configuration: This step is crucial. The installer will try to guess your network settings, but you should verify them.
   • Management Interface: This will be your server’s main network card (e.g., ens18).
   • Hostname: Choose a name for your server, like pve.mydomain.local.
   • IP Address: Set a static IP address. Do not use DHCP. This should be an address on your local network that is not used by any other device.
   • Gateway: This is the IP address of your home router.
   • DNS Server: You can often use your router’s IP address here as well, or a public DNS like 8.8.8.8.
7. Summary: The final screen will show you a summary of all your choices. Double-check everything. When you’re ready, click «Install».

The installation process will now begin and take several minutes. Once it’s finished, the server will automatically reboot. Don’t forget to remove the USB drive!

Step 5: Your First Login!

After the reboot, your Proxmox server is live!

1. On another computer on the same network, open a web browser.
2. Navigate to the IP address you configured: https://Your-Static-IP:8006
3. You’ll see a security warning because Proxmox uses a self-signed certificate. This is normal. Click «Advanced» and «Proceed».
4. At the login screen, enter the username root and the password you created.
5. Congratulations! You are now in the Proxmox VE web interface.

Now that you have Proxmox installed, it’s time to explore its full potential. Check out our Ultimate Guide to Proxmox VE to learn how to create VMs, configure networking, set up backups, and much more!

Сообщение How to Install Proxmox VE 8: A Beginner’s Step-by-Step Guide появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

Welcome to the definitive guide to Proxmox Virtual Environment (VE). In the ever-evolving world of IT, Proxmox VE has solidified its position as the leading open-source virtualization platform for homelab enthusiasts, small-to-medium businesses (SMBs), and even enterprise users. But what makes it so special?

Proxmox VE is a powerful, all-in-one server management platform that seamlessly integrates two virtualization technologies: Kernel-based Virtual Machine (KVM) for heavyweight virtual machines (like Windows or full Linux distros) and Linux Containers (LXC) for lightweight, OS-level virtualization. Built on a rock-solid Debian GNU/Linux distribution and managed through a user-friendly web interface, Proxmox offers enterprise-level features like clustering, high availability, and software-defined storage, all completely for free.

This guide will walk you through every essential step, turning an empty server into a fully operational virtualization powerhouse.

Chapter 1: Planning Your Proxmox Server

Before you begin, proper planning is key. Your hardware choices will directly impact performance.

• CPU: A modern 64-bit CPU with virtualization support (Intel VT-x or AMD-V) is mandatory. More cores are better, as they can be assigned to different VMs.
• RAM: 8GB is the bare minimum for the host and a couple of small VMs. For any serious use, 16GB to 32GB is highly recommended.
• Storage: This is critical.
  • OS Drive: A small, fast SSD (256GB+) is perfect for installing Proxmox itself.
  • VM Storage: For your VMs, you have options. A large capacity SSD (NVMe is ideal) will provide the best performance. For bulk storage, traditional HDDs can be used, ideally in a RAID or ZFS configuration for data redundancy.
• Networking: A stable Gigabit Ethernet connection is a must. A second network card is recommended if you plan on creating a dedicated storage network or complex firewall setups.

Chapter 2: Step-by-Step Installation

Installing Proxmox is a straightforward process.

1. Download: Grab the latest Proxmox VE ISO installer from the official website.
2. Create a Bootable USB: Use a tool like BalenaEtcher or Rufus to create a bootable USB drive from the downloaded ISO file.
3. Boot and Install: Boot your server from the USB drive. The graphical installer will guide you through the process. You’ll need to agree to the EULA, select your target hard drive for the installation, and set your country, time zone, and a strong root password.
4. Network Configuration: The final step is configuring the network. You will set a hostname, a static IP address, gateway, and DNS server. Double-check these settings, as this is how you will access the web interface.
5. Reboot: Once the installation is complete, remove the USB drive and reboot the server.

Chapter 3: A Tour of the Proxmox Web UI

Once your server has rebooted, open a web browser on another computer and navigate to https://Your-Proxmox-IP:8006. You will see a login prompt. Log in with the username root and the password you set during installation.

The interface is divided into several key areas:

• Datacenter View (Left Pane): This tree view shows your entire setup, from the datacenter level down to individual nodes, storage pools, and guest VMs/containers.
• Top Header: Shows search, user controls, and buttons for creating new VMs, containers, and other tasks.
• Content Pane (Center): This is where you’ll spend most of your time. It displays detailed information and configuration options for whatever item you’ve selected in the left pane.

Chapter 4: Proxmox Networking Explained

Proxmox uses a powerful and flexible software-defined networking model. The most common component is the Linux Bridge (vmbr0 by default). Think of it as a virtual network switch. Your server’s physical network card and all your VMs’ virtual network cards are «plugged into» this bridge, allowing them to communicate with each other and your physical network.

For more advanced setups, Proxmox also supports Linux Bonds (combining multiple physical NICs for speed or redundancy) and VLANs (for segmenting network traffic).

Chapter 5: Configuring Storage

Storage is where your VM disks and ISO images live. Proxmox supports numerous types:

• Local Storage: LVM (default for VM disks) and Directory (default for ISOs and templates).
• Network Storage: NFS and iSCSI are popular choices for connecting to a NAS.
• Advanced/Clustered Storage: ZFS (a powerful combined file system and volume manager) and Ceph (for distributed, highly available storage) are integrated directly into the platform.

Chapter 6: Deploying Your First VM and LXC Container

Let’s create our first guest!

• To Create a KVM (Full VM):
  1. Ensure you have an OS installation ISO uploaded to your local storage.
  2. Click «Create VM» in the top right.
  3. Follow the wizard: give it a name, select the ISO, configure CPU, memory, and hard disk size.
  4. Once created, start the VM and complete the OS installation through the built-in console.
• To Create an LXC (Linux Container):
  1. Download a container template first. Go to local storage -> CT Templates, click Templates, and download a distribution like Ubuntu or Debian.
  2. Click «Create CT».
  3. The wizard is similar but simpler. You’ll set a password, select the template, and configure the network.
  4. Containers are created in seconds and are ready to use immediately.

Chapter 7: Backups & Snapshots — Your Safety Net

Never run a server without a backup plan. Proxmox makes this easy.

• Snapshots: An instant «picture» of a VM’s state. You can roll back to a snapshot in seconds if a change goes wrong. However, a snapshot is not a backup.
• Backups (VZDump): Proxmox’s built-in backup tool. You can create full, compressed backups of your VMs and containers to any configured storage. You can run backups manually or, more importantly, schedule them to run automatically every night.

Conclusion: Your Journey Begins

Congratulations! You’ve gone from a bare metal server to a fully functional virtualization host. You’ve installed Proxmox, explored its interface, and deployed both a VM and a container.

You are now equipped with a powerful platform to build your homelab, run self-hosted applications, or even manage a small business’s IT infrastructure. The next steps in your journey could be exploring advanced topics like Proxmox clustering, high availability, or diving deeper into automation with tools like Terraform and Ansible. The possibilities are endless.

Сообщение The Ultimate Guide to Proxmox VE in 2025: From Zero to a Fully Functional Homelab появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

This guide is for beginners who want a clean, isolated, and repeatable way to run Terraform by setting it up inside a Docker container.

Image 1: Architectural Overview

First, let’s visualize our goal. Our setup will look like this: you run Docker on your machine, which hosts a Terraform container. This container then communicates with your Proxmox server’s API to build, modify, or destroy virtual machines.

• Explanation: This diagram shows a clean workflow. Your workstation instructs a self-contained Docker environment, which in turn manages your Proxmox infrastructure. This prevents clutter on your local machine and ensures a consistent environment.

Part 1: Prerequisites

Before we begin, make sure you have:

1. A running Proxmox VE server.
2. The IP address of your Proxmox server.
3. Docker installed and running on your local workstation.
4. A Proxmox API Token. To create one, go to your Proxmox web UI and navigate to Datacenter -> Permissions -> API Tokens. Click Add, give it a memorable ID (e.g., terraform-user@pve), and save the Token ID and Secret securely.

Part 2: Setting Up the Terraform Docker Environment

We’ll create a dedicated directory for our project and a Dockerfile to define our environment.

First, create a project folder: mkdir proxmox-terraform && cd proxmox-terraform

Now, create a file named Dockerfile inside this directory.

Image 2: The Dockerfile

This Dockerfile is simple. It uses the official Terraform image and adds git, which is required by the Terraform Proxmox provider to download modules.

• Explanation: This file instructs Docker to use the latest official Terraform image and add the git package. The WORKDIR command sets the default directory inside the container, keeping our project files organized.

Build your Docker image with this command: docker build -t terraform-proxmox .

Part 3: Configuring Terraform

Next, create a file named main.tf. This is where you’ll define the Proxmox provider and the virtual machines you want to create.

Terraform

terraform {
  required_providers {
    proxmox = {
      source  = "telmate/proxmox"
      version = "2.9.14"
    }
  }
}

provider "proxmox" {
  pm_api_url = "https://YOUR_PROXMOX_IP:8006/api2/json"
  pm_api_token_id = "YOUR_API_TOKEN_ID"
  pm_api_token_secret = "YOUR_API_TOKEN_SECRET"

  # Set to true if your Proxmox has a self-signed certificate
  pm_tls_insecure = true
}

# --- Define your VM resource here ---
resource "proxmox_vm_qemu" "example_vm" {
  name        = "terraform-vm-01"
  target_node = "pve" # The name of your Proxmox node

  # A pre-prepared template or existing VM to clone
  clone = "ubuntu-2204-cloud-template"
  
  agent       = 1
  os_type     = "cloud-init"
  cores       = 1
  sockets     = 1
  cpu         = "host"
  memory      = 1024
  scsihw      = "virtio-scsi-pci"
  bootdisk    = "scsi0"

  disk {
    size        = "20G"
    type        = "scsi"
    storage     = "local-lvm" # Your target storage
  }

  network {
    model       = "virtio"
    bridge      = "vmbr0"
    firewall    = false
  }
}

Important:

• Replace YOUR_PROXMOX_IP, YOUR_API_TOKEN_ID, and YOUR_API_TOKEN_SECRET with your actual credentials.
• Make sure the clone value points to an existing VM template in your Proxmox server.
• Check that target_node and storage match your Proxmox setup.

Part 4: Running Terraform from Docker

Now for the fun part. We will run the standard Terraform commands, but we’ll execute them through our Docker container.

1. Initialize Terraform: This downloads the Proxmox provider. docker run -it --rm -v $(pwd):/terraform terraform-proxmox init
2. Create an Execution Plan: Terraform will check your configuration and show you what it’s going to do. docker run -it --rm -v $(pwd):/terraform terraform-proxmox plan

Image 3: The Terraform Plan

The output of the plan command is your safety check. It tells you exactly what resources will be created, changed, or destroyed. For our example, it will plan to create one new resource.

• Explanation: This graphic symbolizes the clear and predictable output of the plan command. The + icon indicates that a new virtual machine will be added to your infrastructure, giving you full confidence before you apply any changes.

3. Apply the Plan: If you’re happy with the plan, apply it to create the VM. docker run -it --rm -v $(pwd):/terraform terraform-proxmox apply --auto-approve

That’s it! After a few moments, you should see your new virtual machine, terraform-vm-01, appear in your Proxmox web interface. You have successfully automated VM deployment using Terraform from a clean Docker environment.

Сообщение Deploy Proxmox VMs with Terraform in a Docker Container появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

In modern self-hosted environments, you’re often running multiple services — like a photo gallery (e.g., Immich), media server (e.g., Jellyfin), and dashboards. If all these services expose themselves directly on different ports, things quickly get messy. Enter the reverse proxy.

A reverse proxy routes incoming HTTP/HTTPS traffic to the right container based on domain or path. It allows you to:

• Use pretty domain names like photos.example.com
• Enforce HTTPS with Let’s Encrypt
• Route requests internally by hostname instead of IP and port
• Apply access control, rate limits, or basic authentication centrally

And Traefik does all that, automatically, with minimal config.

Why Traefik Over Nginx?

While Nginx is popular and powerful, it’s static by default. Every new service requires you to edit config files and reload.

Traefik, on the other hand:

• Automatically discovers Docker containers
• Supports dynamic routing using Docker labels
• Comes with built-in Let’s Encrypt integration
• Has a web dashboard to visualize routes
• Requires minimal config

Traefik was designed for containerized environments from the start.

How Traefik Works Internally

Traefik is composed of three key concepts:

1. EntryPoints

These define which ports Traefik listens on (e.g., :80, :443). You can think of these as your public gateways.

2. Routers

Routers match incoming requests (host, path, method) and forward them to services. They also define TLS settings and middleware.

3. Services

These are the actual Docker containers (or upstream backends) that respond to the requests.

4. Middlewares (Optional)

These are like plugins: things that transform requests (e.g., strip path, redirect HTTP to HTTPS, basic auth, etc).

Installing Traefik with Docker Compose

Let’s build a fully functional Traefik setup using Docker Compose.

docker-compose.yml
version: '3.9'

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    command:
      - --api.dashboard=true
      - --api.insecure=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.email=you@example.com
      - --certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    environment:
      - CF_API_EMAIL=you@example.com
      - CF_API_KEY=your_cloudflare_api_key
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$6yLkU..."
      - "traefik.http.routers.traefik.middlewares=traefik-auth"

You also need to create the directory ./letsencrypt and touch acme.json with permissions 600.

mkdir letsencrypt
chmod 600 letsencrypt/acme.json

Securing the Dashboard

Never expose the dashboard to the public without auth. Use basic auth like above or restrict access to specific IPs.

Alternative example:

- "traefik.http.routers.traefik.middlewares=dashboard-auth"
- "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/users.htpasswd"

Generate passwords with:

htpasswd -nb admin strongpassword

Deploying a Sample Service Behind Traefik

services:
  whoami:
    image: traefik/whoami
    container_name: whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=cloudflare"

Start both containers:

docker compose up -d

Now visit https://whoami.yourdomain.com — you’ll see the container response.

Additional Features to Explore

• Middleware: redirect, stripPrefix, basicAuth
• Rate-limiting
• Retry and load balancing
• Redirect HTTP to HTTPS automatically
• Wildcard TLS certificates
• Forward headers to preserve real IP

Conclusion

Traefik makes deploying, securing, and managing multiple services in Docker easy and dynamic. With a few Docker labels and one compose file, you get:

• Auto-routing by domain
• HTTPS with Let’s Encrypt
• Centralized auth and middleware
• Visibility via dashboard

Traefik replaces hours of nginx tinkering with a declarative, scalable, and elegant solution.

Сообщение Ultimate Guide: Setting Up Traefik as a Reverse Proxy in Docker (with Let’s Encrypt, Cloudflare, and Secure Services) появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

Why This Matters

A solid firewall config can take hours to build — but minutes to lose.

Whether it’s:

• A reboot gone wrong
• A bad rule blocking your access
• An upgrade that resets the config
• Or simply forgetting what each rule does…

You need a system to keep your firewall alive, readable, and resilient.

1. Regular Backups and Exports

Difference Between Backup and Export:

How to Backup:

/system backup save name=firewall_config

You’ll get a file like firewall_config.backup in Files — download it to your PC!

How to Export Firewall Only:

/export file=firewall_export

You’ll get firewall_export.rsc.
You can edit, version in Git, or apply on other routers.

2. Use Comments Everywhere

Every rule, every address list, every NAT line — must have a comment.

Example:

/ip firewall filter
add chain=input src-address-list=TRUSTED_IPS action=accept comment="Allow remote Winbox"
/ip firewall nat
add chain=dstnat dst-port=443 action=dst-nat to-addresses=192.168.88.100 comment="HTTPS to NAS"

It’s not optional — future you will thank you.

3. Group Rules Logically

Use grouping by chain and purpose, for example:

• Section 1: Input chain
• Section 2: Forward chain (LAN access)
• Section 3: Forward chain (guest/VPN)
• Section 4: NAT rules
• Section 5: Special protections (DoS, brute-force)
• Section 6: Logging and drops

You can even add empty comment rules as section headers:

/ip firewall filter
add comment="=== INPUT CHAIN START ==="

4. Monitor With Logging (But Not Too Much)

Logging is great — until it crashes your CPU.

Tips:

• Only log important drops, like SSH brute-force or port scans
• Use log-prefix= to easily grep or filter
• Use log limits to reduce spam:

add chain=input src-address-list=SSH_BRUTE action=drop log=yes log-prefix="SSH_BRUTE " log-disabled=no

5. Lock Yourself Out? Here’s the Rescue Plan

If you apply a bad rule and lose access — do one of the following:

Option 1: MAC Winbox

• Connect directly via Winbox using MAC address
• It bypasses IP settings
• Only works in L2

Option 2: Netinstall Reset

• Use MikroTik’s Netinstall to reflash router
• You’ll need physical access and boot from Netinstall server

6. Pro Tips From the Field

Use Address Lists for everything — even internal networks
Document every rule in a .md or .rsc file
Export rules monthly and save in Git or cloud
Use scheduled scripts to check config or notify you
Disable unused services in /ip service

Final Summary

You’ve now built a fully functional, professional-grade MikroTik firewall with:

• Clear input/forward logic
• Dynamic protection against attacks
• NAT and Hairpin NAT
• Scalable address lists
• Clean, well-commented rules
• Backups, logging, and recovery plans

Сообщение Firewall Logging, Backups & Best Practices появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

What is NAT?

NAT (Network Address Translation) lets multiple devices on your internal network (usually private IPs like 192.168.x.x) share a single public IP to communicate with the internet.

MikroTik uses source NAT (src-nat) with masquerade by default to make this happen.

Basic Outbound NAT — Internet Access for LAN

Let’s make sure devices in your LAN can access the internet.

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="LAN to internet"

This tells MikroTik:
“All packets leaving the WAN interface should have their source IP replaced with the router’s public IP.”

What About Incoming Connections?

Suppose you want to host something like:

• A website on your NAS
• An Immich gallery on your home server
• A game server on your PC

You’ll need to port-forward incoming traffic from your public IP to the correct internal IP.

Step-by-Step: Create a Destination NAT (Port Forward)

Let’s say your NAS is at 192.168.88.100 and you want to expose HTTPS (TCP port 443):

/ip firewall nat
add chain=dstnat dst-address=YOUR_PUBLIC_IP protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.100 to-ports=443 comment="Forward HTTPS to NAS"

If you have a dynamic IP, you can use interface lists instead:

/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.100 to-ports=443 comment="Forward HTTPS"

What Is Hairpin NAT?

Imagine this:

• Your DNS (e.g., Unbound or Pi-hole) resolves nas.yourdomain.com to your public IP
• You’re inside your home network
• You open https://nas.yourdomain.com

Now your request leaves the LAN → goes to the router’s public IP → hits the port forward… and fails

That’s because by default, MikroTik doesn’t know how to reflect this back to LAN — it’s confused because the destination is “external,” but the source is internal.

That’s where Hairpin NAT comes in.

How to Enable Hairpin NAT

You’ll need two extra rules to make it work:

1. Accept Internal Reflection in Firewall

/ip firewall filter
add chain=forward src-address=192.168.88.0/24 dst-address=192.168.88.100 action=accept \
    comment="Allow hairpin access to NAS"

Adjust IPs accordingly.

2. Add NAT Reflection Rule

This rule rewrites the source address so the internal server sees it as coming from the router:

/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.100 \
    out-interface=bridge action=masquerade comment="Hairpin NAT"

Replace bridge with your LAN bridge or interface if different.

Now you can access https://yourdomain.com inside your LAN, and it will hit the internal server without issues.

Troubleshooting Tips

• Make sure your port forward is above the general masquerade rule in NAT
• Check that your firewall forward chain allows the internal access
• If using VLANs, match the correct interfaces/subnets in Hairpin NAT rule
• Test from a real client, not the router itself

Full Example: HTTPS to NAS With Hairpin

# Port forward
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.100 to-ports=443 comment="HTTPS to NAS"

# Hairpin NAT
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.100 \
    out-interface=bridge action=masquerade comment="Hairpin NAT"

# Allow forward
/ip firewall filter
add chain=forward src-address=192.168.88.0/24 dst-address=192.168.88.100 action=accept

Summary

You understand what NAT and port forwarding are
You can expose internal services to the public safely
You added Hairpin NAT to make them accessible locally
You troubleshooted common issues like DNS and interfaces

Сообщение Understanding NAT & Hairpin NAT in MikroTik появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

Why MikroTik Routers Get Targeted

If your router has a public IP — it will be scanned.
Thousands of bots around the world constantly:

• Look for open Winbox, SSH, Telnet, or API ports
• Try brute-force logins
• Launch SYN floods and DoS attacks
• Abuse open DNS for reflection attacks

Even a home router gets hit dozens of times a day.

So let’s build rules that:

• Drop malicious traffic
• Rate-limit brute-force attempts
• Detect scanners
• Log suspicious activity

Step 1: Detect and Drop Port Scanners

MikroTik has a neat feature to detect port scanning automatically.

Add this rule near the top of your input chain:

bashКопироватьРедактировать/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list=PORT_SCANNERS address-list-timeout=1d comment="Detect TCP port scan"

Explanation:

• Detects if 21 different TCP ports are probed in 3 seconds
• Adds the source IP to PORT_SCANNERS list
• Keeps it blocked for 1 day

Now, block those scanners:

bashКопироватьРедактировать/ip firewall filter
add chain=input src-address-list=PORT_SCANNERS action=drop comment="Drop port scanners"

Step 2: Drop Bogon and Reserved IPs on WAN

Bots often spoof invalid IPs — like private ranges or loopback — that should never appear on WAN.

Block them at the input chain (and forward, if needed):

bashКопироватьРедактировать/ip firewall filter
add chain=input src-address=0.0.0.0/8 action=drop comment="Drop bogus src IP"
add chain=input src-address=127.0.0.0/8 action=drop comment="Drop loopback"
add chain=input src-address=10.0.0.0/8 action=drop comment="Drop private src"
add chain=input src-address=169.254.0.0/16 action=drop comment="Drop link-local"
add chain=input src-address=192.168.0.0/16 action=drop comment="Drop private src"

Step 3: Basic DoS Protection (SYN Flood, Ping Flood)

MikroTik supports connection limits and rate matching.

Limit TCP SYN connections per IP:

/ip firewall filter
add chain=input protocol=tcp tcp-flags=syn connection-limit=30,32 \
    action=add-src-to-address-list address-list=SYN_FLOODERS \
    address-list-timeout=1d comment="SYN flood detect"
add chain=input src-address-list=SYN_FLOODERS action=drop comment="Drop SYN flooders"

Limit ICMP (Ping) Floods:

/ip firewall filter
add chain=input protocol=icmp limit=5,10 action=accept comment="Allow limited ping"
add chain=input protocol=icmp action=drop comment="Drop excessive ping"

Step 4: Brute Force Protection — SSH, Winbox, etc.

We’ll use connection rate limits to detect brute force:

SSH Brute-Force Detection:

/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=!TRUSTED_IPS \
    connection-state=new src-address-list=!SSH_WHITELIST \
    action=add-src-to-address-list address-list=SSH_BRUTE address-list-timeout=1d \
    comment="SSH brute force detector"

add chain=input src-address-list=SSH_BRUTE action=drop comment="Drop SSH brute IPs"

You can repeat this for Winbox (port 8291), Telnet, or other services.

Step 5: Log Suspicious Behavior (Optional but Useful)

You can log any drop or suspicious action:

/ip firewall filter
add chain=input src-address-list=SSH_BRUTE action=drop log=yes log-prefix="SSH BRUTE: "

Just remember: log carefully. If you’re under a flood, logging every packet can overload your router.

Tip: Use Connection Limits for Other Abuse Scenarios

If you suspect spamming, malware, or excessive usage — you can add connection limits per IP or per subnet.

Example:

/ip firewall filter
add chain=forward protocol=tcp dst-port=25 src-address-list=LAN_SUBNETS \
    connection-limit=10,32 action=drop comment="Limit SMTP spam"

Example: Full Protection Ruleset Snippet

# Port scan detection
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list=PORT_SCANNERS address-list-timeout=1d comment="Port scan detect"
add chain=input src-address-list=PORT_SCANNERS action=drop

# Brute force protection
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=!TRUSTED_IPS action=add-src-to-address-list \
    address-list=SSH_BRUTE address-list-timeout=1d comment="SSH brute detect"
add chain=input src-address-list=SSH_BRUTE action=drop

# SYN flood
add chain=input protocol=tcp tcp-flags=syn connection-limit=30,32 \
    action=add-src-to-address-list address-list=SYN_FLOODERS address-list-timeout=1d
add chain=input src-address-list=SYN_FLOODERS action=drop

# ICMP rate limit
add chain=input protocol=icmp limit=5,10 action=accept
add chain=input protocol=icmp action=drop

# Bogon drop
add chain=input src-address=0.0.0.0/8 action=drop
add chain=input src-address=10.0.0.0/8 action=drop
add chain=input src-address=127.0.0.0/8 action=drop

Summary

You’ve implemented rules against port scanners, brute force, SYN floods, and ping floods
You block reserved and spoofed IPs
You rate-limit ICMP and connection abuse
You log and block offenders dynamically
You’re now very hard to scan or attack

Сообщение Firewall Protection Against Attacks появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

In MikroTik’s firewall, the forward chain handles traffic that passes through the router — not destined to it.

Examples:

• Your laptop accessing google.com
• A guest phone trying to stream Netflix
• A surveillance camera sending footage to the cloud
• A VPN client accessing a NAS in your LAN

If it goes through the router from one interface to another — it hits the forward chain.

Default MikroTik Behavior

By default, MikroTik allows everything in forward chain. That means:

• LAN can access WAN
• Devices in different subnets can talk to each other
• IoT devices can ping your servers
• Anyone on your guest Wi-Fi can scan your home PCs

Sounds bad? It is.

We’re going to change that.

Our Goal

• Allow LAN to go to the internet
• Block internet from accessing LAN (unsolicited)
• Segment guests, IoT, and sensitive networks
• Only allow specific cross-subnet traffic
• Detect and log suspicious or brute-force attempts
• Rate-limit scans and flooding

Step 1: Allow Established and Related Connections

We always start here:

/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="Allow related & established"

This permits returning traffic like replies to web requests.

Step 2: Drop Invalid Connections

Packets without context or connection tracking often indicate garbage, malware, or errors:

/ip firewall filter
add chain=forward connection-state=invalid action=drop comment="Drop invalid"

Step 3: Allow LAN and VPN to Internet

We’ll assume you already have LAN_SUBNETS and VPN_SUBNETS address lists. You allow these to go out:

/ip firewall filter
add chain=forward src-address-list=LAN_SUBNETS out-interface-list=WAN action=accept comment="LAN to internet"
/ip firewall filter
add chain=forward src-address-list=VPN_SUBNETS out-interface-list=WAN action=accept comment="VPN to internet"

Optional: Instead of out-interface-list=WAN, you can use dst-address-type=!local or other advanced filtering.

Step 4: Block Inter-Subnet Traffic (Optional)

If you don’t want your guest network to access your private network, drop or restrict it.

Example:

/ip firewall filter
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.88.0/24 action=drop comment="Block Guest to LAN"

You can also use interface lists or VLANs here.

Step 5: Log and Drop Everything Else

At the bottom of the chain, drop all other forward attempts. Optionally log them:

/ip firewall filter
add chain=forward log=yes log-prefix="Dropped FORWARD: " action=drop

Or just quietly drop:

/ip firewall filter
add chain=forward action=drop comment="Drop all else"

Pro Tip: If you’re running services that should be reachable (e.g., port forwards), you’ll create exceptions before this drop rule.

Optional: Allow Specific Internal Flows

For example, if a VPN client needs to reach a NAS in your LAN:

/ip firewall filter
add chain=forward src-address=10.10.10.0/24 dst-address=192.168.88.100 protocol=tcp dst-port=445 action=accept comment="VPN to NAS (SMB)"

Or allow ICMP (ping) between LAN and VPN:

/ip firewall filter
add chain=forward src-address-list=VPN_SUBNETS dst-address-list=LAN_SUBNETS protocol=icmp action=accept comment="VPN ping LAN"

Forward Chain Example (Clean & Secure)

/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="Allow known connections"
add chain=forward connection-state=invalid action=drop comment="Drop invalid"

add chain=forward src-address-list=LAN_SUBNETS out-interface-list=WAN action=accept comment="LAN internet"
add chain=forward src-address-list=VPN_SUBNETS out-interface-list=WAN action=accept comment="VPN internet"

add chain=forward src-address=192.168.20.0/24 dst-address=192.168.88.0/24 action=drop comment="Guest to LAN — blocked"

add chain=forward action=drop comment="Drop everything else"

Summary

You’ve secured the forward chain
You allowed legitimate traffic to pass
Blocked inter-subnet traffic where needed
Dropped unknown or invalid connections
Laid the groundwork for firewall segmentation

Сообщение Forward Chain Firewall Rules: Controlling LAN, Guests, and the Internet появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.