So, you’ve decided to build your own powerful server with Proxmox VE? Excellent choice! You’re on your way to creating an amazing homelab or small business environment. This guide is designed for absolute beginners and will walk you through every single step of the installation process. Don’t worry, it’s easier than you think!

By the end of this tutorial, you will have a fully functional Proxmox VE 8 host up and running. Let’s begin!

What You’ll Need

• A dedicated physical computer or server that meets the minimum hardware requirements.
• A USB flash drive (at least 4GB).
• Access to another computer to download the software and create the bootable drive.

Step 1: Download the Proxmox VE ISO Image

First, we need to get the installation file.

1. Open your web browser and go to the official Proxmox downloads page.
2. Look for Proxmox Virtual Environment.
3. Download the latest ISO Installer (e.g., version 8.x). It will be a large file, so be patient.

Step 2: Create a Bootable USB Drive

Now we need to write that ISO file to a USB drive so your server can boot from it.

1. Download and install a free tool called BalenaEtcher. It’s available for Windows, macOS, and Linux and is very user-friendly.
2. Plug your USB drive into your computer.
3. Open BalenaEtcher.
4. Click «Flash from file» and select the Proxmox ISO file you just downloaded.
5. Click «Select target» and choose your USB drive. Warning: This will erase everything on the drive, so make sure it doesn’t contain important data!
6. Click «Flash!» and wait for the process to complete.

Step 3: Boot Your Server from the USB Drive

This is the most hands-on part.

1. Plug the newly created bootable USB drive into your destination server.
2. Power on the server.
3. You need to enter the Boot Menu to tell the server to boot from the USB drive instead of its internal hard drive. This is usually done by pressing a specific key right after you power it on, such as F11, F12, F2, or Del. The correct key is often displayed on the screen briefly.
4. From the Boot Menu, select your USB drive and press Enter.

Step 4: The Proxmox VE Installation Wizard

If all went well, you’ll see the Proxmox VE boot menu.

1. Select «Install Proxmox VE (Graphical)» and press Enter.
2. EULA: The first screen is the End User License Agreement. Click «I agree».
3. Target Harddisk: Choose the hard drive where you want to install Proxmox. For most users with one drive, there will only be one option. Click «Next».
4. Location and Time Zone: Set your country, time zone, and keyboard layout.
5. Administration Password and Email: Enter a very strong password for the root (administrator) user. You will use this to log in. Enter your email address for system notifications.
6. Network Configuration: This step is crucial. The installer will try to guess your network settings, but you should verify them.
   • Management Interface: This will be your server’s main network card (e.g., ens18).
   • Hostname: Choose a name for your server, like pve.mydomain.local.
   • IP Address: Set a static IP address. Do not use DHCP. This should be an address on your local network that is not used by any other device.
   • Gateway: This is the IP address of your home router.
   • DNS Server: You can often use your router’s IP address here as well, or a public DNS like 8.8.8.8.
7. Summary: The final screen will show you a summary of all your choices. Double-check everything. When you’re ready, click «Install».

The installation process will now begin and take several minutes. Once it’s finished, the server will automatically reboot. Don’t forget to remove the USB drive!

Step 5: Your First Login!

After the reboot, your Proxmox server is live!

1. On another computer on the same network, open a web browser.
2. Navigate to the IP address you configured: https://Your-Static-IP:8006
3. You’ll see a security warning because Proxmox uses a self-signed certificate. This is normal. Click «Advanced» and «Proceed».
4. At the login screen, enter the username root and the password you created.
5. Congratulations! You are now in the Proxmox VE web interface.

Now that you have Proxmox installed, it’s time to explore its full potential. Check out our Ultimate Guide to Proxmox VE to learn how to create VMs, configure networking, set up backups, and much more!

Сообщение How to Install Proxmox VE 8: A Beginner’s Step-by-Step Guide появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

In modern self-hosted environments, you’re often running multiple services — like a photo gallery (e.g., Immich), media server (e.g., Jellyfin), and dashboards. If all these services expose themselves directly on different ports, things quickly get messy. Enter the reverse proxy.

A reverse proxy routes incoming HTTP/HTTPS traffic to the right container based on domain or path. It allows you to:

• Use pretty domain names like photos.example.com
• Enforce HTTPS with Let’s Encrypt
• Route requests internally by hostname instead of IP and port
• Apply access control, rate limits, or basic authentication centrally

And Traefik does all that, automatically, with minimal config.

Why Traefik Over Nginx?

While Nginx is popular and powerful, it’s static by default. Every new service requires you to edit config files and reload.

Traefik, on the other hand:

• Automatically discovers Docker containers
• Supports dynamic routing using Docker labels
• Comes with built-in Let’s Encrypt integration
• Has a web dashboard to visualize routes
• Requires minimal config

Traefik was designed for containerized environments from the start.

How Traefik Works Internally

Traefik is composed of three key concepts:

1. EntryPoints

These define which ports Traefik listens on (e.g., :80, :443). You can think of these as your public gateways.

2. Routers

Routers match incoming requests (host, path, method) and forward them to services. They also define TLS settings and middleware.

3. Services

These are the actual Docker containers (or upstream backends) that respond to the requests.

4. Middlewares (Optional)

These are like plugins: things that transform requests (e.g., strip path, redirect HTTP to HTTPS, basic auth, etc).

Installing Traefik with Docker Compose

Let’s build a fully functional Traefik setup using Docker Compose.

docker-compose.yml
version: '3.9'

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    command:
      - --api.dashboard=true
      - --api.insecure=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.email=you@example.com
      - --certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    environment:
      - CF_API_EMAIL=you@example.com
      - CF_API_KEY=your_cloudflare_api_key
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$6yLkU..."
      - "traefik.http.routers.traefik.middlewares=traefik-auth"

You also need to create the directory ./letsencrypt and touch acme.json with permissions 600.

mkdir letsencrypt
chmod 600 letsencrypt/acme.json

Securing the Dashboard

Never expose the dashboard to the public without auth. Use basic auth like above or restrict access to specific IPs.

Alternative example:

- "traefik.http.routers.traefik.middlewares=dashboard-auth"
- "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/users.htpasswd"

Generate passwords with:

htpasswd -nb admin strongpassword

Deploying a Sample Service Behind Traefik

services:
  whoami:
    image: traefik/whoami
    container_name: whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=cloudflare"

Start both containers:

docker compose up -d

Now visit https://whoami.yourdomain.com — you’ll see the container response.

Additional Features to Explore

• Middleware: redirect, stripPrefix, basicAuth
• Rate-limiting
• Retry and load balancing
• Redirect HTTP to HTTPS automatically
• Wildcard TLS certificates
• Forward headers to preserve real IP

Conclusion

Traefik makes deploying, securing, and managing multiple services in Docker easy and dynamic. With a few Docker labels and one compose file, you get:

• Auto-routing by domain
• HTTPS with Let’s Encrypt
• Centralized auth and middleware
• Visibility via dashboard

Traefik replaces hours of nginx tinkering with a declarative, scalable, and elegant solution.

Сообщение Ultimate Guide: Setting Up Traefik as a Reverse Proxy in Docker (with Let’s Encrypt, Cloudflare, and Secure Services) появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

Why This Matters

A solid firewall config can take hours to build — but minutes to lose.

Whether it’s:

• A reboot gone wrong
• A bad rule blocking your access
• An upgrade that resets the config
• Or simply forgetting what each rule does…

You need a system to keep your firewall alive, readable, and resilient.

1. Regular Backups and Exports

Difference Between Backup and Export:

How to Backup:

/system backup save name=firewall_config

You’ll get a file like firewall_config.backup in Files — download it to your PC!

How to Export Firewall Only:

/export file=firewall_export

You’ll get firewall_export.rsc.
You can edit, version in Git, or apply on other routers.

2. Use Comments Everywhere

Every rule, every address list, every NAT line — must have a comment.

Example:

/ip firewall filter
add chain=input src-address-list=TRUSTED_IPS action=accept comment="Allow remote Winbox"
/ip firewall nat
add chain=dstnat dst-port=443 action=dst-nat to-addresses=192.168.88.100 comment="HTTPS to NAS"

It’s not optional — future you will thank you.

3. Group Rules Logically

Use grouping by chain and purpose, for example:

• Section 1: Input chain
• Section 2: Forward chain (LAN access)
• Section 3: Forward chain (guest/VPN)
• Section 4: NAT rules
• Section 5: Special protections (DoS, brute-force)
• Section 6: Logging and drops

You can even add empty comment rules as section headers:

/ip firewall filter
add comment="=== INPUT CHAIN START ==="

4. Monitor With Logging (But Not Too Much)

Logging is great — until it crashes your CPU.

Tips:

• Only log important drops, like SSH brute-force or port scans
• Use log-prefix= to easily grep or filter
• Use log limits to reduce spam:

add chain=input src-address-list=SSH_BRUTE action=drop log=yes log-prefix="SSH_BRUTE " log-disabled=no

5. Lock Yourself Out? Here’s the Rescue Plan

If you apply a bad rule and lose access — do one of the following:

Option 1: MAC Winbox

• Connect directly via Winbox using MAC address
• It bypasses IP settings
• Only works in L2

Option 2: Netinstall Reset

• Use MikroTik’s Netinstall to reflash router
• You’ll need physical access and boot from Netinstall server

6. Pro Tips From the Field

Use Address Lists for everything — even internal networks
Document every rule in a .md or .rsc file
Export rules monthly and save in Git or cloud
Use scheduled scripts to check config or notify you
Disable unused services in /ip service

Final Summary

You’ve now built a fully functional, professional-grade MikroTik firewall with:

• Clear input/forward logic
• Dynamic protection against attacks
• NAT and Hairpin NAT
• Scalable address lists
• Clean, well-commented rules
• Backups, logging, and recovery plans

Сообщение Firewall Logging, Backups & Best Practices появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

What is NAT?

NAT (Network Address Translation) lets multiple devices on your internal network (usually private IPs like 192.168.x.x) share a single public IP to communicate with the internet.

MikroTik uses source NAT (src-nat) with masquerade by default to make this happen.

Basic Outbound NAT — Internet Access for LAN

Let’s make sure devices in your LAN can access the internet.

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="LAN to internet"

This tells MikroTik:
“All packets leaving the WAN interface should have their source IP replaced with the router’s public IP.”

What About Incoming Connections?

Suppose you want to host something like:

• A website on your NAS
• An Immich gallery on your home server
• A game server on your PC

You’ll need to port-forward incoming traffic from your public IP to the correct internal IP.

Step-by-Step: Create a Destination NAT (Port Forward)

Let’s say your NAS is at 192.168.88.100 and you want to expose HTTPS (TCP port 443):

/ip firewall nat
add chain=dstnat dst-address=YOUR_PUBLIC_IP protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.100 to-ports=443 comment="Forward HTTPS to NAS"

If you have a dynamic IP, you can use interface lists instead:

/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.100 to-ports=443 comment="Forward HTTPS"

What Is Hairpin NAT?

Imagine this:

• Your DNS (e.g., Unbound or Pi-hole) resolves nas.yourdomain.com to your public IP
• You’re inside your home network
• You open https://nas.yourdomain.com

Now your request leaves the LAN → goes to the router’s public IP → hits the port forward… and fails

That’s because by default, MikroTik doesn’t know how to reflect this back to LAN — it’s confused because the destination is “external,” but the source is internal.

That’s where Hairpin NAT comes in.

How to Enable Hairpin NAT

You’ll need two extra rules to make it work:

1. Accept Internal Reflection in Firewall

/ip firewall filter
add chain=forward src-address=192.168.88.0/24 dst-address=192.168.88.100 action=accept \
    comment="Allow hairpin access to NAS"

Adjust IPs accordingly.

2. Add NAT Reflection Rule

This rule rewrites the source address so the internal server sees it as coming from the router:

/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.100 \
    out-interface=bridge action=masquerade comment="Hairpin NAT"

Replace bridge with your LAN bridge or interface if different.

Now you can access https://yourdomain.com inside your LAN, and it will hit the internal server without issues.

Troubleshooting Tips

• Make sure your port forward is above the general masquerade rule in NAT
• Check that your firewall forward chain allows the internal access
• If using VLANs, match the correct interfaces/subnets in Hairpin NAT rule
• Test from a real client, not the router itself

Full Example: HTTPS to NAS With Hairpin

# Port forward
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.100 to-ports=443 comment="HTTPS to NAS"

# Hairpin NAT
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.100 \
    out-interface=bridge action=masquerade comment="Hairpin NAT"

# Allow forward
/ip firewall filter
add chain=forward src-address=192.168.88.0/24 dst-address=192.168.88.100 action=accept

Summary

You understand what NAT and port forwarding are
You can expose internal services to the public safely
You added Hairpin NAT to make them accessible locally
You troubleshooted common issues like DNS and interfaces

Сообщение Understanding NAT & Hairpin NAT in MikroTik появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

Let’s face it — if you’ve ever tried managing a firewall with individual IP rules, you know it gets messy fast. One rule for your laptop, another for your phone, a separate one for your work VPN, and maybe one more for your buddy’s IP that you forgot to label properly. Before you know it, your rule set looks like a crime scene.

Address Lists fix that.

They let you group IPs into logical categories and reference them in your rules. Once you start using them, you’ll wonder how you ever lived without them.

What Is an Address List?

In MikroTik, an address list is simply a named group of IP addresses or subnets. You can reference them in:

• Firewall filter rules
• NAT rules
• Mangle rules
• And even scripts

Instead of writing 5 different rules for 5 IPs — you can write one rule and maintain the list separately. This keeps your rules clean, readable, and easy to update.

Why Use Address Lists?

Here’s what you get when you build your rules around address lists:

Benefit	Why it matters
Clarity	You’ll immediately know what the rule is protecting
Simplicity	Fewer firewall rules overall
Scalability	Easily add/remove IPs without editing rule logic
Automation	Use scripts or dynamic rules to update lists
Security	Group risky IPs together for blocking or limiting

The Essential Lists You Should Create

Here’s a professional starter kit of address lists you can (and should) build:

You’ll use these lists throughout your firewall — from access control to detection.

How to Add IPs to Address Lists

Here are real-world examples of building useful address lists.

Add your main LAN subnet:

/ip firewall address-list add list=LAN_SUBNETS address=192.168.88.0/24 comment="Main LAN"

Add your work IP for remote access:

/ip firewall address-list add list=TRUSTED_IPS address=203.0.113.5 comment="Work VPN Admin"

Add a known attacker to blocklist:

/ip firewall address-list add list=BLOCKED_IPS address=185.23.88.44 comment="SSH Brute Force"

How to Use Lists in Firewall Rules

Let’s say you want to allow only your LAN to access the router. You could write:

/ip firewall filter add chain=input src-address=192.168.88.0/24 action=accept

But that’s hardcoded. What if you have more than one subnet?

Instead, write:

/ip firewall filter add chain=input src-address-list=LAN_SUBNETS action=accept comment="Allow LAN access"

Now if you add another subnet to LAN_SUBNETS, the rule automatically applies — no editing needed.

Bonus: Temporary Blocks with Timeout

You can even add entries to a list that expire automatically — great for banning bots or brute-force IPs for a limited time:

/ip firewall address-list add list=BLOCKED_IPS address=192.0.2.66 timeout=1d comment="Temp ban"

The IP will be automatically removed from the list after one day.

Dynamic Updates & Detection

Once you’ve built address lists, you can:

• Dynamically add IPs to lists based on behavior (via firewall rules or scripting)
• Use Netwatch or scripts to pull blocklists from external sources
• Trigger alerts when new IPs are added

It’s flexible, it’s powerful — and it scales with your network.

Example — A Well-Structured List Setup

/ip firewall address-list
add list=LAN_SUBNETS address=192.168.88.0/24 comment="Main LAN"
add list=LAN_SUBNETS address=192.168.50.0/24 comment="Server Subnet"

add list=TRUSTED_IPS address=203.0.113.5 comment="Work VPN Admin"
add list=TRUSTED_IPS address=192.0.2.77 comment="My Laptop"

add list=BLOCKED_IPS address=185.22.11.19 comment="Repeated Scanner"

Advanced Use Cases

• Firewall detection logic: If someone hits a protected port → auto-add to BLOCKED_IPS
• Geographic filtering: Create lists for country-specific IP ranges
• Scheduled lockdowns: Block/allow lists based on time (via script or scheduler)
• External threat feeds: Import addresses from abuse.ch, spamhaus, etc.

Recap

You now understand what address lists are
You know how to build and use them effectively
You’re ready to write cleaner, more flexible rules
You’ve added tools for blocking, detecting, and managing access like a pro

Сообщение Address Lists for Humans (and Hackers) MikroTik появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.