30 August 2024

Combining Firewall with Floating IPs

Floating IPs help you to increase the availability of your application and make it easier to manage your setup. They can be moved between virtual servers so that incoming traffic is always routed to the desired server. They are also retained if you want or need to replace a server completely. Use these advantages not only for servers that directly provide a service, but also for your firewalls.

Using firewall distributions with Floating IPs

Two dedicated firewall distributions are available at cloudscale: OPNsense and pfSense CE. Choose one of these images to set up a virtual server as a firewall between the open Internet and a private network. You can then configure this firewall conveniently in a web-based administration interface and adapt it to your requirements.

To ensure that the firewall also handles traffic arriving via a Floating IP, the Floating IP must be entered in the administration interface. In OPNsense you find the setting under "Interfaces -> Virtual IPs", in pfSense CE under "Firewall -> Virtual IPs". Enter the Floating IP with prefix length /32 (for an IPv4 Floating IP) there. In most cases "Type: IP Alias" assigned to the "WAN" interface is the appropriate setting; the documentation for OPNsense and pfSense CE explains the individual options. Note that by default OPNsense and pfSense CE do not respond to pings arriving on WAN; add a rule allowing "ICMP Echo request" if you want the firewall, and thus the Floating IP, to be pingable, e.g. for monitoring.

If you want to move an existing server that already provides a service via a Floating IP behind your firewall, you can, once everything is prepared, simply move the Floating IP from the server to the firewall as the last step. If you are not yet using a Floating IP, we recommend adding one to the existing server first and then adjusting the DNS entries (lowering the TTL of the affected records beforehand shortens the switch-over): this way your service remains reachable under the old and the new IP address in parallel while the new DNS entries are gradually picked up.

Tips for modifying existing setups

If your existing server should no longer be directly accessible from the Internet after the migration, you can remove the "public" interface from the server. To do this, you need an API token with "Write access" as well as the UUID of the server and the UUID of the private network to which it should remain connected. Note that the "interfaces" list in the request replaces the server's entire interface list: everything you leave out (here the public interface) is removed, so if the server is attached to several private networks, list all of them. You can then issue the API call from the command line as follows (token and UUIDs are placeholders; on a shared system, prefer reading the token from a file or an environment variable rather than typing it on the command line, where it ends up in the shell history):

curl -i \
  -H "Authorization: Bearer 11112222333344445555666677778888" \
  -H "Content-Type: application/json" \
  -X PATCH \
  --data '{"interfaces": [{"network": "11111111-2222-3333-4444-555555555555"}]}' \
  https://api.cloudscale.ch/v1/servers/11111111-3333-5555-7777-999999999999

NB: It is also possible to add a public interface to the server again later; in this case, the server will be assigned a new public IP address. You can find more information about our API in the API documentation.
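The same change as a small script, added here as an example and not part of cloudscale's own tooling or of the article: it reads the token from an environment variable instead of the command line, keeps every private network the server already has (the curl call above covers the single-network case), refuses to isolate a server that has no private network at all, and verifies afterwards that no public interface remains. The environment variable name and the shape of the server object (an "interfaces" list whose entries carry "type" and "network") are assumptions based on the documented API; the sample server below is constructed.

```python
"""Remove a cloudscale server's public interface while keeping its private networks.

Added example, not cloudscale's code. Assumptions (not from the article):
- the API token is read from CLOUDSCALE_API_TOKEN;
- server objects follow the documented GET /v1/servers/{uuid} shape, i.e. an
  "interfaces" list whose entries have "type" ("public"/"private") and "network".
"""
import json
import os
import urllib.request

API_BASE = "https://api.cloudscale.ch/v1"

# Constructed sample of a server that currently has one public and two private
# interfaces (all UUIDs are placeholders).
SAMPLE_SERVER = {
    "uuid": "11111111-3333-5555-7777-999999999999",
    "interfaces": [
        {"type": "public", "network": {"uuid": "00000000-0000-0000-0000-000000000000"}},
        {"type": "private", "network": {"uuid": "11111111-2222-3333-4444-555555555555"}},
        {"type": "private", "network": {"uuid": "22222222-3333-4444-5555-666666666666"}},
    ],
}


def private_network_uuids(server):
    """UUIDs of every private network the server is attached to, in API order."""
    return [i["network"]["uuid"] for i in server["interfaces"] if i["type"] == "private"]


def build_interfaces_patch(server):
    """Body for PATCH /v1/servers/{uuid}.

    The "interfaces" list replaces the server's whole interface list, so every
    private network is listed again and only the public interface is left out.
    """
    return {"interfaces": [{"network": uuid} for uuid in private_network_uuids(server)]}


def has_public_interface(server):
    """Post-change check: True if the server is still directly reachable."""
    return any(i["type"] == "public" for i in server["interfaces"])


def api_request(method, path, body=None):
    """Send an authenticated request; the token never appears on a command line."""
    token = os.environ["CLOUDSCALE_API_TOKEN"]  # assumed variable name
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API_BASE + path,
        data=data,
        method=method,
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None  # PATCH may return an empty body


def remove_public_interface(server_uuid):
    """Fetch the server, drop its public interface, and confirm it is gone."""
    server = api_request("GET", f"/servers/{server_uuid}")
    if not private_network_uuids(server):
        raise RuntimeError("server has no private network; removing the public interface would isolate it")
    api_request("PATCH", f"/servers/{server_uuid}", build_interfaces_patch(server))
    after = api_request("GET", f"/servers/{server_uuid}")
    if has_public_interface(after):
        raise RuntimeError("public interface still present after PATCH")
    return after


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call
    # remove_public_interface(<uuid>) with a real token to apply the change.
    print(json.dumps(build_interfaces_patch(SAMPLE_SERVER)))
```

Run it without a token to see the generated request body; the network calls only happen in remove_public_interface, which you invoke with the server UUID once CLOUDSCALE_API_TOKEN is set.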

After changing the interfaces, it is advisable to check the interface names briefly. If they are not permanently assigned, they can change on the next reboot: once the public interface is gone, the private network can move, for example, from ens4 to ens3, and a network configuration that still refers to ens4 then leaves the server unreachable. The Linux distributions rely on different tools here; keywords are, for example, "netplan" (pinning a name to the MAC address with "match" and "set-name") and "udev rules".
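One way to do that check and the fix on a netplan-based distribution such as Ubuntu, added here as an example that is not part of the article: the script parses the output of "ip -o link", which lists each interface with its MAC address, and renders a netplan fragment that pins every name to its MAC so it survives the reboot. The sample "ip -o link" output is constructed; the target file name and the dhcp4 setting are assumptions, and distributions that use udev rules need the equivalent .link or .rules file instead.

```python
"""Pin Linux interface names to their MAC addresses with netplan.

Added example, not from the article. Parses `ip -o link` output (the embedded
sample is constructed; on a real server run `ip -o link | python3 pin.py`) and
prints a netplan fragment with match/set-name stanzas. Assumptions: the output
is meant for /etc/netplan/99-pin-names.yaml and the interfaces use DHCP.
"""
import re
import sys

# Constructed sample of `ip -o link` on a server whose public interface has
# been removed; its private network is currently named ens4.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:0a:00:00:05 brd ff:ff:ff:ff:ff:ff
"""

# "<index>: <name>: ... link/ether <mac> ..."; loopback lines carry
# link/loopback and are skipped on purpose.
LINK_RE = re.compile(r"\d+:\s+([^:@\s]+)[:@].*\blink/ether\s+([0-9a-f:]{17})")


def parse_ip_link(output):
    """Map interface name -> MAC address for every ethernet link."""
    links = {}
    for line in output.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[m.group(1)] = m.group(2)
    return links


def netplan_pin_names(links, dhcp4=True):
    """Render a netplan fragment that fixes each current name to its MAC."""
    out = ["network:", "  version: 2", "  ethernets:"]
    for name, mac in sorted(links.items()):
        out += [
            f"    {name}:",
            "      match:",
            f"        macaddress: {mac}",
            f"      set-name: {name}",
            f"      dhcp4: {'true' if dhcp4 else 'false'}",
        ]
    return "\n".join(out) + "\n"


def main():
    # Read real output from a pipe; fall back to the constructed sample.
    text = SAMPLE_IP_LINK if sys.stdin.isatty() else sys.stdin.read()
    links = parse_ip_link(text)
    if not links:
        sys.exit("no ethernet links found in input")
    sys.stdout.write(netplan_pin_names(links))


if __name__ == "__main__":
    main()
```

Review the generated fragment against your existing netplan files before installing it (it must not clash with another stanza matching the same interface), then apply it with "netplan try" so that a mistake rolls back automatically.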

If a server is no longer directly accessible from the Internet, you also need a new way of reaching it. Choose the solution that suits you best, e.g. a VPN or port forwarding, depending on your firewall strategy. It is also possible to connect to the firewall via SSH first and continue from its command line to the respective server; with OpenSSH this can be done in one step via ProxyJump ("ssh -J firewall server"), which avoids keeping private keys on the firewall.

Finally, just in case, we recommend setting a root password on your server with which you can log in "locally" but not via SSH (keep "PermitRootLogin" in sshd_config at "prohibit-password", the OpenSSH default, or at "no"). In the event of boot or connectivity problems, you can then log in to the server via the VNC console in our control panel and resolve the issue. Alternatively (and somewhat more involved), you can start the server with a temporarily attached live Linux for troubleshooting.


cloudscale offers a range of features relating to the security and availability of your setups. Use and combine these according to your requirements and preferences. Even with existing setups, you remain flexible and can, for example, replace the direct Internet connection of your servers with a dedicated firewall complete with Floating IP.

Security to suit your taste!
Your cloudscale team
