Pfsense

Kieros

Member
Jul 28, 2022
Hi everyone.
I have been busy for days reading through forums trying many things but I can not get it to work properly. I think I have a hard time understanding the vlans and mess stuff up.
I have the pfsense running in proxmox. But somehow proxmox becomes unreachable. After pfsense is working and I disconnect the cable from the laptop I first tried this setup pfsense in truenas as vm. Got the same issues. Truenas or proxmox are only reachable when I attach the cable in a normal switch all behind the managed switch.

What I have now
Bridged ISP
- port 1 connected to port 1 of tl-sg105e
1 switch tl-sg105e
- port 1 ISP tagged vlan100 WAN
- port 2 untagged vlan100 WAN, tagged vlan22 LAN
- port 3-5 untagged vlan22 LAN

Port 2 of the tp link switch is connected to 1 intel nic psn5s0 of the server which I want to use as pfsense nic
And need this to use vlan100 and 22
I have one adapter nic some stupid name to manage proxmox

What I need.
Pfsense regulates all traffic. WAN vlan100 and LAN vlan22 over the intel nic
Proxmox needs to be reached via the vlan22 via the Adapter nic. Or can this be done via the same nic with bridge in proxmox? I need to have the vlan22 in a vm which will be running truenas scale.

Please help. I can not figure it out what is the best solution.
 
Thank you for your time. I have now. But did similar related to my switch. I have pfsense running on proxmox and internet. The body is not really clear nor related to my own vlan switch tho. The problem I run into is I have a server which runs proxmox. I want pfsense running in a vm as well as truenas. The server has 2 nics, one onboard, which I want to use to have pfsense regulate the wan/lan. The other nic is for managing proxmox or to be part of this lan. So everything is behind pfsense. See first post. What would be the best setup in proxmox? And how do I do it.
 
- make your vmbr0 vlan aware by adding:
Code:
    bridge-vlan-aware yes
    bridge-vids 2-4094
- setup your managed switch to use vlan100 tagged + vlan22 tagged on one port. Connect that port to the NIC of your PVE host that is connected to vmbr0.
- create a vlan interface for vmbr0 on vlan22 like this:
Code:
auto vmbr0.22
iface vmbr0.22 inet static
    address A.FREE.LAN.IP/24
    gateway LANIP.OF.YOUR.PFSENSE
- create a pfsense VM with a virtio NIC without setting a VLAN tag and attach it to vmbr0. Pfsense then should receive tagged vlan100 + vlan22 traffic. Setup VLAN inside your pfsense
- for all other VMs use virtio NICs attached to vmbr0 with VLAN tag set to "22".
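
A pre-flight check for the steps in the post above, as an added example that is not part of the original thread: it reads an interfaces file and confirms the bridge is VLAN-aware, that bridge-vids allows the VLAN, and that the host has an address on the VLAN interface. It also assumes the host should end up with exactly one IPv4 default gateway (the pfSense LAN IP); the NIC name enp1s0 and the 192.168.50.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-flight check of an ifupdown "interfaces" file.
# check_vlan_bridge FILE [BRIDGE] [VID]  -> exit status 0 = consistent, 1 = not
check_vlan_bridge() {
    awk -v br="${2:-vmbr0}" -v vid="${3:-22}" '
    $1 ~ /^#/ || NF == 0 { next }                 # skip comments and blank lines
    $1 == "iface" { cur = $2; fam = $3; next }    # start of a new stanza
    $1 == "auto"  { cur = ""; next }
    cur == br && $1 == "bridge-vlan-aware" && $2 == "yes" { aware = 1 }
    cur == br && $1 == "bridge-vids" {            # e.g. "2-4094" or "11 22 100"
        for (i = 2; i <= NF; i++) {
            n = split($i, r, "-")
            lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
            if (vid + 0 >= lo && vid + 0 <= hi) allowed = 1
        }
    }
    cur == (br "." vid) && $1 == "address" { addr = 1 }     # host IP on the VLAN
    cur != "" && fam == "inet" && $1 == "gateway" { gw++ }  # IPv4 default gateways
    END {
        if (!aware)   { print "FAIL: " br " lacks bridge-vlan-aware yes"; bad = 1 }
        if (!allowed) { print "FAIL: bridge-vids on " br " does not allow VLAN " vid; bad = 1 }
        if (!addr)    { print "FAIL: no address on " br "." vid; bad = 1 }
        if (gw != 1)  { print "FAIL: expected 1 IPv4 gateway, found " (gw + 0); bad = 1 }
        if (!bad) print "OK: " br " carries VLAN " vid " and the host has an address on it"
        exit bad + 0
    }' "$1"
}

# Constructed sample config (NIC name and addresses are placeholders).
sample_config() {
    cat <<'EOF'
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp1s0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr0.22
iface vmbr0.22 inet static
    address 192.168.50.2/24
    gateway 192.168.50.1
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && check_vlan_bridge "$tmp" vmbr0 22
rm -f "$tmp"
```

Run it against /etc/network/interfaces before restarting networking, while a second management path to the host is still working.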
 
Thank you for the instructions. Forgive me I am not good at the linux code. How to create or edit this code or edit this file? I found the shell command is this not possible in GUI. Where to write this code?
I have this now in the GUI.
1659031617225.png
I have tagged both Vlan 100 and 22 on port2 of the managed switch
I try this in GUI
 
You can either use the GUI (there should be a "vlan aware" checkbox) or edit the config file manually for example with nano /etc/network/interfaces and restarting your network with systemctl restart networking afterwards.
 
Can you help me with these settings?
Is this ok?
Port 1 is the ISP signal
I have port 2 tagged on 22 and 100 and port 3-5 are untagged on 22

1659033097109.png

But then I do not really get what to set up here. I have set it up like this.
1659033176506.png
 

Can proxmox be part of this vlan22 as well, all on the same nic?
That's what...
Code:
auto vmbr0.22
iface vmbr0.22 inet static
    address A.FREE.LAN.IP/24
    gateway LANIP.OF.YOUR.PFSENSE
...is doing. With that PVE got an IP in the LAN subnet tagged with vlan22 for webUI and SSH and will connect through the internet over your pfsense because of the gateway pointing to that.

I would keep the PVIDs at "1" so untagged traffic will use vlanid 1.
 
Jup, I would keep the PVIDs at "1" and set the port you connect the ISP's box to to untagged vlan 100. But your port you connect the ISP's modem box to (port1) should be untagged VLAN100. Right now your WAN vlan got no access to the internet because it isn't vlan at all.
 
Ok thank you very much for your help and pointing that out.
Is there a way to have a usb network adapter as fallback to get access to the proxmox GUI?
Because pfsense is not finished yet I somehow locked myself out of the system.
No access to the IP set at the vlan22

So I set the ip and gateway that I would be going to use to.
vmbr0.22 with proxmox_IP/24 with gateway which I was going to create at pfsense.
When I applied I am unable to reach proxmox
 
In addition to that I was first using the usb adapter to access proxmox. I removed the IP from that
Changed it to the vmbr0.22 and applied
 
I have now set up pfsense
vlan 22 had to be 11 instead for my setup. So I changed all that.
But this is somewhat confusing me
vtnet0.11 is at 192.168.1.1/24
I want to change that ip. But on the outside proxmox I already made an ip. That is why it appears static?
Can I still change it inside pfsense to what I need?
Also the WAN is not receiving the dhcp of the ISP for some reason.

Edit.
I chose option 2 and changed the LAN
I changed it for example to 192.168.50.1
I am in the subnet but I can not get to the webui of pfsense

1659038537601.png
 
You didn't give us details about your ISP's box. If you don't have a router from your ISP, these boxes often already use a specific VLAN you need to use in order to be able to connect to and authenticate with your ISP.

When you use the 192.168.1.0/23 subnet you also should give your PVE host a static IP of this subnet. You have to change that in the PVE network config.
Your DHCP-server is also running on the WAN. It should run on the LAN.
 
Thank you for your reply and time.
It is a ziggo connect box. it just gives random IP's it and is bridged and I think not a vlan. Not sure what you mean there.

However I have setup pfsense a couple of times. The WAN is not setup in dhcp via pfsense
when I want to setup IP's for the LAN then it is telling me that, so it is coming from outside, probably vmbr1 bridge
wrong screenshot perhaps.

The /23 has to be outside pfsense like this
1659040581649.png

I still work via the adapter which is vmbr0

And I still can not reach the webgui of pfsense I can reach proxmox via the adapter and I can reach the vlan switch
All are in the same subnet. Should be able to access that right? Dunno what's wrong here.

so the v4:Ip is in my LAN net my laptop is in the range and I can not ping it or reach it. Even without the WAN I should be able to reach it.

1659040936186.png
 
Thank you for your reply and time.
It is a ziggo connect box. it just gives random IP's it and is bridged and I think not a vlan. Not sure what you mean there.

However I have setup pfsense a couple of times. The WAN is not setup in dhcp via pfsense
when I want to setup IP's for the LAN then it is telling me that, so it is coming from outside, probably vmbr1 bridge
wrong screenshot perhaps.

The /23 has to be outside pfsense like this
View attachment 39453
You can't use "192.168.1.0/23". That's not a valid IP. Use something reasonable like 192.168.1.2/24.

I still work via the adapter which is vmbr0

And I still can not reach the webgui of pfsense I can reach proxmox via the adapter and I can reach the vlan switch
All are in the same subnet. Should be able to access that right? Dunno what's wrong here.

so the v4:Ip is in my LAN net my laptop is in the range and I can not ping it or reach it. Even without the WAN I should be able to reach it.

View attachment 39454
Your Laptop needs to be in vlan 11 too if you want to be able to access PVE or pfsense.

For WAN it sounds like you then want to setup vtnet0 as a DHCP client and vtnet1 as a DHCP server.
 
You can't use "192.168.1.0/23". That's not a valid IP. Use something reasonable like 192.168.1.2/24.
Sorry bad example I have something else than 0.

Your Laptop needs to be in vlan 11 too if you want to be able to access PVE or pfsense.
I have a normal switch connected to vlan11 there we have the laptop connected to the normal switch. It worked before (different try)


For WAN it sounds like you then want to setup vtnet0 as a DHCP client and vtnet1 as a DHCP server.
The WAN has to be DHCP client to get the IP of the bridged ISP modem
What I have done before is just using the one virtio nic. For example vtnet0 to be the WAN port
And vtnet0.11 to be the LAN port

The problem was that pfsense was running but no access to proxmox or unable to get truenas attached in that same vlan.
So pfsense has to run in the vm. truenas has to run in the vm
pfsense needs to be the router/firewall for all home traffic.
proxmox has to be reached at to maintain everything also from behind the vlan of pfsense

All things I tried failed so far to achieve this. So this is a fresh start with help. And guide me where or what am I doing wrong.
 
My wife is about to kill me since the internet has been down or barely available for about 2-3 days now :eek:
 
