First Proxmox / Pfsense Setup

Regis Froemming

May 25, 2019
Hello Guys!
I have some servers running pfSense at my customers, but I have never tried using it in a VM. So I started to study Proxmox and ran some tests. I struggled at many points and it took me a couple of weeks until I finally finished it. Now it's working like a charm and I'm really proud of my work.
This setup is running in a small registry office, with just a few computers. But I needed to improve security and methods to rapidly restore the system in case of disaster. I just want to thank this forum, which was essential to solving all the issues during my journey.
I'm sharing a diagram of my project in the attachment. I hope it can be useful for someone and I'm here to help in case of any doubt.
 

Attachments

  • proxmox.png
Thanks (Obrigado :D) for this info.
I am starting now exactly the same task.
Do you intend to describe in more detail the whole process?
Regards
 
> Thanks (Obrigado :D) for this info.
> I am starting now exactly the same task.
> Do you intend to describe in more detail the whole process?
> Regards

Well, I think it would be boring to write up the whole process I went through during this project. Most of my problems were related to Linux itself, like setting up postfix to send emails using a Gmail account. The installation of Proxmox is very easy and may not be a problem for you. However, if you want to have a good start, search on Google for "Proxmox + Pfsense" and you will find an official guide from Netgear.
The most important part is not forgetting to check this option on pfSense: Disable hardware checksum offload
I was unchecking this option and I lost a lot of time until I realized my mistake. Check to disable, uncheck to enable. Confusing, isn't it?
 
I already have my pfSense VM working but please clarify one thing for me:
How many NICs are you using?
The image shows two:
- one for the pfsense LAN
- one for the pfsense WAN
But that means that you are using the same IP for pfsense WAN and for Proxmox Host?
I tried to do that and it did not work!

I only managed to solve the problem using 3 NICs:
- one for the pfsense LAN
- one for the pfsense WAN
- one for the Proxmox Host
In my case these last two are from the LAN created by my ISP router, respectively 192.168.1.63 (DMZ) and 192.168.1.15.

Regarding the DMZ, I suppose that only with the WAN connected to a DMZ IP, I can take full potential of pfSense, right?

Cheers
 
You can complete the setup with just two NICs.
- In most cases you would set the ISP modem/router to bridge mode, so that your pfSense interface (assigned to WAN) would obtain an IP address directly from the ISP DHCP server (not from the modem/router)
ISP --> ISP Modem (Bridge Mode) --> Proxmox Physical NIC Interface (Don't assign an IP address) --> Created Bridge VMBR (Don't assign an IP address) --> pfSense WAN interface (will obtain IP address, DNS, gateway from the ISP directly)

On the LAN Side:
Proxmox Physical Interface --> Create Bridge VMBR (Assign IP address - used to connect to host) --> Connect any VM to this bridge which you would like to have access to the LAN (includes the pfSense LAN interface)

This will put the Proxmox host IP into the same network as your LAN. If you would like a separate management network for the Proxmox host, this can be done by adding a third NIC or using a VLAN (placing Proxmox into its own subnet).
 
Thanks @vshaulsk for the quick reply!
The problem is that my ISP is very restrictive regarding its router. The most I could manage was to have a DMZ IP in its LAN.
 
> I already have my pfSense VM working but please clarify one thing for me:
> How many NICs are you using?
> The image shows two:
> - one for the pfsense LAN
> - one for the pfsense WAN
> But that means that you are using the same IP for pfsense WAN and for Proxmox Host?
>
> Cheers

No, actually my Proxmox host is reachable only through the LAN network for security reasons. I can create a port forward on pfSense if I want to access Proxmox from an external network.
My physical server has only 2 NICs. On the Pfsense VM, I used both interfaces, one for WAN and the other for LAN. On the Ubuntu VM, I'm using only the LAN interface, which is shared with the PFsense VM and Proxmox Host.

> Regarding the DMZ, I suppose that only with the WAN connected to a DMZ IP, I can take full potential of pfSense, right?

Yes, in my point of view, it is the best and most secure scenario.
 
> Thanks @vshaulsk for the quick reply!
> The problem is that my ISP is very restrictive regarding its router. The most I could manage was to have a DMZ IP in its LAN.

No problem, this will be enough. I think you are misunderstanding the concept of a DMZ. Even if you get an invalid IP address from your router, this will be your WAN address, and all traffic coming from the internet will be redirected to the DMZ IP.
 
> No, actually my Proxmox host is reachable only through the LAN network for security reasons. I can create a port forward on pfSense if I want to access Proxmox from an external network.
> My physical server has only 2 NICs. On the pfSense VM, I used both interfaces, one for WAN and the other for LAN. On the Ubuntu VM, I'm using only the LAN interface, which is shared with the pfSense VM and Proxmox host.

Yes, that was my initial idea, but can't this lead to an eventual deadlock?
That is, imagine that for some reason I change something incorrectly in my pfSense settings so that its LAN does not start the way I need, and then "Incorrect pfSense" => "No Proxmox host access" => "No pfSense error correction" => "Incorrect pfSense" => "No Proxmox host access"...
The only way I see to break this "cycle of doom" is to recreate my original LAN with the same IP range as the pfSense LAN so I can access the Proxmox host.

Talking about IP ranges, during the installation process pfSense suggests a LAN IP range of 192.168.1.xxx, but since my WAN also has that same range, this leads to problems, right? That is why I had to change the pfSense LAN to 10.0.5.xxx instead!
 
I didn't understand your question very well, but you have probably already set an IP address for Proxmox, which must be a static address, so you will always have access through this IP address, no matter if pfSense is on or off. Note that your network interface is in bridge mode, so it will be reachable from any machine in the same IP range.
In your case, I would use the following settings:

Proxmox IP:
- eth0 - ip address: 10.0.5.250
- eth1 - none

Pfsense
- vmbr0 (bridge eth0) - 10.0.5.1
- vmbr1 (bridge eth1) - 192.168.1.15

Another VM (ubuntu / windows)
- vmbr0 - 10.0.5.251

Your network:
- any address from 10.0.5.2 to 10.0.5.249
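
An added example, not part of the original post: a constructed Proxmox `/etc/network/interfaces` for the two-NIC layout above, with a small Python check that the host itself holds an address only on the LAN bridge. The /24 prefix, the gateway line, the bridge options and the placement of 10.0.5.250 on vmbr0 (rather than on eth0, which is a bridge port here) are assumptions.

```python
# Constructed /etc/network/interfaces for the two-NIC layout above.
# Assumptions: /24 prefix, gateway line, bridge options, host IP on vmbr0.
SAMPLE = """\
iface eth0 inet manual
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 10.0.5.250/24
    gateway 10.0.5.1
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
    bridge-ports eth1
    bridge-stp off
    bridge-fd 0
"""

def parse_ifaces(text):
    """Return {iface: {"method": ..., option: value}} from ifupdown text."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            cur = ifaces.setdefault(words[1], {})
            cur["method"] = words[3]
        elif words[0] in ("auto", "allow-hotplug", "source", "source-directory"):
            cur = None
        elif cur is not None:
            cur[words[0]] = " ".join(words[1:])
    return ifaces

def host_exposed_on(text, nic):
    """Bridges that include `nic` and on which the host itself holds an IP."""
    exposed = []
    for name, opts in parse_ifaces(text).items():
        ports = opts.get("bridge-ports", "").split()
        if nic in ports and ("address" in opts or opts["method"] == "dhcp"):
            exposed.append(name)
    return exposed

if __name__ == "__main__":
    print("WAN side (eth1):", host_exposed_on(SAMPLE, "eth1") or "no host IP")
```

Changing `manual` to `dhcp` under vmbr1, or adding an `address` line there, makes the check report vmbr1, meaning the Proxmox host would be reachable from the WAN segment.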
 
Hi there, I'm having an issue with my first install of Proxmox. I followed the Netgate procedure, but the Linux link with the LAN ports is not detecting or generating an IP address from my existing local network :( Any idea?
 
