Giving a VM a local IP

PintsizedSix40

New Member
May 18, 2019
15
0
1
I have a vm that is currently being used as a router (running pfsense). I have a network bridge vmbr0 that is connected to the internet, and vmbr1 that is not configured. The vm has both of these bridges, and is able to successfully act as a router. The problem is that I am unable to port forward anything, since the vm does not have its own ip that I can route packets to. I have seen other threads talking about this, but so far I have not had any success making it work. I need a way to be able to give the vm a local ip (only accessible from inside of the proxmox server), and also give it access to the internet.
 
You can't give an IP address to a VM, only to an interface. And that has to be done on the guest.
But I don't understand how your pfSense VM can successfully act as a router, if it is only connected to vmbr0 and the second bridge vmbr1 is unconfigured.
You probably want to configure your vmbr1 and attach the interfaces of your pfSense VM and other VMs so that they can communicate with each other.
 
  • Like
Reactions: Ricardo Bernao
First, let me clarify the router setup. My vmbr1 is not configured with any gateway, IP, or interface. It is though set to autostart. All of my VMs are connected to vmbr1. My router is connected to both vmbr1 and vmbr0.

As for the IP, I am giving it to an interface that only one VM has access to (vmbr0). I just don't know how to go about doing this, so that I am able to access the VM specifically with an IP.
 
I run my pfSense installation for my network as a virtual machine as well. I currently have 4 nodes in the cluster, which are all identical except for the node with pfSense. All nodes have four gigabit NICs that are LACP bonded to form what I have called the "Virtual Machine Trunk". They also have two gigabit NICs that are LACP bonded to form what I call the "Management Trunk". These bonded interfaces are then assigned to separate bridges. This gives me essentially a four-gigabit interface for my virtual machines and a two-gigabit interface for my management and shared storage.

All of my virtual machines connect to the "Virtual Machine Trunk" which not only gives me better throughput but also fault tolerance. The "Virtual Machine Trunk" is connected from each of the nodes to a switch that is also set up with the LACP trunk on the corresponding ports for each node's connections.

As for pfSense, I have added 2 additional NICs into that node, one is a four-port NIC and the other is a dual-port NIC. The four-port is set up as an LACP bond before being added to a bridge which I call the "LAN Bridge" which is connected to my main switch that my other physical devices and switches connect to. I have passed the "LAN Bridge" to pfSense and it is configured as my LAN interface. My other two ports are set up on separate bridges that are configured in pfSense as my WAN1 and WAN2.

I did this as my hardware is on the older side (HP DL380s and a Dell 2950) and they do not support hardware passthrough. Though, this allows me to have all my devices physical or not connected to pfSense. From what I have been able to test and see during use is that I get better than a single NIC speed on any of the virtual machines and I also have fault tolerance as any one virtual machine has access to 4 physical ports to pass traffic through to the pfSense virtual machine.
 
I just found out that my pfSense router is getting its own IP from my modem with DHCP, although when I attempted to connect to it, it failed. Im unsure as to how I can resolve this. If its possible though, I want to give my router its own local ip that is only accessible from inside of the server.
 
How have you tried to connect to the pfSense router?
If you want to access the web interface, you need to allow this in the firewall / port forwarding configuration in pfSense. The web interface is not accessible for the WAN interface per default in pfSense for security reasons. But it may be fine for your setup because you're behind a cable modem / router and therefore the web interface would not be exposed to the public.
 
Sorry for this late response. I port forwarded port 9000 to a VM that hosts on a web server on port 80. When I attempted to connect to it on port 9000, I timed out. I've also tried pinging it, and that doesnt work.
 
Please post the relevant configurations (in code tags) - otherwise it's hard to infer what your problem could be:
* /etc/network/interfaces on your node
* the network config of the pfsense (`ifconfig -a`, `netstat -rn`)

I hope this helps!
 
YAML:
auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

auto vmbr1
iface vmbr1 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0

auto vmbr0
iface vmbr0 inet static
        address  192.168.0.27
        netmask  24
        gateway  192.168.0.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
Code:
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
    ether ##:##:##:##:##:##
    hwaddr ##:##:##:##:##:##
    inet6 fe80::8835:e6ff:feab:73d0%vtnet0 prefixlen 64 scopeid 0x1
    inet 192.168.0.52 netmask 0xffffff00 broadcast 192.168.0.255
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet 10Gbase-T <full-duplex>
    status: active
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    ether ##:##:##:##:##:##
    hwaddr ##:##:##:##:##:##
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x2
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
enc0: flags=0<> metric 0 mtu 1536
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: enc
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
pflog0: flags=100<PROMISC> metric 0 mtu 33160
    groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
    groups: pfsync
    syncpeer: 224.0.0.240 maxupd: 128 defer: on
 
ok - this seems like it should be working
* I assume vtnet0 is the guests nic connected to vmbr0?
* can you ping 192.168.0.1 from the guest?
if yes then 192.168.0.52 is the IP of the pfsense?!
 
Yes, vtnet0 is connected to vmbr0. I can ping 192.168.0.1, and everything behind the router has internet access, but pinging 192.168.0.52 times out.
 
Maybe a firewall rule in the pfsense is preventing pings to it (I assume that you try to ping 192.168.0.52 from a guest behind the pfsense (or from the PVE-node) ?
 
No, I am trying to ping it from a machine in the same network as the server (physical). I need to be able to access guests from outside of it. That is what I am trying to figure out how to do.
 
No, I am trying to ping it from a machine in the same network as the server (physical).

* you mean a physical machine in the same ethernet-segment as your PVE-node?
* if yes which ip does it have - and where does it send the ping to?!

Please provide a bit more information - since it's impossible to help you otherwise
 
hm - if you can ping 192.168.0.27 (the pve-node has this ip afaics) from the host I would start taking a look where the packets get lost with tcpdump (on the ingress physical interface on the node eno1, on vmbr0, on the tap-interface to the pfsense (tap<vmid>i<num) and finally inside the pfsense )

I hope this helps!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!