ProxMox + pfSense - How to access the pfSense server?

spccat

Nov 3, 2013
Hi there,

I would like to access my pfSense via the webGUI, but after reading all different kinds of things, I have no clue how to do this sadly :(

My interface file looks like this.

Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).


# The loopback network interface
auto lo
iface lo inet loopback


# The primary network interface
auto vmbr0
iface vmbr0 inet static
        address 8x.1x.3x.2x
        netmask 255.255.255.0
        network 8x.1x.3x.0
        broadcast 8x.1x.3x.255
        gateway 8x.1x.3x.1
        bridge_ports eth0
        bridge_stp on
        bridge_fd 0


## this is for the DMZ - Pfsense
auto vmbr10
iface vmbr10 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

In the pfSense install I gave em0 as the WAN interface and the em1 as the local one. Only the local one has an IP of 192.168.1.1

Please note as well that my ProxMox has one public address (8x.1x.3x.2x). So how can I access the pfSense server for the webgui and for ssh as well, as I cannot go from my proxmox server to 192.168.1.1?

Thank you in advance for any help you can give.
 
Try first with only one interface as WAN interface. This will make pfsense create a firewall rule which allows you to access the webGUI from the WAN interface. Then shut down pfsense and add the LAN/DMZ interface. Connect again to your pfsense from WAN and set the rules the way you like/need.

PS:
Which version of Proxmox are you running?
Which version of pfsense?
Are KVM Hardware Virtualization and VirtIO drivers for your NICs working?

I have some problems with pfsense 2.1 which is based on FreeBSD 8.3 and PVE 3.1
http://forum.proxmox.com/threads/16...rdware-Virtualization-and-VirtIO-not-possible
 
Thanks for your reply.

Well I am running
pfSense-LiveCD-2.1-RELEASE-amd64.iso
on proxmox 3.1-24/060bd5a6

I started new and my interfaces on proxmox are:
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 8x.1x.3x.2x
    netmask 255.255.255.0
    gateway 8x.1x.3x.x
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

I have added as well screenshot from the ifconfig of the pfsense machine.
pfsenseifconfig.png
In the pfsense configuration I typed for WAN em0 for LAN nothing at the moment. So what to do next, I have read so many different things that I am confused and lost now.

I would like to get to the webconfig of the pfsense from outside as my machine is hosted at a datacenter, but right now I cannot even ping outside.

Anyone can point me in the right direction please?
Thank you.
 


Honestly I don't know really how I should draw this as there is one Physical box with one ethernet on a public ip and I want the pfsense be reachable fully from the internet and then create on the pfsense a private network where I can put other VMs in.

Code:
                     WAN
                      |
               ETH0 (public IP)
                      |
                   PFSENSE
                      |
               ETH1 (private IP)
                      |
                 -----------
                 |    |    |
                  other VMs
 
that's not gonna work
you have to have a VM that can reach the private ip of pfsense first, i.e. a small xp or linux client that can reach the default ip 192.168.1.1
 
ok, thanks. Could you give me please an idea how the config file should look like?

cheers
 
you don't need a special config file
vmbr0 will be your WAN connected with eth0 of the host
vmbr1 will be your internal network, so you have on the pfsense guest vmbr0 and vmbr1 connected
on the xp/linux client you just need vmbr1 and in the VM you assign the IP 192.168.1.2 and then connect with the browser of your choice to 192.168.1.1

I suppose that your host-server is a hosted solution? otherwise you just need to assign eth1 (if you have a second nic in your server) to vmbr1 and you could do that with a notebook/pc/whatever
 
you don't need a special config file
...so you have on the pfsense guest vmbr0 and vmbr1 connected...

Hello

In such a configuration I assume that the host is connected to vmbr0 and gets the public IP. Right? So what about the IP allocated to pfSense on its vmbr0? (FYI I have only one IP address on my proxmox host).

Best Regards,
 
we are using pfsense with proxmox on all our servers in our datacenter.

Your server must have 2 physical nics, one nic for the internet and one nic for the intranet

Our installation procedure :

1) Installation of Proxmox using the official internet ip address on vmbr1
2) make all updates to Proxmox
3) we use vmbr0 for our internal network with e.g. 10.10.10.10 for the proxmox server
4) Install a small ubuntu system, eg. lubuntu on 10.10.10.20 for internal web admin purposes
5) install pfsense with two nics, the internal network card should point to vmbr0 / external network card should point to vmbr1
6) start pfsense and change the default IP address from 192.168.1.1 to 10.10.10.1

we still have the official ip address on the proxmox interface but now we are ready to get internal web access via 10.10.10.1

We prefer to use pfsense to isolate proxmox completely from the internet and use pfsense as firewall for all our VMs.

If you have an ip range for your network, give your pfsense an official ip address (different than your proxmox official ip address)

Next step is to make a NAT rule to get web access

pfsense_web_access_01.png

pfsense_web_access.png

If you use 127.0.0.1 for Redirect target IP, it is very easy to change the internal LAN outside from the webgui

Next step is making a VPN to pfsense, when done you can change the internet ip address via intranet and you are protected
 
Thank you for your post.

My configuration is completely different. My proXmoX server is hosted in a Data Center. I have just one NIC with one public IP.

Best Regards
 
We need a way to exchange the official internet address from the Proxmox Server to pfsense.

Do you have shell console access to the Proxmox Server via KVM ?
 
Please check if you have only one present NIC in your server, most servers in datacenters have two NICS but only use one
 
Hello,

excuse me for asking, but why such trouble with pfSense? Do you want to use pfSense as a convenient way for administering the packet filter? Personally I wouldn't go the route of DMZ and make the GUI available on the WAN port and so on. Way too many vectors for my taste. If you mess up one thing it could cause big trouble. Even if your concept works on paper, it's still not guaranteed to behave well in production. The pfSense devs aren't the only people on earth that recommend not using pfSense in a virtualized environment unless for testing purposes. And this would be LAN, not some server in a datacenter facility.

It's debian we're using with proxmox, right? Isn't it easier to properly configure iptables together with OpenVPN (either within a VM or on the host) and go from there? I just don't see the point of using pfSense simply as a packet filter + OpenVPN server/and/or/client.

If you now argue that CLI iptables is too complex, well, use chains for each VM. Or use iptables within the VMs. Or both: Use basic rules on the host and fine tuned ones within the VMs. The webGUI nowadays has a convenient firewall configuration tab built in.

Long story short, my approach would be: iptables on the host (basic + one chain for each VM), OpenVPN Server on the host. Only open (INPUT) the OpenVPN listen port (which should not be 1194) for NEW,ESTABLISHED connections. You can even place a limit like 5/minute for NEW and an unlimited rule for ESTABLISHED. You can even go fancy with portknocking if you're paranoid (which I don't consider a bad thing by default).
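
The host-side approach from the post above (basic rules plus one chain per VM, and only the OpenVPN port open with a 5/minute limit on NEW), as an added example that is not part of the original post: a script that prints a ruleset in iptables-restore format. The port 34567, the tun0 interface and the VM IDs, addresses and ports are constructed sample values, and it assumes VM traffic is routed by the host so that it passes the FORWARD chain.

```shell
#!/bin/sh
# Added example (not from the thread): print a host ruleset for iptables-restore.
# Constructed sample values: port 34567, interface tun0, the VM list below.
VPN_PORT=34567   # OpenVPN listen port, deliberately not 1194
VPN_IF=tun0      # assumed OpenVPN tunnel interface
# One "id:ip:tcp-ports" entry per VM
VMS="100:10.10.10.20:443 101:10.10.10.30:22,25"

gen_ruleset() {
    # Default-deny for traffic to the host and through it
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    # Declare one chain per VM before any rule refers to it
    for vm in $VMS; do
        printf ':VM_%s - [0:0]\n' "${vm%%:*}"
    done
    # Basic host rules: replies are unlimited, NEW packets to the VPN port
    # are limited to 5/minute, everything else from outside hits the policy.
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport $VPN_PORT -m conntrack --ctstate NEW -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
-A INPUT -i $VPN_IF -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Per-VM chains: traffic to a VM is judged only by that VM's chain.
    # Connections initiated by the VMs are not allowed here (FORWARD policy).
    for vm in $VMS; do
        id=${vm%%:*}; rest=${vm#*:}
        ip=${rest%%:*}; ports=${rest#*:}
        printf '%s\n' "-A FORWARD -d $ip -j VM_$id"
        printf '%s\n' "-A VM_$id -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
        printf '%s\n' "-A VM_$id -j DROP"
    done
    echo COMMIT
}

gen_ruleset
```

Piping the output to `iptables-restore --test` checks that the ruleset parses without loading it.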
 
Hello Jora. thank you for your post and sorry for the delay in my response.

I agree with you about not putting pfSense in front of proxmox in a VM managed by proxmox (as you said, it could cause big trouble if I mess up one thing). It's probably a very good idea to use Linux/Netfilter running on the proxmox host to filter the network, and why not use port knocking for paranoid people.

But what is your information source when you say that nobody recommends using pfSense in a VM? (OK, of course everything depends on the security level offered by the virtualization system and the security level you require for your applications).

Actually, my concern is not to have a Web GUI for my firewall but to use a technology other than Linux to protect my Linux machines. In this context pfSense is a very good candidate along with Linux/Netfilter (as pfSense is based on FreeBSD). That's why pfSense interests me.

Best Regards,
 
