PfSense on PROXMOX with VLANs?

[Nikole]

I have posted this on Pfsense forums as well but I guess someone in here might be able to help as I am very new to this! :/

I have proxmox server on a DC with a /28 subnet.

One of the IPs of the subnet is assigned on a Proxmox bridge (vmbr1) and works ok.
On proxmox I also have the following bridge (with no IP):

--
auto vmbr3
iface vmbr3 inet manual
bridge_ports none
bridge_stp off
bridge_fd 0
--

The proxmox kvm has 2 virtual NICs, one connected to vmbr1 (as WAN) and the other to vmbr3 (as LAN, 192.168.0.1)

If I create another KVM, and connect it to vmbr3 then I have a happily working KVM behind the Pfsense.

What I want to achieve however (and I can't!) is to create VLANs behind Pfsense.
My problem is not creating the VLANs inside Pfsense but on how to connect the different kvms on those VLANs!

I have followed this tutorial up to the point that the author makes changes on the switch :
http://www.youtube.com/watch?v=-Nf_XsmMmWo

Pfsense shows WAN, LAN, VLAN1 and VLAN2.
The mystery is how to attach KVMs on VLAN1 & VLAN2!!!


I am assuming here that something needs to be done on the proxmox network and can't figure what (and possibly how) as I exhausted my knowledge!

Can someone please heeeeelp?

Nikole

 

[Stewge]

I think your issue is that the Guest VMs aren't using tags?

In that case:

Windows (not tested myself!): Use e1000 as the nic driver. Then download the Intel ProSet software (not just the driver) from intel. This should allow you to create "virtual" interfaces in windows which allow VLAN tagging. I know this works on physical installs, I've not tested this with e1000 in a VM though. But it should work.

Linux: load 802.1q module (already loaded in most distros nowadays), then define interfaces as ethX.VLANID.

Your other option, is to simple define more "empty" vmbr Bridges if all you need is layer2 segregation. Although, you would not be able to extend this outside of that machine.

You may also be able to achieve a similar outcome with a combination of bond interfaces and bridges.

 

[macday]

I think VLAN mapping is just possible through a trunk.

So create a bond (also with one interface only) and create an empty bridge upon this bond.

 

[Nikole]

I think VLAN mapping is just possible through a trunk. So create a bond (also with one interface only) and create an empty bridge upon this bond.

Hi there and thank you for the reply I am in no-way a networking specialist (far from it!). Can you please be a little bit more specific? Bond which interface? And the empty bridge should replace the current one or added as extra? Apologies if I am asking the obvious. It's not obvious to me! :/ Thank you Nikole Edit: Any ideas why my posts are in appearing in one line?

 

[m.ardito]

HAny ideas why my posts are in appearing in one line?

you first post is not on one line, unlike this last.

Are you posting through https or http? Can you try if it makes any difference?
Or try other browsers?

Marco

 

[macday]

OK

You want to do the VLAN Handling/Routing via the pfsense, right?

So you need to look for a free NIC in Proxmox and create a bond (active-passive) upon it via the Network tab. This NIC should be connected to a intelligent switch which has the VLANs configured (tagged).
After that you create a new bridge which is bridged to the newly created bond. Now you install pfsense with only one NIC which is assigned by the new bridge. After installing pfsense you could do the VLAN-Setup inside.

Hope it works for you.

 

[Nikole]

OK

You want to do the VLAN Handling/Routing via the pfsense, right?

So you need to look for a free NIC in Proxmox and create a bond (active-passive) upon it via the Network tab. This NIC should be connected to a intelligent switch which has the VLANs configured (tagged).
After that you create a new bridge which is bridged to the newly created bond. Now you install pfsense with only one NIC which is assigned by the new bridge. After installing pfsense you could do the VLAN-Setup inside.

Hope it works for you.

Hi Macday!
I have to admit that was an 'intelligent' answer!
But... it would probably only be good if my server was next to me...and not in a remote DC with only ONE (physical) NIC!
This means, no extra NIC and no intelligent hardware-based switch. Do those mean that I cannot do what I want? :/

Nikole

 

[pirateghost]

Hi Macday!
I have to admit that was an 'intelligent' answer!
But... it would probably only be good if my server was next to me...and not in a remote DC with only ONE (physical) NIC!
This means, no extra NIC and no intelligent hardware-based switch. Do those mean that I cannot do what I want? :/

Nikole

If all you want are KVM machines in the proxmox node to run through the vlans, just add a vmbr not tied to an ETH device, add that vmbr as another nic in pfsense VM, and use that same vmbr for the KVM machines you want to use...

Sent from my Nexus 5

 

[Nikole]

I can seem to be able to do what I want...
I have placed this post for paid help if anyone is interested!