PfSense + Proxmox 5 one NIC

Gundam

Feb 18, 2018
Hello,

I'll describe my situation: I have a dedicated server with only one NIC (88.23.12.120, not the real IP). I want to configure pfSense as a firewall for my VMs. For this I have bought a second public IP to add to the same NIC (88.23.12.122); they don't give me another physical NIC.

I want to use the first IP for management of Proxmox and the second IP for my VMs.

How can I configure my network to do this?
 
I guess it is a hosted setup.
So if you only want pfSense to be used between the outside and the VMs, I am not sure you need a second IP.

Create a second bridge. Proxmox creates vmbr0, so create vmbr1 attached to nothing.
Add both bridges to the pfSense VM:
vmbr0 as WAN, vmbr1 as LAN.
And route all traffic through pfSense.
Make sure to create a rule in pfSense to pass through your management port to the host, and add an internal IP to the host NIC. This way you should be able to manage the host from inside the LAN and from outside.
I am sure more knowledgeable people will chime in to correct anything here.
 
I have a similar setup on a hosted Root-Server (Hetzner).

I have only one IP, assigned to eth0, not vmbr0. On eth0 I have some iptables rules for NAT.
I do NAT at the Proxmox host level (configured via /etc/network/interfaces).

I have vmbr1 as an internal bridge. It only serves as the WAN interface for my pfSense firewall.
Behind my pfSense I have some bridges (vmbr101, vmbr102, vmbr108, vmbr109) for
different security zones. vmbr101 and vmbr102 are used for publicly reachable web servers,
vmbr108 is a backend network for databases and others, vmbr109 is a "hidden management network"
(hidden from vmbr101 and vmbr102, so cracked web servers cannot attack management VMs).

I still have an additional network, vmbr100, which is the old implementation without pfSense in between.
It only uses iptables NAT on the Proxmox host.

This has worked for years...

Some points about my pfSense:
  • WAN interface is in private address space, NAT via the Proxmox host
  • access to web servers via the HAProxy module in pfSense
  • ACME client on pfSense to automatically create and renew certificates
 
Nice setup. But I am confused.
Doesn't Proxmox create vmbr0 on install? Or did you reconfigure the setup afterwards to drop vmbr0?
Also, with your config pfSense is only for the VMs; the host is open.
 

My eth0 is just an ancient relic; it works the same with vmbr0.

The host isn't open, it is controlled by iptables. As I use iptables to DNAT to the pfSense firewall, I control which ports are accessible. The host has no additional ports open. Even SSH gets redirected to the pfSense firewall.

My hoster does not allow switching the MAC address for the assigned IP address. Having no IP on vmbr0 and using the assigned IP for the WAN interface of pfSense is not feasible.

You may set host firewall rules with Proxmox itself. Older versions did not allow specifying DNAT rules, so I still have them as iptables rules in /etc/network/interfaces.
 
I see. I do not use hosted servers, so I'm not always sure how it works.
As for changing the MAC, you can clone it to vmbr0 if need be.
I just built out a Proxmox/pfSense router replacement.
A small SFF Lenovo PC with Proxmox and a pfSense VM.
But I have 3 NICs. So one is for WAN and connects to my ISP modem; one is for LAN and connects to the main switch.
And one is for host management and connects to the main switch as well.
All physical NICs are aliased to vmbr0, vmbr1 and vmbr2.
The pfSense VM is attached to vmbr1 as WAN and vmbr2 as LAN.
So all traffic from outside always flows through the VM. No need to mess with any network on Proxmox.
In your case it may not be possible.
 
OK, just a small environment.

I'm used to having larger environments, dozens of networks and several
handfuls of distributed pfSense firewalls in a cluster.

But these do not have anything in common with your setup. So I told you about the server above.
But I do have more than one pfSense firewall even in this server...
 
I also have a Hetzner bare-metal server where I installed Proxmox. Now I need to install a pfSense VM where I'll configure a VPN connection and other networking options. I have 2 IPs; the first is configured on the Proxmox physical interface and hosts the Proxmox GUI, but I need to configure another public IP for the pfSense public interface. I tried to configure a Linux bridge with the Proxmox physical interface, but I can access only the Proxmox GUI and the pfSense public interface is unreachable. Does anyone have an idea how to resolve this issue?
 
You may read the Hetzner DokuWiki about additional IPs at https://wiki.hetzner.de/index.php/Zusaetzliche_IP-Adressen/en.

While there are different setups, personally I like the following:
  • add the secondary IP address as an alias to the Proxmox physical interface (vmbr0 or eth0, as you like)
  • create a bridge which is not connected to any of the physical ports of the Proxmox host, and give the Proxmox host an IP address on it (e.g. vmbr1 not connected to eth0, Proxmox host 192.168.1.1/24, no GW)
  • connect the WAN interface of pfSense to this bridge, giving it a private IP address (e.g. 192.168.1.251 on vmbr1, GW 192.168.1.1)
  • set up iptables rules on the Proxmox host; you may put them in /etc/network/interfaces as post-up commands
    • enable IP forwarding
      echo 1 >/proc/sys/net/ipv4/ip_forward
    • enable NAT
      iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j SNAT --to-source $YOUR_SECONDARY_IP
    • accept outgoing sessions
      iptables -A FORWARD -i vmbr0 -o vmbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A FORWARD -i vmbr1 -o vmbr0 -j ACCEPT
    • enable DNAT, accept packets
      iptables -t nat -A PREROUTING '!' -s '192.168.1.0/24' -d $YOUR_SECONDARY_IP -j DNAT --to-destination 192.168.1.251
      iptables -A FORWARD -i vmbr0 -d 192.168.1.251 -j ACCEPT
I haven't checked the correct syntax, so you may have to experiment a little bit.
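As an added example (not code from the thread, from the poster, or from the Proxmox project), the following POSIX shell script turns the steps of the post above into something you can review before applying: it prints the iptables rule set, prints the matching /etc/network/interfaces fragment for the transfer bridge, applies the rules when told to, and checks whether the DNAT to pfSense is present in the running nat table. The interface names, the transfer network 192.168.1.0/24 with host 192.168.1.1 and pfSense WAN 192.168.1.251, and the script path /usr/local/sbin/pfsense-nat.sh are assumptions taken from or added to the post; 198.51.100.22 is a documentation placeholder for the secondary public IP, not a real address. Two deliberate differences from the rules quoted in the post: the FORWARD chain is given a DROP policy so that only the listed paths are ever forwarded by the host, and the deprecated `-m state` match is replaced by `-m conntrack`.

```shell
#!/bin/sh
# Added example, not code from the thread: Proxmox-host side of the layout
# where the secondary public IP is an alias on the host and iptables hands
# all of its traffic to the pfSense WAN interface on an internal bridge.
#
# Assumed names and addresses (override via environment):
#   WAN_IF     interface carrying the public IPs (vmbr0 or eth0)
#   SEC_IP     the additional public IP; 198.51.100.22 is only a
#              documentation placeholder
#   LAN_IF     bridge with no physical port, pfSense WAN hangs off it
#   LAN_NET    private transfer network on LAN_IF (assumed to be a /24)
#   HOST_IP    Proxmox host address on LAN_IF (pfSense's default gateway)
#   PF_WAN_IP  pfSense WAN address on LAN_IF
#   NAT_SCRIPT where this file is assumed to be installed on the host
set -eu

WAN_IF=${WAN_IF:-vmbr0}
SEC_IP=${SEC_IP:-198.51.100.22}
LAN_IF=${LAN_IF:-vmbr1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
HOST_IP=${HOST_IP:-192.168.1.1}
PF_WAN_IP=${PF_WAN_IP:-192.168.1.251}
NAT_SCRIPT=${NAT_SCRIPT:-/usr/local/sbin/pfsense-nat.sh}

# nat_rules prints the firewall commands in the order they must run:
# forwarding on, FORWARD defaults to DROP, replies to VM-initiated sessions
# and anything leaving the transfer network are forwarded, outbound traffic
# is SNATed to the secondary IP, and everything arriving for the secondary
# IP (except from the transfer network itself) is DNATed to pfSense's WAN.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $SEC_IP
iptables -t nat -A PREROUTING ! -s $LAN_NET -d $SEC_IP -j DNAT --to-destination $PF_WAN_IP
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $PF_WAN_IP -j ACCEPT
EOF
}

# interfaces_stanza prints the /etc/network/interfaces fragment. The
# secondary IP stays on WAN_IF, so it is answered by the host's own MAC
# (what a routed additional IP expects) and no VM MAC ever appears on the
# public segment. Proxmox 5 ifupdown syntax; ifupdown2 on newer releases
# spells the bridge options with a dash (bridge-ports).
interfaces_stanza() {
    cat <<EOF
# add to the existing "iface $WAN_IF inet static" stanza:
    up ip addr add $SEC_IP/32 dev $WAN_IF
    down ip addr del $SEC_IP/32 dev $WAN_IF

# transfer bridge: no physical port, only the pfSense WAN vNIC attaches
auto $LAN_IF
iface $LAN_IF inet static
    address $HOST_IP
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up sh $NAT_SCRIPT apply
EOF
}

# check_live succeeds only if the running nat table already contains the
# DNAT rule that hands the secondary IP to pfSense (needs root).
check_live() {
    iptables -t nat -S PREROUTING |
        grep -q -- "-d $SEC_IP/32 .*-j DNAT --to-destination $PF_WAN_IP"
}

case "${1:-}" in
    rules)      nat_rules ;;
    interfaces) interfaces_stanza ;;
    apply)      nat_rules | sh -e ;;   # run as root on the Proxmox host
    check)      check_live ;;
    *)          ;;                     # no argument: only define functions
esac
```

Run `sh pfsense-nat.sh rules` and `sh pfsense-nat.sh interfaces` on any machine to inspect what would be configured, and `sh pfsense-nat.sh apply` as root on the host once the transfer bridge is up; `check` is what to put into a monitoring job, since a reboot without the post-up hook leaves the secondary IP answering on the host itself instead of being handed to pfSense.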
 
Hi, thank you for the reply. I'm trying to configure the pfSense VM with a public interface that has a public IP. This is the network diagram:

internet - Proxmox physical net interface - pfSense public interface

I have 2 public IPs, 1 for the Proxmox GUI and the other for the pfSense public interface
 
This traditional setup might not work with a server at Hetzner.

They have set up a lot of security mechanisms. If I remember correctly, they accept only your physical MAC address on your outside interface; that's why they describe a routing setup for the secondary address.

If you give your pfSense VM the IP address directly, your (internal) MAC address gets exposed to the physical network and might get blocked. Please ask the people at Hetzner about the current situation.

My own setup (like the one I described above) does work.
 
This is clear, but I don't understand why Hetzner gives the opportunity to have more than 1 public IP if it's impossible to use it.
 
