[SOLVED] Proxmox, virtualized pfsense, VLANs

Lumber4236

New Member
May 28, 2022
Hello,

I'm using pfsense on proxmox as my firewall, and trying to add VLANs for network segmentation.

What I tried so far failed:

  • my proxmox has 3 NICs. eno1 is bridged to vmbr0, enp1s0f0 to vmbr1 and enp1s0f1 to vmbr2
  • my pfsense VM uses vmbr1 and vmbr2. Both have "VLAN aware" ticked
  • in pfsense, vmbr1 is vtnet0 and vmbr2 is vtnet1, respectively tied to WAN and LAN
  • in pfsense, I added a VLAN (tagged 50) with vtnet1 as parent interface, and added an interface "iotLAN" using that VLAN, and a DHCP server on that interface, with subnet 192.168.50.0/24
  • in my Ubiquiti access point, I've added a network "vlan only", tagged 50, and tied a dedicated wireless network to that network

AFAIK, this should work, but when I try to connect to that dedicated wifi network, I just can't get an IP.

I'm fairly new to both proxmox and pfsense, so it may very well be an obvious mistake on my end, but I can't sort it out myself, and any help would be welcome.
 
The first thing I would try at this point would be to establish that VLAN50 is working as expected by creating a container on vmbr2, tagged for vlan50 and dhcp, and see if it gets a lease, and that it can reach the internet. If that works, then it's probably to do with vlan tagging on your physical equipment; if it doesn't, then the problem is related to proxmox/pfsense.
 
Thanks!

That was a good idea. The VM can't get an IP either if I try to tag vmbr2 with vlan 50.
Any idea how I could investigate further?
 
Does your pfsense interface assignment screen look like this?
vlan50if.png

and does your pfsense status screen look similar to this?

vlan50.png
 
On the proxmox node, I assume?

Code:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface eno1 inet manual

iface enp1s0f0 inet manual

iface enp1s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.100.2/24
    gateway 192.168.100.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp1s0f0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr2
iface vmbr2 inet manual
    bridge-ports enp1s0f1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
 
That looks correct.

Could you show us a screenshot of interface -> assignments in pfsense?

Also, I presume you’ve checked the firewall rules in pfsense on all your LANs? Maybe add an ICMP allow-all rule at the very top just for testing purposes?
 
Here is the assignment page:

2022-06-11_20-46.png


Regarding the firewall rules, the setup is pretty barebones for now, and I don't think there's anything there that can be an issue, but once again, I'm very new to firewalling. My plan was to populate the firewall when the VLANs are ready. (I plan to add a second one.)

Here are my current rules:

2022-06-11_20-47.png

2022-06-11_20-47_1.png
 
Yes, you definitely have to reboot. One of the many idiosyncrasies in proxmox that no one tells you about until you lose half a day trying to configure something.

Supposedly in newer versions of proxmox you’re supposed to be able to “edit config without rebooting”, but it seems that’s only for certain things - I found whenever I enabled vlan aware on a vmbr it wouldn’t “take” without a host reboot. In fact a shutdown of all VMs and reloading the network may be sufficient, but if you’re going to all that trouble you may as well reboot the host.
 
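A way to check for the condition described in the last post, where "VLAN aware" is set in the config but was never applied to the running bridge. This is an added example, not code from any poster in the thread or from Proxmox; the function names are made up for illustration, `SAMPLE` is partly constructed, and it assumes the Linux bridge sysfs attribute `bridge/vlan_filtering` reflects the live state.

```python
from pathlib import Path

# vmbr2 is excerpted from the config posted in this thread; vmbr9 is constructed.
SAMPLE = """\
auto vmbr2
iface vmbr2 inet manual
    bridge-ports enp1s0f1
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr9
iface vmbr9 inet manual
    bridge-ports none
    bridge-vlan-aware yes
    bridge-vids 10-20
"""

def parse_bridges(text):
    """Return {bridge: {"vlan_aware": bool, "vids": [(lo, hi), ...]}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "iface" and len(words) > 1:
            current = stanzas.setdefault(words[1], {})
        elif words[0] in ("auto", "source", "source-directory") or words[0].startswith("allow-"):
            current = None  # these keywords end the current iface stanza
        elif current is not None:
            current[words[0]] = words[1:]
    out = {}
    for name, opts in stanzas.items():
        if "bridge-ports" in opts:  # only bridge stanzas are of interest
            # "2-4094" -> (2, 4094); a single id "50" -> (50, 50)
            vids = [tuple(int(x) for x in (v.split("-") * 2)[:2]) for v in opts.get("bridge-vids", [])]
            out[name] = {"vlan_aware": opts.get("bridge-vlan-aware") == ["yes"], "vids": vids}
    return out

def live_vlan_filtering(bridge, sysfs="/sys/class/net"):
    """Kernel state of the bridge: True/False, or None if it does not exist."""
    try:
        return (Path(sysfs) / bridge / "bridge" / "vlan_filtering").read_text().strip() == "1"
    except OSError:
        return None

def check(text, vlan, live=live_vlan_filtering):
    """List mismatches between the config and the running bridges for one VLAN id."""
    findings = []
    for name, cfg in parse_bridges(text).items():
        if not cfg["vlan_aware"]:
            findings.append(f"{name}: not VLAN aware in config")
        elif live(name) is False:
            findings.append(f"{name}: VLAN aware in config, but kernel vlan_filtering is off")
        if cfg["vids"] and not any(lo <= vlan <= hi for lo, hi in cfg["vids"]):
            findings.append(f"{name}: VLAN {vlan} is outside bridge-vids")
    return findings
```

On a Proxmox node, `check(Path("/etc/network/interfaces").read_text(), 50)` reads the real config and the live sysfs state.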
