2 Port NIC with pfsense

Jalau

Oct 8, 2019
Hello guys,
I am a computer science student but quite new to the world of networking. Now I have acquired my first real home server that is not an office PC because it has no onboard ethernet ports so I put in a 2 port gig ethernet NIC.
Using this NIC I would like to have a pfsense vm running. One port (eth1) being the WAN port (coming from my router in bridge mode) and one port (eth0) being the LAN output port for my network switch and other devices in my home network.
Currently my proxmox runs on the local IP 192.168.0.200 and has the router as gateway 192.168.0.1 (router is not yet in bridge mode).
Now because I am fairly new and I can't seem to find a specific tutorial for my use-case I am asking for advice and explanations for my situation. I only have these 2 ports and I don't want to get a second NIC or anything for now to pass through completely. So what I need would be:
Router <-> pfsense VM <-> Proxmox <-> Switch <->All other devices.
What bridges do I need to create? What gateways/IPs etc. do I need to assign to get this working? I am eager to learn about this stuff so feel free to explain what these options etc. actually do.
Thanks in advance for any help!
 
Hi
Code:
# loopback device
auto lo
iface lo inet loopback

# WAN port
auto enp1
iface enp1  inet manual

# LAN port
auto enp2
iface enp2  inet manual

# WAN bridge pfsense is connected with veth0
# no address on the host side, so the method is manual
auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp1
    bridge-stp off
    bridge-fd 0

# LAN bridge pfsense is connected with veth1
# gateway is the pfsense
auto vmbr1
iface vmbr1 inet static
    address  192.168.0.200
    netmask  255.255.255.0
    gateway  192.168.0.1
    bridge-ports enp2
    bridge-stp off
    bridge-fd 0
    bridge-pvid 4095
    bridge-vlan-aware yes
    bridge-vids 1-4094
 
Thank you very much. I will try it out this evening once I get home.
One question though: Do I need to change the adapter/connection proxmox is using? And what do you mean with "veth0"? Virtual Ethernet?
Yesterday I just added a vmbr0 and vmbr1 for testing with no separate IPs etc. set and it for some reason just killed my access to the internet on the proxmox server. It was the last thing that I did yesterday so I am gonna fix that today I guess. But that is why I am wondering about the adapter proxmox is using.
 
> Do I need to change the adapter/connection proxmox is using?

Yes, the Predictable Network Interface Name may be different [1].
You can see your naming with "ip -c a".

> And what do you mean with "veth0"? Virtual Ethernet?

Yes, this is the FreeBSD Network Interface Name for virtio Network devices.

> Yesterday I just added a vmbr0 and vmbr1 for testing with no separate IPs etc. set and it for some reason just killed my access to the internet on the proxmox server.

If you have no IP on the Proxmox VE host you can't use the Network.
For Network connectivity you need an IP address.

> But that is why I am wondering about the adapter proxmox is using.

What do you mean with "adapter"?

1.) https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
 
I see.
So the WAN port has no IP in your config because it is directly attached to the bridge mode router and the LAN interface has an IP because it needs one in the local network? And after that I just pass through the vmbr0 and vmbr1 to the pfsense vm and set the rest up in there? Do I assign a different IP to pfsense somehow than the ...0.200?

By adapter I mean the virtual or real-world ethernet port that proxmox is using. Do I need to change that to the vmbr1 (LAN) port somewhere instead of the eth1 port currently?

Thank you for your help. I am really new to this and just want to understand how exactly it is meant to work so in the future I can do it on my own.

Edit: I just tried using your config and if I renamed everything correctly/copied it correctly it didn't work. I plugged my current LAN cable into the port 1 (vmbr1) and tried to ping my machine and also ping anything from my machine - no success. So I can't even access the web interface to setup the pfsense. Any idea what I was doing wrong? In this case I was only connecting my LAN port to the switch which is also plugged into the NOT in bridge mode yet router.
Just went back to what I was using before and it looks like this (works):
[Image: QJ6lfIV.jpg]
 
> So the WAN port has no IP in your config because it is directly attached to the bridge mode router and the LAN interface has an IP because it needs one in the local network?

Correct, but this is more an not a must.

> And after that I just pass through the vmbr0 and vmbr1 to the pfsense vm and set the rest up in there?

Correct, this is not a pass-through; it is the same as when you connect two switches with a router/firewall.
So to say, you configure your Gateway device in your LAN.

> Do I assign a different IP to pfsense somehow than the ...0.200?

The WAN side depends on your ISP. Normally you use DHCP, or you have a static IP.
On the LAN side, you can use every IP subnet you like.
The important thing is the IP from the Proxmox VE must be in the same subnet as the LAN subnet from the PFSense.

> By adapter I mean the virtual or real-world ethernet port that proxmox is using. Do I need to change that to the vmbr1 (LAN) port somewhere instead of the eth1 port currently?

Imagine the vmbrX is a switch and the "adapters" are the cables that you plug in the switch.
The vmbr is just an L2 switch in software.

The config works but the setup is tricky and you need to use a static IP on the Client (Laptop) side.
 
So on the WAN port I need to set mode dhcp instead of manual? Because I think that's what my ISP uses.

Wait, what do I need to do to reach Proxmox this way? Because proxmox right now can't ping 192.168.0.1 nor google or anything. And only while I am setting up pfsense or also while I am working with it later on?
 
> So on the WAN port I need to set mode dhcp instead of manual? Because I think that's what my ISP uses.

I can't tell you, ask your ISP.

> Wait, what do I need to do to reach Proxmox this way? Because proxmox right now can't ping 192.168.0.1 nor google or anything. And only while I am setting up pfsense or also while I am working with it later on?

In the configuration I sent you, the Proxmox VE host IP 192.168.0.200 is only reachable on the LAN port.
The PFSense is reachable on 192.168.0.1 from the LAN port.
 
I think I got it working:
My setup for anyone wondering:

Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

allow-hotplug ens3f1

auto ens3f1
iface ens3f1 inet static

iface eno1 inet manual

iface eno2 inet manual

auto ens3f0
iface ens3f0 inet manual

auto vmbr0
iface vmbr0 inet static
        address  192.168.1.200
        netmask  24
        gateway  192.168.1.1
        bridge-ports ens3f1
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge-ports ens3f0
        bridge-stp off
        bridge-fd 0

Where ens3f1 is my LAN port and ens3f0 is my WAN port.
I am passing both the vmbr0 and vmbr1 to my pfsense. pfSense's IP is set to 192.168.1.1, Netmask 255.255.255.0, Gateway 192.168.1.1 and DHCP on.

Thank you very much for your detailed explanation. The part with "bridge is just a switch" helped me to understand it and config it like I thought it would work. Dunno what was wrong in the previous setup for it not to work but like this it works.
 
Glad you got it working.
Only 2 things.

Code:
allow-hotplug ens3f1

auto ens3f1
iface ens3f1 inet static

static is not correct here; you should use manual instead.
eno1 and eno2 are not used in your config.
It was only an example from me.
 
I will try to change it to manual. Thank you yet again for all your explanations and help!
eno1 and eno2 are actually two SFP+ ports that my server has but they are not used currently because RJ45 to SFP+ is quite expensive.
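
The checks discussed in this thread, as an added example that is not part of any post above: a small linter for `/etc/network/interfaces` that flags an `inet static` stanza with no address, a gateway outside the host's subnet, and a host IP on the WAN-facing bridge (which would make the Proxmox host reachable from the untrusted side rather than only on the LAN port). The `parse` and `lint` names and the `wan_bridge` parameter are assumptions of this example, and the sample is constructed from the final config posted above.

```python
import ipaddress

# Constructed sample: the final config from the thread, trimmed to the relevant stanzas.
SAMPLE = """\
auto ens3f1
iface ens3f1 inet static
auto ens3f0
iface ens3f0 inet manual
auto vmbr0
iface vmbr0 inet static
        address  192.168.1.200
        netmask  24
        gateway  192.168.1.1
        bridge-ports ens3f1
auto vmbr1
iface vmbr1 inet manual
        bridge-ports ens3f0
"""

def parse(text):
    """Return {iface: {"method": ..., option: value, ...}} from ifupdown syntax."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        words = raw.split("#")[0].split()
        if not words:
            continue
        if words[0] == "iface" and len(words) >= 4:
            cur = stanzas.setdefault(words[1], {"method": words[3]})
        elif words[0] in ("auto", "allow-hotplug", "source"):
            cur = None  # these lines end the current stanza
        elif cur is not None:
            cur[words[0]] = " ".join(words[1:])
    return stanzas

def lint(text, wan_bridge):
    """wan_bridge: name of the bridge facing the untrusted side (caller-supplied)."""
    findings = []
    for name, s in parse(text).items():
        if s["method"] == "static" and "address" not in s:
            findings.append(f"{name}: 'inet static' without address, use 'manual'")
        if name == wan_bridge and "address" in s:
            findings.append(f"{name}: host has an IP on the WAN bridge")
        if "address" in s and "gateway" in s:
            addr, _, prefix = s["address"].partition("/")
            net = ipaddress.ip_network(f"{addr}/{prefix or s.get('netmask', '32')}", strict=False)
            if ipaddress.ip_address(s["gateway"]) not in net:
                findings.append(f"{name}: gateway {s['gateway']} outside {net}")
    return findings
```

Calling `lint(SAMPLE, "vmbr1")` reports only the `ens3f1` stanza, which is the same point raised in the last reply of the thread.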
 
