Accessing web gui from different nics/networks

[grock84]

Good morning! I am attempting to setup proxmox web gui access on two separate interfaces/networks. I have 3 nics. Two are dedicated to pfsense (wan/lan) and the other is supposed to be for emergency access in the event pfsense goes belly up. The nic interfaces are as follows:

- enp3s0 - proxmox emergency access connected to a mini router and no wan access

- enp4s0 (wan) and enp6s0 (lan) - pfsense

What would be the best approach? VLANs? vSwitch? I am posting this on my phone so please forgive the lack of configuration file contents. If it would really help, I can type them up. However it is a pretty safe assumption that whatever I have is wrong. For now it's just 3 standard linux bridges (vmbr0-vmbr2) for the 3 nics and vmbr0 is configured for enp3s0 and a static ip and gateway for the proxmox emergency access. Which works, but I can't seem to get it to work through my pfSense LAN at the same time.

 

[Daniel2]

Hello. I'm not a Proxmox or pfSense expert but I use them boh too.
I have a somewhat simmilar setup, just with 1 "pfSense-LAN" nic and 1 "emergency-LAN" nic.
I have configured both static and just don't have any connection at the "emergency-LAN" nic also none clients in this network (subnet).

My relevant Linux Bridges, in your context.

Name	Ports/Slaves	CIDR	Comment
vmbr0	enp3s0	10.0.123.50/24	Emergency Port 123.50
vmbr1	enp4s0		pfSense - WAN
vmbr2	enp6s0	10.0.10.50/24	pfSense - LAN

As I don't know your network(s), I just used the 10.0.0.0/8 for illustration here, 10.0.123.0/24 as your emergency net and 10.0.10.0/24 as your LAN.
All entries are Active, Autostart=Yes, VLAN aware=No and the Gateway of vmbr2 is the pfSense Adress.

I hope I could at least give some hints or ideas

 

[grock84]

Hello. I'm not a Proxmox or pfSense expert but I use them boh too.
I have a somewhat simmilar setup, just with 1 "pfSense-LAN" nic and 1 "emergency-LAN" nic.
I have configured both static and just don't have any connection at the "emergency-LAN" nic also none clients in this network (subnet).

My relevant Linux Bridges, in your context.

Name	Ports/Slaves	CIDR	Comment
vmbr0	enp3s0	10.0.123.50/24	Emergency Port 123.50
vmbr1	enp4s0		pfSense - WAN
vmbr2	enp6s0	10.0.10.50/24	pfSense - LAN

As I don't know your network(s), I just used the 10.0.0.0/8 for illustration here, 10.0.123.0/24 as your emergency net and 10.0.10.0/24 as your LAN.
All entries are Active, Autostart=Yes, VLAN aware=No and the Gateway of vmbr2 is the pfSense Adress.

I hope I could at least give some hints or ideas

That's pretty similar to what I currently have setup and it works well, but what I am trying to do is have my "emergency port" and be able to access the Proxmox web gui from behind pfSense. I really appreciate the advice!

 

[Daniel2]

So with "from behind pfSense" you mean that the Proxmox web gui is filtered by firewall rules etc.?
Because I think thats not directly possible in with "just" 3 Linux Bridges, but you could create another "virtual only" net/Linux Bridge that is just not connected to a physical port, like so:

Name	Ports/Slaves	CIDR	Comment
vmbr0	enp3s0	10.0.123.50/24	Emergency Port 123.50
vmbr1	enp4s0		pfSense - WAN
vmbr2	enp6s0	(removed)	pfSense - LAN
vmbr3		10.0.10.50/24	pfSense - Proxmox

And just connect that to your pfSense, set basic network settings and create rules.
It probably also would work without a full nic but just a VLAN, thats up to you.

 

[grock84]

So with "from behind pfSense" you mean that the Proxmox web gui is filtered by firewall rules etc.?
Because I think thats not directly possible in with "just" 3 Linux Bridges, but you could create another "virtual only" net/Linux Bridge that is just not connected to a physical port, like so:

Name	Ports/Slaves	CIDR	Comment
vmbr0	enp3s0	10.0.123.50/24	Emergency Port 123.50
vmbr1	enp4s0		pfSense - WAN
vmbr2	enp6s0	(removed)	pfSense - LAN
vmbr3		10.0.10.50/24	pfSense - Proxmox

And just connect that to your pfSense, set basic network settings and create rules.
It probably also would work without a full nic but just a VLAN, thats up to you.

Holy crap! That could work! It's so obvious now... I've been racking my brain monkeying around with OVS, vlans and Proxmox's native firewall... I completely over thought it. Attaching the bridge to the pfSense VM in the VM config is what I totally forgot about. I could not figure out how to get Proxmox to talk to pfSense. I am not at home right now, but as soon as am I will test it out and report back. This sounds right though. A big preemptive thank you!!

 

[grock84]

Alright. So, it didn't go as smoothly as I had hoped. I created a bridge with no ip like so:

auto vmbr3
iface vmbr3 inet manual
           bridge-port none
           bridge-stp off
           bridge-fd 0

I tried attaching it via the gui did not work. Proxmox yelled at me because it there was no physical interface. So I had to trick it by adding a physical interface (enp3s0.1) temporarily, attaching it to the pfSense VM as a Network Device and then removing the enp3s0.1 from the bridge (vmbr3). pfSense booted up and saw the interface. However, I could not get it to assign it an IP via DHCP. I tried assigning it to an interface (OPT4). Nothing. Checked the pfSense logs. No mention of it. Then I created a bridge (within pfSense) between LAN and OPT4. Still nothing. I went back to /etc/network/interfaces and tried assigning a static IP:

auto vmbr3
iface vmbr3 inet static
           address 192.168.1.4/24
           bridge-port none
           bridge-stp off
           bridge-fd 0

I went through the same steps as I did before on pfSense and still got nothing. I was so sure your solution was going to work. It's got to be some setting some where that I am missing.

OH! I should mention that the Proxmox gui is accessible via vmbr0. Which is currently connected to a mini router. It's section in the /etc/network/interfaces file is:

auto vmbr0
iface vmbr0 inet dhcp
           bridge-port enp3s0
           bridge-stp off
           bridge-fd 0

It gets assigned an IP and "just works".

Maybe that has something to do with it? I just thought about that so I haven't tested it yet. If disconnecting from the router works and I am able to pull an IP, then that is an acceptable solution, but not ideal. I'll report back when I am able to test it. In the meantime if anyone sees an issue with my configs or thought process, please let me know! Thanks and especially thanks again to you Daniel2!

 

[grock84]

So this is what I arrived at over the weekend:

auto lo
iface lo inet loopback

iface enp3s0 inet manual

iface enp4s0 inet manual

auto enp6s0
allow-vmbr2 enp6s0
iface enp6s0 inet manual
            ovs_type OVSPort
            ovs_bridge vmbr2

auto vlan1
allow-vmbr2 vlan1
iface vlan1 inet static
            address 192.168.6.2/24
            ovs_type OVSIntPort
            ovs_bridge vmbr2
            ovs_options tag=2
            post-up /usr/sbin/ip route replace default via 192.168.6.1

allow-hotplug vmbr0
iface vmbr0 inet static
            address 192.168.10.2/24
            bridge-ports enp3s0
            bridge-stp off
            bridge-fd 0
            post-up /usr/sbin/ip route replace default via 192.168.10.1

auto vmbr1
iface vmbr1 inet manual
            bridge-ports enp4s0
            bridge-stp off
            bridge-fd 0

auto vmbr2
allow-ovs vmbr2
iface vmbr2 inet manual
            ovs_type OVSBridge
            ovs_ports enp6s0 vlan1

It works. Both interfaces get a separate IP and have WAN access. However, they can't both have WAN access at the same time, due to only being able to have one default gateway at a time. Which makes sense and that shouldn't be an issue since the only time vmbr0 (emergency access port) should be used is if pfSense is down.

For future reference to anyone who doesn't know, the post-up line resets the default gateway depending on the interface being used. The allow-hotplug vmbr0 keeps both interfaces from fighting over the default gateway. vmbr0 only fires when a cable is plugged into the physical port on the back of my server.

I wen't with OVS and this vlan implementation because it is the only way I could figure out how to get it to work. If someone has a simpler set up that achieves the same goal, I would love to hear/see it!

 

[shaunstrats]

Hi All

I have exactly the same problem as grock84. Is there any easier implementation for this?

cheers!