[SOLVED] How to connect OPNsense OPT1 interface with another VM

jazzlover

New Member
Dec 24, 2023
Hello there,

I'm trying (not very successfully yet) to set up a router/firewall (OPNsense) and a small server with a bunch of jails (FreeBSD) as VMs on Proxmox, and I'm struggling with networking. I can't get my head around how to make it work, given that I'm just learning networking.

The goal is to connect jails to the virtual interfaces on OPNsense, which should act as routers for the segments in order to control traffic with the firewall and allow communication with the Internet.

On Proxmox I created four vmbrs without IPs: vmbr0 for LAN and the other three for different segments (DMZ, apps), and passed these vmbrs to both OPNsense and FreeBSD. vmbr is connected to a physical NIC, which is connected to a physical switch (LAN). vmbr1-3 are virtual ones, connected to nothing physical.

I successfully set up OPNsense with several interfaces: WAN, LAN, OPT1-3. For OPT1-3 I assigned the passed-through vmbrs from Proxmox and set up IPs for different segments to act as routers for the segments. vmbr0 is for LAN.

On FreeBSD, vmbr0 is the primary interface from LAN for the host. The vmbr1-3 (which appear as vtnet1-3 inside the VM) I defined as bridges and connected jails to them with epairs.

It started to work at the beginning, but, apparently, the traffic from the jails was routed through the LAN interface (host), and my network "design" seems like a really flawed one. I was hoping that vmbr would act as a switch between VMs, but it doesn't.

So, the main question is whether it is possible to "pass" (or whatever) an interface from one VM (OPT1 from OPNsense) to another (FreeBSD) on Proxmox. How would one establish such a connection?
 
Hi,

This works. Go to the Proxmox node, then Networking. Above, you will see Create Network Bridge; then you need a comment like Lan-MGT-SRV, which is there to help you understand your config. Add these NICs to your OPNsense and the MGT server. Then go to the web GUI of pfsense and set a static IPv4 in a range not used in your home network, e.g. 10.24.24.1/24. On your MGT server, set a static IP in that range, like 10.24.24.4/24, and gateway 10.24.24.1. Try to ping google.com, and if this works, your connection works.
 
Thank you for the detailed answer, I appreciate that.
I did exactly that:
  • In Proxmox I created a bridge with no IP and added the bridge as a network device for both the OPNsense and FreeBSD VMs
  • In OPNsense I added an interface, assigned it the IP 10.1.1.1 (different from LAN) and named it DMZ
  • In FreeBSD I added the interface to a jail (it behaves like a physical machine, at least with regard to networking) and assigned the IP 10.1.1.20
The problem is that OPNsense sees the pings from 10.1.1.20 as coming from LAN, not from DMZ, which makes me think that there is no direct connection between 10.1.1.1 and 10.1.1.20 and the ping is routed through LAN from the FreeBSD host, which in turn makes me think that the bridging through Proxmox doesn't work. Perhaps I lack debugging skills in networking and have a pretty lame understanding of networking (but I'm learning). Any suggestions on how to troubleshoot it are very welcome! :)

Edit: I'm quite nervous because I have already moved the server and it stopped working (OPNsense blocks traffic), and I can't figure out what I did to cause that and how to fix it.
 
Another question: should this work if, in the FreeBSD machine, the network device from Proxmox is a bridge? I want to connect multiple jails with different IPs to a bridge with epairs. Or does this work only if the network device has an IP?
 
Hi,

I'm thinking that you did something wrong, if I'm reading this correctly. You added a bridge with no IP = correct steps, then you added it to both machines and don't have another interface on that FreeBSD VM? Then on OPNsense you have the normal 3 interfaces in the Proxmox VM: 1 WAN, 1 LAN and 1 DMZ?

Then normally you go under firewall>rules>DMZ
Create 1 rule with +
and scroll down to apply; leave everything at the default "any", because you need to verify it can ping and route.

If it's working, you can then add more rules above to block things.

:)
 
I'm thinking that you did something wrong
I definitely did :) I added a bridge in Proxmox and attached it to both VMs. On the OPNsense side I did everything correctly: I added an interface and assigned an IP to it, which is the router for the segment.

But in the FreeBSD machine I messed up by treating the interface (which is a bridge in Proxmox) as a bridge with no IP and trying to connect jails to it with epairs. FreeBSD (poor thing) tried hard to route my traffic FROM the jails as best it could, which resulted in the firewall blocking it entirely (correctly, as intended), as it came from the LAN interface, not from the DMZ interface. Now, thanks to the suggestions in the thread, which pushed my thinking in the correct direction, I added an IP to the interface in the FreeBSD VM and attached it directly to a jail. After that it works like a charm.

So, thanks everyone for the suggestions, now it works and I'll try to mark the thread as solved.
 
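An added example, not from the thread or from OPNsense: a small ingress-consistency check for the symptom described above, where 10.1.1.20 showed up on LAN instead of DMZ. The /24 prefix, the LAN subnet 192.168.1.0/24 and the observation tuples are assumptions constructed for illustration; in practice the pairs would come from the firewall's live log or a capture on each interface.

```python
import ipaddress

# Assumed interface plan. Only 10.1.1.1 (DMZ router) and 10.1.1.20 (jail)
# appear in the thread; the /24 and the LAN subnet are assumptions.
INTERFACES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("10.1.1.0/24"),
}

def expected_interface(src, interfaces=INTERFACES):
    """Return the interface whose subnet contains src (longest prefix wins)."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, name)
               for name, net in interfaces.items() if addr in net]
    return max(matches)[1] if matches else None

def check_ingress(observations, interfaces=INTERFACES):
    """Return (src, seen_on, expected) for packets seen on the wrong segment.

    observations: iterable of (interface_seen, source_ip) pairs.
    Sources outside every local segment are skipped: they are routed
    traffic and cannot be judged by this check.
    """
    findings = []
    for seen_on, src in observations:
        expected = expected_interface(src, interfaces)
        if expected is not None and expected != seen_on:
            findings.append((src, seen_on, expected))
    return findings

# Constructed observations: before the fix the jail's pings arrive on LAN,
# so DMZ rules never see them; after the fix they arrive on DMZ.
BEFORE = [("LAN", "192.168.1.50"), ("LAN", "10.1.1.20")]
AFTER = [("LAN", "192.168.1.50"), ("DMZ", "10.1.1.20")]

if __name__ == "__main__":
    for label, obs in (("before", BEFORE), ("after", AFTER)):
        problems = check_ingress(obs)
        for src, seen_on, expected in problems:
            print(f"{label}: {src} seen on {seen_on}, expected {expected}")
        if not problems:
            print(f"{label}: every source arrived on its own segment")
```

A non-empty result means the per-segment firewall rules are not the ones evaluating that host's traffic, so the segmentation is not yet in effect for it.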
