Install pfSense as a VM on Proxmox, single NIC, manageable physical switch & VLANs

imothep77

New Member
Jan 16, 2023
Hi All,

Thank you for the great Proxmox, and thank you in advance, dear community, for the wise advice you will give to the newbie I am.

During the last Black Friday, I decided to rebuild a new PC as mine was reaching its first decade.
I also decided to repurpose my old gear to get started in the wonderful world of homelab-ing.

I have Proxmox 7.3 now running on my new server (E52683v3 - 14 cores / 18 threads 2,0 / 3,0 GHz, 32 GB ECC RAM).
I have successfully installed Unraid as a VM (GPU & HDD / HBA passthrough). While I'm thinking about how to organize my data, I decided to first get my network protected from the Internet.

So here I am, trying to install pfSense in the most efficient way, given my setup. Here's a quick diagram.

home network.png

In grey, my all-in-one ISP box, serving as router, WiFi AP, 4-port 1Gbps switch, TV, telephone.
In yellow, my repurposed server where Proxmox is installed.

My ISP box and all my wired devices are currently connected to my Netgear G108e manageable 8 x 1Gbps port switch.
On that switch:
  • port 1 - ISP Box
  • port 8 - Proxmox server
  • port 7 - main Desktop PC
  • port 6 - nVidia Shield TV
  • port 5 - Zigbee bridge
All my WiFi devices are currently connected directly to my ISP Box's WiFi SSID. If there is no other simple way to also protect those devices (including my kids'), I'm willing to buy an access point or another WiFi-enabled router.

My Proxmox server only has 1 x 1Gbps NIC (enp6s0).

While digging through the Internet to answer my question: What is the best way to configure all of this given my hardware and my setup? I think the most efficient way would be to use VLANs. None are currently set up on my switch.

I went through lots of reading and YouTube watching, but am unable to find a comprehensive way to properly configure my physical switch, my Proxmox pfSense VM, the network on my other VMs, my ISP router configuration, etc...

For now, I have assigned:
  • 192.168.0.1 to my Desktop PC
  • 192.168.0.101 to my Proxmox server
  • 192.168.0.253 to my Netgear switch
  • 192.168.0.254 is my gateway (ISP box LAN IP)
All IPs (except Proxmox's which is static) are currently assigned by my ISP router DHCP (permanent IP lease per MAC), not sure it's the good way to configure this for my switch or for my main workstation... I guess at some point in time, pfSense is to replace my box as a DHCP server.

I'm wondering how to set up my VLANs on my switch? On Proxmox? On pfSense?
While experimenting with all of this, what is the most secure way to keep access from my desktop or laptop to my ISP box and to Proxmox? How do I set up a management VLAN on Proxmox?
Which kind of VLAN (tagged, untagged) should I allow, and for which port on my switch? On Proxmox?
I don't want to use my ISP Box in bridge mode as I'm using the TV & Telephony services - ISP Box must stay a "router".
I can set up a DMZ on my ISP box.
If my wireless devices keep getting their IP from my ISP box, is there any way to get incoming and outgoing traffic to go through pfSense? I guess not.....

I'll keep digging by myself, but I'd appreciate any help.

Thanks
 
You need tagged VLAN from your switch to your PVE.
I personally would use a single VLAN-aware bridge on Proxmox, then assign the virtual NICs of your guests a VLAN by setting the "VLAN Tag" of the virtual NIC in the VM's hardware tab.
If you, for example, want your PVE host to sit in VLAN 100, you could add an entry in your /etc/network/interfaces like:
Code:
auto lo
iface lo inet loopback

iface YourNICName inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge-ports YourNICName
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr0.100
iface vmbr0.100 inet static
    address 192.168.100.2/24
    gateway 192.168.100.1

And I would buy an AP that is VLAN capable (I like to flash a router with OpenWRT to act as my WiFi AP and to have an SSID for every VLAN I use... IoT, Guest, LAN, DMZ, Mngt, ...).
 
This is what I have in my interfaces file:

auto lo
iface lo inet loopback

iface enp6s0 inet manual

auto vmbr0.99
iface vmbr0.99 inet static
    address 192.168.0.101/24
    gateway 192.168.0.254

auto vmbr0
iface vmbr0 inet static
    bridge-ports enp6s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4092

As you can see, I restarted from scratch using vlan99 for my WAN.
On my switch, for VLAN99, I have port 1 (untagged) and port 8 (tagged).
On OPNsense/pfSense, I managed to manually configure vnet0 = vmbr0.99 for WAN and vnet1 = vmbr0 for LAN.
I managed to manually set my LAN network as 10.0.0.0/24 with the OPNsense LAN address being 10.0.0.101, no gateway.
I'm not able to retrieve a WAN IP using DHCP, I'm getting WAN (vtnet0) -> v4/DHCP4: 0.0.0.0/8
So I decided to configure WAN manually: 192.168.0.252 with gateway 192.168.0.254

From my PC, which now gets 10.0.0.1, I'm able to ping 10.0.0.101 and 192.168.0.252, but nothing else.
From OPNsense, I'm not able to ping 8.8.8.8 nor 192.168.0.254

Before achieving this, I had to play with PVID on my switch for port 7 (to get my desktop in the same VLAN as my other 2 machines) and my network card setup swapping between 10.x.x.x and 192.168.0.x

I'm stuck here... please help :)
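A small lint for the VLAN-aware bridge layout discussed in the two posts above, run over an abridged copy of the interfaces file as posted. This is an added example, not code from any poster or from Proxmox; the function names and the `untrusted_vids` parameter (the VLAN IDs that sit on the WAN side of the firewall) are assumptions made for illustration.

```python
import re
# Abridged from the interfaces file posted above (VLAN 99 carries the WAN).
POSTED = """\
auto vmbr0.99
iface vmbr0.99 inet static
    address 192.168.0.101/24
    gateway 192.168.0.254
auto vmbr0
iface vmbr0 inet static
    bridge-ports enp6s0
    bridge-vlan-aware yes
    bridge-vids 2-4092
"""

def parse(text):
    """Map each iface name to its method and options (ifupdown syntax)."""
    stanzas, cur = {}, None
    for line in text.splitlines():
        words = line.split("#")[0].split()
        if not words:
            continue
        if words[0] == "iface" and len(words) >= 4:
            cur = stanzas.setdefault(words[1], {"method": words[3]})
        elif words[0] in ("auto", "allow-hotplug", "source"):
            cur = None
        elif cur is not None:
            cur[words[0]] = " ".join(words[1:])
    return stanzas

def lint(text, untrusted_vids=()):
    """untrusted_vids (assumed input): VLAN IDs that sit outside the firewall."""
    st, out = parse(text), []
    for name, opts in st.items():
        if opts["method"] == "static" and "address" not in opts:
            out.append(f"{name}: static stanza without address")
        m = re.fullmatch(r"(vmbr\d+)\.(\d+)", name)  # bridge sub-interfaces only
        if not m:
            continue
        parent, vid = st.get(m.group(1), {}), int(m.group(2))
        if parent.get("bridge-vlan-aware") != "yes":
            out.append(f"{name}: parent bridge is not VLAN-aware")
        ranges = (r.partition("-") for r in parent.get("bridge-vids", "").split())
        if not any(int(lo) <= vid <= int(hi or lo) for lo, _, hi in ranges):
            out.append(f"{name}: VLAN {vid} not listed in bridge-vids")
        if "address" in opts and vid in untrusted_vids:
            out.append(f"{name}: host address on untrusted VLAN {vid}")
    if sum("gateway" in o for o in st.values()) > 1:
        out.append("more than one default gateway defined")
    return out
```

Called as `lint(POSTED, untrusted_vids={99})`, it reports that the Proxmox host address sits on the WAN-side VLAN, in front of the firewall VM, and that the bridge stanza is `static` with no address.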
 
I have a Proxmox system with a single NIC. I do not have a hardware switch with VLAN support and I did not want or need that level of complexity at this point. I ended up creating a virtual switch. A virtual switch in Proxmox is just a Linux bridge. Something like this should work:

1. Create Two Linux Bridges on Proxmox

  1. Log in to the Proxmox web interface.
  2. Navigate to Datacenter -> Node (your Proxmox node name) -> Network.
  3. Click on the Create button and select Linux Bridge.
  4. Name the first bridge for WAN (e.g., vmbr0). Assign an IP address that will work with the ISP router.
  5. Click Create.
  6. Create another bridge for LAN (e.g., vmbr1). Again, set the IP settings to "None".
  7. Click Create.

2. Bind the Physical Interface to the WAN Bridge

  1. Still under the Network tab, click on Create and then Bridge Port.
  2. For the Bridge field, select the WAN bridge (e.g., vmbr0).
  3. For the Port field, select your physical network interface (e.g., enp3s0).
  4. Click Create.

3. Setup pfSense VM

  1. Create a new VM for pfSense.
  2. When setting up the network interfaces, add two NICs.
  3. For the first NIC (WAN), select vmbr0.
  4. For the second NIC (LAN), select vmbr1.

4. Setup Client VMs

  1. For your Windows and Linux VMs, add a NIC and select the LAN bridge (vmbr1).

5. pfSense Configuration

  1. Once pfSense is installed, you will be asked to assign interfaces.
  2. Assign the WAN interface to the NIC connected to vmbr0 and the LAN interface to the NIC connected to vmbr1.
  3. Configure the WAN interface as DHCP or static based on your external network setup.
  4. The LAN interface will be your internal network. Set it up with a static IP (e.g., 192.168.1.1/24).
  5. Proceed with pfSense setup, enabling DHCP for the LAN side so that your client VMs get IP addresses.
  6. Set up NAT and firewall rules to allow traffic from the LAN to the WAN.
 
@Portlander I have a PC like this one https://www.aliexpress.com/item/1005005837997640.html
If I follow a setup like yours and in Proxmox I add more physical ports to the LAN bridge (vmbr0), am I correct to say that both the machines physically connected to the ports in the LAN bridge (vmbr01) and the VMs whose Proxmox-assigned NIC is this LAN bridge (vmbr0) would work as if they were all connected to a single hardware network switch?
Sorry for this basic question, but I'm a noob with Proxmox and I'm still planning its installation with pfSense.
 
I have a Proxmox system with a single NIC. I do not have a hardware switch with VLAN support and I did not want or need that level of complexity at this point. I ended up creating a virtual switch. A virtual switch in Proxmox is just a Linux bridge. Something like this should work:

1. Create Two Linux Bridges on Proxmox

  1. Log in to the Proxmox web interface.
  2. Navigate to Datacenter -> Node (your Proxmox node name) -> Network.
  3. Click on the Create button and select Linux Bridge.
  4. Name the first bridge for WAN (e.g., vmbr0). Assign an IP address that will work with the ISP router.
  5. Click Create.
  6. Create another bridge for LAN (e.g., vmbr1). Again, set the IP settings to "None".
  7. Click Create.

In the first section you mention to assign it an IP address that will work with the ISP router. Does that mean you are running double NAT or a static IP? Would it work to just leave the IP settings to "None" for both virtual switches if you have DHCP coming from the ISP?

Also, if I have a VLAN-aware switch and have WAN over VLAN 10 and LAN over VLAN 100, what would I set up? Two VLAN-aware bridges? Again, this is still coming in through a single NIC on the Proxmox host, but I have a VLAN hardware switch to use if possible.

Thanks!
 
Hi All,

Thanks to all of those who replied.
I did finally manage to use one single NIC and set the proper VLANs for WAN, LAN, IoT, Guest, etc. (Prox-02 below)

As I managed to save some money, I bought new gear (VLAN aware ASUS WiFi Router, with OpenWRT of course), a new 2.5 Netgear manageable switch.

I would like to implement the following.

New Thread
 
You can use 1 NIC as long as you set the port to the Proxmox server as a "Trunk" port and not "Access". You'll then need to configure the "VLAN Tag" on each VM to use the VM network VLAN ID. You'll also want to configure the Proxmox server to use its "Host VLAN" if you have one for it.
 
I purchased a Proxmox server from a hosting platform, and it comes with static IPs. I have created a pfSense VM on it and assigned a static IP to the WAN interface. I also set up virtual IPs and performed NATing with the Ethernet interface. With this setup, I can access the internet using the virtual IPs. I assigned one of these virtual IPs to the pfSense server for the LAN interface. However, when I attempt NAT port forwarding, it is not working correctly. Does anyone have suggestions on how to resolve this issue?
 