Installing pfSense and Ubuntu

[ac21]

I installed pfsense following this guide

The next step is to install Ubuntu, during the install I can't get past the mirror config


this is the screen before but im not sure if I should put anything in here



and the screen before that shows the LAN IP I created with pfSense.

 

[esi_y]

I installed pfsense following this guide

The next step is to install Ubuntu, during the install I can't get past the mirror config

I am not sure how fast you would be getting replies on this forum - your question is most likely pfSense related (you might have an issue with routing).

I only glanced at the guide you linked through and the first question in my head is ... why exactly do you even need that pfSense for just a web app? I apologise for coming back with "you are (possibly) doing it wrong", but it would be shortest to troubleshoot to remove anything in the setup that just adds complexity with (to me) no perceived additional benefit.

What's your homelab network topology, the physical one? Will the ubuntu VM be opened to the Internet?

 

[ac21]

I am not sure how fast you would be getting replies on this forum - your question is most likely pfSense related (you might have an issue with routing).

I only glanced at the guide you linked through and the first question in my head is ... why exactly do you even need that pfSense for just a web app? I apologise for coming back with "you are (possibly) doing it wrong", but it would be shortest to troubleshoot to remove anything in the setup that just adds complexity with (to me) no perceived additional benefit.

What's your homelab network topology, the physical one? Will the ubuntu VM be opened to the Internet?

I'm currently using Next Cloud and Home Assistant on a computer running TrueNas Scale, It is a regular full size desktop computer I stuck about 10 hard drives in to store family pictures and videos. This computer stays on all the time due to home assistant and nextcloud, it pulls about 100w of power iding, before this i had no Next Cloud and ran HA on a raspberry pi. Recently I bought a HP elitedesk with a low power 7500T cpu and 16gb ram to move HA and nextcloud to it. Obviously I'm not familiar with any of this but in the process of learning.

On the current system I'm using Cloudflare tunnels to access them remotely, but I read this isn't safe and there are some issues with large files and maybe slow transfer speeds. I initially started following the guide to install NGINX then found I'm missing some things and though for security reasons I should install pfSense. My network topology is modem/ router/ switch. I absolutely may be doing it wrong. Please advise.

 

[rtorres]

Hm... I've setup my pfSense differently than what was on that link.

How is your Proxmox network connections set up? DHCPV4/V6 set up?

 

[esi_y]

Hm... I've setup my pfSense differently than what was on that link.

Do you mind laying out in what sense do you make use of that pfSense?

HP elitedesk with a low power 7500T cpu and 16gb ram to move HA and nextcloud to it.

Cloudflare tunnels to access them remotely

Alright, so this was before and now you plan to access it directly from the outside having ports open? I am asking because the setup through the guide is basically (if I have not misread it) about setting up NAT (private ipv4) within presumably existing NAT (private ipv4 of the physical modem/router). Then you would only expose that pfSense but have to do DNAT (port forwarding) all the time on both to get to your VM.

started following the guide to install NGINX

And then you still put your frontend behind a reverse proxy, which is fine, but it's like ... what was wrong with the cloudflare tunnels again?

topology is modem/ router/ switch.

Suppose your PVE has a vulnerability or the pfSense is misconfigured - you have to worry about that. On top of worrying about having the physical router compromised. And if you got e.g. the NGINX compromised ... you are supposedly already inside that pfSense fronted network segment which ... has access to the rest of your internal network anyhow? I am asking because if you have home assistant, you would have IoT devices inside your network already, do you separate those?

I just wonder if those Cloudflare tunnels were not good as they were. There are other alternatives like VPN or something fancier like tailscale (essentially wireguard) to achieve the same.

To not to completely detract for you post (I suggest you change the title to contain pfSense) - you may boot into the Ubuntu live and start checking what's up with your network connectivity instead of proceeding with the installer - you got stuck after you got DHCP assigned address but you can't reach repos over apt, so you would want to traceroute / tracepath e.g. to 1.1.1.1 and see where it gots thrown away.

DHCPV4/V6 set up?

That's a good question too. Is this IPv4 only or IPv6. And what's the network setup on PVE.

 

[rtorres]

I am running my Proxmox on an HP Elitemini 800 G9 Intel Core i9-12900T and 64GB DDR5 RAM. pfSense has

This is how I have my Proxmox Network NICS set up:vbr0 - LAN for VMs
vmbr1 - WAN straight from ISP
vmbr2 - unused as this is only 1GbE (all other NICS are 2.5GbE)

pfSense VM:


Debian Unifi Console VM:


TrueNAS Scale VM:

 

[esi_y]

I am running my Proxmox on an HP Elitemini 800 G9 Intel Core i9-12900T and 64GB DDR5 RAM. pfSense has

This is how I have my Proxmox Network NICS set up:View attachment 72084vbr0 - LAN for VMs
vmbr1 - WAN straight from ISP
vmbr2 - unused as this is only 1GbE (all other NICS are 2.5GbE)

Oh so the PVE is your router with WAN IP right on it.

The rest I then understand, of course not everyone would want to rely on PVE also be the main (virtual) router. But if you do, the rest is them straightforward.

I just do not see benefit for the OP to have the matrioshka style NAT. I would understand if pfSense is additional firewall layer with nice GUI, but extra DHCP pools and all that (when the same is provided by a physical router) just make it overly complex.

Another alternative is to have some more flexible router that can do VLANs and rely completely on that, bridge that into PVE into respective VMs. It does not have to be anything overly expensive. I know pfSense box is not the cheapest, but if e.g. 1G routing is not an issue, there are really cheap options.

 

[rtorres]

Oh so the PVE is your router with WAN IP right on it.

The rest I then understand, of course not everyone would want to rely on PVE also be the main (virtual) router. But if you do, the rest is them straightforward.

I just do not see benefit for the OP to have the matrioshka style NAT. I would understand if pfSense is additional firewall layer with nice GUI, but extra DHCP pools and all that (when the same is provided by a physical router) just make it overly complex.

Another alternative is to have some more flexible router that can do VLANs and rely completely on that, bridge that into PVE into respective VMs. It does not have to be anything overly expensive. I know pfSense box is not the cheapest, but if e.g. 1G routing is not an issue, there are really cheap options.

I was having the same issue OP was having, however, without much knowing of their current setup it's hard to say.

Technically, I'm using PVE as a virtual 'switch' because the WAN vmbr1 is solely used by pfSense VM no other VM is attached to vmbr1. All the VMs and 1 UniFi AP physically connected on LAN (vmbr0) go strictly through pfSense.

I don't use the Proxmox firewall at all



I can't say about getting a Netgate (pfSense) box, this is the setup that has been working for me well over a year and a half after much trial and error of course.

 

[ac21]

Hm... I've setup my pfSense differently than what was on that link.

How is your Proxmox network connections set up? DHCPV4/V6 set up?

Thank you for your help I see you have two other network devices and recall the official docs going through setting that up. I now plan on abandoning the idea of installing it as esi_y stated its creating a matryoshka effect.

Do you mind laying out in what sense do you make use of that pfSense?

Thank you for your help pfSense is not making much sense now after reading your post. The goal with pfSense was extra security which I probably don't even need because I dont have any data thats sensitive.

And then you still put your frontend behind a reverse proxy, which is fine, but it's like ... what was wrong with the cloudflare tunnels again?

I'm trying to get away from cloudflare tunnel to NextCloud due to it having issues with large files, and it may be slower. I was/am going to install Nginx and open ports on the router just to see if this fixes it.