installing pfsense vm in proxmox

firerobin

New Member
Apr 22, 2020
Hi all,

I have what is probably a super basic question.

I would like to set up a desktop running proxmox with pfsense vm as the firewall.

Before I can install and configure pfsense, do I have to have proxmox installed and configured as the default gateway? Currently I have proxmox installed to a desktop wired to my TP-link router. I would like to replace the TP-link router with the proxmox machine and set the TP-link router in AP-mode in a more central location in my house. My assumption is that moving the proxmox PC to my network closet and connecting to my modem will change its IP address. Should I reinstall from that location and then install pfsense?

Apologies if this is all very basic. First time user.

Edit to add: The PC has a 4-port intel NIC and an additional Realtek NIC on the mobo. It has a single 500 GB HDD.
 
Hi,

I mean you have a few possibilities to do this. What you probably want is to hand-off all the WAN (internet) traffic to the pfSense, so that you just have one thing facing to the public network, I mean virtually, as the Proxmox VE box naturally still needs to be connected with a cable for real. :)

1. Two Linux bridges on the host, one will be the WAN one (vmbr1 in this post) and one the LAN one (vmbr0 in this post). The WAN one normally needs just to have one slave port assigned, the one from the ISP (modem), the LAN one can have the remaining, or at least the one which goes to your LAN switch.
The pfSense VM would then get two virtual NICs, one uses the WAN bridge vmbr1 and one the LAN bridge vmbr0. So, the traffic goes from the internet in over the vmbr1 and its slave port to the pfSense VM's "WAN" NIC, there it gets filtered and whatever and then can go over the other vNIC to the host's vmbr0 and from there to anywhere in the LAN or to other VMs using the "vmbr0" LAN bridge.

2. Passthrough of a NIC, this is similar to 1. but instead of doing the separation a bit more virtual over the extra bridge we hand over one whole NIC HW to the pfSense VM directly. Now, this works well for whole cards, and some newer cards should support virtual functions and thus it could maybe work also for just a port of that NIC - but that depends on your HW and not sure how well pfSense plays with that, so possibly worth a try but don't expect it to be easy peasy lemon squeezy working out of the box (could be but IMO rather not ^^).

3. .. there are other specific setups, using VLANs, ... but IMO above should get over the principle: you need to separate WAN and LAN in such a way that it can be handled by the pfSense VM directly.

Should I reinstall from that location and then install pfsense?

Hmm, well that would be a possibility, but if you got the pfSense ISOs already downloaded and ready you should be able to just move it and change networking after the fact. I mean, some direct physical console access could be nice for that, but as you have a bunch of NICs you could just setup one to a static IP, e.g., 10.1.1.1, connect a laptop or the like to it directly, setup there a static IP too (10.1.1.2) and then the Proxmox VE node and interface should be reachable there - even if you broke its internet and/or LAN access.


Actually, doing this the first time it may lead to questions during this, so you could try to prepare most of it already now with the TP-Link still in place, just fake that the WAN link is the one from the TP-Link and your LAN is just the PVE node's vmbr1 bridge (if you go with 1.), then you can do a test VM there and check if you got internet, once that works you know that your pfSense setup and PVE setup should be sound, so you can do the change and connect it directly to the modem.
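Option 1 above as a concrete host config, added here as an example and not code from the thread or from Proxmox: a small POSIX shell script that emits the two-bridge /etc/network/interfaces for a Proxmox VE host (ifupdown2 syntax) and checks that the WAN bridge carries no host address. The port names enp1s0f0..f3, the VM id 100 and all addresses are assumptions; read the real names from `ip link`.

```shell
#!/bin/sh
# Added example: generate the two-bridge layout for a pfSense VM on Proxmox VE.
# vmbr1 = WAN bridge (one slave port to the modem, no host IP)
# vmbr0 = LAN bridge (remaining ports, host management IP lives here)
# Interface names and addresses below are assumptions for a 4-port Intel NIC.

# $1 = port the modem plugs into   $2 = space-separated LAN ports
# $3 = host management CIDR on LAN $4 = LAN gateway (the pfSense VM's LAN IP)
pve_two_bridge_config() {
    wan_port=$1; lan_ports=$2; mgmt_cidr=$3; lan_gw=$4
    printf 'auto lo\niface lo inet loopback\n\n'
    for p in $wan_port $lan_ports; do
        printf 'iface %s inet manual\n\n' "$p"
    done
    # LAN bridge: the host's only IP, so the GUI stays reachable from LAN
    # clients even when the pfSense VM is down
    printf 'auto vmbr0\niface vmbr0 inet static\n'
    printf '\taddress %s\n\tgateway %s\n' "$mgmt_cidr" "$lan_gw"
    printf '\tbridge-ports %s\n\tbridge-stp off\n\tbridge-fd 0\n\n' "$lan_ports"
    # WAN bridge: deliberately no address, so the host is not exposed upstream
    printf 'auto vmbr1\niface vmbr1 inet manual\n'
    printf '\tbridge-ports %s\n\tbridge-stp off\n\tbridge-fd 0\n' "$wan_port"
}

# Check before applying: returns non-zero if the vmbr1 stanza sets an address.
wan_bridge_has_no_ip() {
    printf '%s\n' "$1" | awk '
        /^iface vmbr1/ { in_wan = 1; next }
        /^iface|^auto/ { in_wan = 0 }
        in_wan && /address/ { bad = 1 }
        END { exit bad }'
}

# Usage on the host (assumed values):
#   cfg=$(pve_two_bridge_config enp1s0f0 "enp1s0f1 enp1s0f2 enp1s0f3" \
#         192.168.1.2/24 192.168.1.1)
#   wan_bridge_has_no_ip "$cfg" && printf '%s\n' "$cfg" > /etc/network/interfaces
#   ifreload -a
# Then give the pfSense VM (id 100 assumed) one vNIC per bridge:
#   qm set 100 --net0 virtio,bridge=vmbr1   # WAN side
#   qm set 100 --net1 virtio,bridge=vmbr0   # LAN side
```

Inside pfSense the interface attached to vmbr1 becomes WAN and the one on vmbr0 becomes LAN, so the host's own address and every other VM on vmbr0 sit behind the firewall.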
 
Thank you for that very detailed reply. I appreciate it.

What I was attempting to do is pretty close to what you are describing in option #1. I was following a guide from Netgate about virtualizing pfSense with Proxmox (link here). I created two Linux Bridges, vmbr1 and vmbr2, in addition to the existing vmbr0, and was going through the pfSense install when it got to the stage where I had to assign WAN and LAN ports. I wasn't clear on how to assign anything when, at the moment, I only have the one cable connected that runs back to my TP-Link router. That got me thinking that I needed to move the machine next to my modem to proceed with the setup.

If I understand what you described, I should assign WAN in pfSense to the same vNIC that has WAN access, which is eth0, since nothing is plugged in to the other parts right now. Then once I'm finished configuring pfSense, I can move it into position as my default gateway and reassign IPs between my current router and the Proxmox/pfSense router I'm building.

That had another question pop into my head; how will I access the proxmox GUI after changing its IP and moving it? Do I assign it the IP that my TP-link router currently has, then power down and rearrange the hardware?

Thanks again, I really appreciate the assist.
 
I wasn't clear on how to assign anything when, at the moment, I only have the one cable connected that runs back to my TP-Link router.
This would be a scenario which can work but needs network separation, like VLANs. Such a setup is often called "one armed router" or "single armed router", it only has "one arm" (one physical link). You would need a managed switch for that which can handle VLANs, though.

If I understand what you described, I should assign WAN in pfSense to the same vNIC that has WAN access, which is eth0, since nothing is plugged in to the other parts right now. Then once I'm finished configuring pfSense, I can move it into position as my default gateway and reassign IPs between my current router and the Proxmox/pfSense router I'm building.

Sounds OK.

That had another question pop into my head; how will I access the proxmox GUI after changing its IP and moving it? Do I assign it the IP that my TP-link router currently has, then power down and rearrange the hardware?

The Proxmox GUI listens to all IPs the host has, so after you moved it over you normally have no IP on the WAN (you could, but fire-walling it off would be good then) and you should statically assign it one on the LAN network range on the LAN facing bridge. So you can reach it from all clients on the LAN.

If your pfSense would go down for whatever reason you could still reach it on that IP for investigation, but the client you use to access the web interface may need to be told about its network manually, as it may not get anything assigned from the pfSense DHCP in such a situation. In Linux that's as easy as doing: ip addr add dev eth0 192.168.1.123/24 && ip link set eth0 up assuming your client's NIC is named "eth0" and the LAN network runs on 192.168.1.0/24, other systems have also ways to do that - which you probably know all already, just mentioning in case :)
 
2. Passthrough of a NIC, this is similar to 1. but instead of doing the separation a bit more virtual over the extra bridge we hand over one whole NIC HW to the pfSense VM directly. Now, this works well for whole cards, and some newer cards should support virtual functions and thus it could maybe work also for just a port of that NIC - but that depends on your HW and not sure how well pfSense plays with that, so possibly worth a try but don't expect it to be easy peasy lemon squeezy working out of the box (could be but IMO rather not ^^).

Can you elaborate a bit more on this? I am attempting to do this with VFs. I understand the part about giving one physical port to the WAN on pfsense. What happens on the LAN side in SR-IOV setups? Can I also setup one physical passthrough SR-IOV port for the LAN and connect all VMs to this one port for LAN access? Also how do the other VMs go out to the WAN? Do I need to connect them to the VF assigned to pfsense? In that case I won't need any Linux or OVS bridges at all? A bit confused!
 
Can I also setup one physical passthrough SR-IOV port for the LAN and connect all VMs to this one port for LAN access?

Hmm, you'd still need to add an additional vNIC to the pfSense which is on an extra LAN bridge on the Proxmox VE host, so that the VMs can also be on that bridge. Then the SR-IOV function for LAN would be the physical connection out to the LAN.
The VMs could use it to talk to other VMs on the host directly, for talking to other hosts in the LAN traffic would go over the bridge to the pfSense and from there over the SR-IOV function to the outside LAN. So IMO, normally it's better to use the second function on the host as bridge slave and give all VMs including the pfSense one a vNIC connected to that bridge.

Also how do the other VMs go out to the WAN?

Through the pfSense, that's why a bridge is needed somewhere which has both the pfSense LAN side and all the VMs on it.

Do I need to connect them to the VF assigned to pfsense? In that case I won't need any Linux or OVS bridges at all?

That would only work if you have enough virtual functions and then you'd still need a physical switch connecting LAN and WAN side of the pfSense (over VLANs, for example). IMO a Linux bridge on the PVE host for the LAN side is much easier and cheaper.
 