Need help with vlans / pfsense

[Sparkytech]

I currently have a pfsense firewall that I have virtualized in Proxmox. I have 2 vlans setup in pfsense. My Proxmox hardware only has 2 NICs: one will be WAN, and the other will be a trunk port for the 2 vlans. also need to setup a management vlan. I am unsure how to proceed with the vlan setup. Do I keep the vlans in pfsense, do I create vlans in OpenVSwitch, or do I do something entirely different? My initial thoughts are to keep the vlans in pfsense, create a virtual trunk into vswitch, which will carry these 2 vlans, and then finally create virtual ports for each vlan in the virtual switch that can be accessed by other vm's. The ultimate goal is to create a Windows VM in Proxmox, and have it connected to one of the vlans on the virtual switch, so its traffic is filtered by the firewall. Can someone give me a basic "how-to" on accomplishing this? An explanation would be helpful, as I have read up on this a lot, but I am still lost.

 

[wolfgang]

Hi,
I think the best way and also the easiest is to use a linux bridge with Vlan awareness.
Make you vlans in the pfsense.
Enable Vlan awareness on the linux bridge.
On the VM nic set the vlan You like to use.
Then all the vlan is transparent to the guest.

 

[Sparkytech]

Thanks for the info. I got it working most of the way. I currently have vlan 2 & 3 setup in Proxmox and pfSense. I have a Windows VM in Proxmox that has both vlans functional in it. Now I need to have these vlans on eth1, which will be a trunk port to a physical switch. I would prefer to do this in Proxmox, and not in pfSense if possible. How do I set this up? Thanks for any help!

----------------------------------------------------------------------------------------------------------------------------------

My /etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto eth2
iface eth2 inet manual

auto vmbr0
iface vmbr0 inet dhcp
bridge_ports eth0
bridge_stp off
bridge_fd 0

auto vmbr1
iface vmbr1 inet manual
bridge_ports eth1
bridge_stp off
bridge_fd 0

auto vmbr2
iface vmbr2 inet static
address 192.168.50.10
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0

auto vmbr3
iface vmbr3 inet static
address 192.168.10.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0

auto vmbr20
iface vmbr20 inet manual
bridge_ports eth1.2
bridge_stp off
bridge_fd 0

auto vmbr30
iface vmbr30 inet manual
bridge_ports eth1.3
bridge_stp off
bridge_fd 0

 

[Sparkytech]

I figured it out. Added bridge in Proxmox: eth1, vmbr20, vmbr30. Now I have the 2 vlans on physical port eth1.

 

[Phlogi]

I figured it out. Added bridge in Proxmox: eth1, vmbr20, vmbr30. Now I have the 2 vlans on physical port eth1.

Was your original bridge vmbr1 affected by the two additional bridges (vmbr20, vmbr30), i.e. the traffic that was not tagged did still go through? As soon as I add a bridge for vlan (i.e. using eth1.2 -> vlan2) the (existing) traffic on eth1 is interrupted.

Also, please share your final configuration.

 

[boopzz]

For future reference there are 3 ways you can do it:

1. Setup a bridge for a specific VLAN and add interfaces to that bridge
2. Setup one bridge and make sure its "VLAN Aware" tickbox is checked. Then add an interface to your VM and tag the interface with the VLAN.
3. Similar to 2, setup one bridge but instead just add one interface to the VM and then do VLAN tagging inside of the VM