Not able to set up pfSense

John Driessen

Apr 27, 2020
Hi,

I have tried many times already to set up pfSense (CE 2.4.5-p1) in a VM in Proxmox 6.3-3, but so far I have not really succeeded.

Here's where I got so far.
I have a 1-NIC system.
The standard bridge (vmbr0) is linked to the actual NIC (enp1s0) including a CIDR (192.168.x.y) which is the address of my Proxmox machine and 192.168.x.1 (the standard gateway). This vmbr0 is active and is autostarting.
I have created a second bridge (vmbr1) which is not linked to anything but is active and autostarting.
Just for the record, I have tried all combinations of possibilities for bridge models (e1000, virtio, rtl8139, vmxnet3).

I want vmbr0 to be the WAN-side of PfSense.
I want vmbr1 to be the LAN side of PfSense.

I can only install PfSense and get access to the Webconfigurator if I only include the vmbr0 in the VM configuration. I set the static IP for the WAN to 192.168.x.z, the mask to 24 and the WAN gateway to 192.168.x.1.
If I also include vmbr1, then I won't get access to the Webconfigurator, even when setting static IP addresses for both WAN and LAN (for the LAN I set it to 192.168.a.b).
I also have an LXC running PiHole (on 192.168.x.c), which currently acts as my DHCP server, in which several static IP addresses have also been defined.

So I have set up the pfSense VM with only a static WAN IP (192.168.x.z) (only vmbr0 included) and rebooted the VM.
I can now access the Webconfigurator via http(s)://192.168.x.z.
Then I update the config of the VM in Proxmox GUI by adding vmbr1.
In the pfSense Webconfigurator the additional network address is now shown and I can configure that to be the LAN side in the Network Assignments.
In the VM I can assign the 192.168.a.b IP (netmask 24) to be the static IP address of the LAN side.
After rebooting the VM I can no longer access the Webconfigurator (either via 192.168.x.z or 192.168.a.b).

Can someone explain to me how to get this working correctly?

Thanks in advance for your help.
 
OK, having only 1 NIC on your host is not ideal for this scenario, but it should be possible to make this work.

vmbr1 will not work for anything physical - this is why access to the webconfigurator is not working, you would need to access via a virtual machine also connected to vmbr1 for this to work.

I assume that 192.168.x.1 is your internet router so for this to work you would need to make this network your WAN network and then define another network for both your physical and virtual devices - on say 192.168.100.x

You would create a VM with two NICs - both on vmbr0 - to install pfSense. These would be your LAN and WAN interfaces. The WAN side would have a network address of 192.168.x.z/24 and a gateway of 192.168.x.1. The LAN side would be 192.168.100.1/24, and this would also become the network gateway address for all your devices, including the Proxmox host, which will need an address in the 192.168.100.0 network. Finally, change the network config on the PiHole container to have a network connection of 192.168.100.z and update the DHCP scopes to be in the new network range - or disable DHCP on PiHole and serve DHCP leases from the pfSense host instead.

You will need to manually configure your desktop pc to have an IP address in the 192.168.100.0 scope while you are doing this work and you will not have any internet access until pfSense is working correctly.
 
Hi Bob,

Thanks for your answer. This sounds like a good way to proceed.
This also means that the vmbr1 will not be needed anymore?

If I understand correctly you place the pfSense VM between the internet router (your assumption was right) and all the other devices.
Amongst these are also Proxmox itself (on which the pfSense VM runs), physical PCs, mobile phones etc. Then it would make sense to have PiHole (then also having a 192.168.100.c address) only as the recursive DNS server and ad-blocker, and have the DHCP server part moved to pfSense.

Saying that, suppose I would want to provide a guest network (say 192.168.200.0) as well, could I also accommodate that in pfSense?
E.g. by means of 192.168.200.1 as gateway and 192.168.200.d/24 as IP address for guest devices?

One last question: if my Proxmox machine's IP address moves to the 192.168.100.0 range, what should be stated in the vmbr0 part where the CIDR is stated (which is currently my Proxmox IP 192.168.x.y)? Should that be replaced with the pfSense VM IP (192.168.x.z)?
 
I hope this makes it easier to understand

Code:
                                                                                                       +=============+
                                                                                                       | Desktop PC  |
                                                                           +----->[HOST NIC PORT]<--+->+=============+
                              +=============+      +===============+       |      [192.168.100.3]   |  |192.168.100.x|
+=================+           | pfSense WAN |      |  pfSense LAN  |       |                        |  +=============+
| internet router |           +=============+      +===============+       |                        |   
+=================+<--------->| 192.168.0.2 |<---->| 192.168.100.1 |<------+                        |  +===========+
|   192.168.0.1   |           +=============+      +===============+       |                        +->| Wifi ???? |
+=================+           | vmbr0       |      | vmbr0         |       |                           +===========+
                              +=============+      +===============+       |
                                                                           |
                                                                           |
                                                                           |      +=============+
                                                                           |      | piHole LXC  |
                                                                           |      +=============+
                                                                           +----->|192.168.100.2|
                                                                                  +=============+
                                                                                  | vmbr0       |
                                                                                  +=============+

So in this example, the Proxmox IP would be 192.168.100.3/24, gateway 192.168.100.1.

Additional guest networks are entirely possible.

How will you connect your mobile devices in this scenario?
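The two layouts discussed in this thread, as an added example that is not part of the original posts: a small Python model of the rule that vmbr1 carries no physical port, used to check which ports can reach the pfSense LAN directly. Bridge names come from the thread; the concrete addresses 192.168.0.10, 192.168.50.1 and 192.168.100.20 are constructed stand-ins for the masked 192.168.x.y values.

```python
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Optional

# Bridges on the Proxmox host that carry the physical NIC (enp1s0 in the thread).
# vmbr1 in the first post has no physical port and is deliberately absent here.
PHYSICAL_BRIDGES = {"vmbr0"}


@dataclass(frozen=True)
class Port:
    name: str
    bridge: Optional[str]  # Proxmox bridge; None = a physical device on the cable
    addr: str              # IPv4 address in CIDR form


def same_segment(a: Port, b: Port) -> bool:
    """Layer-2 adjacency: guests share a segment only on the same bridge, and a
    physical device can only reach bridges that contain the physical NIC."""
    if a.bridge is None and b.bridge is None:
        return True
    if a.bridge is None:
        return b.bridge in PHYSICAL_BRIDGES
    if b.bridge is None:
        return a.bridge in PHYSICAL_BRIDGES
    return a.bridge == b.bridge


def reachable(client: Port, target: Port) -> bool:
    """Directly reachable without a router: same L2 segment and same subnet."""
    c, t = ip_interface(client.addr), ip_interface(target.addr)
    return same_segment(client, target) and c.network == t.network


def unreachable_targets(client: Port, targets) -> list:
    """Names of the targets the client cannot reach directly."""
    return [t.name for t in targets if not reachable(client, t)]


# Layout from the first post: host on vmbr0, pfSense LAN on the port-less vmbr1.
HOST_BEFORE = Port("Proxmox host", "vmbr0", "192.168.0.10/24")   # constructed
LAN_BEFORE = Port("pfSense LAN", "vmbr1", "192.168.50.1/24")     # constructed
DESKTOP_BEFORE = Port("Desktop PC", None, "192.168.50.20/24")    # constructed

# Bob's layout: both pfSense NICs on vmbr0, everything moved to 192.168.100.0/24.
HOST_AFTER = Port("Proxmox host", "vmbr0", "192.168.100.3/24")
LAN_AFTER = Port("pfSense LAN", "vmbr0", "192.168.100.1/24")
PIHOLE_AFTER = Port("PiHole LXC", "vmbr0", "192.168.100.2/24")
DESKTOP_AFTER = Port("Desktop PC", None, "192.168.100.20/24")    # constructed

if __name__ == "__main__":
    print(unreachable_targets(HOST_BEFORE, [LAN_BEFORE]))
    print(unreachable_targets(HOST_AFTER, [LAN_AFTER, PIHOLE_AFTER]))
```

Note that in the working layout WAN and LAN share one bridge, so they are separated only by IP subnet, not by layer 2; that is the trade-off of a single-NIC host.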
 
Thanks Bob for the drawing.

Currently most mobile devices (smartphones, iPads, laptop Wi-Fi connections) get their IP address from PiHole (predefined mapping of MAC address to static IP).
Laptops, PCs etc. connected via network cable also get their IP address from PiHole (same mapping method).
"Unknown" wifi devices get an IP address from PiHole in the higher range, so 192.168.x.n (where 110 < n < 255)
The predefined mapping provides static IP addresses in the range 192.168.x.2 - 192.168.x.110.
I would like to keep these kinds of mapping methods (either performed by pfSense or performed by PiHole).

The PiHole LXC in your drawing is not behind the Proxmox host, but directly behind the pfSense LAN and has vmbr0 attached, whereas Proxmox does not. Is this because PiHole is providing the recursive DNS and/or DHCP services?
Do the VMs / LXCs defined in Proxmox (such as Windows VM, Ubuntu VM, OpenVPN and Samba/FileServer) also need to refer to vmbr0?
And what about the physical PCs / laptops? (They now seem to be behind Proxmox.) On the physical PCs / laptops I know how to change the static IP address.
 
Are you still using the ISP router to provide Wi-Fi? If so, Wi-Fi clients will never be able to get a DHCP address from either PiHole or pfSense, because they are effectively connected on the 'WAN' side of the network.
 
I have seen that e.g. an unknown mobile phone gets an IP address in the 192.168.x.n range (so above 110).
The ISP router has been disabled as a DHCP server (if that's what you mean).
 
But you don't have a separate wireless AP, do you?

In that case, you would have to enable DHCP on the ISP router for Wi-Fi clients. You could amend the DHCP settings to use PiHole for DNS, but this would mean you would have to set up firewall rules to allow traffic from the WAN side of pfSense to reach the PiHole server. It would also mean that Wi-Fi clients would be unable to access anything on your LAN side unless you specifically enable it.

Alternatively, you would need to buy a Wi-Fi access point.