[SOLVED] One port host with pfSense

[bgs]

Hello! I know, there are already many posts to this topic, however I'm stuck with my config. I want to use the one NIC for LAN VLAN (ID 1) and WAN VLAN (ID 100).
Therefore I've configured the bridge as VLAN aware:

auto lo
iface lo inet loopback

iface enp3s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.22.2/24
        gateway 192.168.22.1
        bridge-ports enp3s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

On the managed switch, the ISP modem is connected to port 4
Proxmox is connected to port 8

VLAN 1 is untagged on 1-3,5-8 (all except port with ISP modem)
VLAN 100 is tagged on port 8 (Proxmox) and untagged on port 4 (ISP modem)

All containers/VMs use vmbr0 with VLAN tag 1 fine and working.

The pfsense container got two network devices:
net0: bridge=vmbr0,firewall=1,tag=1 --> lan, em0 interface to pfsense
net1: brdige=vmbr0,tag=100 -> wan,em1 interface to pfsense

But the problem is, that pfsense cannot obtain a DHCP lease from the WAN interface via the modem. The modem itself is tested and working. Could someone help me figure this out? Any help is appreciated.

 

[bobmc]

I would try creating vlan interface in pfSense for vlan-100 and assign this to WAN traffic

 

[bgs]

Thank you for your reply. I've tried but hasn't changed anything.

 

[vesalius]

Couple things, the default Proxmox Linux bridge excludes the use of vlan1 tagged. Would need to change the line bridge-vids 2-4094 to bridge-vids 1-4094, but I don’t think that is neccessary.

Vlan1 is untagged on switch port 8 meaning untagged traffic coming in from proxmox, pfSense or VM’s will get tagged with vlan1 at that point. Incoming network packets already carrying a vlan1 tag will get dropped at switch port 8. So you can remove the tag=1 at pfsense net0

 

[bgs]

You are right, I've corrected the interfaces to a more reasonable structure:

auto lo
iface lo inet loopback

iface enp3s0 inet manual

auto vmbr0.1
iface vmbr0.1 inet static
        address 192.168.22.2/24
        gateway 192.168.22.1

auto vmbr0
iface vmbr0 inet manual
        bridge-ports enp3s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

I've removed the second network interface from the pfsense VM, leaving just em0 and assinged em0.100 as WAN in pfsense.


Switch config still the same:

VLAN ID     VLAN Name     Member Ports     Tagged Ports     Untagged Ports
1            Default        1-3,5-8                            1-3,5-8   
100            WAN            4,8                8                4

Sadly I've still got no luck with this setup.

 

[vesalius]

Just to confirm, does the modem need the wan traffic Tagged100 or is this your design? not saying anything wrong with that design.

What isp modem are you using, pfsense has issues with some. Have you restarted the modem and tried to allow pfsense to get a DHCP address, some won't respond to a DHCP request from a new mac address without a restart.

Have you considered moving the Wan traffic to the default vlan and leaving it all untagged, then moving lan to a different vlan ID?

 

[bgs]

Just to confirm, does the modem need the wan traffic Tagged100 or is this your design? not saying anything wrong with that design.

Was my design, but I changed it now like you suggested and I've got one step further. Thank you!

What isp modem are you using

Cisco EPC3212

pfsense has issues with some

Maybe with this one too. It is initially assigning 192.168.100.10 and some seconds later the real public IP. Windows has no troubles with that but pfsense loses 192.168.100.10 some seconds later without assigning the final public IP.

 

[bgs]

I made a workaround and assigned the public IP (I'm getting on other devices than pfSense ) as static.