OVS setup for pfSense (diagram included)

gijobin

Jul 7, 2020
Hello everyone - I would love to give OVS a shot for setting up my pfSense per the following diagram.

In this setup, I have:
  • A PC hosting Proxmox with three ethernet ports:
    • eth0 for WAN
    • eth1 for LAN and will be trunked to port 1 on the switch
    • Third for Proxmox management (which is on the motherboard)
How would I create this setup in the GUI? I haven't seen too many OVS setup tutorials and any feedback would be appreciated! Thank you :)
 
I don't see why you would need to use OVS for this setup. OVS was needed some years ago but by now, the normal Linux bridge can handle pretty much all use cases except a few very special ones.

If you configure a regular Linux bridge (vmbr1) on the internal interface and set the "VLAN aware" option, pfSense can manage the VLANs by itself and the bridge will pass through the tagged packets.
 
@aaron - thanks for your message. In this case, I would need two Linux bridges, correct?

Would vmbr1 need an internal IP address attached to it? Is there any other configuration option I would need for vmbr1 (LAN) or vmbr0 (WAN)?
 
How do you plan to access the PVE node itself? Do you have another interface?

If vmbr1 (internal) and vmbr0 (WAN) are the two NICs that you have, you would probably want to configure an IP on vmbr1 to be able to access the node.
 
I agree with Aaron. I tried both about a year ago with a pfSense VM and found VLAN-aware Linux bridges and bonds to be easier to implement and work well. Never could get OVS to work, but that was likely my error.
 
Hi @aaron - the third interface is the only one used for Proxmox management, but I'm not sure if the best way is to attach directly to a host from the node in case the internet goes down. Does that make sense?

I'm curious: how would I know the IP to put for vmbr1? Would I have to install pfSense first to know the internal range?
 
Hi @vesalius - thanks for your feedback. Would you have any suggestions on how I would go about setting up my three interfaces with two bridges?
 
Okay, let's see if I understand the situation correctly. You have 3 NICs on your PVE host, right? You want one to be used for pfSense to connect to your WAN (modem, whatever), another one should enable pfSense (and probably other guests) to connect to the internal network, and you have a third NIC that should only be used for the mgmt of the node?
  1. NIC1 -> WAN (pfSense)
  2. NIC2 -> internal (pfSense & other guests)
  3. NIC3 -> mgmt
Did I get that right?

Linux bridges can be seen as virtual switches to which multiple other interfaces can connect. Those can be physical NICs or the NICs of guests (usually TAP interfaces). In order to make a physical interface available for your guests, you need a bridge.

In the PVE world, the bridges must be named vmbrX with X being a number.

With that in mind, you can configure a vmbr on NIC1 and NIC2. Define the corresponding physical NIC as bridge_port.
For mgmt only you can configure the IP address on which the PVE host should listen, directly on NIC3 without any vmbr necessary.
 
Aaron again answered it well.

To use nomenclature from your diagram.

1. Create Linux Bridge vmbr0, select eth0 as the bridge port, and add the comment "WAN" if you want to document it.
2. Create Linux Bridge vmbr1, select eth1 as the bridge port, check the "VLAN aware" option (this makes it a virtual trunk port/switch on the Proxmox side), and add the comment "lan switch" if you want to document it.
3. Management - 3 options here, and all will accomplish the same thing: making the Proxmox web UI accessible from another computer with a static management IP address even when the pfSense gateway is down. I am assuming vlan3 is your management VLAN; if not, obviously change to the correct number.
  • Edit eth3 directly and type in a static IP for the Proxmox node under CIDR and the pfSense gateway address for the management VLAN (assuming this is vlan3 from the diagram). Plug into a Cisco access port (untagged management VLAN).
  • Create Linux bridge vmbr3, select eth3 (or whatever the MB NIC is labeled as) for the bridge port. Then type in a static IP for the Proxmox node under CIDR and the pfSense gateway address for the management VLAN. Plug into a Cisco access port (untagged management VLAN).
  • Create Linux bridge vmbr3, type in eth3.3 (the added ".3" will tag this connection to vlan3) for the bridge port. Then type in a static IP for the Proxmox node under CIDR and the pfSense gateway address for the management VLAN. Plug into a Cisco general or trunk port (tagged management VLAN).
pfSense VM: under Hardware, add 2 network devices using vmbr0 and vmbr1 as bridges and use VirtIO. No need for VLAN tagging here. Within pfSense, use Vnet0/vmbr0 for WAN and Vnet1/vmbr1 for vlan2-6.

For all subsequent VMs created that require internet access, under Hardware add a network device using vmbr1, then type in the VLAN (2-6) number you want this VM within and off you go.

For all subsequent LXC containers created that require internet access, under Network add a network device using vmbr1, then type in the VLAN (2-6) number you want this VM within and off you go.
 
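An added example, not part of the thread and not Proxmox's own tooling: a small Python check over an `/etc/network/interfaces` file laid out as in the steps above, using management option 1 (static address directly on eth3). The sample file, its 192.0.2.x addresses, the `bridge-vids` range and the function names `parse` and `audit` are constructed for illustration.

```python
# Constructed sample for the thread's layout (management option 1); placeholder addresses.
SAMPLE = """\
iface eth0 inet manual
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
    bridge-ports eth1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto eth3
iface eth3 inet static
    address 192.0.2.10/24
    gateway 192.0.2.1
"""

def parse(text):
    """Return {interface: {option: value}} for every 'iface' stanza."""
    stanzas, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key, _, value = line.partition(" ")
        if key == "iface":
            cur = stanzas.setdefault(value.split()[0], {})
        elif key in ("auto", "allow-hotplug", "source"):
            cur = None  # these lines end the current stanza
        elif cur is not None and key and not key.startswith("#"):
            cur[key] = value.strip()
    return stanzas

def audit(text, wan="vmbr0", lan="vmbr1"):
    """List the ways the file departs from the layout in the thread."""
    s, out = parse(text), []
    for br in (wan, lan):  # guest-facing bridges carry no host IP in this layout
        if "address" in s.get(br, {}):
            out.append(f"{br}: host address on a guest-facing bridge")
    if s.get(lan, {}).get("bridge-vlan-aware") != "yes":
        out.append(f"{lan}: bridge-vlan-aware is not set")
    if not any("address" in o for n, o in s.items() if n not in (wan, lan, "lo")):
        out.append("no management address outside the guest bridges")
    return out
```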
