pfSense and bridged networks

proxwolfe

Jun 20, 2020
Hi,

I want to virtualize pfSense on my proxmox host which has its own built-in NIC (eno1) and a PCIe quad port NIC as well.

vmbr0 is connected to the eno1 NIC. A virtual NIC on vmbr0 is allocated to the pfSense VM and there constitutes the WAN port (vtnet0).

Now my idea is to use a port on the quad port NIC and create vmbr1 in proxmox on it and make it VLAN aware. I would then allocate another virtual NIC to the pfSense VM (vtnet1) from vmbr1. In pfSense I would set up several VLANs (VLAN1, VLAN2, etc.) on this virtual NIC (vtnet10.1, vtnet10.2, etc.).

Now my question: Will all those VLANs created inside pfSense be available at the vmbr1 level? And will I be able to create more virtual NICs for other VMs and pass only one VLAN each (e.g. VLAN1 to VM1, VLAN2 to VM2 etc.)?

As far as I understand, I can pass a VLAN on a virtual NIC to a VM (so the answer to my second question should be 'yes'). But I am unsure as to whether I can pass more than one VLAN out of my pfSense VM to vmbr1. Because when I create a virtual NIC in proxmox (the vtnet1 for pfSense) I have the choice of either adding no VLAN tag or one VLAN tag. If I add no VLAN tag, does this mean all VLANs are passed through or does it mean none are passed through?

Thanks for your help!
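The layout the post describes, written out as Proxmox configuration. This is an added example, not configuration from the original thread: the VM IDs (100, 101, 102), the VLAN IDs (10, 20), the MAC addresses and the physical port name ens3f0 are assumed. On a VLAN-aware bridge a VM NIC with no `tag` is a trunk port that receives every VLAN tagged (Proxmox adds VLAN IDs 2-4094 to that tap port), so pfSense sees all VLAN tags on vtnet1; a NIC with `tag=N` is an access port, the guest sees untagged frames and the bridge tags them with N on the way in and strips N on the way out.

```ini
# /etc/network/interfaces on the Proxmox host (excerpt; port name assumed)
auto vmbr1
iface vmbr1 inet manual
        bridge-ports ens3f0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

# /etc/pve/qemu-server/100.conf  (pfSense VM; VM ID assumed)
# net0 is WAN (vtnet0 inside pfSense); net1 has no tag, so it is a trunk
# carrying all VLANs to vtnet1, where the VLAN interfaces are defined in pfSense.
net0: virtio=AA:BB:CC:00:00:10,bridge=vmbr0
net1: virtio=AA:BB:CC:00:00:11,bridge=vmbr1
# Optional alternative for net1: restrict the trunk to the VLANs pfSense defines
# net1: virtio=AA:BB:CC:00:00:11,bridge=vmbr1,trunks=10;20

# /etc/pve/qemu-server/101.conf  (VM1: gets only VLAN 10, untagged inside the guest)
net0: virtio=AA:BB:CC:00:01:01,bridge=vmbr1,tag=10

# /etc/pve/qemu-server/102.conf  (VM2: gets only VLAN 20)
net0: virtio=AA:BB:CC:00:02:01,bridge=vmbr1,tag=20
```

The same VM-side settings can be applied from the host shell with `qm set 101 -net0 virtio,bridge=vmbr1,tag=10` (and `tag=20` for VM 102); inside pfSense the VLANs are then created under Interfaces > Assignments > VLANs with vtnet1 as the parent and 10 and 20 as the tags. The `trunks` line is the knob to use if pfSense should only ever see a defined set of VLANs on vtnet1 rather than the whole 2-4094 range.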
 
pfSense is running with two virtual NICs on vmbr0 and vmbr1, respectively. The NIC on vmbr0 is WAN and on the NIC on vmbr1 I have created several VLANs. These VLANs are being served out by my AP (SSIDs linked to the VLANs). I can connect to the Wifi, get an IP from the respective range, surf the web, everything works fine.

BUT: I have set up another VM in proxmox and assigned it a virtual NIC that also connects to vmbr1. I have tagged it for one of the VLANs in pfSense. The VM obtains an IP from pfSense's DHCP server in the expected range. I can browse to pfSense as the gateway for this VLAN. I can ping hosts outside pfSense, e.g. google.com, (so the packets must be going through pfSense) but I can't browse any sites beyond pfSense (timeout error).

Any ideas what might be causing this?
 
Update:

I have created another bridge vmbr2 on yet another physical port (ens3f1) which is connected to the same physical switch that the physical port behind vmbr1 is connected to as well. I have added both ports on the switch to the same VLAN and now it works.

So instead of going through only vmbr1, the packets now go through vmbr1 -> PhysSwitch -> vmbr2 and suddenly it works. Why? Or rather: Why does it not work when they only go through vmbr1???
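A check for exactly this situation, added here and not part of the original thread (the port names and the `bridge vlan show` output it contains are constructed sample data). On the Proxmox host, `bridge vlan show` lists which VLAN IDs each bridge port is a member of: the physical port, the bridge itself, and each VM's tapNNNiM interface. A frame tagged VLAN N can only cross vmbr1 from one VM port to another if both ports list N, either directly or inside a range such as 2-4094; a VM port that shows only a single PVID line is an access port for that VLAN alone, and a port with no entry for N will drop those frames. The script parses that output and answers the question for a given VLAN and pair of ports, which is the first thing to compare between the vmbr1-only path and the vmbr1 -> switch -> vmbr2 path.

```shell
#!/bin/sh
# Added example: which bridge ports carry a given VLAN, parsed from
# `bridge vlan show` output. Port names and the sample below are constructed.

# Constructed sample of what `bridge vlan show` prints for a VLAN-aware vmbr1
# with an untagged (trunk) pfSense port tap100i1 and two VM ports tagged 10 and 20.
SAMPLE_VLAN_SHOW='port              vlan-id
ens3f0            1 PVID Egress Untagged
                  2-4094
vmbr1             1 PVID Egress Untagged
                  2-4094
tap100i1          1 PVID Egress Untagged
                  2-4094
tap101i0          10 PVID Egress Untagged
tap102i0          20 PVID Egress Untagged'

# ports_with_vid VID [FILE]: print, one per line, every port whose membership
# includes VID. Without FILE the constructed sample is parsed; pass a file, or
# "-" to read the live `bridge vlan show` output from stdin.
ports_with_vid() {
    vid="$1"
    {
        if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_VLAN_SHOW"; fi
    } | awk -v want="$vid" '
        NR == 1 && $1 == "port" { next }            # skip the header line
        {
            start = 1
            # a line that starts in column 1 names a new port; continuation
            # lines (more VLAN entries for the same port) are indented
            if ($0 ~ /^[^ \t]/) { port = $1; start = 2 }
            for (i = start; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/) {              # single VLAN id
                    if ($i + 0 == want + 0) seen[port] = 1
                } else if ($i ~ /^[0-9]+-[0-9]+$/) { # id range, e.g. 2-4094
                    split($i, r, "-")
                    if (want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0) seen[port] = 1
                }
                # flag words (PVID, Egress, Untagged) are neither and are ignored
            }
        }
        END { for (p in seen) print p }' | sort
}

# vlan_path_ok VID PORT_A PORT_B: succeed (0) only if both ports carry VID,
# i.e. frames tagged VID can pass between them through the bridge.
vlan_path_ok() {
    list=$(ports_with_vid "$1")
    for p in "$2" "$3"; do
        printf '%s\n' "$list" | grep -qx "$p" || return 1
    done
    return 0
}
```

On a live host, save the output first (`bridge vlan show > /tmp/vlans.txt`) and then ask `ports_with_vid 10 /tmp/vlans.txt` or `vlan_path_ok 10 tap100i1 tap101i0`. With the sample data VLAN 10 is carried by ens3f0, vmbr1, the trunk port tap100i1 and the access port tap101i0, so the pfSense-to-VM1 path is fine, while VLAN 20 between tap100i1 and tap101i0 fails because tap101i0 only belongs to VLAN 10. The tap membership is set when the VM is started; if a VM port is missing the VLAN it should have, compare the VM's `net` line and the bridge's `bridge-vlan-aware`/`bridge-vids` settings against what the bridge actually reports before looking at firewall rules or traceroutes.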
 
So what does a traceroute on vmbr1 vs vmbr2 look like? Are all your firewall rules set correctly?
 
Hmm. :(

After I had to shut down pfSense and proxmox (to work on the host hardware for another VM), the "table" has turned: now I can actually connect from another VM with a virtual NIC that sits on vmbr1. But the same VM cannot connect with a virtual NIC that sits on vmbr2. My head is about to explode.

The firewall rules should not affect the situation - while I am setting this all up, I have set them to allow all traffic through on the LAN and OPTx interfaces.
 
Thanks for the suggestion.

It was already functional - before I restarted.

But, of course, I am going to start from scratch.
 