Pfsense as transparent firewall

H

hypemedia

New Member
Nov 7, 2019
2
0
1
46
I am new to Proxmox and try to find out if is a better solution than the current esxi setup we have.

I have a physical server with 2 VMs. One vm is Pfsense that I want to use in transparent bridge and filter the traffic, the other one is a test VM.


Code: 
auto lo
iface lo inet loopback

auto enp2s0
iface enp2s0 inet manual
up /sbin/ip link set enp2s0 promisc on

auto enp0s25
iface enp0s25 inet manual
up /sbin/ip link set enp0s25 promisc on

auto vmbr0
iface vmbr0 inet static
        address  192.168.1.8
        netmask  24
        gateway  192.168.1.2
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        bridge_ageing 0
#lan

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp0s25
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        bridge_ageing 0
#wan

auto vmbr2
iface vmbr2 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        bridge_ageing 0
#dmz

The NAT part works as expected and I have traffic from lan to wan, the problems is that I don't have any traffic between WAN and DMZ. On pfsense I have bridged the 2 interfaces that connect to WAN respectively to DMZ.

I know from esxi that the vswitch (bridge)must be in promiscuous mode in order to work. I did activate promiscuous mode on vmbr2 but still no luck.

The Pfsense setup is identical with what I have form esxi so don't think the problem is there. I imagine it is some configuration that I do wrong in proxmox.

Can somebody help me with some advice.

Thanks
 
hypemedia said:
up /sbin/ip link set enp2s0 promisc on
Click to expand...
The linux bridge automatically sets the ports in promiscous mode - so the above line (and the one for enp0s25) should not be needed.

Of the top of my head I don't see a problem in the posted config ...

One thing that probably would help in analyzing this is checking where the traffic gets lost with tcpdump:
* `tcpdump -envi <iface>`
where you let tcpdump run inside a guest with a DMZ-interface, and on:
* vmbr2
* vmbr1
* both interfaces and the bridge inside the pfsense
* enp0s25

(then run a ping or generate some other traffic)

I hope this helps!
 
Thanks for the suggestions I will try that. What adds an extra layer of complexity is that each machine is connected to internet via an PPPOE connexion.
 
You must log in or register to reply here.
Top Bottom