Pfsense as transparent firewall

hypemedia

New Member
Nov 7, 2019
I am new to Proxmox and am trying to find out if it is a better solution than the current ESXi setup we have.

I have a physical server with 2 VMs. One VM is pfSense, which I want to use as a transparent bridge to filter the traffic; the other one is a test VM.


Code:
auto lo
iface lo inet loopback

auto enp2s0
iface enp2s0 inet manual
up /sbin/ip link set enp2s0 promisc on

auto enp0s25
iface enp0s25 inet manual
up /sbin/ip link set enp0s25 promisc on

auto vmbr0
iface vmbr0 inet static
        address  192.168.1.8
        netmask  24
        gateway  192.168.1.2
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        bridge_ageing 0
#lan

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp0s25
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        bridge_ageing 0
#wan

auto vmbr2
iface vmbr2 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        bridge_ageing 0
#dmz

The NAT part works as expected and I have traffic from LAN to WAN; the problem is that I don't have any traffic between WAN and DMZ. On pfSense I have bridged the 2 interfaces that connect to WAN and DMZ respectively.

I know from ESXi that the vswitch (bridge) must be in promiscuous mode in order to work. I did activate promiscuous mode on vmbr2, but still no luck.

The pfSense setup is identical to what I have on ESXi, so I don't think the problem is there. I imagine it is some configuration that I am doing wrong in Proxmox.

Can somebody help me with some advice?

Thanks
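A check for the promiscuous-mode question in the post above, added here as an example and not part of the original post: the Linux kernel exposes each interface's flags in sysfs, and bit 0x100 (IFF_PROMISC) tells you whether a port is actually promiscuous, whatever `/etc/network/interfaces` says. The script lists the ports enslaved to a bridge from `/sys/class/net/<bridge>/brif/` (on Proxmox the guest NICs show up there as `tap<vmid>i<n>`) and decodes each port's flags. The sysfs root is a parameter, and `build_fake_sysfs` is an assumed helper that writes a constructed tree so the check can be exercised offline.

```python
"""Report which ports of a Linux bridge carry IFF_PROMISC, read from sysfs.

Added example (not from the thread). Run on the host as:
    python3 bridge_promisc.py vmbr0 vmbr1 vmbr2
"""
import os
import sys

IFF_PROMISC = 0x100  # bit set in /sys/class/net/<iface>/flags when promiscuous


def read_flags(iface, sysfs_root="/sys/class/net"):
    """Return the interface flags as an int (the file holds a hex string like 0x1103)."""
    with open(os.path.join(sysfs_root, iface, "flags")) as f:
        return int(f.read().strip(), 16)


def is_promisc(iface, sysfs_root="/sys/class/net"):
    return bool(read_flags(iface, sysfs_root) & IFF_PROMISC)


def bridge_ports(bridge, sysfs_root="/sys/class/net"):
    """Names of the ports enslaved to a bridge; [] if it has none or does not exist."""
    brif = os.path.join(sysfs_root, bridge, "brif")
    if not os.path.isdir(brif):
        return []
    return sorted(os.listdir(brif))


def bridge_report(bridge, sysfs_root="/sys/class/net"):
    """Return {port: promisc_bool} for every port enslaved to the bridge."""
    return {p: is_promisc(p, sysfs_root) for p in bridge_ports(bridge, sysfs_root)}


def build_fake_sysfs(root, bridges):
    """Constructed sysfs tree for offline use: bridges = {bridge: {port: flags_hex}}."""
    for br, ports in bridges.items():
        os.makedirs(os.path.join(root, br, "brif"), exist_ok=True)
        with open(os.path.join(root, br, "flags"), "w") as f:
            f.write("0x1003\n")  # bridge itself: UP, BROADCAST, MULTICAST, no PROMISC
        for port, flags in ports.items():
            os.makedirs(os.path.join(root, port), exist_ok=True)
            os.makedirs(os.path.join(root, br, "brif", port), exist_ok=True)
            with open(os.path.join(root, port, "flags"), "w") as f:
                f.write(flags + "\n")


if __name__ == "__main__":
    for br in sys.argv[1:] or ["vmbr0", "vmbr1", "vmbr2"]:
        report = bridge_report(br)
        if not report:
            print(f"{br}: no enslaved ports (or bridge missing)")
            continue
        for port, promisc in report.items():
            print(f"{br} port {port}: promisc={'on' if promisc else 'OFF'}")
```

A physical port that was enslaved to the bridge normally shows 0x1103 here even without the `promisc on` lines; a port stuck at 0x1003 is the one to look at.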
 
`up /sbin/ip link set enp2s0 promisc on`
The Linux bridge automatically sets the ports in promiscuous mode, so the above line (and the one for enp0s25) should not be needed.

Off the top of my head I don't see a problem in the posted config ...

One thing that probably would help in analyzing this is checking where the traffic gets lost with tcpdump:
* `tcpdump -envi <iface>`
where you let tcpdump run inside a guest with a DMZ-interface, and on:
* vmbr2
* vmbr1
* both interfaces and the bridge inside the pfsense
* enp0s25

(then run a ping or generate some other traffic)

I hope this helps!
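A way to work through the capture procedure above, added here as an example and not code from the reply's author: save each point's `tcpdump -envi <iface>` output to a file while a guest behind vmbr2 pings something on the WAN side, then let `diagnose()` count ICMP echo requests and replies per point and name the first point along the path where they stop. The capture-point names in `PATH`, the `icmp_line` generator and all sample lines are constructed for this example.

```python
"""Locate the capture point where pings disappear along a bridged path.

Added example (not from the thread). Usage with real captures:
    python3 locate_loss.py guest-eth0.txt vmbr2.txt pfsense-dmz.txt \
        pfsense-wan.txt vmbr1.txt enp0s25.txt
(one file per point, in the same order as PATH).
"""
import re
import sys

# Capture points ordered from the pinging guest outward (names assumed).
PATH = ["guest-eth0", "vmbr2", "pfsense-dmz", "pfsense-wan", "vmbr1", "enp0s25"]

ICMP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Count ICMP echo requests and replies in one tcpdump -env capture."""
    counts = {"request": 0, "reply": 0}
    for line in text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            counts[m.group("kind")] += 1
    return counts


def diagnose(captures, path):
    """captures: {point_name: tcpdump output}; path: points from the guest outward.

    Returns ("request", point) for the first point that never saw an echo request
    (the forward path breaks just before it), ("reply", point) for the first point,
    walking back from the far end, that never saw a reply (the return path breaks
    just before it), or ("ok", None) when every point saw both directions."""
    counts = {p: parse_capture(captures.get(p, "")) for p in path}
    for p in path:
        if counts[p]["request"] == 0:
            return "request", p
    for p in reversed(path):
        if counts[p]["reply"] == 0:
            return "reply", p
    return "ok", None


def icmp_line(kind, seq, src="10.10.10.5", dst="192.168.1.2"):
    """Constructed line pair in the shape tcpdump -env prints for ICMP (addresses made up)."""
    return (
        f"12:00:0{seq}.000100 52:54:00:11:22:33 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), "
        f"length 98: (tos 0x0, ttl 64, id {seq}, offset 0, flags [DF], proto ICMP (1), length 84)\n"
        f"    {src} > {dst}: ICMP echo {kind}, id 42, seq {seq}, length 64"
    )


def requests_only(n=2):
    return "\n".join(icmp_line("request", s) for s in range(1, n + 1))


def both_directions(n=2):
    lines = []
    for s in range(1, n + 1):
        lines.append(icmp_line("request", s))
        lines.append(icmp_line("reply", s, src="192.168.1.2", dst="10.10.10.5"))
    return "\n".join(lines)


# Constructed scenario matching the symptom in the thread: requests reach the
# pfSense DMZ interface but never appear on its WAN interface or beyond.
SAMPLE_LOST_IN_PFSENSE = {p: requests_only() for p in PATH[:3]}


if __name__ == "__main__":
    if len(sys.argv) == len(PATH) + 1:
        captures = {p: open(f).read() for p, f in zip(PATH, sys.argv[1:])}
    else:
        captures = SAMPLE_LOST_IN_PFSENSE
    print(diagnose(captures, PATH))
```

Capturing on all six points at once (one tcpdump per terminal, or backgrounded with `-w` files) keeps the seq numbers comparable across points.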
 
Thanks for the suggestions, I will try that. What adds an extra layer of complexity is that each machine is connected to the internet via a PPPoE connection.