Pfsense as transparent firewall

hypemedia

New Member
Nov 7, 2019
I am new to Proxmox and am trying to find out if it is a better solution than the current ESXi setup we have.

I have a physical server with 2 VMs. One VM is pfSense, which I want to use as a transparent bridge to filter the traffic; the other one is a test VM.


Code:
auto lo
iface lo inet loopback

auto enp2s0
iface enp2s0 inet manual
up /sbin/ip link set enp2s0 promisc on

auto enp0s25
iface enp0s25 inet manual
up /sbin/ip link set enp0s25 promisc on

auto vmbr0
iface vmbr0 inet static
        address  192.168.1.8
        netmask  24
        gateway  192.168.1.2
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        bridge_ageing 0
#lan

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp0s25
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        bridge_ageing 0
#wan

auto vmbr2
iface vmbr2 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        bridge_ageing 0
#dmz

The NAT part works as expected and I have traffic from LAN to WAN; the problem is that I don't have any traffic between WAN and DMZ. On pfSense I have bridged the 2 interfaces that connect to WAN and DMZ respectively.

I know from ESXi that the vswitch (bridge) must be in promiscuous mode in order to work. I did activate promiscuous mode on vmbr2 but still no luck.

The pfSense setup is identical to what I have on ESXi, so I don't think the problem is there. I imagine it is some configuration that I am doing wrong in Proxmox.

Can somebody help me with some advice?

Thanks
 
up /sbin/ip link set enp2s0 promisc on
The Linux bridge automatically sets the ports in promiscuous mode, so the above line (and the one for enp0s25) should not be needed.

Off the top of my head I don't see a problem in the posted config ...

One thing that probably would help in analyzing this is checking where the traffic gets lost with tcpdump:
* `tcpdump -envi <iface>`
where you let tcpdump run inside a guest with a DMZ-interface, and on:
* vmbr2
* vmbr1
* both interfaces and the bridge inside the pfsense
* enp0s25

(then run a ping or generate some other traffic)

I hope this helps!
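The capture procedure from the reply above, turned into a script, as an added example that is not part of the thread or of Proxmox. It uses the bridge and NIC names from the posted /etc/network/interfaces (vmbr2, vmbr1, enp0s25); the guest addresses in the constructed sample lines, the tcpdump flags beyond -e/-n/-i, and the `capture`/`demo` usage are assumptions. It runs tcpdump on every host-side hop at once, then reports where the echo request was last seen on the way out and where the reply was last seen on the way back:

```shell
#!/bin/sh
# Added example (not from the thread): trace an ICMP ping hop by hop across
# the Proxmox bridges so you can see where it disappears. Interface names
# come from the poster's /etc/network/interfaces; everything else is assumed.
# Run the capture mode as root on the Proxmox host.

# Capture points in the order a request from a DMZ guest travels outward:
# DMZ bridge -> (pfSense bridge, captured inside the guest) -> WAN bridge ->
# physical WAN NIC. A reply takes the same path in reverse.
HOPS="vmbr2 vmbr1 enp0s25"

# capture_all <secs> <dir>: one tcpdump per hop in parallel for <secs>
# seconds, writing link-level (-e), unresolved (-n), line-buffered (-l)
# output for ICMP only to <dir>/<hop>.txt.
capture_all() {
    secs=$1; dir=$2
    for h in $HOPS; do
        timeout "$secs" tcpdump -enli "$h" icmp > "$dir/$h.txt" 2>/dev/null &
    done
    wait
}

# count_icmp <file> <request|reply>: number of "ICMP echo <kind>" lines.
count_icmp() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c "ICMP echo $2" "$1" || true
}

# last_hop_with <dir> <request|reply>: last hop in HOPS order whose capture
# contains that kind of packet, or "none". For requests that is the furthest
# point the outbound packet reached; for replies, the furthest point back
# toward the guest the answer reached.
last_hop_with() {
    dir=$1; kind=$2; last=none
    for h in $HOPS; do
        [ "$(count_icmp "$dir/$h.txt" "$kind")" -gt 0 ] && last=$h
    done
    echo "$last"
}

# report <dir>: per-hop counts plus the two "last seen" lines.
report() {
    dir=$1
    for h in $HOPS; do
        printf '%-8s requests=%s replies=%s\n' "$h" \
            "$(count_icmp "$dir/$h.txt" request)" \
            "$(count_icmp "$dir/$h.txt" reply)"
    done
    echo "request last seen at: $(last_hop_with "$dir" request)"
    echo "reply   last seen at: $(last_hop_with "$dir" reply)"
}

# make_sample_captures <dir>: constructed tcpdump lines (not a real capture)
# modelling the poster's symptom: a DMZ guest at 10.10.10.20 pings 192.0.2.1,
# the request is seen on vmbr2 only and never on vmbr1, so no reply exists.
make_sample_captures() {
    dir=$1
    cat > "$dir/vmbr2.txt" <<'EOF'
10:00:01.000001 52:54:00:12:34:56 > 52:54:00:ab:cd:ef, ethertype IPv4 (0x0800), length 98: 10.10.10.20 > 192.0.2.1: ICMP echo request, id 7, seq 1, length 64
10:00:02.000001 52:54:00:12:34:56 > 52:54:00:ab:cd:ef, ethertype IPv4 (0x0800), length 98: 10.10.10.20 > 192.0.2.1: ICMP echo request, id 7, seq 2, length 64
EOF
    : > "$dir/vmbr1.txt"
    : > "$dir/enp0s25.txt"
}

# Usage: sh trace_ping.sh capture 10   (start a ping from the DMZ guest meanwhile)
#        sh trace_ping.sh demo         (constructed data, no tcpdump needed)
case "${1:-}" in
    capture) d=$(mktemp -d); capture_all "${2:-10}" "$d"; report "$d" ;;
    demo)    d=$(mktemp -d); make_sample_captures "$d"; report "$d"; rm -rf "$d" ;;
esac
```

The pfSense interfaces are not visible from the host, so capture them from the pfSense shell with `tcpdump -eni` on each bridged member (vtnet1 and vtnet2 are assumed names for virtio NICs) while the host capture runs. If the request shows up on vmbr2 but never on the guest's DMZ-side interface or on vmbr1, check whether the firewall option is enabled on that VM NIC in Proxmox: the Proxmox VE firewall's MAC filter, which is on by default once a NIC has the firewall enabled, drops frames leaving the VM whose source MAC is not the VM's own, and a transparently bridged pfSense forwards frames with the original source MAC of the DMZ guest.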
 
Thanks for the suggestions, I will try that. What adds an extra layer of complexity is that each machine is connected to the internet via a PPPoE connection.