pfsense - how to get WAN2 for VMs

Boyd911

Hi there, I'm trying to connect my second proxmox host to a separate WAN for its VMs, but I need help.

I'm using the configuration as described in the attachment. I've two proxmox hosts;
a. PVE01 is connected directly to LAN/WAN1 using DHCP and Firewall from the ISP modem. So all VMs are accessible via LAN. It has one NIC - enp4s0.
b. PVE02 has 2 NICs - enp4s0 and enp5s0 and is accessible via LAN of ISP modem. I want to use the second WAN2 for the VMs, use pfsense to firewall that WAN, ideally run the VMs on the LAN.

Screenshot 2023-05-07 at 15.08.41.png
Does this configuration work on paper?

PVE02 is up and running. It has 2 NICs (enp4s0 and enp5s0) and 2 bridges (vmbr0, vmbr1). Vmbr0 is used to access the proxmox hosts. Vmbr1 is used to connect WAN2.

Installation of Pfsense VM works, but the VMs still use WAN1 (enp4s0 via vmbr0) while they should use WAN2 (enp5s0 via vmbr1). How can I resolve this?
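An added example, not part of the original post: a guest attached to a bridge that has a physical uplink can reach that network directly without passing through the pfSense VM, so this sketch lists such guests from a constructed `/etc/network/interfaces` and constructed `netN` lines. The internal bridge `vmbr2` (assumed here to carry the pfSense LAN), the VM names and the MAC addresses are assumptions; only `vmbr0`, `vmbr1`, `enp4s0` and `enp5s0` come from the post.

```python
import re

# Constructed sample of /etc/network/interfaces on PVE02. Bridge/NIC names for
# vmbr0 and vmbr1 are from the post; vmbr2 is a hypothetical internal bridge.
INTERFACES = """\
auto vmbr0
iface vmbr0 inet static
    bridge-ports enp4s0

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp5s0

auto vmbr2
iface vmbr2 inet manual
    bridge-ports none
"""

# Constructed netN lines as they appear in /etc/pve/qemu-server/<vmid>.conf
VM_NICS = {
    "100-pfsense": ["net0: virtio=BC:24:11:00:00:01,bridge=vmbr1",
                    "net1: virtio=BC:24:11:00:00:02,bridge=vmbr2"],
    "101-ubuntu": ["net0: virtio=BC:24:11:00:00:03,bridge=vmbr0"],
    "102-ubuntu": ["net0: virtio=BC:24:11:00:00:04,bridge=vmbr2"],
}

def bridge_ports(text):
    """Map each bridge to its list of physical ports ([] for 'none')."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"iface\s+(\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"\s+bridge[-_]ports\s+(.*)", line)
        if m and current:
            ports[current] = [p for p in m.group(1).split() if p != "none"]
    return ports

def bypassing_vms(ports, vm_nics, firewall_vm):
    """Return {vm: [(bridge, uplinks)]} for guests on a bridge with a physical uplink."""
    findings = {}
    for vm, nics in vm_nics.items():
        if vm == firewall_vm:
            continue  # the firewall VM is expected to sit on the WAN bridge
        for nic in nics:
            bridge = re.search(r"bridge=(\w+)", nic).group(1)
            if ports.get(bridge):
                findings.setdefault(vm, []).append((bridge, ports[bridge]))
    return findings
```

With the sample data, `bypassing_vms(bridge_ports(INTERFACES), VM_NICS, "100-pfsense")` reports only the guest on `vmbr0`.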
 
"Installation of Pfsense VM works, but after reboot, it asks if I want to install VLAN - I answer YES."

- Why use VLANs? Answer NO and check if your VMs have internet access and pfsense webgui access.
 
Ok, I gave pfsense the 2 NICs - one for LAN, one for WAN. But now VMs get the LAN IPs but still use WAN1. How can I configure pfsense so that VMs use WAN2 for their internet access?
 
Network cables:
  • enp4s0 connected via eth4 cable to an unmanaged switch connected to ISP modem (box12)
  • enp5s0 connected directly to box12 for WAN2 line
Managed switch - I don’t have a managed switch at the moment.
 
Is your ISP KPN? And your modem/router a KPN Box12?
I would suggest a managed switch, where you can route the WAN addresses (you get 6 ip addresses) via VLANs.
 
Yes it is. Have an 8 public ip bundle.

Ok a managed switch is quickly bought but how would that work? Any link or description on how to set that up?

I wanted to use pfsense firewall on each WAN.
 
8 public ip addresses indeed, but effectively 6 addresses you can use.

With a managed switch you can do per port vlans (untagged with PVID).
Or/and you can trunk vlans (tagged).
TP-Link and Netgear have several online guides/docs on how to configure vlans.
 
Correct - 6 public ips to use.
  1. Would you in case of using a managed switch not use pfsense?
  2. In case of managed switch and using vlans can they provide the VMs the local LAN IPs 192.168.2.x using the box12 DHCP? So that all my VMs are accessible from my LAN via ssh.
Sorry for the newbie questions. Have no experience with pfsense and vlans.
 
1. I use OPNsense (vlans enabled) AND managed switches (vlans) in my home network.
2. yes.

Maybe you should read more about vlans first, try to understand and master the concept.
It's not rocket science.
 
ok, am already studying vlans - don’t seem that hard. And from your answer I get that opnsense or pfsense could be both used.

Ok bought a TP-Link ER7212PC - multi wan/managed router/vlan capable.
 
So now you have two routers.....
If it is possible, I would remove the Box12 and only use the tp-link router.
That is for making things easier for yourself (or you want to double NAT and give yourself headaches..).

I was wondering with only a KPN Box12 (and no managed switch), how do you separate/manage (vlan) the 6 public ip addresses...?
This modem/router has a built-in switch with 4 ports, but not "managed".
 
Hum, I didn't want to replace box12 - I need that for some TV channels.

But was wondering how to assign those 6 public IPs to the VLAN per host without having a WAN router. But maybe a managed switch can deal with that. Haven't played with a managed switch and watched some YouTube videos on it.

If you have a recommendation for a managed switch that allows me to build 6 vlans each with a dedicated WAN setting then this could work.
 
Why did you buy this TP-Link ER7212PC router so fast.....?

I recently did an installation at a friend's house, also KPN and Box12.
I replaced the Box12 with a DrayTek Vigor 2927F, this gave me so much more options for configuration.
IPTV also works with this DrayTek.

Anyway.....
You can connect your tp-link router (WAN port) to the Box12 (LAN port). Disable DHCP on LAN side (not sure, test this).
From there you somehow have to trunk a port with your 6 public ip addresses (Tagged) towards pfSense/vmbrX.
Then create interfaces in pfSense with the corresponding public ip addresses in it.
Again, this setup is also new for me. And remember that the Box12 is hard to configure, KPN firmware locked very much everything for a few options to change.
 
Thanks for your replies - super appreciated.

“Why buy so fast” - I wouldn't say I like to wait and need a solution. But didn't do the most thoughtful thing;-(

I could swap the TP-link for the Draytek Vigor and then replace the Box12 of KPN with it - if that makes sense. Please, advise.

But will I encounter new challenges with KPN and IPTV if I replace the box12? If so, I don't like to do that.

I've started a conversation; I hope you're ok with that.

I think you suggested the setup below.

IMG_0030.jpeg
 
Ok situation has evolved, see diagram and pfsense dashboard.

So actually, in this scenario, there are two routes to the internet via WAN1 and WAN2. But I'd like the VMs only to use WAN2.

How to do that in pfsense?

Something weird is happening. I set up pfsense with static IP, no DHCP, and I use Ubuntu VMs. During installation of the VM, it asks to confirm its networking setup and I manually define an IP outside the DHCP range. I can ssh that VM from LAN.

I found out the VM doesn't have internet access and ping won't work. So I assume that in this case, pfsense firewall blocks it?

Screenshot 2023-05-13 at 07.49.20.png

Screenshot 2023-05-12 at 14.30.35.png
 