[SOLVED] Pfsense in Proxmox and VLANs

L

lumox

Member
May 29, 2020
111
5
23
42
Hi,
For the time being, I've installed pfSense in Proxmox as a VM. Here is the diagram:

Proxmox01.jpeg
On NIC1 is my WAN connected to my ISP router in, say, DMZ

Here is my Proxmox network setup:
proxmox-network.jpg

In pfSense the two virtual switch are seen this way:

pfSense-interface_dash.jpg

pfsense-interface.jpg

Basically the LAN above with IP 192.168.5.1 manages both Vms in Proxmox and any devices connected to the esternal physical swith on the NIC2.

Everything works greats BUT, for learning purpose, I'd like now to rearrange my network and create VLANs: VLAN10, VLAN20, and VLAN30.

VLAN10 for VMs in Proxmox, my desktop and my private WIFI. VLAN20 for my IoT, and VLAN30 for guest wifi and maybe for one ethernet port on the physical swith. I'm going to use a DD-WRT device to accomplish that. I think that I don't need to change any setup on my WAN port since I also want to access Proxmox from WAN port

Before going on I'd like to figure a few things out and make up my mind on the Proxmox side first.

1) Should I enable 'Vlan aware' in Proxmox for the virtual switch vmbr1:

vlan_aware.jpg


2) Do I need to set up VLAN tag for any VM here too (the windows VM in thie case below?

windowsVLAN.jpg

Please your thought and advice on my project.

Thanks
 

Attachments

  • Proxmox01.jpeg
    Proxmox01.jpeg
    96.3 KB · Views: 197
Last edited:
There are two ways.

Option 1: Do it like you explained it. Enabling "vlan aware" and setting the "VLAN Tag" for you VMs virtual NICs.
Option 2: Create a dedicated VLAN Interface and dedicated bridge for each VLAN on your PVE host.

And you might want to use tagged VLANs (aka trunk) if you want to use different VLANs on that switch that is only connected using a single NIC to your PVE host.
 
Dunuin said:
There are two ways.

Option 1: Do it like you explained it. Enabling "vlan aware" and setting the "VLAN Tag" for you VMs virtual NICs.
Option 2: Create a dedicated VLAN Interface and dedicated bridge for each VLAN on your PVE host.
Click to expand...
I dont' think I have understood option 2..anyway
I'll most likely go for option 1, but I need to make sure that I got it right.
So, when I enable "VLAN aware" on the virtual bridge (vmbr1) it would be as if I had set up a trunk port for my VLANS? Correct?

Dunuin said:
And you might want to use tagged VLANs (aka trunk) if you want to use different VLANs on that switch that is only connected using a single NIC to your PVE host.
Click to expand...

Are you talking about the PHYSICAL switch (a DD-WRT device for the record) that I'm going to attach at the physical NIC (enp5s1)?

Thank you
 
lumox said:
I dont' think I have understood option 2..anyway
I'll most likely go for option 1, but I need to make sure that I got it right.
So, when I enable "VLAN aware" on the virtual bridge (vmbr1) it would be as if I had set up a trunk port for my VLANS? Correct?
Click to expand...
Yes, enabling it basically allows it to carry tagged vlans like a trunk. Without it can only use untagged traffic.
lumox said:
Are you talking about the PHYSICAL switch (a DD-WRT device for the record) that I'm going to attach at the physical NIC (enp5s1)?
Click to expand...
Yes. According to your diagram you want to use that physical switch with multiple VLANs for IoT, Guests, LAN and so on so you need a managed switch that can handle tagged vlans and you need to configure both to use it.
 
I use pfSense and run in on a VM in my ProxmoxVE cluster, I have 3 bridges set up on each of my Proxmox nodes and none of them are set to be VLAN aware.

vmbr0 is set as my virtual machine traffic where all of my LAN-based VLANs will travel.
vmbr1 is for communicating with other Proxmox nodes
vmbr2 is for communication to the Storage network and all my storage servers.

Then for my pfSense, VM I have the following network devices configured:

net0 = WAN connection and is tagged as VLAN 100
net1 = Base LAN connection and is untagged
net2 = My virtual server VLAN and is tagged as VLAN 200

If I add a VLAN to my network I create another interface on the VM, tag the network device as needed and then add it into pfSense as if it was a physical NIC connected to a separate physical network. The reason I did it this way is that all the traffic other than the base LAN (which is for switches and wireless APs) is so that the pfSense VM can run on any host, it is also why my WAN is on a VLAN that only pfSense makes use of and is set as untagged on the switch the modem connects to with access to no tagged VLANs.
 
Astraea said:
I use pfSense and run in on a VM in my ProxmoxVE cluster, I have 3 bridges set up on each of my Proxmox nodes and none of them are set to be VLAN aware.

vmbr0 is set as my virtual machine traffic where all of my LAN-based VLANs will travel.
vmbr1 is for communicating with other Proxmox nodes
vmbr2 is for communication to the Storage network and all my storage servers.

Then for my pfSense, VM I have the following network devices configured:

net0 = WAN connection and is tagged as VLAN 100
net1 = Base LAN connection and is untagged
net2 = My virtual server VLAN and is tagged as VLAN 200
Click to expand...
ok
According to my goal, as for pfSense only, do I need to delete LAN interface and add only VLAN interfaces? Please see image four. Thanks
 
If you are using a single NIC virtual or otherwise to pass tagged and untagged traffic you will need to have a base interface in pfSense. as they are all technically going over a single connection between pfSense and the switch. You would then add the VLANs to pfSense as well as the switch your node is connected to allow the tags to work. I used to set it up with a single LAN and then add the VLANs to pfSense and used OVS in Proxmox but it's been a while since I did it that way.
 
Astraea said:
If you are using a single NIC virtual or otherwise to pass tagged and untagged traffic you will need to have a base interface in pfSense. as they are all technically going over a single connection between pfSense and the switch. You would then add the VLANs to pfSense as well as the switch your node is connected to allow the tags to work. I used to set it up with a single LAN and then add the VLANs to pfSense and used OVS in Proxmox but it's been a while since I did it that way.
Click to expand...

Ok I think I got it right ...for the most part at least.
In order to make it as simple as possible, I decided to create two VLANs only

I set up VLANs in pfSense first:

vlan.jpg
intervlan.jpg

then I tagged a VM's network device (My Windows VM in Proxmox in this case):

tag windows VM.jpg

For VLAN10, I set 192.168.10.0/24 as its network in pfsense and also set a dhcp server. Ok. it works perfectly. The windows VM got its IP! Great.
I can acces internet from my Windows VM which is now on VLAN10.

I got a little problem though.
From my Windows VM I can ping a PC on my real physical network, but I can ping it from my PC.
However, I can ping the VLAN gateway 192.168.10.1 either from my external PC and from my physical external router via its terminal as well.

There must be a problem with the firewall, but I wasn't able to figure it even though I already had set a WAN rule in pfsense:

wan rule.jpg


Could anyone help me with this issue please?
Thanks
 
Last edited:
This is strange. I restarted all my devices this morning, I tried it again, and it turned out that I can now open a Remote Desktop session from my external PC to my Windows VM in Proxmox in VLAN10, but I still can't ping it!
 
Sorry to bring this up again. I'm looking to do the same thing and I've now created the VLAN10 so that other VMs on the same PVE can join the VLAN using a tag(basically option 1 in this thread).

However, other machines connected to the LAN unmanaged switch(which is connected to the LAN port of PVE host) or even directly connected to the PVE host NIC aren't able to join VLAN10 even with manual IP and VLAN tag.

Did you managed to run VLAN on your switch?
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back