pfSense installation

  • Thread starter: flatlander

flatlander

Guest
Here's my goal:

(I tried doing a diagram of this unsuccessfully)

Install PVE and pfSense as a virtual machine.

Have pfSense VM handle the incoming internet connection as DHCP, then fork it out to a LAN network, which will include the PVE console, a VM file server and a LAN switch.

Also on the pfSense VM will be a second fork (vbridge?) handling a VM webserver in a DMZ.

Also on the pfSense VM will be a third fork (vbridge?) handling a wireless router for guests and laptops to hook up to for internet service, walled off from the LAN.

I have tried reading the forum posts, FAQ and documentation. I've been experimenting with configs for days, without any luck.

I know this is doable -- I had a Xenserver machine doing exactly this. But I couldn't get the dependencies resolved for NUT or APCUPSD, so I'm returning to the old reliable, Debian.

It's essentially virtualizing my firewall installation to save on upgrades and electricity.

Anybody got anything like this running, and willing to offer some insight into the /etc/network/interfaces file?
 
Hi,

Not done the same but we use a Vyatta VM as the internet proxy for PVE, and that has proved very solid. We also use a pfSense VM on a VLAN (untagged in switch bridged to virtual NIC) to allow controlled wifi access to the network. pfSense was tricky to set up though.


JS
 
We have some pfSense firewalls inside Proxmox. No problems here.

For your project you need many network cards in the host, or create many vmbrs on the same eth (you need to edit /etc/network/interfaces), then add each vmbr to the pfSense VM (LAN, WAN, OPT1, OPT2, etc.) via the Proxmox web interface. For security, many hardware interfaces are better.
 
I have one on-board network card and two PCI cards in my machine, but can't quite figure out the vmbr configuration in /etc/network/interfaces. Do I add the vmbrs in the dom0 config through the web interface, then jigger them in the interfaces file? I understand vitor's general idea, but can't figure out how to execute it.
 
Here is an example of /etc/network/interfaces:

auto vmbr0
iface vmbr0 inet static
address 192.168.0.200
netmask 255.255.255.0
gateway 192.168.0.1
bridge_ports eth0
bridge_stp off
bridge_fd 0

auto vmbr1
iface vmbr1 inet static
address 192.168.1.200
netmask 255.255.255.0
bridge_ports eth1
bridge_stp off
bridge_fd 0


Now you have 2 vmbrs, and in the Proxmox web interface you can create VMs with 2 NICs.
Same process with 3 or 4, etc.
 
I think I have that. Here's the problem: how do you set the IP address for the PVE web interface and the IP address for the pfSense interface for the SAME ethX? I need both of them to be on the LAN interface, and for pfSense to hand out addresses via DHCP on that same PCI network card. When I try to put a second vbridge on the same interface, PVE says the eth is already in use and can't be assigned a second time.
 
Here is another interfaces conf with 2 vmbrs on the same eth:
iface vmbr0 inet static
address 174.123.104.178
netmask 255.255.255.240
gateway 174.123.104.177
bridge_ports eth0
bridge_stp off
bridge_fd 0

iface vmbr1 inet static
address 192.168.1.1
netmask 255.255.255.0
bridge_ports eth0
bridge_stp off
bridge_fd 0

It works and is in production.
You cannot set two devices with the same IP. You can set them in the same range for firewall purposes.
In a virtual firewall scenario, the external IP is set in the firewall VM; the eth has no IP, and the vmbr can have an IP INSIDE the firewall.
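
Added example, not part of any post in this thread: a small Python check that parses an interfaces file, lists physical ports assigned to more than one bridge (the "eth is already in use" conflict reported above) and lists the bridges on which the PVE host itself holds an IP address, so you can confirm that only the LAN bridge does. The sample file, its addresses and the function names are constructed for illustration.

```python
SAMPLE = """\
# constructed sample, not taken from any poster's host
auto vmbr0
iface vmbr0 inet manual
    bridge_ports eth0

auto vmbr1
iface vmbr1 inet static
    address 192.168.1.200
    bridge_ports eth1

auto vmbr2
iface vmbr2 inet manual
    bridge_ports eth1

auto vmbr3
iface vmbr3 inet manual
    bridge_ports none
"""

def parse_bridges(text):
    """Map bridge name -> {'address': str or None, 'ports': [str]}."""
    bridges, cur = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                      # blank line or full-line comment
        if words[0] == "iface" and len(words) >= 2:
            cur = bridges[words[1]] = {"address": None, "ports": None}
        elif words[0] in ("auto", "source", "mapping") or words[0].startswith("allow-"):
            cur = None                    # a new top-level stanza ends the iface block
        elif cur is not None and len(words) > 1:
            if words[0] == "address":
                cur["address"] = words[1]
            elif words[0] in ("bridge_ports", "bridge-ports"):
                cur["ports"] = [p for p in words[1:] if p != "none"]
    return {n: b for n, b in bridges.items() if b["ports"] is not None}

def audit(text):
    """Return (ports claimed by several bridges, bridges where the host has an IP)."""
    bridges, owners = parse_bridges(text), {}
    for name, b in bridges.items():
        for port in b["ports"]:
            owners.setdefault(port, []).append(name)
    shared = {p: sorted(v) for p, v in owners.items() if len(v) > 1}
    host_ips = {n: b["address"] for n, b in bridges.items() if b["address"]}
    return shared, host_ips

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against a copy of /etc/network/interfaces by passing the file's text to `audit()`; an empty first result means no port is shared, and the second result should name only the bridge you manage PVE from.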