pfsense interface WAN side

[turtlehurdle]

Hello all,

I have following labo setup:


I have been able to ping a machine in the pentest network by setting up a static route on my pentest computer [route -p add 172.30.1.0 mask 255.255.255.0 192.168.0.1]

In the pfsense interface on a VM in network pentest (172.30.1.12) I disabled following:
- Interfaces > WAN > Block private networks and loopback addresses
- All 3 hardware offloads in pfsense (system>advanced). When virtualized, these don't work apparently.

Problem:
I can ping 172.30.1.12 (windows machine) and 172.30.1.1 (vpfsense router) BUT I can not get on my pfsense interface on the browser of my external pentest laptop, how come?

Thank you,

 

[louie1961]

I am confused. You have the pfSense LAN port, WAN port and the proxmox management interface all using the same NIC? I would think you would need three NICs, and you would want to put pfSense in front of the managed switch. That's how I was able to do it anyway. I mean I guess there would be a way to use VLANs and virtual interfaces to do it with one NIC, but that would be way beyond my skill level.

Can you post the contents of /etc/network/interfaces on your proxmox box? Also how is your managed switch configured, and do you have any VLANs set up?

 

[turtlehurdle]

I am confused. You have the pfSense LAN port, WAN port and the proxmox management interface all using the same NIC? I would think you would need three NICs, and you would want to put pfSense in front of the managed switch. That's how I was able to do it anyway. I mean I guess there would be a way to use VLANs and virtual interfaces to do it with one NIC, but that would be way beyond my skill level.

Can you post the contents of /etc/network/interfaces on your proxmox box? Also how is your managed switch configured, and do you have any VLANs set up?

You can think of the the pfsense WAN port as VMBR0 and LAN port as BRIDGE PENTEST. I only have one NIC so the entire environment is virtual. I can not put the pfsense router in front of the managed switch because the managed switch is a physical one, pfsense router is virtual (and so is everything else withing the dotted area). Hope you understand.

So far i have only created the bridges, and one pfsense router (top left 172.30.1.0/24 network). Also one Windows10 computer (VM 101). Everything on the PENTEST network behaves as it should, I have internet connection as well. With VM 101 (172.30.1.12) I can get on the pfsense interface 172.30.1.1.


Also, no VLANS configured. I have a managed switch but I don't use it yet as it does not seem necessary...

Here is an up-to-date drawing:

 

[louie1961]

I think you have two choices. I think you either need to create VLANs, or you need to add more physical NICs to the server. I would get two more cheap NICs (PCIe GBE NICs can be had for as little as $10) and pass them through to the pfSense vm. Then you could wire the network such that pfSense could sit between the internet and your managed switch. Otherwise you will need vlans kind of like Will did here:

https://www.youtube.com/watch?v=HAi4p7IRvDQ

 

[turtlehurdle]

Hmmm yeah... That might be the easiest solution to just buy me one of those USB NIC s and assign them to the bridge my laptop needs to be connected to...

 

[louie1961]

Honestly I would buy two and dedicate them to pfSense: one LAN and one WAN. I would use the existing interface for the VMs you want to run, the Proxmox management interface, etc. Even then, you may want to set up VLANs since you have a managed switch.

You can use that one interface, not dedicated to pfSense to do everything else. I followed this guy's instructions and have one NIC with multiple VLANs on my proxmox server. I decided a while back that virtualizing pfSense was not appropriate in my situation, and bought a firewall device to run it on. One of those fanless celeron devices off of Amazon. When I did that I was also able to go all 2.5 gbe on my network, since the device came with 2.5 gbe ports.

https://www.youtube.com/watch?v=ljq6wlzn4qo

 

[accel]

I always use my pfsense setups on a different machines.
Never setup in with an VM machice.

 

[louie1961]

I always use my pfsense setups on a different machines.
Never setup in with an VM machice.

When I first tried pfSense I virtualized it and it works fine. The problem for me was that everytime I needed to reboot my server for some reason (which can happen a lot when you are experimenting in a home lab) I would take down my wife's TV and laptop and she would get frustrated with me. I decided it was better to run pfSense on dedicated hardware to keep the Mrs. happy.

 

[accel]

reWhen I first tried pfSense I virtualized it and it works fine. The problem for me was that everytime I needed to reboot my server for some reason (which can happen a lot when you are experimenting in a home lab) I would take down my wife's TV and laptop and she would get frustrated with me. I decided it was better to run pfSense on dedicated hardware to keep the Mrs. happy.

İf you have more than 2 NIC on the server like 4 or more, registering one of the NIC only for pfsense setup will be the best way if you do not have an extra machine for pfsense system. Using Vlan type of configuration can be another bad choice for it. But I am sure there are %100 working solid rock configs where develeped by system masters.