pfSense , need some help

[Gad]

ok so i have two NICs

i want to deploy pfsense but not sure how the network config of promox shuld look like

i am getting WAN from my ISP from 10.0.0.68(just a port on my ISP router)
i want PF sense to be on 192.168.1.1(this will be my new lan )

i am really confused how linux brodge shuld look like in this case

i am pretty sure i got this part worngg

i want VMBR 0 to be my lan
and VMBR 1 to be my wan
Thanks!!

 

[aaron]

Think of bridges as being similar to hardware switches.

vmbr0 connects the physical interface eno1 with the guests running on the PVE node. vmbr1 connects enp2s0.

A bridge does not necessarily need to have any IP configured on it, only if the PVE node itself should be reachable on that network.

This means that for the pfsense VM you will need to assign it two NICs, each assigned to one of the bridges.

Now you most likely want to use vmbr0 for the internal LAN and vmbr1 for the external network where you connect the NIC to the router from the ISP. For vmbr1 you don't configure any IP address.

Therefore, configure the IP address that the PVE server should get and gateway (pfsense). The IP addresses of the pfSense need to be configured inside the pfsense VM.

PVE does not handle the IP address configuration inside VMs.

 

[bobmc]

So set
vmbr0 CIDR=192.168.1.185/24, Gateway=192.168.1.1
vmbr1 remove IP

Create a VM with two network interfaces, one assigned to vmbr0, the other on vmbr1


Install pfsense, set the LAN address to 192.168.1.1/24
set the WAN address as required (e.g 10.0.0.68)

remember your WAN address is not routable so you will need to ensure this is not blocked (turned off) on the interface



Also don't forget to 'disable Hardware checksum offloading' otherwise your performance will suffer

 

[Gad]

wow thank you both i will try it out in the morning

@bobmc can you please explain
"remember your WAN address is not routable so you will need to ensure this is not blocked (turned off) on the interface"

 

[bobmc]

@bobmc can you please explain
"remember your WAN address is not routable so you will need to ensure this is not blocked (turned off) on the interface"

You stated in your 1st post that your ISP router is giving you a 10.0.0.68 address, this is not your real internet address (try https://www.whatsmyip.org/ to find out what it really is) because it is in a network (10.0.0.0/8) reserved for private networks.

By default, pfsense will block any traffic on it's WAN port that seems to be coming from a private network - which is the behaviour you would want if pfsense was directly connected to the internet.

In your case however, you need to tell pfsense that it is OK to accept private network traffic by unticking the box as shown in my earlier post.

hope this helps

 

[Gad]

You stated in your 1st post that your ISP router is giving you a 10.0.0.68 address, this is not your real internet address (try https://www.whatsmyip.org/ to find out what it really is) because it is in a network (10.0.0.0/8) reserved for private networks.

By default, pfsense will block any traffic on it's WAN port that seems to be coming from a private network - which is the behaviour you would want if pfsense was directly connected to the internet.

In your case however, you need to tell pfsense that it is OK to accept private network traffic by unticking the box as shown in my earlier post.

hope this helps

yes it helps i learned allot!

having some issues with my setup... but i will come around to this post again
thanks!