pfsense physical switch and vm isolation

Discussion in 'Proxmox VE: Networking and Firewall' started by Andrew H, Jan 6, 2019.

  Andrew H

    Jan 6, 2019
    I'm still trying to wrap my head around VLANs, but before I do that, I'm trying to see if this can be achieved and then isolate with rules.

    My pfSense inside Proxmox has two OVS bridges: vmbr1 is WAN and vmbr2 is LAN. LAN is connected to a physical switch with 192.0.20.x. A VM has the LAN bridge assigned. How do I go about putting the VM in the 10.0.30.x subnet?

    If I create a VLAN in pfSense, I can assign a 10.x IP to the VM, but no matter what rules I create, I can still ping between these two subnets. Should I figure out how to do it with a VLAN instead? Create another bridge for the subnet?
  bofh

    Nov 7, 2017
    Bridges and VLANs are not the same.

    If you create 2 bridges you have 2 independent LANs (virtually, but that's still not a VLAN).
    Now you can assign different VLAN IDs to each interface.
    Now you have VLANs; only interfaces with the same VLAN ID can reach each other at the Ethernet level.

    However, this does not necessarily have anything to do with pinging or not pinging each other.
    The pinging in your case goes a layer higher; those networks know each other (of course they do, both lie on the same router, aka the Proxmox box)
    and Proxmox will by default route to each subnet (why shouldn't it?).
    So you now need to set up firewall rules to stop that.

    However, your description is cryptic and very incomplete about what you have and what you want to achieve.
    Also, if you have trouble with the basics, consider hiring a professional.
  hodo

    Jun 22, 2016
    I would suggest that you create another bridge on the Proxmox host (vmbr3).

    Give the pfSense VM another vNIC on the vmbr3 bridge.

    Configure the 10.0.30.x subnet as the interface assigned to the new vNIC in the pfSense VM.

    Set your VM to use vmbr3.

    Let your pfSense do the routing and firewalling.

    You don't need VLANs in your setup.
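
Added example, not part of hodo's post or of any project's code: a simplified Python model of per-interface, first-match filtering with an implicit default deny, as pfSense applies to its interface rules, showing why rule order and the interface a rule sits on decide whether the thread's two subnets stay separated. The interface name OPT1, the host addresses and the three rulesets are constructed for illustration; floating rules and state tracking are left out.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

LAN_NET = ip_network("192.0.20.0/24")  # subnet behind vmbr2 (from the thread)
VM_NET = ip_network("10.0.30.0/24")    # subnet on the new vmbr3 vNIC
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network


def decide(rules_by_if, ingress_if, src, dst):
    """Verdict for a new connection arriving on ingress_if."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules_by_if.get(ingress_if, []):
        if s in rule.src and d in rule.dst:
            return rule.action  # first matching rule wins
    return "block"              # nothing matched: implicit default deny


def isolated(rules_by_if):
    """True when neither subnet can open a connection to the other."""
    lan_to_vm = decide(rules_by_if, "LAN", "192.0.20.50", "10.0.30.10")
    vm_to_lan = decide(rules_by_if, "OPT1", "10.0.30.10", "192.0.20.50")
    return lan_to_vm == "block" and vm_to_lan == "block"


# Constructed rulesets. OPT1 is an assumed name for the vmbr3 interface.
SHADOWED = {  # block rule sits below the allow-to-any rule, so it never matches
    "LAN": [Rule("pass", LAN_NET, ANY), Rule("block", LAN_NET, VM_NET)],
    "OPT1": [Rule("pass", VM_NET, ANY)],
}
WRONG_IF = {  # VM->LAN block placed on LAN, but that traffic enters on OPT1
    "LAN": [Rule("block", VM_NET, LAN_NET), Rule("pass", LAN_NET, ANY)],
    "OPT1": [Rule("pass", VM_NET, ANY)],
}
FIXED = {     # block the other subnet first, on the interface the traffic enters
    "LAN": [Rule("block", LAN_NET, VM_NET), Rule("pass", LAN_NET, ANY)],
    "OPT1": [Rule("block", VM_NET, LAN_NET), Rule("pass", VM_NET, ANY)],
}

if __name__ == "__main__":
    for name, rs in (("SHADOWED", SHADOWED), ("WRONG_IF", WRONG_IF), ("FIXED", FIXED)):
        print(name, "isolated" if isolated(rs) else "NOT isolated")
```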

