pfSense/Proxmox home network diagram and vtnet/bridge/eth concept questions

gijobin

Hello all! Having some conceptual questions on setting up pfSense with Proxmox.
  • Is vtnet0/1 referring to the pfSense VM vNIC interfaces for WAN/LAN?

  • When we create two linux bridges on proxmox - is that considered to be on the physical host?

  • In this screenshot, how is eth1 defined for the bridge port? Is the bridge port the physical nic interface? How do we know whether vmbr1 is eth1 or eth2?

  • Is this saying that the vmbr0 bridge is bound to the eth0 interface on the physical host?

  • Is virtio recommended over e1000 for performance?

This is what my network will look like - please let me know if any of my logic looks incorrect. Thank you in advance for your help and time!
 
Hi,

Is vtnet0/1 referring to the pfSense VM vNIC interfaces for WAN/LAN?

Yes, normally in a setup with pfSense as a Proxmox VE VM it is.

When we create two linux bridges on proxmox - is that considered to be on the physical host?

Yes, as these are the virtual switches the pfSense is connected to, separating WAN and LAN.

In this screenshot, how is eth1 defined for the bridge port? Is the bridge port the physical nic interface? How do we know whether vmbr1 is eth1 or eth2?

A bridge can have no port; then it'd normally be an internal interface, which can still be useful as a fast and separated "virtual switch" for VM<->VM or VM<->Host interconnections.
It can also have ports; those are then just like physical switch ports, i.e., whatever you connect to that physical port is reachable for all VMs, CTs and normally also the Proxmox VE host itself.

How do we know whether vmbr1 is eth1 or eth2?

You know what's in use by checking the port config and, in the other direction, you choose what to use by checking what physical port has a connection you want to plug into the bridge. So what you use depends on how you plug in your cables :)

Is this saying that the vmbr0 bridge is bound to the eth0 interface on the physical host?

Rather vice versa, eth0 is bound to the bridge, but I do not think that "difference" matters much.

Is virtio recommended over e1000 for performance?

Yes.

This is what my network will look like - please let me know if any of my logic looks incorrect

See no issues in that diagram.
 
Hi,

The best way to understand a bridge is to consider that it is almost the same as a standard switch, which has some Ethernet ports.
 
Hi @t.lamprecht - thank you so much for your time and help - those questions have been confusing me for some time, and you explained them really well :) I have a few follow up questions for you:

A bridge can have no port; then it'd normally be an internal interface, which can still be useful as a fast and separated "virtual switch" for VM<->VM or VM<->Host interconnections.

  • If a bridge has no port, how can the VM communicate with the host?

You know what's in use by checking the port config and, in the other direction, you choose what to use by checking what physical port has a connection you want to plug into the bridge. So what you use depends on how you plug in your cables :)

  • Is the port config the "ifconfig" inside the Proxmox terminal?

  • Is there a difference in functionality/performance or implementation for using OVS over Bridge for connecting the pfSense VM to the host interfaces? Does Proxmox have a tutorial for using OVS with pfSense?

  • In order to isolate the pfSense WAN from the host, is there anything that should be done in the bridge interface?
 
Hi there, sorry to barge in:

  • If a bridge has no port, how can the VM communicate with the host?

A bridge can have a port or not.
For example, if you assign a bridge as LAN interface, it doesn't need to have an assigned port on the Proxmox host. This bridge interface will be bridged (as in directly connected) to the pfSense, and when you create a VM that will sit on the LAN side of pfSense, you then assign the same bridge to the VM. So it doesn't have a physical port from the host assigned, but acts like a switch to which your different VMs are connected.

You can have all the bridges (even the one facing WAN) without a port assigned; then you'll have to go with a routed setup to communicate from the bridge to the host.

  • Is the port config the "ifconfig" inside the Proxmox terminal?

I believe the above explanation applies to this question.

  • Is there a difference in functionality/performance or implementation for using OVS over Bridge for connecting the pfSense VM to the host interfaces? Does Proxmox have a tutorial for using OVS with pfSense?

I use pfSense without OVS. OVS or Open vSwitch is an advanced implementation of a multilayer virtual switch. I'd say start with the Linux bridges and, when you find the need for the advanced features of OVS, swap over.

  • In order to isolate the pfSense WAN from the host, is there anything that should be done in the bridge interface?

Use a routed config. But anyway, the pfSense WAN interface is already blocking by default.

Most important will be how you design the solution. You should always have a separate public IP for the Proxmox host and another for the pfSense, as the Proxmox host should not be susceptible to a VM going down or not booting for some reason, in which case your Proxmox host would lose all connectivity.

Use a routed config and you should be fine. There are many configuration examples and sometimes there are differences from one hosting provider to another.
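
The "port config" discussed in the answers above lives in `/etc/network/interfaces` on the Proxmox host. As an added example (not from any post in this thread, and not Proxmox's own tooling), this sketch parses that file format and reports, per bridge, which physical NICs are attached and whether the host itself holds an address on it, which is the thing to check when isolating the WAN bridge from the host. The sample file, interface names and address are constructed assumptions.

```python
# Constructed sample in the /etc/network/interfaces format; names/addresses are assumptions.
SAMPLE = """\
auto lo
iface lo inet loopback
iface eth0 inet manual
iface eth1 inet manual

# WAN: uplink cable on eth0, host has no address here
auto vmbr0
iface vmbr0 inet manual
    bridge-ports eth0

# LAN: switch cable on eth1, host management address
auto vmbr1
iface vmbr1 inet static
    address 192.168.1.2/24
    gateway 192.168.1.1
    bridge-ports eth1

# Internal only: no physical port
auto vmbr2
iface vmbr2 inet manual
    bridge-ports none
"""

def bridge_map(text):
    """Map each bridge to its physical ports and the host's own addresses on it."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) > 1:
            current = stanzas.setdefault(words[1], {})
        elif words[0] == "auto" or words[0].startswith("allow-"):
            current = None
        elif current is not None:
            # ifupdown accepts both bridge-ports and bridge_ports spellings
            current.setdefault(words[0].replace("_", "-"), []).extend(words[1:])
    return {
        name: {"ports": [p for p in o["bridge-ports"] if p != "none"],
               "host_addrs": o.get("address", [])}
        for name, o in stanzas.items() if "bridge-ports" in o
    }

if __name__ == "__main__":
    for name, b in sorted(bridge_map(SAMPLE).items()):
        print(name, "ports:", b["ports"] or "none (internal)", "host:", b["host_addrs"] or "no address")
```

To run it against a real host, pass the contents of `/etc/network/interfaces` to `bridge_map` instead of `SAMPLE`.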
 
Hello all, I am running a similar setup to what gijobin is describing. However, when I run my pfSense box with VirtIO network adapters, my connecting LXC containers are not able to establish outbound connections through the pfSense router. With any of the other network adapters everything works fine.

Does this sound familiar?
 
