pfSense + Proxmox + vlan, not working

[Mattias Hedman]

I was forced to switch my router/firewall since my old one couldn't keep up with the speed.
So I did my research and pfSense was what seemed to be a great choice, I found this in their documentation: https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html and set up the container like that.
Installed pfSense and off to the races. Setting up WAN and LAN was a breeze, all is working. Happy I went about and started to config some VLANs and added them to the LAN interface. This is when I hit the brick wall.
First up I thought, hey this is pfSense fault, so I posted on their forums: https://forum.netgate.com/topic/166720/pfsense-unifi-network-lan-works-not-wifi/
Today I got an answer from an administrator and I tried what he recommended.
There is no traffic being sent between LAN and the VLANs, no nothing.

It now seems like there is an issue with how Proxmox handles NICs and guests, does anyone have pfSense running with multiple VLANs?
If so - how?

 

[vesalius]

I was forced to switch my router/firewall since my old one couldn't keep up with the speed.
So I did my research and pfSense was what seemed to be a great choice, I found this in their documentation: https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html and set up the container like that.
Installed pfSense and off to the races. Setting up WAN and LAN was a breeze, all is working. Happy I went about and started to config some VLANs and added them to the LAN interface. This is when I hit the brick wall.
First up I thought, hey this is pfSense fault, so I posted on their forums: https://forum.netgate.com/topic/166720/pfsense-unifi-network-lan-works-not-wifi/
Today I got an answer from an administrator and I tried what he recommended.
There is no traffic being sent between LAN and the VLANs, no nothing.

It now seems like there is an issue with how Proxmox handles NICs and guests, does anyone have pfSense running with multiple VLANs?
If so - how?

Several of us do, although I use OPNsense. Can you post your Proxmox /etc/network/interfaces config and let us know which interfaces proxmox has given pfSense for wan and lan.

EDIT:Just looked at their documentation you linked and it’s a bit dated for vlan use. Might be nothing more needed than checking off “vlan aware” on the Proxmox vmbr* you use for the pfSense lan. Next common issue is that the switch connected to this is misconfigured to handle the vlans created in pfSense.

 

[Mattias Hedman]

Several of us do, although I use OPNsense. Can you post your Proxmox /etc/network/interfaces config and let us know which interfaces proxmox has given pfSense for wan and lan.

EDIT:Just looked at their documentation you linked and it’s a bit dated for vlan use. Might be nothing more needed than checking off “vlan aware” on the Proxmox vmbr* you use for the pfSense lan. Next common issue is that the switch connected to this is misconfigured to handle the vlans created in pfSense.

Thank you for a great answer, here's my network config from Proxmox:

auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual
        dns-nameservers 10.1.1.50 1.1.1.2
#pfSense WAN

auto eno2
iface eno2 inet manual
#pfSense LAN

auto eno3
iface eno3 inet manual

auto eno4
iface eno4 inet manual

auto bond0
iface bond0 inet manual
        bond-slaves eno3 eno4
        bond-miimon 100
        bond-mode balance-alb

auto vmbr0
iface vmbr0 inet static
        address 10.1.1.10/24
        gateway 10.1.1.1
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr1
iface vmbr1 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
#pfSense WAN

auto vmbr2
iface vmbr2 inet manual
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
#pfSense LAN

The switch that receives this is, an Unifi Switch 8, with all ports set to trunk (all).

I should also add that all this is running on a Dell Poweredge 720.

 

[Mattias Hedman]

So the solution...
I got it from Reddit (where else...)
A user there told me that he to all the tagging inside Proxmox and run everything inside pfSense untagged.
Like this: https://imgur.com/a/YbZpaxb

 

[vesalius]

So the solution...
I got it from Reddit (where else...)
A user there told me that he to all the tagging inside Proxmox and run everything inside pfSense untagged.
Like this: https://imgur.com/a/YbZpaxb

More than one way to skin a cat. Congrats on the fix. It can also work the way you initially tried, that’s how I do it from the OPNsense side, but no reason to keep beating your head against that brick wall when you a viable working solution.

 

[lostling]

Hoping someone can assist on this

Managed to ping to proxomox IP from both the laptop and pfsense, but unable to reach pfsense directly from the laptop

not sure if the issue is proxmox based, switch based or pfsense based.

Current proxmox network setting:

auto lo
iface lo inet loopback

auto eno4
iface eno4 inet manual

auto eno1
iface eno1 inet manual

auto eno2
iface eno2 inet manual

auto eno3
iface eno3 inet manual

auto bond0
iface bond0 inet manual
bond-slaves eno1 eno2 eno3
bond-miimon 100
bond-mode 802.3ad

auto vmbr1
iface vmbr1 inet manual
bridge-ports bond0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094

auto vmbr0
iface vmbr0 inet manual
bridge-ports eno4
bridge-stp off
bridge-fd 0

auto vmbr1.10
iface vmbr1.10 inet static
address 192.168.10.2/24
gateway 192.168.10.1

pfsense VM network settings

Network Device (net0) virtio , firewall=1
Network Device (net1) virtio

Current pfsense settings

WAN -> vtnet0 -> v4/DHCP: 192.168.5.108/24
LAN -> vtnet1 ->
OPT1 (OPT1) -> vtnet1.10 -> v4: 192.168.10.1/24

 

[Mattias Hedman]

@lostling Thank for your answer.
First up, why have a firewall on the vmbr that is the wan port for your firewall?
Secondly not reaching pfSense from lan is by design, you have to allow it. Everything is blocked by default.

I had it working, then I tried to install Wireguard and killed pfSense, due to family pressure I was "forced" to go back to my old solution.
That meant firing up my trustworthy Edgerouter.
I will go back to pfSense in due time.
Here you have how I made it happen with pfSense and a Proxmox VM:
https://privetdrive.net/posts/newish-network-and-really-learn-about-vlan/

 

[lostling]

Hi Mattias, sorry, just trying to hijack your thread, cant seem to get any help on mine haha...

Well I should be able to access vlan 10 via my bond from the switch but I am unable to.

 

[Mattias Hedman]

Well I should be able to access vlan 10 via my bond from the switch but I am unable to.

No problem!
It sounds like you are missing some firewall rules to allow that traffic.

 

[lostling]

I literally factory reset my pfsense and only enabled 1 vlan and disabled all firewalls...

 

[Mattias Hedman]

I literally factory reset my pfsense and only enabled 1 vlan and disabled all firewalls...

Disable the firewall? Oh why?!
Have you activaated that interface? Have you configured a dhcp-server for that interface?
How do you connect to that VLAN?

 

[platonas]

I use pfsense(vm) on proxmox as my router with vlans and works fine.

• Got my isp router on bridge mode and connects to 1 nic that i only use on proxmox as WAN , 2nd nic goest to a mikrotik router (set up in bridged mode) that i use as a switch+wifi ap.
• Vms and ct`s use the 2nd nic bridged.

Quick checklist :

1. created the vlans on pfsense , assign and activate
2. setup IPs and dhcp servers for every vlan
3. setup an allow all firewall rule on every vlan (for testing) since pfsense blocks all by default
4. setup vlans on my switch
5. made proxmox bridge(not the WAN one) vlan aware
6. setup proxmox host with vlan settings (so the host can connect to the vlan of my choice)
7. setup CT and VM vlans from the proxmox UI

Rebooted my proxmox host and everything works like intented.

P.S. Used only linux bridge and vlan , not linux bond at anything (if it helps anyone) .