[SOLVED] pfsense + proxmox with one public ip

C

caymans3

New Member
Aug 20, 2024
3
0
1
Hi, does anyone know if there is a way to configure pfSense to use my public IP (currently used by Proxmox) and then use the LAN interface of pfSense to assign an IP to Proxmox via DHCP?
I only have one IP, "182.xxx.xxx.46/30", which is my Proxmox IP. Is there a way to make my pfSense VM "assume" this IP and then assign a private IP to Proxmox? After that, I could configure port forwarding on pfSense to access the Proxmox web interface.
1724439256420.png
 
If you don't have any "internal" way to gain access to the proxmox shell, this can be tricky to perform.
Also NEVER use DHCP on the proxmox interface, you'll only will cause issues for yourself.

If you can get shell-access to Proxmox without using that 186 IP, for example through IPMI/ILO/Remote-hands/etc., you can just set the IP in pfSense and then change the /etc/network/interfaces file to it's new setup and apply with an ifreload -a , reverting back (and shutting down the VM) if something doesn't work like you planned.

If not, what I personally would do is the following while triple-checking all the settings:
  1. Make sure that the PFSense-server is set to auto-start
  2. Set up a temporary setup in PFSense and create a port-forward (from a port other then 8006 external to internally 8006) set to forward from your external IP (or "just" public internet like it looks to be set up right now anyway) going to the "WAN-IP" (the option, not specifically typing it in) to an IP you reserve for the proxmox-server on LAN, as well as https and ssh forwards for your pfsense itself in case you can still not reach proxmox.
  3. In the network-config of proxmox, set the vmbr0 to be without an IP and gateway, and the vmbr1 to the IP you've selected before and the pfsense-IP as gateway, but DO NOT APPLY yet
    • This will cause the config to be written to a "temporary" file which is applied on reboot or when pressed apply.
  4. Set a reboot from the shell for 5 minutes from now with shutdown -r +5 (or more if you want more time to do the next steps)
  5. In PFSense, change the WAN-settings to the new wan-IP/gateway (here you can apply right away)
    • Still got network now? Good, apply the network-config and try to reach proxmox through the port-forward you made, then cancel the reboot with shutdown -c
      • Apply worked (and lost connection) but port-forward not working? Wait the 5 minutes (+reboot-time) and hope you didn't configure something incorrectly, or try to fix it through the https/ssl forwards that hopefully do work.
    • No network anymore to both proxmox and the port-forward? Wait the 5 minutes (+reboot-time) and hope you didn't configure something incorrectly.
  6. Once you (hopefully) have back connection, change the IP in the host-file to match the new "internal" IP of proxmox as well as the primairy DNS (set it to the pfsense too, secondary can be on an external one directly)
Like you might see, a lot more steps and a lot more uncertainty, so a remote access and using it through there will probably stay the preferred method.
 
  • Like
Reactions: caymans3
Thanks for the reply, @sw-omit .

I followed your instructions on a local Proxmox test setup a couple of times, but I’m not sure what I might be doing wrong.

  1. Checked that pfSense is set to autostart.
  2. Set a temporary WAN IP on pfSense via DHCP (199.178.0.106), configured a NAT rule for the WAN address on port 8080 to redirect to 192.168.0.100 (vmbr1 address) on port 8006, and set up another NAT for accessing pfSense (192.168.1.1) through the WAN.
  3. Deleted the IP/gateway from vmbr0 (199.178.0.177, 199.178.0.1) and assigned the same addresses to vmbr1.
  4. Scheduled a reboot.
  5. In the pfSense web interface, set the WAN interface to static and changed it to 199.178.0.177 with a gateway of 199.178.0.1 (the same as was on vmbr0).
However, I still can’t access my Proxmox web interface through the NAT. Am I missing something?
 
Let's try to test the port forward itself first.
In your test-setup, keep the "wan" port vmbr0 to the 177 IP, and put the pfsense-IP to 178.
Set a firewall rule that allows ping on the wan-interface [1] and see if that works now. If it does, your pfsense is reachable, else there is a problem within proxmox still.
If ping works, try the port-forward to either pfsense or the proxmox-port next. If ping worked but port-forward does not, please screenshot what you have set up for the port-forward (although I personally am more familiar with opnsense.
You can keep the 192.168.0.100 on the vmbr1 with it's gateway set to 192.168.0.1 btw, if you set the ip on vmbr0 without gateway, you can still reach it if you're on the same network.

[1] https://bobcares.com/blog/allow-ping-on-pfsense/
 
You must log in or register to reply here.
Top Bottom