pfSense setup

kcallis
Apr 5, 2018
I have been doing my due diligence in trying to make the move from a hardware to a software-designed network. I am currently trying to decide if I can work with what I currently have running and make the appropriate changes, or whether I should just blow everything away and start from scratch.

Currently, I have a Netgate APU running pfSense, and Proxmox is installed within a VLAN (vmbr0, 192.168.30.250). If I were to spin up a pfSense using the same configuration, I know that I will run into problems because the PM host already has an IP address, and there will be issues when I start pfSense with the same IP defined on the OPT VLAN. I thought that I could change the IP address of the host to (for instance) 10.0.0.250 because I don't make use of 10.0.0.0/8 for any purpose in my pfSense setup, but then I started to wonder if I needed to change the IP address of my Cisco switch to the 10.0.0.0 range so that the switch could communicate with the PM host. I am also thinking that I can just configure my switch to listen on 10.0.0.x, considering that I can create additional interfaces on the switch.

I have attached the current network diagram as well as the proposed network diagram. Any pointers on how to start this project would be greatly appreciated.
 

Attachments

  • ##Current Network Diagram##.pdf (244.8 KB)
  • ##Propose Network Diagram##.pdf (261.5 KB)
Since the switch also supports VLANs, you can create a different VLAN for direct node access. Also, the node doesn't need direct access; it could well go through pfSense.
 
Thanks for the response. I have re-installed Proxmox 6.1 and again I have run into a problem. As you can see in the network diagram that I have attached (this time as an actual graphic as opposed to drawn), the only components are the DSL gateway, a Cisco switch, a WAP, and a single-port laptop. On the Cisco, I have created a VLAN for each of the VLANs listed on the diagram, as a trunk, with VLAN10 being untagged. I also created a VLAN02 for the DSL gateway.

When I installed the Proxmox server, I gave the management interface an IP address of 192.168.10.250/24. The Cisco switch has an IP address of 192.168.10.2/24. I am able to ping the switch from the Proxmox host, which seems to be a good thing. I then installed openvswitch, made IntPorts for each VLAN, and from the console I am able to get an IP address from the WAN connection, and I assign the LAN address 192.168.5.1/24. I have tried both creating just a LAN (using VLAN05 defined on both the openvswitch as well as the Cisco switch (which I should point out is in L3 mode)) and a WAN connection (which is VLAN02 on the Cisco switch), as well as creating, during the installation, all of the VLANs shown on the network diagram. Regardless of how I try to set up pfSense, when I ssh to the Proxmox host, I am not able to ping, ssh, or connect to the pfSense web interface.

So I am stuck!!! Although I can get to the Proxmox host, I am not able to make use of pfSense or set up any rules or any other services. I have been told that I need to just create a virtual NIC or two, but that hasn't been of any benefit. I have tried getting creative with my Cisco switch, but that doesn't seem to work correctly, so any pointers would be greatly appreciated!
 

Attachments

  • network_diagram_v1.pdf (24 KB)
  • proxmox_diagram_v1.pdf (12 KB)
Openvswitch will need a trunk port as well. But you don't need openvswitch. Set the Linux bridge to vlan_aware, specify VLAN 10 directly on the enp0s25 interface, and set it as tagged on the switch port as well. This way VLAN 10 is filtered out by the host interface directly, and all the other VLANs pass through to the bridge.
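What the reply above describes, written out as a complete /etc/network/interfaces for the Proxmox host. This is an added example, not a configuration posted in the thread: the NIC name enp0s25, the management address 192.168.10.250/24 and the VLAN numbers come from the thread, while the gateway 192.168.10.1 (taken to be the address pfSense will later hold on VLAN 10) and the exact VLAN list on the bridge are assumptions.

```text
# /etc/network/interfaces on the Proxmox host (added example, not from the thread)
auto lo
iface lo inet loopback

# The physical NIC carries the trunk from the Cisco switch. It gets no address
# of its own; it only feeds the management VLAN device and the bridge.
auto enp0s25
iface enp0s25 inet manual

# Management VLAN 10 taken directly off the NIC. Frames tagged 10 are consumed
# here by the host, before they reach vmbr0, so the Proxmox web UI and SSH stay
# reachable on 192.168.10.250 whether or not the pfSense VM is running.
# The switch port must now carry VLAN 10 tagged, not as the untagged/native VLAN.
auto enp0s25.10
iface enp0s25.10 inet static
        address 192.168.10.250/24
        gateway 192.168.10.1      # assumed: pfSense's VLAN 10 address once it exists

# VLAN-aware bridge: every other VLAN passes through tagged, and each VM picks
# its VLAN with the tag= option on its virtual NIC instead of needing a bridge
# (or an OVS IntPort) per VLAN. 2 = DSL gateway/WAN, 5 = LAN, 20/30/40 = others
# from the diagram; extend the list to match the VLANs on the switch trunk.
auto vmbr0
iface vmbr0 inet manual
        bridge-ports enp0s25
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2 5 20 30 40
```

Leaving VLAN 10 out of bridge-vids is deliberate: it keeps management frames off the bridge that the VMs share, so no guest can be attached to the management VLAN by a stray tag= value. The switch port facing enp0s25 is then a plain tagged trunk for all of these VLANs, with nothing untagged, which also removes the ambiguity of an untagged native VLAN reaching the bridge.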
 
I opted to use openvswitch because it seems to play nicely with my VMs and containers. Most of my traffic will be local, so there is no need to go upstream to the next switch when I can keep everything local with VMs and containers dealing with OVS. I must have missed something, because I see that you stated that I needed to make an OVS trunk??? I created a bunch of IntPort VLANs, which was (in my mind) a trunk to be used for pfSense. So the fact that I did not create a trunk for OVS could be the reason that I cannot ping from the host any of the VLANs that I defined in /etc/network/interface.

This should not be this difficult!!! Let us remove the Cisco switch from the equation. Let's say that I take a laptop that has only a single port and install Proxmox and add in openvswitch. At this point, I use the address 192.168.200.250/24 for the pve host with a gateway of 192.168.200.1. Of course, there is no 192.168.200.1, so it would seem that regardless of my setting a gateway, I would be doomed to failure because there is no real network per se. The physical interface is plugged into my DSL router, but I don't want a DHCP IP address from my gateway because the laptop is not static, but able to connect to any gateway (for instance, right now I am connected to my DSL gateway, but my goal is to take my laptop to, say, Starbucks, plug my pve laptop into my travel router, and in theory still be connected to the internet).

So with the above scenario, what am I missing? I am sure that I still need to create a tagged VLAN to the DSL router so that the pve host can connect to the internet through the DSL router. I need to create an OVS trunk that will include all of the VLANs, including VLAN200, which allows the pve host to ping and talk to the other VLANs. Am I on the right path, or am I completely out in left field?
 
Either use the interface directly on the pfsense or you will need to use masquerading.
 
Either use the interface directly on the pfsense or you will need to use masquerading.

I am not looking forward to port forwarding, so could you clarify what you mean by using the interface directly? I give the host the IP address 192.168.200.250. After installing openvswitch, the first VM that I spin up will be pfSense, and the WAN interface will connect to my VLAN02, and the LAN (192.168.5.1/24) is in my VLAN05. I actually did spin up pfSense, and WAN was able to get an IP address from the DSL modem, and I did give an IP address to the LAN. Unfortunately, I was not able to go any further, because I was not able to connect to the web interface or even ping the LAN (192.168.5.1) interface.

So on my Cisco switch, I have my pfSense trunk port, which is untagged VLAN200 (192.168.200.0/24) and tagged VLAN{05,10,20,30,40,etc}. I have defined the VLAN IntPorts in /etc/network/interface (again using openvswitch), and yes, my goal is to have pfSense as the protector of my massive virtual network. So with the VLANs defined on both the Cisco switch as well as the pve host, what added ingredient do I need to add so that after I have installed pfSense, I am able to log into the pfSense web interface and do my rule magic, but at the same time I can still turn around and access the pve management web interface?
 
Interfaces can be directly passed through to the VM, so pfSense can do all the network lifting. Or see the other examples in our documentation:
https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_network_configuration

Additionally, the pfSense setup on Proxmox VE:
https://docs.netgate.com/pfsense/en/latest/virtualization/virtualizing-pfsense-with-proxmox.html

And last but not least, there might be other users on the forum that have made a similar setup:
https://forum.proxmox.com/tags/pfsense/
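The two ways of attaching the pfSense VM to the VLANs that the replies above mention, written out as the VM's Proxmox configuration. This is an added example, not a configuration from the thread or from the linked documentation; it assumes a VLAN-aware vmbr0 on the host, VM ID 100, and the locally administered MAC addresses shown, which are made up for the example. The VLAN numbers (2 for the DSL gateway, 5 for LAN, 20/30/40 for the other segments) are the ones named in the thread.

```text
# /etc/pve/qemu-server/100.conf (added example; only the network lines are shown)

# Option A: one virtual NIC per VLAN. Proxmox adds/strips the tag, so inside
# pfSense the interfaces are plain untagged NICs: vtnet0 = WAN, vtnet1 = LAN, ...
# firewall=0 keeps the Proxmox host firewall out of the path; filtering belongs
# to pfSense here, and double filtering only makes rule debugging harder.
net0: virtio=02:00:00:00:00:02,bridge=vmbr0,tag=2,firewall=0
net1: virtio=02:00:00:00:00:05,bridge=vmbr0,tag=5,firewall=0
net2: virtio=02:00:00:00:00:20,bridge=vmbr0,tag=20,firewall=0

# Option B: a single trunk NIC. No tag= means frames reach the guest with their
# 802.1Q tags intact; trunks= restricts which VLAN IDs the bridge will pass to
# this port, so the VM cannot join a VLAN that is not listed. pfSense then
# creates its own VLAN sub-interfaces (Interfaces > Assignments > VLANs) on
# vtnet0 for IDs 2, 5, 20, 30 and 40.
# net0: virtio=02:00:00:00:00:01,bridge=vmbr0,trunks=2;5;20;30;40,firewall=0
```

Option B is closer to "let pfSense do all the network lifting", but note that pfSense's web interface and the default allow rule live on its LAN interface only. With LAN on VLAN 5 and the Proxmox host on VLAN 10, the host can only reach 192.168.5.1 through a route that pfSense accepts, so the first login is easiest from a client that sits on VLAN 5 itself, or after pfSense has been given an interface on VLAN 10 with a rule permitting access. Netgate's virtualization documentation also recommends disabling hardware checksum offload in pfSense when using virtio NICs.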
 
