pfsense vm, any downside of defining vlans on the promox side

R

Rudy Gevaert

Member
Jul 5, 2020
5
1
8
42
Hi,

I would like to set up a virtual pfsense vm to act as a firewall for several separate networks. There will be a trunk port feeded into the proxmox host (say eth3) with several vlans defined on it.

(note that the proxmox mgt IP is not on those vlans, it's on a different one and is on a different physical port)

I am looking to what would be the easiest way to configure the networks in the pfsense.

I don't have much networking background, which makes it difficult for me to make good decisions. And I hope by doing I am learning too.

I see two options on the proxmox side:
  1. configure eth3 as a bridge port that is vlan aware
  2. define on the proxmox host a bridge port and define the necessary vlans (I have done this already, so I am used to this)

In option 2, I can then just assign multiple network devices to the pfsense VM and have multiple virtual interfaces in the pfsense.
With option 1, I would need to configure the vlans inside the pfsense VM.

Are then any performance impacts for option 1? As the vlan handling will done on the virtual level. While in option 2it is on the proxmox side. Or shouldn't I bother about it?

Also, with option 2 I can very easily assign one of the vlans of eth3 to any other VM. With option 1, is this possible too?

Thank you in advance,

Rudy
 
gurubert said:
With a VLAN aware bridge you tag the virtual interface in the Proxmox configuration with the VLAN ID to have an untagged interface inside the VM. Or without the VLAN ID the interface will get all VLANs (trunk port).
Click to expand...
Thanks Gurubert. So that would confirm that is possible to easily assign them to any vm.
 
I actually do a version of what you are thinking about with around 30 different VLANs on two HA pairs of pfSense routers set up in a layered DMZ / Internal network stack. The Edge pair of pfSense routers handle personal DMZ needs like home IOT game consoles and friends phones, and the internal pair cover all of the more protected inside networks.

Rather than using default Linux vlans and bridging, I moved to using Open vSwitch for networking. This allows me to assign each vlan on the Proxmox host as a separate NIC in proxmox. A bit more setup on the front end for the VMs running pfSense as an HA pair, but it saves configuring a bridge and multiple vlans in the pfSense guests. It also feels a bit more like working with something like VMware if you come from that world.

No complaints about performance or reliability. I have been running like this for about 5 or 6 years.

Here's a link to the Proxmox page on Open vSwitch: Proxmox Open vSwitch
 
You must log in or register to reply here.
Top Bottom