PFsense VM networking bridge on proxmox ve

J

juniper

Well-Known Member
Oct 21, 2013
84
0
46
Hi,

i'm exploring the possibility to have a pfsense transparent firewall on a proxmox ve VM but i reach some limitations (or some misunderstanding)

I have a 5 nodes proxmox ve cluster configured with a VLAN aware bridge (trunk connected with all my netwokr vlans)

Is it possible to have on a pfsense VM a bridge made of a 2 interfaces assigned to different vlans?

For example a bridge of:

net0: virtio=AE:D9:1F:2D:B7:8A,bridge=vmbr0,tag=1000 net1: virtio=CA:C1:3A:C8:74:7B,bridge=vmbr0,tag=200

does it works?

Thanks in advance
 
Yes, this does work and is a lot easier to configure on the pfSense side than a single NIC with vlans.
 
ph0x said:
Yes, this does work and is a lot easier to configure on the pfSense side than a single NIC with vlans.
Click to expand...
No in my pfsense installation bridge works only if the bridge is composed on different proxmox ve bridge (for example):

net0: virtio=AE:D9:1F:2D:B7:8A,bridge=vmbr0,tag=1000 net1: virtio=7E:83:8A:B0:CD:C4,bridge=vmbr100

but in this way i miss migration capabilities...
 
Well, I have like 10 VMs that have at least two NICs with the same bridge but with different tags.

Just define the same bridges on your hosts then, in order to solve your migration problems.
 
Last edited:
ph0x said:
Well, I have like 10 VMs that have at least two NICs with the same bridge but with different tags. But what do I know ...

Just define the same bridges on your hosts then, in order to solve your migration problems.
Click to expand...
i have some vms linked to a transparent pfsense bridge....if i migrate pfsense vm remains without network...

the only solution is to have 2 synced pfsense transparent firewall on two different cluster nodes...

I don't know any other solution...
 
juniper said:
Hi,

i'm exploring the possibility to have a pfsense transparent firewall on a proxmox ve VM but i reach some limitations (or some misunderstanding)

I have a 5 nodes proxmox ve cluster configured with a VLAN aware bridge (trunk connected with all my netwokr vlans)

Is it possible to have on a pfsense VM a bridge made of a 2 interfaces assigned to different vlans?

For example a bridge of:

net0: virtio=AE:D9:1F:2D:B7:8A,bridge=vmbr0,tag=1000 net1: virtio=CA:C1:3A:C8:74:7B,bridge=vmbr0,tag=200

does it works?

Thanks in advance
Click to expand...
Does vmbr0 have selected Bridge ports in promox? If so is that bridge port connected to a switch and have you investigated whether or not that switch port is appropriately tagged with both v1000 and v200?
 
vesalius said:
Does vmbr0 have selected Bridge ports in promox? If so is that bridge port connected to a switch and have you investigated whether or not that switch port is appropriately tagged with both v1000 and v200?
Click to expand...
No vmbr0 doesn't have any real interface linked only vm virtual interface
 
juniper said:
No vmbr0 doesn't have any real interface linked only vm virtual interface
Click to expand...
Why not try just adding a single proxmox vmbr0 VLAN aware bridge to pfSense and then create v1000 and v200 in the pfSense GUI using that single interface?
 
vesalius said:
Why not try just adding a single proxmox vmbr0 VLAN aware bridge to pfSense and then create v1000 and v200 in the pfSense GUI using that single interface?
Click to expand...
you don't undestand what i'm doing...

On Proxmox i have one VLAN aware bridge (vmbr0) with all my vlan

i need a pfsense VM with inside a bridge composed of two interface

if i use vmbr0 with for example vlan 200 and vlan 1000 to create 2 different interfaces and then on pfsense i use them for a bridge it doesn't works.

To work i use 2 bridge on proxmox vmbr0 and vmbr100

In pfsense if i make a bridge of one interface vmbr0 (vlan200) and another on vmbr100 all works fine but i loose migration properties (if i migrate pfsense transparent firewall on other cluster nodes, vms with vmbr100 interface loose connection.
 
Well, wait, I seems that I a) misunderstood the term "transparent firewall" and b) missed the part where you said that you want to bridge the two interfaces inside the VM. I don't run that configuration here, sorry for the confusion.

Might the problem be related to the place where the tag gets added? Bridging two VLANs requires a retagging and maybe this is done in an unsuitable order with a vlan-aware bridge ... Does this make sense?
So maybe if you put the complete bridge in a single NIC into the VM and define the VLANs inside then you can actively retag the traffic on the bridge.
Or - if you want to have two NICs at any cost - you could configure those with the needed vlans as tagged traffic. This can only be done in the conf file though, not through the GUI.
Code: 
net0: virtio=<MAC>,bridge=vmbr0,tag=<something_unused or 1 or whatever>,trunks=200
net1: virtio=<MAC>,bridge=vmbr0,tag=<something_unused or 1 or whatever>,trunks=1000

Or the problem is related to a bridge loop in the respective vlan. Employing MSTP (Multiple Spanning Tree Protocol) could resolve this, from what I read.

Regarding the migration: If the bridges exist on the target node and the traffic gets forwarded into a switched vlan then the migration should also work. Why do the VMs with vmbr100 lose connection?
 
Last edited:
  • Like
Reactions: vesalius
ph0x said:
Well, wait, I seems that I a) misunderstood the term "transparent firewall" and b) missed the part where you said that you want to bridge the two interfaces inside the VM. I don't run that configuration here, sorry for the confusion.

Might the problem be related to the place where the tag gets added? Bridging two VLANs requires a retagging and maybe this is done in an unsuitable order with a vlan-aware bridge ... Does this make sense?
So maybe if you put the complete bridge in a single NIC into the VM and define the VLANs inside then you can actively retag the traffic on the bridge.
Or - if you want to have two NICs at any cost - you could configure those with the needed vlans as tagged traffic. This can only be done in the conf file though, not through the GUI.
Code: 
net0: virtio=<MAC>,bridge=vmbr0,tag=<something_unused or 1 or whatever>,trunks=200
net1: virtio=<MAC>,bridge=vmbr0,tag=<something_unused or 1 or whatever>,trunks=1000

Or the problem is related to a bridge loop in the respective vlan. Employing MSTP (Multiple Spanning Tree Protocol) could resolve this, from what I read.

Regarding the migration: If the bridges exist on the target node and the traffic gets forwarded into a switched vlan then the migration should also work. Why do the VMs with vmbr100 lose connection?
Click to expand...
I don't know....i think the problem is all layer 2 related...bridge...vlan....bridge of virtual interface tagged on vlan
 
Yeah, probably. I suggest to try the trunks method, so that the firewall knows about the vlan tags and can handle them accordingly.
 
Last edited:
ph0x said:
Yeah, probably. I suggest to try the trunks method, so that the firewall knows about the vlan tags and can handle them accordingly.
Click to expand...
to solve the problem i moved transparent firewall outside Proxmox VE on dedicated hardware...
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back