PFSense VM on Proxmox

[Zx4ACQQ7]

Hi,

I plan to install Proxmox on my home server and then have at least 3 VM's one PFSense, one for TrueNAS and one for services.
I only have the single HW NIC that comes with my motherboard that has 4 Ethernet ports.

Is it possible to configure Proxmox so that the input from the Modem goes straight into the PFSense VM and then the output get shared to the host and the other VM's?
Would I need any extra hardware?

 

[bobmc]

I only have the single HW NIC that comes with my motherboard that has 4 Ethernet ports.

That doesn't make a lot of sense .. single or quad?

It's much better if you have at least two physical nic's when installing pfSense - yes you can provide two virtual nics to the VM bu then you loose all sense of separation of function logically and physically, where the whole purpose is to segment networks between WAN and LAN

Second user NIC's are cheap as chips on ebay

very good how-to guide
https://pfsense-docs.readthedocs.io/en/latest/virtualization/virtualizing-pfsense-with-proxmox.html

 

[Rares]

You pfSense VM will have 2 virtual nics attached for WAN and LAN.

1. If you have multiple ports you can put a port in a separated bridge and assign that WAN interface to that bridge.

2. You could consider having a managed switch and set the vlan id on the WAN interface.

 

[Zx4ACQQ7]

That doesn't make a lot of sense .. single or quad?

It's much better if you have at least two physical nic's when installing pfSense - yes you can provide two virtual nics to the VM bu then you loose all sense of separation of function logically and physically, where the whole purpose is to segment networks between WAN and LAN

Second user NIC's are cheap as chips on ebay

very good how-to guide
https://pfsense-docs.readthedocs.io/en/latest/virtualization/virtualizing-pfsense-with-proxmox.html

Hi bobmc,

I am a bit confused about your confusion (so meta ) but I am close to a noob so maybe I phrased it wrong.
I have a motherboard with a Intel® i350 GbE controller (I would call this H/W NIC (Network Interface Card)) that has 4 ethernet ports.

If I understand the guide correctly.
First of all I assume (which may be wrong) that each NIC defines a LAN.

Soo proxmox has 3 HW NIC's which define 3 networks (eth0, eth1, eth2) (hope I am using the term NIC correctly if not please correct me).
eth0 is not relevant in my case and potentially could be omitted if I don't care about network proxmox management.

We will create 2 virtual bridges in proxmox:
vmbr1: where one end is associated with HW NIC eth1 for WAN and
vmbr2: where one end is associated with HW NIC eth2 for LAN

For any bridge to work though we need 2 LAN's to bridge which in this case are automatically created (vtnet0, vtnet1).
This implies that proxmox has setup 2 virtual NIC's right?

Therefore this will bridge:
eth1 network defined by the H/W NIC with the vtnet0 network define by the virtual NIC and accordingly
eth2 with vtnet1

and pfsense will route between vtnet0 (PFSense WAN) and vtnet1 (PFSense LAN).

So now proxmox WAN can be forwarded to the virtual WAN in pfsense and the pfsense LAN.
And then for each other VM that I would like to be able to connect to the internet, I would create a bridge to eth2 right?

If my understanding is correct I don't think it makes any sense.
But out of curiosity I guess the only way to do it with a single NIC would be router in a stick?
Next question is maybe silly for experienced people with virtualization but I am curious, if proxmox did not have a NIC, could it create a virtual one on the host? i.e. Let's say I passthrough the NIC to the PFSense VM and I specify a vmbr that bridges the PFSense network with a virtual NIC on the host? I guess not but would like someone to verify.

 

[H4R0]

Use vlans, you need a managed switch e.g. netgear gs308e or tplink sg108e

 

[bobmc]

Yeah I see I just read your post incorrectly - mea culpa. NIC in it's proper sense, as you rightly point out, is a network interface card. And in your case, your nic has 4 ports - so you have 4 physical network interfaces to use with Proxmox. That being the case you are in an ideal situation.

However, nic is often just used to refer to either a port or a card, so just bear that in mind

You're almost there in your understanding. You create a virtual bridge (vmbr) on a port to allow Proxmox to assign the port to a virtual machine (VM) or a container (CT). It can be helpful to think of a vmbr as a virtual network switch which Proxmox will attach VM's and CT's with the switch 'uplink port' being the physical port to which the vmbr is attached. which in turn allows the VM's to reach the outside world.

Proxmox will create vmbr0 during the install and this would normally be the main LAN port for Proxmox and the VM's and CT's.

If you follow the guide I linked earlier, your WAN port will connect to the ISP Modem and the rest of your network should attach to the LAN port. This means you should install a separate ethernet switch on your network for your LAN clients. You will also need to define a network subnet to use for your LAN, say 10.10.1.0/24 and decide what IP to assign to the pfSense LAN port (e.g 10.10.1.1) which will then become the default gateway for your local LAN.

If your wifi is integrated with the Modem then any device on the Wifi will be 'outside' your network as far as pfSense is concerned and will need firewall rules setup if you wish to access any of the resources running on the Proxmox host. The alternative is to install your own wifi access points on the LAN

and pfsense will route between vtnet0 (PFSense WAN) and vtnet1 (PFSense LAN).

Correct

And then for each other VM that I would like to be able to connect to the internet, I would create a bridge to eth2 right?

Each VM or CT would be connected to vmbr0 and would access the internet via the pfSense VM

One thing the guide doesn't warn you about is that - if your WAN interface address is assigned by your Modem dhcp server and is on a 192.168.x.x network then you need to go to Interfaces/Wan/Reserved Networks and disable the "Block private networks and loopback addresses" option, otherwise it won't work.

 

[Zx4ACQQ7]

You're almost there in your understanding. You create a virtual bridge (vmbr) on a port to allow Proxmox to assign the port to a virtual machine (VM) or a container (CT). It can be helpful to think of a vmbr as a virtual network switch which Proxmox will attach VM's and CT's with the switch 'uplink port' being the physical port to which the vmbr is attached. which in turn allows the VM's to reach the outside world.

Thank you very much for your help.
One clarification, do you mean port or network interface card? Are eth0, eth1 and eth2 different ports (e.g. 3 ports of a single Intel i350 NIC or different cards (3 x Intel i350 NIC)?
Sorry for being pedantic, I just find that sometimes terms are overloaded and I get confused.
Following from this question, can you actually only create a bridge to a single port of a multi-port card? So far I was thinking that you are only allowed to pass all ports together by passing the NI card through (kind of like PCI passthrough).

 

[bobmc]

most people would use 'nic' generically unless you needed to be specific about which interface you were referring to - i.e port1 or WAN port

Following from this question, can you actually only create a bridge to a single port of a multi-port card? So far I was thinking that you are only allowed to pass all ports together by passing the NI card through (kind of like PCI passthrough).

If you're considering pci passthrough, it's very much hardware dependent and how the ports are allocated to IOMMU groups. They may be independently selectable for passthrough, they may not. Personally, I wouldn't do it for network ports as there is very little performance benefit to be gained.

Equally I wouldn't consider bonding ports in a home environment, it only ever makes sense on large networks.