PFSense with 1 NIC in homelab

ikmk3

Member
Mar 16, 2021
Hello guys,

First of all, thank you for all the knowledge you share here with all the newbies (I have close to zero idea about networking) who are starting nowadays. I have been reading this forum for some weeks, and I finally decided to install Proxmox VE on my Intel NUC. I have already installed it and have some LXC containers running my Apache, RStudio, Flask apps, ... and they are running with no problems.

Now, I want to secure my home network because my family has many devices connected and I don't want to create any kind of security problems (neither from me to others nor from others to me). All the devices are connected to the ISP router, either by wired connection or via Wi-Fi. My ISP router does not provide VLAN/subnet creation, so all my devices (including the Intel NUC running Proxmox) are on the same network, 192.168.1.X. My current setup idea is to have a completely "isolated" environment for Proxmox, so the containers and VMs created in Proxmox cannot reach the rest of my home devices, and ideally to have some subnets on it to allocate different kinds of services (some with WAN access, others without it).

Right now, the Intel NUC running Proxmox is directly connected by an ethernet cable to the ISP router, and this Intel NUC has only 1 NIC, which is not desirable from what I read in this forum. I managed to get 1 unused Netgear GS308E switch from a friend, so I hope this could help.

I'm so lost on how I can do this. I tried setting up a pfSense VM in Proxmox, but it only detects 1 interface (which I think is normal if I only have 1 NIC).

My main question is this:


I'm sorry if I miss adding information that could help you answer me; as I said at the beginning, I'm very new at this. I attach 2 files: one is an overview of my actual situation, and the second one is an overview of my desired situation. I don't even know if this makes any sense, so it would be great if you guys could guide me if possible.

Thank you in advance guys!
 

Attachments: png1.png (actual situation), desired.png (desired situation)
If the networks you are trying to isolate towards your home network are all VMs inside of Proxmox, there is no need for a switch.
vmbr0 becomes WAN for pfSense and a new bridge (vmbr1) becomes LAN for pfSense and every single VM also gets vmbr1 as their NIC. This way everything inside of Proxmox goes through the one NUC NIC and will not be reachable from the home network, as long as you don't define static routes in your ISP router.
 

Hello, and thanks for your reply! So appreciated ^^

Here is my actual configuration from /etc/network/interfaces. I don't know if it's properly set up, but my LAN network things are:
  • 192.168.1.2: static IP for the NUC (Proxmox host)
  • 192.168.1.1: my actual ISP router's IP

1616091447721.png


I configured pfSense with a VLAN (tag 10) and set the interfaces as follows (after reading some tutorials):

1616091700593.png

WAN is pointing to my ISP router, which is the actual WAN source for pfSense (is this ok?). Now, LAN points to pfSense, which I don't know if it's correct...

With the actual configuration, containers and VMs have internet access even if I set no IP for the WAN. From what I understand, this is because vmbr0 has my ISP router as the gateway, so whatever I put here, pfSense is not handling the traffic at the moment...


Am I missing something so far? Does it make sense so far? Or should I redo part/all of my config?


Now, under the "Network" tab at node level, I have the following:

1616091862594.png
As I said before, 192.168.1.2 is my Proxmox host and 192.168.1.1 is my ISP router.

How should I configure vmbr1 to follow what you suggest? I cannot set a default gateway or port because Proxmox throws an error. What CIDR should I choose for this? The pfSense IP?

1616092449847.png


Thank you again for your reply and patience ^^
 

Attachments: 1616091227060.png, 1616092434432.png
Besides the fact that I doubt that having a tagged VLAN and the untagged VLAN in the same subnet is going to work, you're almost there.
Leave everything blank in vmbr1, just define it. Then assign it to pfSense as net1 and use it as LAN interface inside pfSense.
LAN and WAN have to use different subnets but I suppose pfSense will also tell you that.
Every other VM also gets vmbr1 as its NIC, not vmbr0. Then their traffic has to go through pfSense. Don't forget to activate the DHCP server there. ;)

Do you really use VLANs? If so, and pfSense should be able to route them, vmbr1 should be defined as VLAN aware.
 

So, as you said, I created a "blank" bridge and assigned it to the pfSense VM:

1616097234883.png


Now, I restored the pfSense config to default and pfSense auto-assigned the pfSense IP as WAN:

1616097017168.png

Is this right?

I followed the webConfigurator via the pfSense GUI and I ended up with this config:

1616097873357.png

I think this is correct.

I created a container just to check if this worked, and it seems not to have an internet connection. A simple apt update got stuck and it can't ping anywhere:

1616098154550.png

I rebooted the pfSense VM since the LAN interface seems not to be detected in the Traffic Graphs dashboard, and the result was as follows in the pfSense console:

WAN (wan) -> vtnet0 -> v4/DHCP: 192.168.1.3/24 (which is the ip of pfSense VM)
LAN -> vtnet1 -> (blank)

I also lost the connection to GUI.

Now, I created an LXC with vmbr1 as the only network device, and it has no connection to the internet and cannot ping local VMs (neither pfSense nor the host). I don't know if this is due to a bad IP for WAN/LAN or something else.

Thank you for your help ^^ I'm learning a lot with your help
 
As I said above, activate DHCP on your pfSense; then the container should receive an address. The network to be used you define inside the interface tab of pfSense. This should differ from vmbr0, though.
And the fact that you don't have any access is most probably because pfSense is a production-grade firewall. You have to allow traffic for anything to work. ;)
 

With the following configuration:

WAN

1616109449394.png

LAN

1616109552709.png


I'm still having issues. I created a new container (with the vmbr1 bridge) with DHCP IP configuration and also with a manually entered IP, and I'm still not getting communication to INET/LAN.

I enabled the rule to allow all the traffic from the container to anywhere, with no luck.

I think I'm missing something simple, but I can't get it.

Many thanks!

Edit:

The IP of the pfSense appears twice in my ISP router. The second line corresponds to the pfSense net0 interface, but I don't know what the first line corresponds to. I'm constantly losing access to the pfSense UI, and I think this is causing something weird because of duplicated IPs:

1616110173748.png


pfSense console:

1616110230633.png
Your LAN address on the pfSense does not have a subnet assigned to it. In your pfSense GUI you need to make a few changes.

  1. Interfaces-> Lan: Change IPv4 Configuration Type from DHCP to Static IPv4
  2. Static IPv4 Configuration -> IPv4 Address: 192.168.X.1 (change x to some number between 2 and 255) [WARNING. DON'T USE 1 or you'll mess with your regular network].
  3. Same Section to the right of that. Make sure that is /24
  4. Service -> DHCP Server: Check the box that says enable
  5. Same section: In Range put 192.168.X.1 (where X is the same number you put earlier) in the from box
  6. Same Section: In Range put 192.168.X.254 in the to box
  7. Go to Firewall->rules->LAN: Add a rule: Action PASS, Interface LAN, Address Family IPv4, Source LAN net, Destination ANY
  8. Make sure to save changes and apply

All of those should get your LAN interface set up to issue leases.
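Added example for this thread (not code from any of the posts): it turns the advice above (vmbr0 as WAN, an empty vmbr1 as LAN, LAN in a different subnet than the ISP's 192.168.1.0/24, DHCP pool up to .254, a LAN-net-to-any pass rule) into a small addressing check, so you can see why X=1 breaks and X=10 works before touching the GUI. The NIC name `eno1`, the host address 192.168.1.2 and the LAN octet are assumptions taken from the posts or chosen here.

```python
import ipaddress

def proxmox_bridges(host_ip="192.168.1.2/24", isp_gw="192.168.1.1", nic="eno1"):
    """/etc/network/interfaces stanzas (assumed NIC name): vmbr0 on the single NIC
    becomes the pfSense WAN; vmbr1 has no ports and no address and is the pfSense
    LAN plus the only NIC of every VM/container."""
    return (
        f"auto vmbr0\niface vmbr0 inet static\n\taddress {host_ip}\n"
        f"\tgateway {isp_gw}\n\tbridge-ports {nic}\n\tbridge-stp off\n\tbridge-fd 0\n\n"
        "auto vmbr1\niface vmbr1 inet manual\n\tbridge-ports none\n"
        "\tbridge-stp off\n\tbridge-fd 0\n"
    )

def lan_plan(x, wan_cidr="192.168.1.0/24"):
    """LAN = 192.168.X.0/24 with pfSense at .1, a DHCP pool ending at .254 and the
    'LAN net -> any' pass rule from step 7. The pool starts at .2 so that the
    gateway's own address is never handed out as a lease."""
    lan = ipaddress.ip_network(f"192.168.{x}.0/24")
    gw = lan.network_address + 1
    return {
        "wan": ipaddress.ip_network(wan_cidr), "lan": lan, "gateway": gw,
        "dhcp_from": gw + 1,                      # 192.168.X.2
        "dhcp_to": lan.broadcast_address - 1,     # 192.168.X.254
        "rule": ("pass", "LAN", "IPv4", f"{lan} (LAN net)", "any"),
    }

def check_plan(p):
    """Problems that break routing or that the DHCP server will not accept."""
    out = []
    if p["lan"].overlaps(p["wan"]):
        out.append("LAN overlaps WAN: choose another third octet")
    if p["gateway"] not in p["lan"]:
        out.append("gateway is outside the LAN subnet")
    if not (p["dhcp_from"] in p["lan"] and p["dhcp_to"] in p["lan"]):
        out.append("DHCP range lies outside the LAN subnet")
    if p["dhcp_from"] > p["dhcp_to"]:
        out.append("DHCP range is reversed")
    if p["dhcp_from"] <= p["gateway"] <= p["dhcp_to"]:
        out.append("DHCP pool includes the gateway address")
    return out

if __name__ == "__main__":
    print(proxmox_bridges())
    for x in (1, 10):                             # 1 is the warned-against choice
        print(x, check_plan(lan_plan(x)) or "ok")
```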
 

Hello, and thank you for your answer!!

I learned a lot these last weeks, so I started understanding a little bit how this works (obviously this is just noob knowledge :D)

I also switched to OPNsense over pfSense

I configured my firewall VM with 2 vmbr0 network adapters (one WAN, another LAN), and I have it working now. The config is as follows:

1617139596133.png


Now, I'm messing with the Unbound DNS service. I can use it within the LAN (I can ping machines using the hostnames configured in Unbound DNS in OPNsense), but I would like to use it on my "local machine". Let's say I would like to type "http://flask.homelab.com" on my MacBook and access my Flask server interface.

How should I achieve this? I'm reading a lot, but I can't solve my problem.

Thank you!
 
Usually you configure homelab.com as the "domain" property in the DHCP settings and tell the DHCP server to register the leases and hostnames in DNS entries. That way you can query your OPNSense for local domain names.
 
Hello, thank you for your answer!

Here is my actual config for the Unbound part:

1617173898847.png


and here is my config in "System -- > Settings --> General":

1617174088789.png
1617174112014.png
 
I recommend adding the domain in the dhcp settings of the lan interface as well, so that the clients also know it. The rest looks good, does it not work?
 

Hi, DHCP is disabled in both LAN and WAN:

1617185320110.png

I disabled it in my OPNsense configuration from the CLI, because I want to manually set the IPs of the containers.

Should I enable it?
 
I tried it with no luck :(

I configured the OpenVPN server to push the DNS and the domain name to my /etc/resolve.conf file, but I cannot find a way to achieve it without using OpenVPN
 
Either your dhcp does that or you have to define these values on your VMs yourself. How else do you think it should work? That's what the dhcp is for.
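Added example for the last two replies (not code from any post): it shows exactly what the firewall's DHCP server would hand to a client when the domain is set (options 6 and 15 from RFC 2132) and the equivalent resolv.conf lines a statically addressed container has to carry itself. The LAN address 192.168.10.1 and the homelab.com domain are assumptions taken from or chosen for this thread.

```python
import ipaddress

OPT_DNS_SERVERS, OPT_DOMAIN_NAME, OPT_END = 6, 15, 255

def encode_options(dns, domain):
    """DHCP options as type/length/value bytes: option 6 = DNS server list,
    option 15 = domain name, terminated by the end option 255."""
    servers = b"".join(ipaddress.IPv4Address(s).packed for s in dns)
    name = domain.encode("ascii")
    return (bytes([OPT_DNS_SERVERS, len(servers)]) + servers
            + bytes([OPT_DOMAIN_NAME, len(name)]) + name + bytes([OPT_END]))

def decode_options(blob):
    """Walk the TLV list back into a dict, the way a DHCP client does per lease."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        code, length = blob[i], blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if code == OPT_DNS_SERVERS:
            opts["dns"] = [str(ipaddress.IPv4Address(value[j:j + 4]))
                           for j in range(0, length, 4)]
        elif code == OPT_DOMAIN_NAME:
            opts["domain"] = value.decode("ascii")
        i += 2 + length
    return opts

def resolv_conf(opts):
    """What a DHCP client writes to /etc/resolv.conf; a container with a static IP
    needs these same lines configured by hand (or by the container template)."""
    lines = [f"search {opts['domain']}"] + [f"nameserver {s}" for s in opts["dns"]]
    return "\n".join(lines) + "\n"

def qualify(host, opts):
    """The search domain is what lets 'flask' resolve as 'flask.homelab.com'."""
    return host if "." in host else f"{host}.{opts['domain']}"

if __name__ == "__main__":
    # Constructed sample lease: Unbound on the OPNsense LAN address, domain homelab.com
    blob = encode_options(["192.168.10.1"], "homelab.com")
    opts = decode_options(blob)
    print(resolv_conf(opts), qualify("flask", opts))
```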
 
