Proxmox and OPNsense transparent firewall not working

janczmok

Member
Feb 19, 2021
Dear All,
I am having a problem deploying a transparent firewall as a VM on our Proxmox.

Proxmox is 7.3-3

Network config straightforward:

iface bond0 inet manual
bond-slaves eth0 eth1
bond-miimon 100
bond-mode 802.3ad
bond_updelay 200
bond-min-links 1

iface vmbr0 inet static
address 10.200.12.14/24
gateway 10.200.12.1
bridge-ports bond0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094

opnsense-vm has 3 network interfaces configured:
net0: e1000, bridge=vmbr0, tag=340
net1: e1000, bridge=vmbr0, tag=341
net2: e1000, bridge=vmbr0, tag=342

net0 is LAN, net1 is WAN, net2 is OPT1 (in opnsense terms)
(permit rules in opnsense FW exist)
net1 and net2 are members of a bridge in OPNsense.
I want to achieve that traffic between net1 and net2 is bridged, e.g. I create rules to selectively allow some traffic to pass on the transparent firewall.

The issue is:
1) If I configure an IP on the respective interface/VLAN I can ping the firewall and the adjacent side.
2) If I just have the bridge active and NO IP address configured (hence "transparent firewall"), no traffic is passed.
3) In summary, IP traffic works if an IP is configured on the interface; if no IP is configured, traffic is not bridged.

It seems to be a problem somehow with some settings on Proxmox. I also tried different bridge-vids settings but no luck.
So ... Layer 3 works if configured, Layer 2 does not.

Any insight or ideas?
 
Unasked-for advice: use paravirtualized VirtIO for the network devices instead of e1000. It's faster and takes up less host CPU. Only use e1000 if some unusual requirement forces it.

So you want to bridge OPNsense WAN (net1) to OPNsense OPT1 (net2)? Seems unusual that you would not just create exit firewall rules.

To be clear, when getting traffic to flow as you expect, where are you configuring an IP for the bridge ... in OPNsense or in Proxmox?

The Proxmox host gateway, 10.200.12.1, is that OPNsense or is that another router? If another router, is OPNsense also using that for WAN access?

I assume the LACP bond is attached to a VLAN-capable switch and you have verified traffic can move both ways via the expected VLANs? What is the untagged/native VLAN on the LACP switch ports? What are the untagged VLANs on the LACP switch ports?
 
I'll explain: to replace an FWSM I need a transparent firewall setup, hence I use LAN as the mgmt interface only, and WAN<->OPT1 for the transparent bridge. On the WAN side there is a router with IP 1.1.1.1/24 (example); on the OPT1 side there is the client network (1.1.1.10-100/24) which needs specific permissions.
So Proxmox is just hosting the firewall VM and is connected to the switches (Cisco Nexus) via an LACP bond, and I have tagged it on the Proxmox side.
To be clear:
- Proxmox to Cisco -> LACP with a trunk of multiple VLANs, works fine
- net0 -> vmbr0 VLAN 340; net1 -> vmbr0 VLAN 341; net2 -> vmbr0 VLAN 341
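As an added diagnostic for the setup discussed in this thread (example code, not from the thread, Proxmox or OPNsense): the script below reads a VM's netN lines as printed by `qm config <vmid>` together with the host's `bridge vlan show` output and reports the host-side conditions that stop, or silently bypass, Layer-2 bridging inside the guest: a tap interface that is not a member of the VLAN its tag names, a VLAN the uplink trunk does not carry (the bridge-vids question raised in the first post), two guest-bridge members that share one VLAN on the same host bridge (the host bridge then switches between the two taps itself, bypassing the firewall, and the guest bridge closes a loop), and the per-NIC Proxmox firewall, whose MAC filter (macfilter, on by default) drops frames whose source MAC is not the NIC's own, which is every frame a transparent firewall forwards. Assumptions: VMID 100, so the host-side interfaces follow Proxmox's tap100iN naming; bond0 as the uplink as in the posted config; net1 and net2 as the bridged pair. Both sample inputs are constructed, the first modelled on the three interfaces in the opening post, the second a deliberately looped variant.

```python
"""Host-side checks for a transparent-firewall VM on a VLAN-aware Proxmox bridge.
Added example, not from the thread; all sample input below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Nic:
    idx: int
    bridge: str
    tag: Optional[int]
    firewall: bool

@dataclass
class VlanEntry:
    vids: Set[int]
    pvid: bool
    untagged: bool

def parse_vm_nics(config_text: str) -> List[Nic]:
    """netN lines from `qm config`, or the looser 'net1: e1000, bridge=vmbr0, tag=341'."""
    nics = []
    for raw in config_text.splitlines():
        m = re.match(r"^net(\d+):\s*(.+)$", raw.strip())
        if not m:
            continue
        parts = [p.strip() for p in m.group(2).split(",")[1:] if "=" in p]
        opts = dict(p.split("=", 1) for p in parts)
        nics.append(Nic(int(m.group(1)), opts.get("bridge", ""),
                        int(opts["tag"]) if "tag" in opts else None,
                        opts.get("firewall") == "1"))
    return nics

def parse_bridge_vlan_show(text: str) -> Dict[str, List[VlanEntry]]:
    """Port name in column 1, then one VID or VID range per line plus flags."""
    table: Dict[str, List[VlanEntry]] = {}
    port = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "port":      # blank or header line
            continue
        if not raw[0].isspace():                   # a new port starts here
            port = tokens.pop(0)
        if tokens and port:
            lo, _, hi = tokens[0].partition("-")
            table.setdefault(port, []).append(VlanEntry(
                set(range(int(lo), int(hi or lo) + 1)), "PVID" in tokens, "Untagged" in tokens))
    return table

def vlan_on(table: Dict[str, List[VlanEntry]], port: str, vid: int) -> Optional[VlanEntry]:
    return next((e for e in table.get(port, []) if vid in e.vids), None)

def check_transparent_fw(vm_config: str, bridge_vlan: str, vmid: int = 100,
                         uplink: str = "bond0", members: Tuple[int, ...] = (1, 2)) -> List[str]:
    """members = netN indices bridged together inside the guest (assumed: net1, net2)."""
    nics, table, findings = parse_vm_nics(vm_config), parse_bridge_vlan_show(bridge_vlan), []
    for n in nics:
        if n.tag is None:
            continue
        tap = f"tap{vmid}i{n.idx}"                 # Proxmox host-side NIC name
        entry = vlan_on(table, tap, n.tag)
        if entry is None:
            findings.append(f"net{n.idx}: {tap} is not in VLAN {n.tag} on {n.bridge}")
        elif not (entry.pvid and entry.untagged):
            # tag=N should be PVID+untagged, else the guest sees 802.1Q headers
            findings.append(f"net{n.idx}: VLAN {n.tag} on {tap} is not PVID/untagged")
        if vlan_on(table, uplink, n.tag) is None:
            findings.append(f"net{n.idx}: VLAN {n.tag} not allowed on uplink {uplink}")
    by_idx = {n.idx: n for n in nics}
    bridged = [by_idx[i] for i in members if i in by_idx]
    for i, a in enumerate(bridged):
        for b in bridged[i + 1:]:
            if (a.bridge, a.tag) == (b.bridge, b.tag):
                # host bridge forwards tap-to-tap itself (bypass) and the guest bridge loops
                findings.append(f"net{a.idx} and net{b.idx} share VLAN {a.tag} on {a.bridge}")
        if a.firewall:
            # PVE per-NIC firewall macfilter (default on) drops frames whose source MAC
            # is not the NIC's own, which is every frame the guest bridges
            findings.append(f"net{a.idx}: firewall=1 with macfilter drops bridged frames")
    return findings

SAMPLE_VM_CONFIG = """\
net0: e1000=BC:24:11:00:00:01,bridge=vmbr0,tag=340
net1: e1000=BC:24:11:00:00:02,bridge=vmbr0,tag=341
net2: e1000=BC:24:11:00:00:03,bridge=vmbr0,tag=342
"""
# variant: both guest-bridge members on one VLAN, PVE firewall enabled on net1
LOOPED_VM_CONFIG = """\
net0: e1000, bridge=vmbr0, tag=340
net1: e1000, bridge=vmbr0, tag=341, firewall=1
net2: e1000, bridge=vmbr0, tag=341
"""
SAMPLE_BRIDGE_VLAN = """\
port              vlan-id
bond0             1 PVID Egress Untagged
                  2-4094
tap100i0          340 PVID Egress Untagged
tap100i1          341 PVID Egress Untagged
tap100i2          342 PVID Egress Untagged
"""
```

Run it as `check_transparent_fw(SAMPLE_VM_CONFIG, SAMPLE_BRIDGE_VLAN)`, which returns an empty list for the first sample and three findings for the looped variant. On a real host, capture `qm config <vmid>` and `bridge vlan show` and pass those strings in; if the checks come back clean, `tcpdump -eni tap100i1` and `tcpdump -eni tap100i2` on the PVE host will show whether frames with the client's source MAC are leaving the guest on the far side at all, which separates a guest-side bridge problem from a host-side one.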