Proxmox and pfSense: How does proxmox know "not to listen" on the port connected to WAN?

O

ott

New Member
Dec 17, 2021
18
2
3
44
When using proxmox to run pfSense, i.e. as the edge router/firewall: How does proxmox know "not to listen" on the port connected to WAN?

As I have learned, per default Proxmox listens on all interfaces (https://pve.proxmox.com/pve-docs/pveproxy.8.html)

I have run pfSense bare metal for years, but got new HW and consider running pfSense as VM. Arguments regarding whether to run edge router/firewall as VM aside. How do you set up (harden) proxmox/cluster such that it "secure"?
 
Hi,
if you don't give the WAN interface an IP in /etc/network/interfaces it won't listen on that interface. So for example something like this if eno1 is your wan interface.

Code: 
iface eno1 inet manual


auto vmbr0
iface vmbr0 inet static
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

iface eno2 inet manual

auto vmbr1
iface vmbr1 inet static
    address 192.168.10.20/24
    gateway 192.168.10.1
    bridge-ports eno2
    bridge-stp off
    bridge-fd 0

pfSense would need both vmbr0 and vmbr1 :)
 
  • Like
Reactions: ott
Thanks again!

So, in your example, eno1 will never get an IP (even if my ISP provides one) since it is set to manual? However, if it was iface eno1 inet dhcp it would, right?

The pfsense VM has a two vNICs connected to each of the vmbr's (vWAN -> vmbr0 and vLAN -> vmbr1). vLAN naturally has my .1 IP, and vWAN is assigned an IP from my ISP, correct?
 
So, in your example, eno1 will never get an IP (even if my ISP provides one) since it is set to manual?
Click to expand...
Yes without DHCP it will never try to get one.

However, if it was iface eno1 inet dhcp it would, right?
Click to expand...
Yes that would happen. On a sidenote: as far as I remember it is not idea to let the physical interface have an IP if there is a network bridge attached.

vLAN naturally has my .1
Click to expand...
.1 in the some local network i presume ;)

IP, and vWAN is assigned an IP from my ISP, correct?
Click to expand...
Yes you should get an IP via DHCP on that interface.
 
  • Like
Reactions: ott
shrdlicka said:
.1 in the some local network i presume ;)
Click to expand...
Yes, correct.

Is there any (security) benefit to adding host based access control(/etc/default/pveproxy)? e.g.:
Code: 
ALLOW_FROM="10.0.0.0/24"
DENY_FROM="all"
POLICY="allow"
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom