Proxmox and pfsense

[dragoncloud]

Hi all . im new on this and discovering a lot proxmox. i rented a dedicated server on server4you and used a debian buster to install the proxmox. so far so good.
but i wanted to install pfsense to secure some VMs inside that server. ok arrived to the red zone. i have the lan part of the pfsense working, vms receive ip dns everything ok. but i cannot make the pfsense go to the internet on that host. i have one ip on one range, gave with the host server then after a lot of search i saw one video that the guy have 2 ips. then i got the 2nd ip but its nt on the same range then the first one. now i ask for help for one configuration similiar of mine or help how to configure this.
i leave here the interfaces file

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
address 62.xxx.xxx.xxx/24
gateway 62.xxx.xxx.xxx
bridge-ports eth0
bridge-stp off
bridge-fd 0

auto vmbr2
iface vmbr2 inet static
address 172.25.1.2/24
bridge-ports none
bridge-stp off
bridge-fd 0

 

[bobmc]

This will be a little tricky to setup on a hosted server as you only have one public IP which can't be used by both Proxmox and PfSense at the same time. The second IP (172.25.1.2/24) is a private address so will be fine for the 'LAN' side of your pfSense but pfSense also needs to use the 62.xxx.xxx.xxx as the 'WAN' address to provide internet access.

 

[dragoncloud]

i have a second ip from them but its not on the same range is a 217.xxx.xxx.xxx and it have no gateway

 

[bobmc]

If you can assign the 217.xxx.xxx.xxx port as the management port for Proxmox, then pfsense could use vmbr0 as the WAN link. You would need to move the IP assignment from vmbr0 and set it as a static address in pfSense. Then you would define NAT rules in pfSense to access your VM's and containers

 

[bobmc]

Otherwise, you could route and NAT on the host itself and do without pfSense at all.

auto lo iface lo inet loopback auto eth0 #real IP address iface eno1 inet static address 62.xxx.xxx.xxx/24 netmask 255.255.255.0 gateway 62.xxx.xxx.xxx auto vmbr0 #private sub network iface vmbr0 inet static address 172.25.1.2 netmask 255.255.255.0 bridge-ports none bridge-stp off bridge-fd 0 post-up echo 1 > /proc/sys/net/ipv4/ip_forward post-up iptables -t nat -A POSTROUTING -s '172.25.1.0/24' -o eno1 -j MASQUERADE post-down iptables -t nat -D POSTROUTING -s '172.25.1.0/24' -o eno1 -j MASQUERADE

 

[dragoncloud]

Otherwise, you could route and NAT on the host itself and do without pfSense at all.

auto lo iface lo inet loopback auto eth0 #real IP address iface eno1 inet static address 62.xxx.xxx.xxx/24 netmask 255.255.255.0 gateway 62.xxx.xxx.xxx auto vmbr0 #private sub network iface vmbr0 inet static address 172.25.1.2 netmask 255.255.255.0 bridge-ports none bridge-stp off bridge-fd 0 post-up echo 1 > /proc/sys/net/ipv4/ip_forward post-up iptables -t nat -A POSTROUTING -s '172.25.1.0/24' -o eno1 -j MASQUERADE post-down iptables -t nat -D POSTROUTING -s '172.25.1.0/24' -o eno1 -j MASQUERADE

bobmc i did like this
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
address 62.xxx.xxx.xxx/24
netmask 255.255.255.0
gateway 62.xxx.xxx.xxx
bridge_ports eno1
bridge_stp off
bridge_fd 0

auto vmbr1
iface vmbr1 inet static
address 10.10.10.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

Now vmbr1 is my wan of the pfsense and created a vmbr2 for the LAN of pfsense.
Now pfsense have internet, but with me nothing is easy now the VMs have all from pfsense but no internet.

Gonna dig a litle more now on this next problem.

 

[bobmc]

Probable cause is pfsense is blocking private ip addresses on the wan side - see
https://docs.netgate.com/pfsense/en/latest/recipes/rfc1918-egress.html