Proxmox behind PfSense

[Deleted member 121278]

Hi, I'm new and I don't know if I'm writing in the right section. I ask why I haven't found any posts that fit my needs and I don't know how to do it. I have a small ryzen mini pc with 2 lan ports (eno1 and enp0s1). I created vmbr0 (linked to eno1) and vmbr1 (linked to enp0s1). PfSense uses vmbr0 as WAN and vmbr1 as LAN, so much so that if I connect a network cable to the lan port enp0s1 I can reach the PfSense configuration page.

For now it is connected: ISP -> Main router (192.168.1.1) -> proxmox on lan eno1 (192.168.1.100 static) -> pfsense (wan dhcp and lan 192.168.100.1)

I would like to make: ISP -> PfSense VM (wan dhcp and lan 192.168.100.1) -> LAN (192.168.100.x). And Proxmox (with static ip 192.168.100.2) behind pfSense VM.
Is possible?

 

[vesalius]

Yes you most certainly can. Although I would recommend opnsense instead of pfsense, but regardless the fix is the same.

Under the GUI menu select "PVE" on the right then "network" from the menu, which should show you all the interfaces (eno1, enp0s1, etc) and any Bridges you have created (vmbr0, vmbr1, etc..)

vmbr0 likely has a CIDR of 192.168.1.100 and GATEWAY of 192.168.1.1 ultimately you will need to edit and delete these from vmbr0
vmbr1 will need to be edited and add a CIDR of 192.168.100.2 and a Gateway of 192.168.100.1

You will also need to edit the HOST file (switch out 192.168.1.100 for 192.168.100.2) and potentially the DNS, check it to be sure 192.168.1.1 is not the primary dns) before you restart which can be done from the same gui as they are the same menu just below the Network. If you don't edit the host file you will get locked out of the webgui after restart.

Check your work a couple of times before you restart, especially if you don't have direct console access to the proxmox machine. I would suggest making sure your pfsense firewall is set to start on boot first in proxmox as well.

 

[Dunuin]

Did you tried to add a IP and gateway to vmbr1?

 

[das1996]

To throw in a wrench into the works...

Why not use pci passthrough for en01 (wan). Give pfsense/opensense/whatever direct access to this nic. I think this is marginally more secure than using a virtualized nic for wan. As far as proxmox is concerned, it has no access to wan unless permitted by the firewall (pfsense). I suspect this scenario might also improve latency as packets have fewer layers to traverse to get online. Also this eliminates any configuration settings wre to the wan nic.

 

[Deleted member 121278]

FIXED LIKE THIS. But I've removed bridge-pvid 4095

/etc/network/interface

/etc/hosts

/etc/resolv.conf

 

[vesalius]

To throw in a wrench into the works...

Why not use pci passthrough for en01 (wan). Give pfsense/opensense/whatever direct access to this nic. I think this is marginally more secure than using a virtualized nic for wan. As far as proxmox is concerned, it has no access to wan unless permitted by the firewall (pfsense). I suspect this scenario might also improve latency as packets have fewer layers to traverse to get online. Also this eliminates any configuration settings wre to the wan nic.

That will work, but can be more trouble than it is worth dependent on MB/Bios/and network adapter support. I actually prefer a third option SR-IOV, which even more frequently be more trouble than it is worth because of similar sparse support and dependencies.

nice to setup up the easy way with a Linux bridge first and confirm everything works with Proxmox on the network lan side and then fiddle around with the 1 WAN interface variable from a known working state.