Proxmox Host Machine & Proxmox VMs firewall through pfSense VM

[broskees]

I'm trying to set up a network configuration where the Proxmox host machine and VMs are set to go through pfSense which is in a VM. See the diagram below:I have the pfSense VM functioning and when I use the LAN port to go to the switch, everything works fine. But Proxmox itself is not accessible from the devices connected to that switch. How can I achieve what I'm trying to do?

I've looked at some webpages already on this issue, linked below, but it is unclear to me how to set this up:

• https://forum.proxmox.com/threads/how-to-put-proxmox-host-behind-pfsense-vm.100391/
• https://www.reddit.com/r/PFSENSE/comments/hnyt9p/is_it_possible_to_setup_pfsense_inside_proxmox_to/
• https://www.reddit.com/r/PFSENSE/comments/8q7ev5/pfsense_on_proxmox_does_this_setup_make_sense/
• https://www.reddit.com/r/Proxmox/comments/o8pqbu/can_the_proxmox_host_connect_to_its_pfsense_vm/
• https://forum.proxmox.com/threads/proxmox-as-host-for-main-pfsense-router.73912/
• https://docs.netgate.com/pfsense/en...-proxmox-ve.html#virtualizing-with-proxmox-ve

 

[Dunuin]

First you need to tell us your PVE hosts network configuration: cat /etc/network/interfaces

 

[broskees]

@Dunuin Thanks for the quick reply!
I'll include anything I think is relevant here as well as /etc/network/interfaces.

I feel like its relevant here that I tried to follow along with the settings mentioned here & here, to no avail. So that's why my settings are as they are. Currently, my proxmox host is inaccessible through the web-gui, but I do have access to the host machine.

I have two nics. The onboard NIC on my server, and a qlogic 10gbe sfp+ nic I added. I can't use the sfp+ nic for the wan unfortunately. So I have the first port on the onboard NIC as the WAN, and a port on the qlogic nic as the lan.

I can access pfsense dashboard - so I've included the port assignments in a screenshot here:


/etc/network/interfaces:

auto lo

iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

iface enp3s0f0 inet manual

iface enp3s0f1 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0

auto vmbr2
iface vmbr2 inet manual
        bridge-ports enp3s0f0
        bridge-stp off
        bridge-fd 0

auto vmbr3
iface vmbr3 inet static
        address 192.168.2.169/24
        gateway 192.168.2.1
        bridge-ports enp3s0f1
        bridge-stp off
        bridge-fd 0

/etc/hosts:

127.0.0.1 localhost.localdomain localhost
192.168.2.169 pve.mynetworksettings.com pve

# The following lines are desirable for IPv6 capable hosts

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

/etc/resolv.conf:

search mynetworksettings.com
nameserver 192.168.2.1

 

[Dunuin]

And enp3s0f1 is the 10Gbit NIC and that is connected to your switch and vmbr3 is your LAN bridge with a virtio NIC attached to it used in pfsense for LAN?

 

[broskees]

@Dunuin Also as of right now. I have a router between the ONT & pfSense, because I'm still in the process of moving my network over to the pfsense network. Not sure if that is relevant.

 

[broskees]

And enp3s0f1 is the 10Gbit NIC and that is connected to your switch and vmbr3 is your LAN bridge with a virtio NIC attached to it used in pfsense for LAN?

yes

 

[vesalius]

Is 192.168.2.1 the pfsense lan IP? What is the lan subnet mask from pfsense? Is anything else on your internal network besides pfsense connected to the older router?

 

[broskees]

@Dunuin & @vesalius => Turned out to be the other router. I'm not sure why that mattered. It is a Verizon router though so perhaps the ISP was doing something funky, but when I removed it and rebooted pfSense, everything just started working.