Proxmox hosting pfSense as a firewall to DMZ web server

trilljester

Active Member
Oct 9, 2018
Hi all,

I've read a bunch of articles about this, but I can't seem to find a specific article for my use case. Here it is:

I will be hosting a web server on public WAN and would like pfSense to be the firewall that only allows traffic from ports 80/443 into the DMZ to that web server. The pfSense firewall will be virtualized on my Proxmox host.

What I think I should do:

So, from the articles I read I'd need to create 2 Linux Bridges, vmbr0 (DMZ network) and vmbr1 (Public WAN facing). The host I have has 4 NICs, but I'm thinking I'll only need to use 1 since pfSense will be handling NAT.

So for vmbr0, I'm assuming I'll set that IP to be the subnet of the internal DMZ network. vmbr1 will have no configuration, just a bridge with the physical NIC in it. Then once that's done, I'll need to create the VM for pfSense with 2 NICs, one tied to vmbr0 and vmbr1. I think that's the correct method, but would love someone to confirm.

Also, could someone post an example /etc/network/interfaces layout that would work? I'm a bit confused on that part.

I also will probably need to temporarily hook up the Proxmox host to a dumb switch and then my laptop with an IP on the same DMZ subnet so I can access the management interface to install the pfSense VM.

If there's a better way to do it, all advice/tips appreciated! Thank you.
 
> So, from the articles I read I'd need to create 2 Linux Bridges, vmbr0 (DMZ network) and vmbr1 (Public WAN facing). The host I have has 4 NICs, but I'm thinking I'll only need to use 1 since pfSense will be handling NAT.
>
> So for vmbr0, I'm assuming I'll set that IP to be the subnet of the internal DMZ network. vmbr1 will have no configuration, just a bridge with the physical NIC in it. Then once that's done, I'll need to create the VM for pfSense with 2 NICs, one tied to vmbr0 and vmbr1. I think that's the correct method, but would love someone to confirm.
Is the DMZ network only supposed to be a "virtual" network on the PVE host? If so, the IP should probably be configured on vmbr1, if that's the one you choose to tie to your physical NIC; otherwise you'll lock yourself out. In general I'd recommend using vmbr0 for the physical NIC, since that's the default.

If I understand it correctly, it should work this way though.

> Also, could someone post an example /etc/network/interfaces layout that would work? I'm a bit confused on that part.
I recommend just using the GUI for network management (under <node> -> Network), it will build the file for you automatically.

> I also will probably need to temporarily hook up the Proxmox host to a dumb switch and then my laptop with an IP on the same DMZ subnet so I can access the management interface to install the pfSense VM.
Yeah, that's why I'd recommend giving both bridges an IP; it doesn't really hurt, and you reduce the chance of locking yourself out.
 
OK, I got Proxmox installed and did the network this way:

(Not exact format, just ad-libbing it)

# LAN side on pfSense (172.16.0.1 = pfSense VM)
auto vmbr0
iface vmbr0 inet static
        address 172.16.0.2/24
        gateway 172.16.0.1
        bridge-ports none
        bridge-stp off
        bridge-fd 0

# WAN (eno2 is connected to WAN switch)
iface eno2 inet manual

auto vmbr1
iface vmbr1 inet manual
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0

pfSense is working on the WAN side, but Proxmox cannot talk to 172.16.0.1. I'm guessing that's because there's no physical NIC port tied to it? Or is it because the pfSense VM is not "up" when vmbr0 is brought up during boot?
 
As stated before, why not just give your PVE an address on vmbr1 too? It doesn't hurt, but you won't be able to lock yourself out (well, not as easily anyway ;) ).

An IP address assigned to a bridge will only be accessible via the 'bridge-ports' (physical NICs) given to it or from CTs/VMs which have a NIC configured on it.
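The rule in the last reply (a bridge address is reachable only through its physical bridge-ports or through guest NICs attached to the bridge) is what decides whether the two-bridge layout proposed in the first post locks the host out. The script below is an added example for this thread, not code from the posts or from Proxmox: it reads an /etc/network/interfaces and the output of `qm config <vmid>` for the pfSense VM, reports what can reach each bridge address, and tells you whether the Proxmox host is still reachable from the wire with every guest powered off. The file contents, VM id 100, the MAC addresses, the 192.0.2.10/24 address on vmbr1 and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox). Applies the rule "a host IP
# on a Linux bridge is reachable only via its bridge-ports or via guest NICs on it"
# to an interfaces file plus a `qm config` dump. All inputs below are constructed.

IFACES_EXAMPLE=$(mktemp)
QMCONF_EXAMPLE=$(mktemp)
IFACES_FIXED=$(mktemp)

# Constructed /etc/network/interfaces: the OP's layout in ifupdown syntax.
cat > "$IFACES_EXAMPLE" <<'EOF'
auto lo
iface lo inet loopback

iface eno2 inet manual

# LAN side on pfSense (172.16.0.1 = pfSense VM)
auto vmbr0
iface vmbr0 inet static
        address 172.16.0.2/24
        gateway 172.16.0.1
        bridge-ports none
        bridge-stp off
        bridge-fd 0

# WAN (eno2 is connected to WAN switch)
auto vmbr1
iface vmbr1 inet manual
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0
EOF

# Constructed `qm config 100` output: the pfSense VM with one NIC on each bridge.
cat > "$QMCONF_EXAMPLE" <<'EOF'
name: pfsense
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0
net1: virtio=BC:24:11:00:00:02,bridge=vmbr1
EOF

# The reply's suggestion: also give the bridge that owns the physical NIC an address
# (192.0.2.10/24 is a constructed placeholder for the WAN-side address).
awk '$0 ~ /^iface vmbr1 / { print "iface vmbr1 inet static"; print "        address 192.0.2.10/24"; next } { print }' \
    "$IFACES_EXAMPLE" > "$IFACES_FIXED"

# bridge_report IFACES QMCONF
# One line per vmbrN: host address (or -), physical ports (or none), guest NICs on
# the bridge (or -), and how the address is reachable: physical, guests-only, nothing.
bridge_report() {
    ifaces=$1; qmconf=$2
    awk '
        /^iface[ \t]+vmbr/ { cur = $2; seen[cur] = 1; next }
        /^iface/           { cur = ""; next }
        cur != "" && $1 == "address"      { addr[cur] = $2 }
        cur != "" && $1 == "bridge-ports" { $1 = ""; sub(/^[ \t]+/, ""); gsub(/[ \t]+/, "+"); ports[cur] = $0 }
        END {
            for (b in seen)
                printf "%s %s %s\n", b, (b in addr ? addr[b] : "-"), (b in ports ? ports[b] : "none")
        }' "$ifaces" | sort |
    while read -r name addr ports; do
        # guest NICs whose bridge= option names this bridge exactly (not vmbr10 for vmbr1)
        guests=$(awk -v b="$name" '
            $1 ~ /^net[0-9]+:$/ && $2 ~ ("(^|,)bridge=" b "(,|$)") {
                sub(/:$/, "", $1); printf "%s%s", sep, $1; sep = ","
            }' "$qmconf")
        [ -n "$guests" ] || guests=-
        if [ "$ports" != none ]; then reach=physical
        elif [ "$guests" != - ]; then reach=guests-only
        else reach=nothing
        fi
        printf '%s addr=%s ports=%s guests=%s reach=%s\n' "$name" "$addr" "$ports" "$guests" "$reach"
    done
}

# host_reachable_from_wire IFACES QMCONF
# Exit 0 if some host address sits on a bridge with a physical port, i.e. the
# Proxmox management interface stays reachable with every VM powered off.
host_reachable_from_wire() {
    bridge_report "$1" "$2" |
        awk '$2 != "addr=-" && $NF == "reach=physical" { ok = 1 } END { exit !ok }'
}

for f in "$IFACES_EXAMPLE" "$IFACES_FIXED"; do
    bridge_report "$f" "$QMCONF_EXAMPLE"
    if host_reachable_from_wire "$f" "$QMCONF_EXAMPLE"; then
        echo "OK: host reachable from the wire without any guest running"
    else
        echo "WARNING: host address only on a port-less bridge; reachable only once a guest on it is up"
    fi
done
```

On the OP's layout the report shows 172.16.0.2/24 on a bridge with no physical port, so the host is reachable on that address only from pfSense's net0 once the VM is up and its LAN side is configured; the variant with an address on vmbr1 passes. Note the trade-off in the reply's suggestion: an address on vmbr1 puts the Proxmox web UI (TCP 8006) and SSH on the WAN-facing segment, so restrict them there or, since the host has four NICs, put the management address on its own bridge with a dedicated NIC instead.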