Proxmox running PFSENSE FW with single NIC

zebrahost, Jan 13, 2020
I have Proxmox running on my mini-ITX board and it is doing just fine. It is running a number of roles including NAS, pfSense, Home Assistant, etc., and it's barely working up a sweat. I measured the power consumption of the setup and found it to be a little higher than I would like, so I am looking for less power-hungry alternatives.

I was wondering whether to switch over from my current platform to a low-end NUC. Unfortunately, it has a major limitation in that it only has a single NIC. This NUC is quite low-end and does not support PCI passthrough, so I am limited to using the bridges within Proxmox.

I have set up pfSense previously using a single NIC on a standalone PC with VLANs and an external smart switch, and it was working fine.

It is possible to use a single-NIC arrangement with Proxmox and obtain network isolation by using VLANs to separate WAN and LAN traffic.

I have the following thought: create a separate bridge on VLAN 10 (vmbr0.10) and link it to the primary NIC. Then attach the pfSense WAN port to the VLAN bridge. Also, attach the LAN to vmbr0.

Is this the best approach? Is there a better alternate solution?

If this is the best approach, do I need to set up the WAN port in pfSense to send the tagging (VLAN 10), or is the tagging added and removed by the VLAN bridge? I have configured my switch to send all traffic tagged with VLAN 10 on the trunk port to port 8 of my switch, which will be connected to the WAN. I will enforce proper tagging within the switch. All other ports are carrying untagged traffic for the LAN.

Is this secure enough for a lab / non-commercial (home) environment? I know this is a difficult question, as "secure enough" is subjective. Let's just say: are there any serious security holes with this approach?

I have seen a few tutorials of people doing this, but they are all doing NIC passthrough, which I presume is to enhance security (my equipment does not support PCI passthrough). I note that I am not using passthrough on my current setup with my mini-ITX either, but am isolating LAN from WAN by using separate bridges connected to separate ports on the host.

Code:
                                                                     PROXMOX
                                    +-----------------------------------------+
                                    |                                         |
                                    |  +-----+  +-----+                       |
                                    |  | VM1 |  | VM2 |                       |
                       +-----+      |  +--+--+ ++-----+                       |
       +-------+       |     |      |     |    | 192.168.1.3/24               |
       |  PC1 |--------+ SWITCH     |  +--+----++   +-------+                 |
       +-------|       |     |   eth0  |        |   |       |                 |
       +-------|       |    1+---------+ Vmbr0  +---+LAN    |                 |
       |  PC2 |--------+     |      || +--------+   |       |                 |
       +-------+       |     |      || |            |       |                 |
                       |     |      || +--------+   |       |                 |
      +----------------+8    |      +--+        |   |       |                 |
Internet               |     |      |  | Vmbr0.0+---+WAN    |                 |
                       +-----+      |  +--------+   +-------+                 |
                                    |               PFSENSE VM                |
                                    |                                         |
                                    +-----------------------------------------+
 
Yes, it works. There are two ways to do it. The first is to pass only one interface to pfSense and set up the VLANs in pfSense. That gives you a little more flexibility. Remember to allow the VLANs for the interface by editing the conf file for the VM and adding ,trunks=1;2;3 to allow VLANs 1, 2 and 3.

The second option is to assign multiple interfaces to your pfSense VM in Proxmox and set the VLANs in the interface definition (this can be done in the web frontend). This is the easier way, since pfSense doesn't deal with VLANs and just sees two (or more) normal network interfaces.
 
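The two options above differ in which frames reach a pfSense vNIC and whether the guest still sees the 802.1Q tag. The following is an added example, not code from this thread or from Proxmox or pfSense: it parses the netX: lines of a VM config (bridge=, tag=, trunks=) plus a hand-written description of the host bridges, and works out, per vNIC, which VLANs are delivered. The bridge names, MACs and VLAN ids are constructed for the example, and the delivery rules are a simplified model of the Linux bridge and Proxmox behaviour, stated in the docstring as assumptions.

```python
"""Which VLANs reach which pfSense vNIC under the two options above.

Added example; not code from the thread or from Proxmox/pfSense.  Assumed
(simplified) behaviour:
  * a bridge whose port is `nic.N` (option 2): only VLAN N, delivered untagged;
  * vNIC with tag=N: only VLAN N, delivered untagged;
  * VLAN-aware bridge, vNIC with trunks=A;B and no tag: A and B, tag kept;
  * VLAN-aware bridge, vNIC with neither: every VLAN, tag kept;
  * an untagged frame on the NIC is treated as VLAN 1 (bridge default PVID).
"""
import re

NET_RE = re.compile(r"^net(\d+):\s*(.+)$")
SUBIF_RE = re.compile(r"^[^.]+\.(\d+)$")        # enp0s25.99 -> 99


def parse_vm_nets(vm_conf: str) -> dict:
    """Return {'net0': {'bridge': 'vmbr99', 'tag': None, 'trunks': set()}, ...}."""
    nets = {}
    for line in vm_conf.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        opts = dict(kv.strip().partition("=")[::2] for kv in m.group(2).split(","))
        trunks = set()
        for part in filter(None, opts.get("trunks", "").split(";")):
            lo, _, hi = part.partition("-")            # single id or a-b range
            trunks.update(range(int(lo), int(hi or lo) + 1))
        nets[f"net{m.group(1)}"] = {
            "bridge": opts["bridge"],
            "tag": int(opts["tag"]) if "tag" in opts else None,
            "trunks": trunks,
        }
    return nets


def deliver(frame_vlan, vnic: dict, bridges: dict):
    """frame_vlan: 802.1Q id of a frame entering the physical NIC (None = untagged).
    Returns ('delivered', tag_seen_by_guest_or_None) or ('dropped', None)."""
    br = bridges[vnic["bridge"]]
    sub = SUBIF_RE.match(br["port"])
    if sub:  # option 2: the kernel sub-interface strips tag N before the bridge
        return ("delivered", None) if frame_vlan == int(sub.group(1)) else ("dropped", None)
    vid = 1 if frame_vlan is None else frame_vlan     # assumption: PVID 1 on the NIC port
    if vnic["tag"] is not None:                       # access vNIC: pvid/untagged for one VID
        return ("delivered", None) if vid == vnic["tag"] else ("dropped", None)
    if vnic["trunks"]:
        if not br["vlan_aware"]:
            raise ValueError("trunks= needs a VLAN-aware bridge")
        return ("delivered", frame_vlan) if vid in vnic["trunks"] else ("dropped", None)
    return ("delivered", frame_vlan)                  # untagged vNIC on a trunk sees every tag


def vlans_reaching(vnic: dict, bridges: dict, candidates) -> set:
    """Subset of `candidates` whose frames are delivered to this vNIC."""
    return {v for v in candidates if deliver(v, vnic, bridges)[0] == "delivered"}


# --- constructed inputs (placeholder MACs), shaped like the configs posted below ---
OPTION2_BRIDGES = {                                   # one bridge per VLAN sub-interface
    "vmbr0": {"port": "enp0s25", "vlan_aware": False},
    "vmbr10": {"port": "enp0s25.10", "vlan_aware": False},
    "vmbr99": {"port": "enp0s25.99", "vlan_aware": False},
}
OPTION2_VM_CONF = """\
net0: virtio=02:00:00:00:00:01,bridge=vmbr99
net1: virtio=02:00:00:00:00:02,bridge=vmbr10
"""
OPTION1_BRIDGES = {"vmbr0": {"port": "enp0s25", "vlan_aware": True}}
OPTION1_VM_CONF = "net0: virtio=02:00:00:00:00:01,bridge=vmbr0,trunks=10;99\n"

if __name__ == "__main__":
    cands = {1, 10, 20, 99}
    for label, conf, br in (("option 2", OPTION2_VM_CONF, OPTION2_BRIDGES),
                            ("option 1", OPTION1_VM_CONF, OPTION1_BRIDGES)):
        for name, vnic in parse_vm_nets(conf).items():
            print(label, name, "receives VLANs", sorted(vlans_reaching(vnic, br, cands)))
```

The isolation the original post asks about is the last check: for option 2 the WAN and LAN vNICs receive disjoint VLAN sets, and for option 1 a frame tagged with a VLAN outside trunks= never reaches the guest at all.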
I use option 2 and it's working (with 4 interfaces: 2 WAN, 1 LAN, 1 DMZ).
 
I just decided to virtualize pfSense and ran across this thread.
I use option 2 and it's working (with 4 interfaces: 2 WAN, 1 LAN, 1 DMZ).

Would you be willing to share your /etc/network/interfaces file? I am getting ready to move pfSense over to a single-interface machine and would like to see how to handle the interfaces. Currently, I am running pfSense on a Netgate APU with 3 physical interfaces, with the WAN interface connected to the AT&T gateway, and LAN and OPT (with 10 VLANs) connected to a Cisco switch.

Initially, I thought I would try my hand at installing Open vSwitch and then tag all of the interfaces and plug the single interface on the laptop into my Cisco switch. The more I thought about that, the more I decided that it was too time-intensive to add more to my plate. Also, I am somewhat confused about how to add it into my gateway. I tried to use zebrahost's diagram as well, and it blew up badly, so I will have to figure out a better way to do a diagram.
 
proxmox config

Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

# the two physical NICs; both are aggregated into bond0 below
iface enp1s0 inet manual

iface enx000ec6de4a02 inet manual

# LACP bond of the two NICs (the switch side must be configured as an 802.3ad LAG)
auto bond0
iface bond0 inet manual
        bond-slaves enp1s0 enx000ec6de4a02
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit-hash-policy layer2+3

# one VLAN sub-interface per VLAN carried tagged over the bond
auto bond0.1
iface bond0.1 inet manual
        vlan-raw-device bond0

auto bond0.2
iface bond0.2 inet manual
        vlan-raw-device bond0

auto bond0.3
iface bond0.3 inet manual
        vlan-raw-device bond0

auto bond0.4
iface bond0.4 inet manual
        vlan-raw-device bond0

# host-only VLANs: the host takes an address here, no bridge and no VMs
auto bond0.10
iface bond0.10 inet static
        address  10.10.10.91
        netmask  255.255.255.0
        vlan-raw-device bond0

auto bond0.5
iface bond0.5 inet static
        address  10.10.5.91
        netmask  255.255.255.0
        vlan-raw-device bond0

# one bridge per VLAN; the pfSense VM gets one vNIC on each bridge
# VLAN 1 (LAN): also carries the Proxmox management address
auto vmbr1
iface vmbr1 inet static
        address  192.168.1.91
        netmask  255.255.255.0
        gateway  192.168.1.254
        bridge-ports bond0.1
        bridge-stp off
        bridge-fd 0

# VLAN 2 (first Internet connection)
auto vmbr2
iface vmbr2 inet manual
        bridge-ports bond0.2
        bridge-stp off
        bridge-fd 0

# VLAN 3 (second Internet connection)
auto vmbr3
iface vmbr3 inet manual
        bridge-ports bond0.3
        bridge-stp off
        bridge-fd 0

# VLAN 4 (DMZ)
auto vmbr4
iface vmbr4 inet manual
        bridge-ports bond0.4
        bridge-stp off
        bridge-fd 0
 
I have never had to even think about bonds, and now it looks like I need to learn something new (not that I am complaining). So the way I had my pfSense set up was the following:

Code:
WAN: DHCP
LAN: 192.168.4.0/24
OPT:
VL05 MGMT    - 192.168.5.0/24
VL10 CLRNET  - 192.168.10.0/24
VL15 GUEST   - 192.168.15.0/24
VL20 VPN     - 192.168.20.0/24
VL25 VOIP    - 192.168.25.0/24
VL30 VHOST   - 192.168.30.0/24
VL35 LXC     - 192.168.35.0/24
VL40 DOCKER  - 192.168.40.0/23
VL45 RPi     - 192.168.45.0/24
VL50 WLAN    - 192.168.50.0/24
VL55 STREAM  - 192.168.55.0/24

My Proxmox host is 192.168.30.250 (which will be assigned to my VL30 once I set up pfSense). First off, I assume that I need to make a bridge for each of the 3 "physical" interfaces (WAN, LAN, and OPT). I also assume that I need to create an entry for each VLAN under the OPT interface. What is the benefit of creating bond0 as well as the vmbr entry? Also, do I need to move the Proxmox address, since the address will be part of the VLAN that I have defined in the pfSense setup?

Code:
auto lo
iface lo inet loopback

iface enp0s25 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.30.250
        netmask 255.255.255.0
        gateway 192.168.30.1
        bridge_ports enp0s25
        bridge_stp off
        bridge_fd 0
 
I don't know if it's the right or the better way, but it works in my case.

The bond is not necessary if you have only one network card to share on the Proxmox host.

On the interface I want to share, I create 4 VLANs, and then I create 4 bridges, one for each VLAN (vmbr1, vmbr2, vmbr3, vmbr4).

On the pfSense virtual machine, I create 4 network cards, each of them on one of the bridges.

So with that, there are no real VLANs to manage in pfSense; it only sees 4 distinct network cards.

This is the config of the pfSense VM:

Code:
# Works with 768 MB of RAM
balloon: 0
boot: cdn
bootdisk: virtio1
cores: 2
cpu: host
keyboard: fr
memory: 768
name: Pfsense
net0: virtio=D6:96:34:9E:B6:AE,bridge=vmbr2
net1: virtio=5A:1B:62:F1:D8:8F,bridge=vmbr3
net2: virtio=9E:59:3B:FF:4B:6A,bridge=vmbr1
net3: virtio=3A:7E:45:71:2B:F5,bridge=vmbr4
numa: 0
onboot: 1
ostype: other
scsihw: virtio-scsi-pci
smbios1: uuid=3cccecd6-745e-4a11-8659-39bf6495fe1f
sockets: 1
virtio1: SSD:vm-254-disk-0,size=2G

Of course your switch needs to support VLANs and have the right configuration behind it.

In my case, VLAN 1 is the LAN, VLAN 4 is the DMZ, and VLANs 2 and 3 are for the two Internet connections.
Hope this helps.
 
Hello,


I'm in the same situation here: pfSense as a VM in Proxmox on a single-NIC computer (an Intel NUC). I'm new to Proxmox; I installed it in order to have pfSense running alongside my Docker containers in another VM. I will create a VM for a UniFi controller later.

I'm following the advice in here: to assign multiple interfaces to your pfSense VM in Proxmox and set the VLANs in the interface definition.

I'm not able to reach the pfsense ip address.

This is how I'm planning the setup:
Code:
VLAN 1     default                           
VLAN 10    Management    192.168.10.0/24     
VLAN 20    LAN           192.168.20.0/24     
VLAN 30    VPN           192.168.30.0/24     
VLAN 40    IoT           192.168.40.0/24     
VLAN 50    Guest         192.168.50.0/24     
VLAN 99    WAN

To begin with, I just want to set up VLANs 10 and 99 in pfSense; if that works I can add the other VLANs under different network segments.
Code:
VLAN 1     default                           
VLAN 10    LAN           192.168.1.0/24     
VLAN 99    WAN

Here's my /etc/network/interfaces:
Code:
auto lo
iface lo inet loopback

iface enp0s25 inet manual

# untagged (native) VLAN on the NIC: the Proxmox management address lives here
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.100/24
    gateway 192.168.1.1
    bridge-ports enp0s25
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# one bridge per VLAN sub-interface; a VM on vmbrNN sees VLAN NN untagged
# VLAN 10 (LAN)
auto vmbr10
iface vmbr10 inet manual
    bridge-ports enp0s25.10
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# VLAN 20
auto vmbr20
iface vmbr20 inet manual
    bridge-ports enp0s25.20
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# VLAN 30
auto vmbr30
iface vmbr30 inet manual
    bridge-ports enp0s25.30
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# VLAN 40
auto vmbr40
iface vmbr40 inet manual
    bridge-ports enp0s25.40
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# VLAN 50
auto vmbr50
iface vmbr50 inet manual
    bridge-ports enp0s25.50
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# VLAN 99 (WAN): no host address here, only the pfSense WAN vNIC
auto vmbr99
iface vmbr99 inet manual
    bridge-ports enp0s25.99
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

So on the Proxmox PVE Network page it looks similar to:
Code:
Name          Type            Active     Autostart      VLAN Aware     Ports/Slaves    IPv4/CIDR           Gateway
enp0s25       Network Device  Yes        No             No
vmbr0         Linux Bridge    Yes        Yes            Yes            enp0s25         192.168.1.100/24    192.168.1.1
vmbr10        Linux Bridge    Yes        Yes            Yes            enp0s25.10
vmbr20        Linux Bridge    Yes        Yes            Yes            enp0s25.20
vmbr30        Linux Bridge    Yes        Yes            Yes            enp0s25.30
vmbr40        Linux Bridge    Yes        Yes            Yes            enp0s25.40
vmbr50        Linux Bridge    Yes        Yes            Yes            enp0s25.50
vmbr99        Linux Bridge    Yes        Yes            Yes            enp0s25.99

In the Proxmox web UI, on the pfSense VM's Hardware tab, I have two network interfaces like:
Network Device (net0) virtio=<mac>,bridge=vmbr99
Network Device (net1) virtio=<mac>,bridge=vmbr10

I'm using this smart switch TP-Link TL-SG108E which supports 802.1Q VLANs.

VLAN / 802.1Q VLAN
Code:
VLAN ID     VLAN Name       Member Ports     Tagged Ports     Untagged Ports   
1           Default_VLAN    1-8                               1-8
10          LAN             2-8              2                3-8
99          WAN             1-2              2                1

VLAN / 802.1Q PVID Setting
Code:
Port         PVID
Port 1        99
Port 2        1
Port 3        10
Port 4        10
Port 5        10
Port 6        10
Port 7        10
Port 8        10

So my problem: I'm not able to reach the pfSense IP address once it is installed and configured with WAN and LAN network interfaces;
the LAN interface has a static IP address of 192.168.1.1/24 and WAN has DHCP.
I tried connecting a computer to port 8 of my switch, which has VLAN 10 as its untagged VLAN, and trying to reach 192.168.1.1.
I tried changing port 8's PVID to VLAN 1 and trying to reach 192.168.1.1.

Is my Proxmox network config wrong? Or is it my VLAN settings in the switch?

Any help is appreciated
 
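With a single trunk cable, the switch's 802.1Q membership and PVID tables decide which VLAN a frame from a PC port is classified into and whether it reaches the Proxmox NIC tagged or untagged; on the host, a tagged VLAN goes to the matching vmbrNN bridge and an untagged frame goes to vmbr0, where the management address lives. The following is an added example, not code from this thread or from TP-Link or Proxmox: the two switch tables are hand copies of the ones in the post above, the host-side mapping is an assumption reduced from the posted interfaces file and VM hardware list, and the function trace_from_access_port replays the two experiments from the post (PC on port 8 with PVID 10, then PVID 1). audit_switch then runs the table-level checks a practitioner would want before trusting WAN/LAN isolation over one cable.

```python
"""Trace an untagged frame from a PC port through the posted 802.1Q/PVID tables
onto the Proxmox host, and audit the tables for cross-VLAN leaks.

Added example; not code from the thread, TP-Link or Proxmox.  The host view is a
constructed assumption: tag N on the trunk -> bridge -> pfSense vNIC, untagged -> vmbr0.
"""

ISP_PORT, TRUNK_PORT = 1, 2            # modem on port 1, Proxmox NIC on port 2
SWITCH_VLANS = {                       # vid: (tagged member ports, untagged member ports)
    1: (set(), {1, 2, 3, 4, 5, 6, 7, 8}),
    10: ({2}, {3, 4, 5, 6, 7, 8}),
    99: ({2}, {1}),
}
PVID = {1: 99, 2: 1, 3: 10, 4: 10, 5: 10, 6: 10, 7: 10, 8: 10}
HOST_TAGGED = {10: "vmbr10 -> net1 (pfSense LAN)", 99: "vmbr99 -> net0 (pfSense WAN)"}
HOST_UNTAGGED = "vmbr0 (Proxmox management 192.168.1.100)"


def egress(port, vid):
    """How VLAN `vid` leaves `port`: 'tagged', 'untagged', or None (not a member)."""
    tagged, untagged = SWITCH_VLANS.get(vid, (set(), set()))
    return "tagged" if port in tagged else "untagged" if port in untagged else None


def trace_from_access_port(port, pvid=None):
    """Where an untagged frame entering `port` ends up.  `pvid` overrides the table
    entry, to replay the 'set port 8 PVID to 1' experiment from the post."""
    vid = PVID[port] if pvid is None else pvid
    how = egress(TRUNK_PORT, vid)
    if how == "tagged":
        lands = HOST_TAGGED.get(vid)       # None: host has no bridge for this tag
    elif how == "untagged":
        lands = HOST_UNTAGGED
    else:
        lands = None                       # trunk is not a member: never leaves the switch
    return {"vlan": vid, "leaves_trunk": how, "lands_on": lands}


def audit_switch(wan_vid):
    """Table-level checks before trusting WAN/LAN isolation over one trunk cable."""
    problems = []
    if PVID[TRUNK_PORT] == wan_vid or egress(TRUNK_PORT, wan_vid) == "untagged":
        problems.append(f"trunk port {TRUNK_PORT} carries WAN VLAN {wan_vid} untagged; "
                        f"it would land on {HOST_UNTAGGED}")
    for p in sorted(SWITCH_VLANS[wan_vid][1] - {ISP_PORT}):
        problems.append(f"port {p} is an untagged member of WAN VLAN {wan_vid}")
    for p in PVID:   # a port that is untagged in two VLANs mixes their frames on one cable
        untagged_in = sorted(v for v, (_, u) in SWITCH_VLANS.items() if p in u)
        if len(untagged_in) > 1:
            problems.append(f"port {p} emits VLANs {untagged_in} untagged; "
                            "frames from those VLANs mix on that cable")
    return problems


if __name__ == "__main__":
    print("PC on port 8:", trace_from_access_port(8))
    print("PC on port 8, PVID 1:", trace_from_access_port(8, pvid=1))
    print("modem on port 1:", trace_from_access_port(1))
    for p in audit_switch(99):
        print("WARN", p)
```

On the posted tables every port is still an untagged member of the default VLAN 1 as well as of VLAN 10 or 99, so the audit reports port 1 (the modem side) emitting both VLAN 1 and VLAN 99 untagged: anything the host puts on vmbr0 is flooded towards the ISP. The trace also shows why the second experiment could not work: with PVID 1 on port 8 the PC's frames leave the trunk untagged and land on vmbr0, not on the pfSense LAN bridge.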
I think the multi-bridge setup is way too complicated. I just use one bridge:


Code:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp2s0
iface enp2s0 inet manual

auto vmbr0
iface vmbr0 inet dhcp
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0
or with static IP:
Code:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp2s0
iface enp2s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.14.10/24
    gateway 192.168.14.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 192.168.14.1
    dns-search mydomain.com
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0

That works out of the box. I define the VLANs in pfSense. For the regular VMs, I just fill in the "VLAN tag" field in the Proxmox network dialog setting. It is left empty for pfSense.

That way it's easy to add VLANs - no need to touch the host config, just add another VLAN interface in pfSense and use the VLAN tag field for the VM that should be on that VLAN (if needed).
 
I see your bridge is not VLAN aware.
I'll give it a shot like this, and handle the VLANs within the pfSense VM.
 
I see your bridge is not VLAN aware.
I'll give it a shot like this, and handle the VLANs within the pfSense VM.
Yeah, I think all that stuff about VLAN-aware and tagging comes from old versions of Debian that didn't do this by default.
 
Yeah, I think all that stuff about VLAN-aware and tagging comes from old versions of Debian that didn't do this by default.
Do you need to define the VLAN tag for the vmbr1 network interface in the pfSense VM too, or just in the pfSense web GUI? As the VLAN interface is bridged with the LAN interface and has a tag defined, and all the policy is accepted, the traffic will work.
 
This is what works for me after many attempts with different configs. In my case I have only one NIC (an Intel NUC).
I created this interface vmbr0v10 with a static address just to have access to Proxmox via SSH/HTTPS (I was losing access often without something like this).
And the interface vmbr0 is the one used in the VMs, like:
Code:
net0: virtio=...,bridge=vmbr0,firewall=1,tag=XYZ

My /etc/network/interfaces looks like this:
Code:
auto lo
iface lo inet loopback

iface eno1 inet manual

# management-only bridge on VLAN 10: the host address lives here, no VMs attached
auto vmbr0v10
iface vmbr0v10 inet static
    address 192.168.10.20/24
    gateway 192.168.10.1
    bridge_ports eno1.10
    bridge_stp off
    bridge_fd 0

# untagged parent bridge for the VMs; each vNIC selects its VLAN with tag=
auto vmbr0
iface vmbr0 inet manual
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
 
Guys, I have a similar situation but am not able to get it to work.

I have the WAN on my switch on VLAN 99 (enp3s0.99), and I am getting an address from Spectrum via DHCP.

/etc/network/interfaces
Code:
auto lo
iface lo inet loopback

#primary
#allow-hotplug enp3s0
iface enp3s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.5/24
        gateway 192.168.1.1
        bridge-ports enp3s0
        bridge-stp off
        bridge-fd 0


# WAN on VLAN 99
auto vmbr0v99
iface vmbr0v99 inet dhcp
    bridge_ports enp3s0.99
#    bridge-stp off
#    bridge-fd 0

My vmbr0v99 shows "unknown" and edit won't work.

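The last two posts put a host stanza on a bridge that hangs off a VLAN sub-interface, one with inet static and one with inet dhcp on the WAN VLAN. Whatever pfSense does with its vNIC, the hypervisor itself then takes an address on that VLAN, and with DHCP on the WAN bridge that address is one the ISP hands out. The following is an added example, not code from this thread or from Proxmox: a small parser for /etc/network/interfaces that flags a host address on any bridge or sub-interface confined to a WAN VLAN, an inet manual stanza that carries an address, and a bridge name that is not of the form vmbr<N>. The sample file is a hand copy of the one posted above; the naming rule is an assumption about what the Proxmox GUI recognises, and vmbr<N>v<VID> is also the name Proxmox generates itself for a tagged vNIC on a non-VLAN-aware bridge, so defining one by hand can collide with that.

```python
"""Audit an /etc/network/interfaces for a hypervisor address on the WAN VLAN.

Added example; not code from the thread or from Proxmox.  Assumptions: the PVE
GUI expects bridges to be named vmbr<N>, and vmbr<N>v<VID> is the name Proxmox
itself creates for a tagged vNIC on a non-VLAN-aware bridge.
"""
import re

SUBIF_RE = re.compile(r"^(\S+)\.(\d+)$")      # enp3s0.99 -> 99


def parse_interfaces(text: str) -> dict:
    """{iface: {'method': 'static'|'manual'|'dhcp'|..., 'opts': {key: value}}}.
    Underscore and hyphen option spellings are merged (ifupdown2 treats them alike)."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and commented-out options
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface":
            cur = {"method": parts[3], "opts": {}}
            stanzas[parts[1]] = cur
        elif parts[0] in ("auto", "allow-hotplug", "source"):
            continue
        elif cur is not None:
            cur["opts"][parts[0].replace("_", "-")] = " ".join(parts[1:])
    return stanzas


def vlan_of(name: str):
    m = SUBIF_RE.match(name)
    return int(m.group(2)) if m else None


def bridge_vlan(stanza: dict):
    """VLAN a bridge is confined to when every port is a nic.N sub-interface of one VLAN."""
    vids = {vlan_of(p) for p in stanza["opts"].get("bridge-ports", "").split()}
    return vids.pop() if len(vids) == 1 else None


def audit_interfaces(text: str, wan_vlans) -> list:
    findings = []
    for name, s in parse_interfaces(text).items():
        if name.startswith("vmbr") and not re.fullmatch(r"vmbr\d+", name):
            findings.append(f"{name}: not of the form vmbr<N>; assumed to show as Unknown in "
                            "the GUI and to clash with the vmbr<N>v<VID> bridges Proxmox creates")
        if s["method"] == "manual" and "address" in s["opts"]:
            findings.append(f"{name}: 'inet manual' stanza carries an address; use 'inet static'")
        has_host_addr = s["method"] == "dhcp" or "address" in s["opts"]
        vid = vlan_of(name)
        if vid is None and name.startswith("vmbr"):
            vid = bridge_vlan(s)
        if has_host_addr and vid in wan_vlans:
            findings.append(f"{name}: the hypervisor takes an address ({s['method']}) on WAN "
                            f"VLAN {vid}, so its management plane is reachable from the ISP side; "
                            "make it 'inet manual' and let only the pfSense vNIC use it")
    return findings


# constructed copy of the interfaces file posted above
POSTED = """\
auto lo
iface lo inet loopback

#primary
#allow-hotplug enp3s0
iface enp3s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.5/24
        gateway 192.168.1.1
        bridge-ports enp3s0
        bridge-stp off
        bridge-fd 0

# WAN on VLAN 99
auto vmbr0v99
iface vmbr0v99 inet dhcp
    bridge_ports enp3s0.99
#    bridge-stp off
#    bridge-fd 0
"""

# the same file with the WAN bridge renamed and left without a host address
FIXED = POSTED.split("# WAN on VLAN 99")[0] + """\
# WAN on VLAN 99: pfSense vNIC only, the host has no address here
auto vmbr99
iface vmbr99 inet manual
    bridge-ports enp3s0.99
    bridge-stp off
    bridge-fd 0
"""

if __name__ == "__main__":
    for f in audit_interfaces(POSTED, {99}) or ["no findings"]:
        print("POSTED:", f)
    for f in audit_interfaces(FIXED, {99}) or ["no findings"]:
        print("FIXED:", f)
```

The same check applied to the earlier vmbr0v10 post reports only the naming point, since VLAN 10 there is the management VLAN rather than a WAN one; the WAN-bridge finding is the one that matters for the original question about security holes, because a DHCP stanza on the WAN bridge gives the Proxmox host itself an ISP-side address in front of pfSense.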
 
