Questions about network setup (firewall/routing)

ATQ

Member
Mar 8, 2020
Hi,

I've just installed Proxmox on my home server and I'm trying to figure out the best way to set things up. The purpose of the whole thing is to set up network storage and have a router and firewall (plus mess around and maybe learn a thing or two). Networking isn't exactly my strong suit though, but maybe with some help we can rectify that.

The server has two ethernet cards (one on the motherboard and one PCIe) and a wireless card (PCIe). What I want is for the server to act as a router for WAN/LAN/Wireless with a firewall and probably some good stuff I haven't thought of yet.

What's the best configuration for that and how do you set it up?
 
I think it cannot be perfect if you are not a network engineer and security expert, if "Networking isn't exactly my strong suit though". You can do something, but you will not know whether you are making mistakes or not. It will work, but will it be safe and secure?
I recommend using a product to set up the firewall, like Pfsense; example usage with Proxmox here.

Possible scenario: 1 network card for internet input, 2 network card for output to switch after firewall software.
If you need performance, you should use 2 Intel or Broadcom server network cards, which really do what is needed.
 
Yeah, I'm thinking it's time to get up to speed on this. It's just a bit confusing for some reason.
Pfsense seems to come highly recommended so I'll give that a shot. Before I go there though, perhaps you could help me conceptualize this?

Let's say I want to connect my workstation to the server, and the server to the internet - i.e. one NIC for LAN and the other for WAN. I want the server to handle firewall and routing through a Pfsense VM. If I understand this right I should...

Create a bridge for each NIC with a static IP but no gateway, since that will be set by Pfsense. Then create the VM and set up routing between the two virtual bridges.

Have I got this backwards or is this the way to go? Or perhaps another idea, like above but PCIe passthrough for the NICs?

Speaking of security though, wouldn't this mean that an attacker could get directly at the Proxmox server, just ignoring the virtual machine?

In terms of performance the most critical part would be the network storage, as 1Gbit ethernet is probably the limiting factor. There won't be many simultaneous connections though, and the internet connection is at 250Mbit/s so that should be easy for the NICs to handle - though latency is an important factor.
 
So, I've got Pfsense running in a VM and it seems to be working fine (except torrents don't seem to upload, just download...). However, I'm not sure if the configuration is good or not...

I have vmbr0 as the LAN bridge with an internal IP and gateway 192.168.1.1.

Vmbr1 is the WAN bridge and I've left it without any IP settings.

What concerns me is... doesn't this mean that Proxmox has unprotected access to the internet - with only traffic from the LAN going through Pfsense? Seems to me that would be a security risk.

Seems to me the best setup would be having Proxmox internet connection go through Pfsense, and LAN access going directly. That way outbound connections are behind the firewall but I can still access Proxmox through LAN even if Pfsense goes down.

How do I set that up?

P.S. Hm, maybe that is in fact how things are set up? Just tested my assumption and in fact all internet connectivity goes down if I shut down the Pfsense VM, but LAN connection to Proxmox still works. Seems like everything's in order then.
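
The concern in the post above (whether the Proxmox host itself sits on the WAN side) can be checked against the host's `/etc/network/interfaces`. This is an added example, not part of the original thread; the NIC names `enp3s0`/`enp4s0`, the host address `192.168.1.10/24` and the function names are assumptions.

```python
import re

# Constructed sample: vmbr0 = LAN bridge with host IP and gateway 192.168.1.1,
# vmbr1 = WAN bridge with no IP settings (NIC names and host address are assumed).
SAMPLE = """\
iface enp3s0 inet manual
iface enp4s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports enp3s0

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp4s0
"""

def parse_stanzas(text):
    """Return a list of (iface, family, method, options) per iface stanza."""
    stanzas, opts = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"iface\s+(\S+)\s+(inet6?)\s+(\S+)", line)
        if m:
            opts = {}
            stanzas.append((m.group(1), m.group(2), m.group(3), opts))
        elif re.match(r"(auto|allow-\S+|source\S*|mapping)\b", line):
            opts = None  # stanza ended; this is not an option line
        elif opts is not None:
            parts = line.split(None, 1)  # accept bridge_ports and bridge-ports
            opts[parts[0].replace("_", "-")] = parts[1] if len(parts) > 1 else ""
    return stanzas

def audit(text, wan_bridge, lan_bridge):
    """List findings that would put the Proxmox host itself on the WAN side."""
    findings = []
    for iface, family, method, opts in parse_stanzas(text):
        if iface == wan_bridge and (method != "manual" or "address" in opts):
            findings.append(f"{iface} ({family}): host has an address on the WAN bridge")
        if "gateway" in opts and iface != lan_bridge:
            findings.append(f"{iface} ({family}): host gateway is not on the LAN bridge")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "vmbr1", "vmbr0") or "host is only reachable via the LAN bridge")
```

An empty result means the host has no address on the WAN bridge and its only default gateway is on the LAN side, which matches the behaviour tested in the post: internet access stops when the firewall VM is down while LAN access to the host keeps working.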
 
Hi all.

This might be a noob question, and I apologise for my ignorance.
I am waiting for a small server that I ordered, but once I get the hardware necessary I want to run PfSense in ProxMox as well. In advance, I am trying to understand how I can implement the network. Ideally, I want to implement it as in the attached diagram.

If I have attached 2 physical NICs (PCIe Passthrough) to the PfSense virtual machine, these NICs would no longer be unavailable for the host ProxMox Server. Isn't that right?
If that is the case, what should I do to assign new VMs from the ProxMox host to the new LAN 1 created (in this case the 10.100.1.0/24 network)? This NIC is no longer available to the ProxMox host to assign to a vmbr1, for example. What would be the best approach in this situation?

Also, if I want to move the ProxMox management interface from the home network (192.168.1.0/24) to LAN 1 or any other network behind the PfSense firewall, how could I achieve that securely?



[Attached diagram: Planned Network.PNG]
 

There is a full official setup guide here:
https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html

I would not advise pass-through of the physical NICs.

I would keep the management interface on the 'LAN' side - i.e. on the 10.100.1.0 network. If you need to access the Proxmox host from the 'WAN' side, then you can create a port forward on pfSense to allow access.
 
Thanks for your input on my post.
Could you tell me why you would not advise pass-through of the physical NICs?
 
There is significant effort involved in getting pass-through devices working and, in the case of network adapters, in 99% of cases the cost/benefit ratio is negligible. So, my question would be - why do it?
 
