Running pfSense as VM - Changes to Network Interfaces in Proxmox to Support vLAN Setup

norsemangrey

I am quite new to vLANs so please forgive me if my terminology is off.

Today I have pfSense running as a VM on Proxmox (on a computer with 5 NICs), which is working great, and up until now I have only been using subnets as I have not had any vLAN-aware equipment. However, I have now bought some Unifi switches and APs that support vLAN for better segmentation of my network. There are many articles and guides on how to set up vLAN with pfSense, but I am not sure what changes I need to do on the Proxmox side. Below is the way my network interfaces are configured in Proxmox today as well as a diagram of how I'm picturing the physical setup with the new equipment.

The physical interfaces in use today will be the same, however, instead of each of the LAN ports (SEC/IOT) being assigned to a separate subnet in pfSense and each connected to an unmanaged switch, they should now each trunk all vLANs defined in pfSense and connect to a managed vLAN-aware switch. Proxmox is also running a couple of other VM machines assigned the SEC interface. However, when changing over to vLAN I guess these need to be assigned to the correct vLAN.

I would really appreciate some input / comments on what changes I need to do in Proxmox (if any) to get this to work.

Proxmox network interfaces.
1670782060745.png
pfSense VM network interfaces
1670782135404.png

1670780681763.png
 
To set up VLANs with your new equipment on Proxmox, you will need to first configure the VLANs on your pfSense VM. Once the VLANs are configured on pfSense, you will need to create VLAN interfaces on Proxmox for each VLAN you want to use. You can then assign the VLAN interfaces to the VMs that need to be on that VLAN.
For example, if you have a VLAN for your security cameras on pfSense, you would create a VLAN interface on Proxmox for that VLAN and assign it to the VM running your security camera software. This will ensure that the traffic from the security cameras is properly segregated on the VLAN.
You will also need to make sure that the physical interfaces on your Proxmox host are set up to trunk the VLANs. This will allow the VLAN traffic to pass through the physical interfaces and be routed to the correct VLAN on your managed switches.
In summary, the steps to set up VLANs on Proxmox with your new equipment would be:
  1. Configure the VLANs on pfSense.
  2. Create VLAN interfaces on Proxmox for each VLAN you want to use.
  3. Assign the VLAN interfaces to the VMs that need to be on that VLAN.
  4. Configure the physical interfaces on Proxmox to trunk the VLANs.
Once these steps are completed, your VLANs should be properly set up and you can start using them on your network.
 
As @rason said, first create and configure VLANs in pfSense, then on Proxmox, create a Linux VLAN assigned to the bridge that you used in pfSense for the VLANs.
Here is my example:
proxmox.jpg
In my case I use a bond of 3 NICs, but it's the same.
For my LAN port of pfSense I have created a Linux bridge vmbr1 and set it up as VLAN aware.
Then all the VLANs that you configure in pfSense you add in Proxmox as Linux VLAN.
proxmox2.jpg
Just name it with the bridge used and the VLAN ID.
Example: vmbr3.55 -> stands for VLAN ID 55 in the vmbr3 bridge

Here is my /etc/network/interfaces configuration:

Code:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface eno1 inet manual

iface enp1s0 inet manual

iface enx00e04c6800d8 inet manual

iface enxa0cec88709e9 inet manual

auto bond0
iface bond0 inet manual
        bond-slaves eno1 enp1s0 enx00e04c6800d8
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit-hash-policy layer2+3
        bond-lacp-rate 1
        bond-min-links 1
#LAG ---- LAN --- pfsense

auto vmbr3
iface vmbr3 inet static
        address XXX.XXX.XXX.XXX/XX
        gateway XXX.XXX.XXX.XXX
        bridge-ports enxa0cec88709e9
        bridge-stp off
        bridge-fd 0
#USB NIC ---- WAN

auto vmbr1
iface vmbr1 inet manual
        address XXX.XXX.XXX.XXX/XX
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr1.10
iface vmbr1.10 inet manual

auto vmbr1.5
iface vmbr1.5 inet manual

auto vmbr1.50
iface vmbr1.50 inet manual

auto vmbr1.100
iface vmbr1.100 inet manual

auto vmbr1.200
iface vmbr1.200 inet manual
 

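An added example (not part of the thread and not Proxmox code): a small Python audit of an `/etc/network/interfaces` file like the one posted above. For each VLAN-aware bridge it lists the host-side VLAN interfaces (`vmbrX.N`), counts how many VLAN IDs `bridge-vids` admits on the trunk, and flags any VLAN interface whose ID falls outside that list. `SAMPLE` is constructed from the posted configuration, and the function names and report keys are this example's own.

```python
import re
# Constructed sample: VLAN-related stanzas from the posted config, trimmed so this runs offline.
SAMPLE = """\
auto vmbr1
iface vmbr1 inet manual
        bridge-ports bond0
        bridge-vlan-aware yes
        bridge-vids 2-4094
auto vmbr1.10
iface vmbr1.10 inet manual
auto vmbr1.50
iface vmbr1.50 inet manual
"""

def parse_stanzas(text):
    """Return {iface_name: {option: value}} for every 'iface' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) > 1:
            current = stanzas.setdefault(words[1], {})
        elif words[0] in ("auto", "allow-hotplug", "source", "source-directory"):
            current = None  # these lines start a new block, not an option
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas

def expand_vids(spec):
    """Expand a bridge-vids value such as '5 10 100-200' into a set of IDs."""
    vids = set()
    for part in spec.split():
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids

def audit(text):
    """Per VLAN-aware bridge: host VLAN interfaces vs. the IDs the bridge admits."""
    stanzas, report = parse_stanzas(text), {}
    for name, opts in stanzas.items():
        if opts.get("bridge-vlan-aware") != "yes":
            continue
        allowed = expand_vids(opts.get("bridge-vids", ""))  # missing option: treated as empty here
        pattern = re.compile(re.escape(name) + r"\.(\d+)")
        used = sorted(int(m.group(1)) for n in stanzas if (m := pattern.fullmatch(n)))
        report[name] = {"host_vlans": used, "admitted": len(allowed),
                        "outside_bridge_vids": [v for v in used if v not in allowed]}
    return report
```

With `bridge-vids 2-4094` the bridge admits every usable VLAN ID; replacing the range with only the IDs defined in pfSense and rerunning `audit` shows whether any existing `vmbrX.N` interface would be left outside the trunk.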
@rason @striker54 thank you very much for the input! I have a couple more questions though.

Create VLAN interfaces on Proxmox for each VLAN you want to use.

The VLAN interfaces I create in Proxmox, are they only for "internal" use (i.e. for the VMs / CTs running on Proxmox) or are they required also for the physical interface(s)?

Configure the physical interfaces on Proxmox to trunk the VLANs.

So I would do this by making the vmbr / Linux Bridge for a physical interface assigned as LAN port on pfSense as "VLAN aware"?

In my case i use a bond of 3 NICs, but it's the same.

What is the purpose of bonding them together? Would it make sense for me to do the same (based on the network diagram) or is it just something you would do if the physical interfaces are connected to the same switch?

---------------------------

I have also tried to figure out what to do about the Proxmox server management interface. Previously I had it connected "back from" the switch connected to the SEC subnet, but I am not sure what to do about it in the new vLAN setup. Now I should be able to access it from any switch/access point, but it should be assigned to a specific vLAN.

1670836677136.png
 
The VLAN interfaces I create in Proxmox, are they only for "internal" use (i.e. for the VMs / CTs running on Proxmox) or are they required also for the physical interface(s)?
A VLAN is, as the name suggests, a virtual network; you use it to segregate traffic away from each other on the LAN, either for performance or security. You create as many as you need on a NIC; it's not a 1-2-1 relationship.

What is the purpose of bonding them together? Would it make sense for me to do the same (based on the network diagram) or is it just something you would do if the physical interfaces are connected to the same switch?
If you have three adapters available you could bond them together and then have a management VLAN. However, if you aren't having any performance issues I would keep it as you have now.

Like you, I have been running pfSense in a VM for ages with no issues. Everything I have tried to set up and get working was fine. Until VLANs... for some reason this would not work in my setup initially. Then for some strange reason it worked, I have no idea why! So get the basic VLAN setup (any to any f/w routing) working before jumping into any rules.
 
See the network configuration manual here.
It has great examples and also explains bonding.
The VLAN interfaces I create in Proxmox, are they only for "internal" use (i.e. for the VMs / CTs running on Proxmox) or are they required also for the physical interface(s)?
Both. For physical interfaces this also implies that you configure the switch according to the VLANs that you created.
 
Both. For physical interfaces this also implies that you configure the switch according to the VLANs that you created.
Ok. I just do not see from your example how they (the Linux VLANs you have created) are tied to the bridge you have for your physical ports (other than the name, vmbr1.xxx).

I did some experimenting today where I hooked up a Unifi switch connected to a Unifi AP to a spare port in the Proxmox server. I created a new bridge for that physical interface, made it VLAN aware and added it to the pfSense VM as a LAN interface. I then created a couple of VLANs in pfSense and tied them to the new LAN interface. After some fumbling around in the Unifi controller I had defined networks/profiles for the same VLANs there and I was able to connect my laptop to the wireless network for the new VLAN and it was assigned an IP address from pfSense. So that seemed to work.

So what am I missing by not creating the VLAN interfaces in Proxmox?
 
So what am I missing by not creating the VLAN interfaces in Proxmox?
Nothing. As you said, you have a "spare port", so you can address all the VLANs to that physical port.

In my configuration I don't have any spare ports; the LAN interface of pfSense connected to the switch takes care of all the VLANs.
 
