Situation:
-home user
-my old physical router died yesterday
-I created a Hyper-V VM on my desktop (which has two NIC ports) and got pfSense running as my temporary router
-I want to move pfSense to my proxmox host
Background:
Home user, very limited *nix skillset (i.e. I can follow directions).
I have proxmox 6.4 configured on an old Intel NUC device (which has a single NIC port).
Physical NIC is configured as a Linux bridge
-physical port name is enp0s25
-bridge port name is vmbr0 (192.168.100.90/24)
I have two containers running for file and media services (192.168.100.91 and 192.168.100.92 respectively).
I have a pfSense VM running on my desktop using Hyper-V as my temporary router (this is how I get to the internet since my external router died yesterday).
My desktop has two physical ports, the modem is attached to the port I assigned to pfSense (private virtual switch).
I have a vlan configurable 8 port switch.
Since I enabled Hyper-V on my desktop I have experienced intermittent stability or performance issues, which I attribute to the recent changes.
Objective(s):
I want to host a pfSense VM in proxmox such that it can become my new router/firewall.
WAN traffic arrives at switch port zero (untagged vlan200), gets routed to switch port 1 (tagged vlan200 + tagged vlan100) which goes to the NUC (proxmox host), then back out from the pfSense VM to switch port 1 as tagged vlan100 traffic, then routed to the remaining switch ports (untagged vlan100 access ports).
I am aware hosting a firewall on a shared VM host can be suboptimal from a network security design perspective and accept the risks (I have zero budget to throw at this project or I'd just get a new device).
I am also aware this could reduce my max throughput (also acceptable for this project).
Draft Action Plan:
-configure switch port zero for untagged vlan200 WAN traffic
-configure switch port one for tagged vlan200 and tagged vlan100 traffic
-configure remaining switch ports for untagged vlan100 traffic (vlan100 access ports)
-this config should ensure nothing leaks out port zero from the other ports
-plug the modem into switch port zero
-configure the proxmox host to use tagged vlan100 for the primary interface
-plug the proxmox host into switch port one
-configure a new virtual NIC within Proxmox for tagged vlan200 traffic (*Need to figure out how*)
--virtual port for vlan200 will be attached to pfSense as the WAN port and use the physical port (vmbr0) for sending/receiving tagged traffic
--physical port (vmbr0) would be attached to pfSense as the LAN port (not sure if this is correct, maybe another option?)
--configure the existing containers to use the tagged vlan100 port (maybe unnecessary?)
Primary: I want to ensure all LAN traffic never reaches the modem without going through the pfSense VM first, which includes the proxmox host itself.
I think this will work, but I'm stuck on figuring out how to properly configure the Proxmox virtual and physical NIC ports and containers for tagged traffic. I also expect to lose connectivity at certain points, which will complicate implementation.
So, can anyone help me figure out how to implement the vlan changes to proxmox to achieve the objective?
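The layout in the action plan above maps onto a single VLAN-aware Linux bridge on the NUC: vmbr0 stays address-less and carries tagged frames for both VLANs, the host itself lives only on the vmbr0.100 sub-interface, the pfSense VM gets one vNIC tagged 200 (WAN) and one tagged 100 (LAN), and the two containers get tag 100. Because the host has no address on the untagged bridge or on VLAN 200, the only thing that can talk to the modem is the pfSense WAN vNIC, which is the primary objective. The script below is an added example written for this post, not configuration from the poster or from the Proxmox project; it renders the /etc/network/interfaces file and the qm/pct commands for that layout and includes a check for the leak condition. Names from the post (enp0s25, vmbr0, 192.168.100.90/24, .91, .92, VLANs 100/200) are used as given; the pfSense LAN address 192.168.100.1, the VM id 100 and the container ids 101/102 are assumptions, and the two ip -br addr samples are constructed.

```shell
#!/bin/sh
# Added example for the VLAN-aware bridge layout described in the post.
# Values from the post: physical NIC, bridge name, host address, VLAN ids.
PHYS_NIC="enp0s25"
BRIDGE="vmbr0"
HOST_ADDR="192.168.100.90/24"
LAN_VLAN=100
WAN_VLAN=200
# ASSUMED values (not in the post): pfSense LAN address used as the host/CT gateway,
# and the Proxmox guest ids.
PFSENSE_LAN_IP="192.168.100.1"
PFSENSE_VMID=100
FILES_CTID=101
MEDIA_CTID=102

# /etc/network/interfaces for the host: the bridge is VLAN-aware and has no address
# of its own; the management address sits only on the VLAN 100 sub-interface, and
# bridge-vids is restricted to the two VLANs actually in use.
render_interfaces() {
cat <<EOF
auto lo
iface lo inet loopback

iface $PHYS_NIC inet manual

auto $BRIDGE
iface $BRIDGE inet manual
        bridge-ports $PHYS_NIC
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids $LAN_VLAN $WAN_VLAN

auto $BRIDGE.$LAN_VLAN
iface $BRIDGE.$LAN_VLAN inet static
        address $HOST_ADDR
        gateway $PFSENSE_LAN_IP
EOF
}

# Guest attachments: the bridge strips/adds the tag, so pfSense sees plain
# untagged WAN on net0 and untagged LAN on net1; the containers sit on VLAN 100.
render_guest_commands() {
cat <<EOF
qm set $PFSENSE_VMID --net0 virtio,bridge=$BRIDGE,tag=$WAN_VLAN
qm set $PFSENSE_VMID --net1 virtio,bridge=$BRIDGE,tag=$LAN_VLAN
pct set $FILES_CTID --net0 name=eth0,bridge=$BRIDGE,tag=$LAN_VLAN,ip=192.168.100.91/24,gw=$PFSENSE_LAN_IP
pct set $MEDIA_CTID --net0 name=eth0,bridge=$BRIDGE,tag=$LAN_VLAN,ip=192.168.100.92/24,gw=$PFSENSE_LAN_IP
EOF
}

# Leak check: given the output of `ip -br addr` ($1), succeed only if neither the
# untagged bridge nor the physical NIC carries an IPv4 address. An address there
# would give the host a path onto the wire that does not go through VLAN 100.
check_host_has_no_untagged_ip() {
    printf '%s\n' "$1" | awk -v b="$BRIDGE" -v p="$PHYS_NIC" '
        $1 == b || $1 == p { for (i = 3; i <= NF; i++) if ($i ~ /^[0-9]+\./) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed samples in `ip -br addr` format (not captured from a real host).
SAMPLE_OK='lo               UNKNOWN        127.0.0.1/8 ::1/128
enp0s25          UP
vmbr0            UP
vmbr0.100@vmbr0  UP             192.168.100.90/24 fe80::1/64'
SAMPLE_LEAK='enp0s25          UP
vmbr0            UP             192.168.100.90/24 fe80::1/64'

# Stand-alone run: print both configs and report the check on the samples.
if [ "${1:-}" = "show" ]; then
    render_interfaces
    echo
    render_guest_commands
    check_host_has_no_untagged_ip "$SAMPLE_OK"   && echo "sample OK: no untagged host address"
    check_host_has_no_untagged_ip "$SAMPLE_LEAK" || echo "sample LEAK: host has an address on $BRIDGE"
fi
```

Write the rendered interfaces file over /etc/network/interfaces and apply it from the NUC's console (ifreload -a if ifupdown2 is installed, otherwise a reboot), because the moment the host moves from untagged vmbr0 to vmbr0.100 the existing untagged session drops; the switch port the NUC is on has to be tagging VLAN 100 before that step. After everything is up, run `check_host_has_no_untagged_ip "$(ip -br addr)"` on the host to confirm the leak condition is closed.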