SDN Network and PFSense Bridge

juniper
Hi,

I have one pfSense VM on a Proxmox VE cluster acting as firewall and IDS with Snort:

net0: virtio=AE:D9:1F:2D:B7:8A,bridge=vmbr0,tag=1000
net1: virtio=CA:C1:3A:C8:74:7B,bridge=vmbr0,tag=200
net2: virtio=7E:83:8A:B0:CD:C4,bridge=vmbr100


I configured a bridge of two interfaces (each one on a different bridge).

The bridge is net0 and net2.

vmbr100 doesn't have any real interface

All works fine, but I miss the possibility to migrate VMs to another node (linked to the pfSense firewall on other nodes of the cluster).

Is there a way to configure, with SDN, a pfSense firewall with a bridge?

Thanks in advance
 
Hi, do you want to do some kind of distributed bridged pfSense firewall? (1 pfSense per host)
Hi, I need the firewall and all VMs linked to it to be able to migrate independently to other cluster nodes.

I have 6 cluster nodes and, for example, I could migrate the firewall to node 3 and a VM to node 5.

Today all works only on one node.
 
Just for info:

net0: virtio=AE:D9:1F:2D:B7:8A,bridge=vmbr0,tag=1000
net1: virtio=CA:C1:3A:C8:74:7B,bridge=vmbr0,tag=200
net2: virtio=7E:83:8A:B0:CD:C4,bridge=vmbr100

VLAN 1000 is my public network on Proxmox vmbr0 (VLAN-aware trunk).

vmbr100 is the other bridge I configured to have everything working.
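The migration problem above comes down to a bridge (vmbr100) that exists on only one node. As an added example (not from this thread or from Proxmox itself), the following script parses `netN:` lines in the VM config format shown above and reports on which nodes the VM could run; the node names and the per-node bridge inventory are constructed for the example.

```python
import re

# Constructed sample: the firewall VM's NIC lines from the thread, as they
# appear in /etc/pve/qemu-server/<vmid>.conf (one "netN:" line each).
VM_NET_LINES = """\
net0: virtio=AE:D9:1F:2D:B7:8A,bridge=vmbr0,tag=1000
net1: virtio=CA:C1:3A:C8:74:7B,bridge=vmbr0,tag=200
net2: virtio=7E:83:8A:B0:CD:C4,bridge=vmbr100
"""

# Constructed inventory (hypothetical node names): bridges defined on each
# cluster node. vmbr100 was only created on the node that runs pfSense.
NODE_BRIDGES = {
    "node1": {"vmbr0", "vmbr100"},
    "node2": {"vmbr0"},
    "node3": {"vmbr0"},
}

NET_LINE = re.compile(r"^net(\d+):\s*(.+)$")

def parse_net_lines(text):
    """Parse 'netN: model=MAC,key=value,...' lines into dicts keyed by netN."""
    nics = {}
    for line in text.splitlines():
        m = NET_LINE.match(line.strip())
        if not m:
            continue  # not a NIC line (other config keys, comments, blanks)
        fields = {}
        for item in m.group(2).split(","):
            key, _, value = item.partition("=")
            fields[key.strip()] = value.strip()
        # The first field is the NIC model (virtio/e1000/...) with its MAC.
        nics[f"net{m.group(1)}"] = fields
    return nics

def migration_targets(nics, node_bridges):
    """Return the nodes on which every bridge the VM references exists."""
    needed = {f["bridge"] for f in nics.values() if "bridge" in f}
    return sorted(n for n, have in node_bridges.items() if needed <= have)

def missing_bridges(nics, node_bridges):
    """Map each node to the bridges it lacks for this VM (empty list = OK)."""
    needed = {f["bridge"] for f in nics.values() if "bridge" in f}
    return {n: sorted(needed - have) for n, have in node_bridges.items()}

if __name__ == "__main__":
    nics = parse_net_lines(VM_NET_LINES)
    print(migration_targets(nics, NODE_BRIDGES))   # ['node1']
    print(missing_bridges(nics, NODE_BRIDGES))     # node2/node3 lack vmbr100
```

Running it against the real config and the output of `ip link` on each node shows immediately which nodes still need the extra bridge before the firewall VM can land there.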
 
Yes, you are correct, a distributed transparent bridged pfSense firewall.
Currently it's not possible with SDN, maybe later (as we already have the Proxmox firewall).

It's not so easy, as with multiple pfSense instances you'll need to sync the conntrack table if you don't want to break connections on live migration (it's possible with CARP, but I don't know how many pfSense instances you can sync).

I have some plans to manage a central box appliance in the future (for gateway, firewall, NAT, DHCP, load balancer). But doing it distributed is not easy.

But don't expect it before 1 year; there are a lot of other things to finish before that.
 
Thank you,

Well, the only way is to have a pfSense VM (synced) on each cluster node?

Or moving pfSense outside the cluster, btw.
 
I was looking at how VMware NSX implemented it, but traffic is also redirected to a central firewall pair somewhere in the network (with some kind of transparent routing); I'm not sure that it's possible across VMs in the same LAN/VXLAN, only when traffic is routed across VXLANs.


I don't know what your needs are exactly.
A classic setup could be to use a pair of pfSense VMs, acting as gateway/router/firewall between your different subnets/VLANs (but you can't filter traffic between 2 VMs in the same VLAN/subnet).
 
I've just configured, for testing, two synced pfSense VMs on 2 different cluster nodes, and now I can migrate VMs between the two cluster nodes...

My need is to have only one transparent firewall/IDS on Proxmox VE and maintain the capability to migrate VMs or the firewall across all cluster nodes.
 