SDN/vxlan with VLAN aware PFSense

abenoit-reeliant

New Member
Feb 28, 2024
Hello everyone,

I'm trying to set up this kind of configuration (with more VMs, but this is the simplified version):
  • 2 proxmox servers (px1 and px2)
  • 1 pfsense firewall (fw1) on px1
  • 2 virtual machines (vm11 and vm21) on px1
  • 2 virtual machines (vm12 and vm22) on px2
My constraints are:
  1. I want vm11 and vm12 to be in the same VLAN and communicate with each other.
  2. I want vm21 and vm22 to be in the same VLAN and communicate with each other.
  3. I want the two VLANs to be distinct and not allow communication between them (i.e. a vm1* cannot communicate with a vm2*)
  4. I want all the virtual machines to go through the PFSense firewall to access the Internet
What I managed to test:
  • Conf1 : I managed to have a SDN/VXLAN configuration to have all the virtual machines in the same VLAN and communicate with each other (which answers constraints 1 and 2 but not 3).
  • Conf2 : I also managed to have VLANs set up on the pfsense firewall and put vm1* and vm2* in separate VLANs using a Linux bridge (vmbr2) and VLANs in the proxmox node network configuration. Which answers constraint 3 but not 1 and 2.
Is there a way to match all 3 constraints on proxmox (with a PFSense firewall being linked to all VLANs)?

I tried to make multiple vnets in the VXLAN zone, and configure their tags on the VLANs in the PFSense configuration, but then my virtual machines cannot even communicate with the PFSense firewall.

Also, if that is the right scenario, I'm not sure which interface I should plug the firewall into. I tried to plug it into one of the vnets, but that vnet has a mandatory VLAN tag, which is different from the Conf2 case where the interface the PFSense firewall was plugged into was vmbr2 (which didn't have a VLAN tag).
 
Hey abenoit-reeliant,

How did you configure the vxlan?

You need routing for the VLANs, which in your case should be done by pfsense.

The question is how you structure the management ->

A) You submit the created vxlan into the pfsense and can then manage the VLANs.
B) You pass each VLAN into pfsense as an interface and can then manage the routing.

I would pass the vxlan into the pfsense and then manage the routing of the vlans in the pfsense (A). Then you can say in pfsense which VMs are allowed to communicate where and whether the VMs within a VLAN are also allowed to talk to each other.
 
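The reply describes two ways of attaching pfSense to the overlay: (A) one VXLAN vnet passed into pfSense with the VLANs managed inside pfSense, or (B) one vnet per VLAN, each passed to pfSense as its own interface. The script below is an added example, not code from the thread or from Proxmox, and it lays out variant (B) for the four-guest topology in the question: one VXLAN zone spanning px1 and px2, one vnet (one VNI) per group, the guests of each group attached to their vnet on both nodes, and pfSense given one NIC per vnet so that it is the only path between the two groups and to the Internet. In a VXLAN zone the vnet tag is the VNI carried in the VXLAN header between the nodes; the guest sees untagged frames on that bridge, so pfSense needs no 802.1Q VLAN sub-interfaces in this variant. The peer addresses, zone and vnet names, VMIDs and MTU are assumptions chosen for the example; the `pvesh` and `qm` commands are printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the forum thread): Proxmox SDN objects for two isolated
# VXLAN segments, plus the guest NIC attachments, for variant (B) of the reply.
#
# Assumed (hypothetical) values:
#   10.10.0.1 / 10.10.0.2  underlay addresses of px1 / px2 (the VXLAN peers)
#   vxzone                  the VXLAN zone; vnet1 / vnet2 its two vnets (VNI 101 / 102)
#   VMID 100 = fw1 (pfSense), 111 = vm11, 121 = vm21 (px1), 112 = vm12, 122 = vm22 (px2)
set -eu

PEERS="10.10.0.1,10.10.0.2"
ZONE="vxzone"

# VXLAN adds 50 bytes (outer Ethernet/IP/UDP/VXLAN) per frame; the vnet MTU must
# be the underlay MTU minus that, or large packets silently vanish on the overlay.
vxlan_mtu() { echo $(( $1 - 50 )); }

# One vnet (= one VNI = one separate bridge on every node) per group.  Because the
# two VNIs are distinct L2 segments, vm1* and vm2* cannot reach each other at all
# unless something bridges or routes between them; pfSense will be that something.
sdn_commands() {
  mtu=$(vxlan_mtu 1500)
  echo "pvesh create /cluster/sdn/zones --type vxlan --zone $ZONE --peers $PEERS --mtu $mtu"
  echo "pvesh create /cluster/sdn/vnets --vnet vnet1 --zone $ZONE --tag 101"
  echo "pvesh create /cluster/sdn/vnets --vnet vnet2 --zone $ZONE --tag 102"
  # Apply: regenerates /etc/network/interfaces.d/sdn on every node in the cluster.
  echo "pvesh set /cluster/sdn"
}

# Map a guest name to its vnet using the poster's naming (vm1x -> group 1, vm2x -> group 2).
vnet_for_guest() {
  case "$1" in
    vm1*) echo vnet1 ;;
    vm2*) echo vnet2 ;;
    *) echo "unknown guest $1" >&2; return 1 ;;
  esac
}

# True when two guests share an L2 segment (constraints 1 and 2 hold, 3 is violated).
same_segment() { [ "$(vnet_for_guest "$1")" = "$(vnet_for_guest "$2")" ]; }

# NIC attachments.  The vnet name is used as the bridge; it exists on both nodes, so
# the same command works whether the guest lives on px1 or px2.
guest_nic_commands() {
  for entry in vm11:111 vm21:121 vm12:112 vm22:122; do   # constructed name:vmid pairs
    name=${entry%%:*}; vmid=${entry##*:}
    echo "qm set $vmid --net0 virtio,bridge=$(vnet_for_guest "$name")"
  done
  # pfSense keeps net0 on its existing WAN bridge; net1/net2 become one pfSense
  # interface per group, so every inter-group and Internet-bound packet crosses it.
  echo "qm set 100 --net1 virtio,bridge=vnet1"
  echo "qm set 100 --net2 virtio,bridge=vnet2"
}

sdn_commands
guest_nic_commands
```

With this layout constraint 3 is enforced twice: at L2 by the distinct VNIs, and at L3 by pfSense, where each of the two new interfaces gets only a pass rule for traffic whose destination is not the other group's subnet (pfSense drops anything not explicitly allowed on an interface), so an accidental "allow any" on one interface is the thing to review. The reply's variant (A) differs only in that pfSense would get a single NIC on a VLAN-aware vnet and carry the group separation as VLAN sub-interfaces inside pfSense.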
