Setting up pfSense VM with trunked port on one NIC interface (Dell R710)?

junior9

New Member
Apr 28, 2021
Hi,

I would like to know if my setup below can be configured to work (sorry for my badly drawn schematic).
For the past two weeks I've been struggling to set up pfSense. Every time I turn on the pfSense VM, my connection to Proxmox drops.


My idea is to pass WAN traffic via VLAN 10, filter it with pfSense and connect on the other side with the PCs on VLAN 20. I plan on using pfSense as DHCP (for all VLANs - if possible?)
The management port for the switch and Proxmox should be on VLAN 50. Or, worst case scenario, if something fails, connecting to Proxmox will be through the iDRAC interface.


I must say that I'm pretty new at this and my biggest struggle is to know how bridges work inside Linux (and their configuration as well). I ended up creating a second bridge, a Linux VLAN, VLAN-aware bridges, but nothing works... Every tutorial and forum post gives a different solution...

1. Can I separate each VLAN to go to separate bridges (vmbr0 - VLAN 10 - eno0 (or eno0.10?), vmbr1 - VLAN 20 - eno0 (or eno0.20), vmbr2 - VLAN 50 - eno0 or eno0.50)?
2. Can trunked traffic pass through a bridge? If so, all VLANs should be available to pfSense and configuration should be much easier by using only one bridge.
3. Is a Linux VLAN necessary to be created in Proxmox for every VLAN I have?


I know I'm asking too much here, but I'm sure that I'm not the only one with this setup.
If you guys have a conf that works for you, please share it.

PS. I know that it would be easier if I had used those three additional ports, but my current setup allows me to use only one.

Thanks!

Attachment: Screen Shot 2021-05-12 at 20.57.15.png (network schematic)
 
1. Can I separate each VLAN to go to separate bridges (vmbr0 - VLAN 10 - eno0 (or eno0.10?), vmbr1 - VLAN 20 - eno0 (or eno0.20), vmbr2 - VLAN 50 - eno0 or eno0.50)?
You can, but it's not necessary. Just check the box "vlan aware" on your vmbr0 (which contains all the VLANs, I guess).
You can then either define one NIC for pfSense and define the VLANs inside the VM, or you pass vmbr0 multiple times with different tag ids.

2. Can trunked traffic pass through a bridge? If so, all VLANs should be available to pfSense and configuration should be much easier by using only one bridge.
Like I said above, this is possible, although configuration inside pfSense could become a bit more tricky.

3. Is a Linux VLAN necessary to be created in Proxmox for every VLAN I have?
Only if your host should have its own address in this VLAN.
 
You can, but it's not necessary. Just check the box "vlan aware" on your vmbr0 (which contains all the VLANs, I guess).
You can then either define one NIC for pfSense and define the VLANs inside the VM, or you pass vmbr0 multiple times with different tag ids.


Like I said above, this is possible, although configuration inside pfSense could become a bit more tricky.
Thank you!!
I did pass vmbr0 multiple times with tags 10 and 20 and nothing crashed. I'm able to manage it from vlan 50 without issues.

Inside pfSense I set up em0 as WAN and em1 as LAN (em0.10 and em1.20 won't work as WAN/LAN interfaces, perhaps Proxmox sees it as a VLAN inside a VLAN).
I set one Win10 test VM network interface to vmbr0 with VLAN tag 20, and it gets an IP from pfSense. All good here. Another PC connected to the switch on VLAN 20 won't get an IP.

Any ideas?
vmbr0 is vlan-aware and has all vids passed in the conf file.

Below is my conf file.
Code:
auto lo
iface lo inet loopback

iface eno1 inet manual
iface eno2 inet manual
iface eno3 inet manual
iface eno4 inet manual

# eno1 is the single trunk port; vmbr0 is VLAN-aware, so each VM NIC picks
# its VLAN with a tag (pfSense gets vmbr0 twice, once with tag 10 and once with tag 20).
auto vmbr0
iface vmbr0 inet manual
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# Host management address on VLAN 50, as a VLAN sub-interface of the bridge.
# An interface that carries an address is declared 'inet static';
# a VLAN sub-interface has no bridge-ports of its own.
auto vmbr0.50
iface vmbr0.50 inet static
    address 192.168.10.20/24


Only if your host should have an own address in this vlan.
As I wrote above, Proxmox management is going through VLAN 50. Is that enough for security reasons, or should I apply some other settings?



Thanks!
 
Inside pfSense I set up em0 as WAN and em1 as LAN (em0.10 and em1.20 won't work as WAN/LAN interfaces, perhaps Proxmox sees it as a VLAN inside a VLAN).
As soon as you define a VLAN tag in the VM config, that VLAN reaches the VM untagged, so this is expected behavior.

I set one Win10 test VM network interface to vmbr0 with VLAN tag 20, and it gets an IP from pfSense. All good here. Another PC connected to the switch on VLAN 20 won't get an IP.
This should usually work, so you should troubleshoot up the OSI layer ladder. Cable, ping, firewall, etc.

As I wrote above, Proxmox management is going through VLAN 50. Is that enough for security reasons, or should I apply some other settings?
Whether this is enough depends entirely on your threat assessment. It's a start, but you can always do more. :)
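A Python checker for the layout discussed in this thread, added here and not taken from the thread or from Proxmox: it parses an interfaces file and the VM NIC lines of a Proxmox VM config (both constructed samples), then flags an address declared under 'inet manual', a tag outside the bridge's bridge-vids, and any VM NIC that sits on, or is untagged and therefore trunked into, the host's management VLAN. The function names, sample MACs and VLAN numbers are assumptions.

```python
# Constructed sample interfaces file: one-NIC trunk into a VLAN-aware bridge, host management on VLAN 50 (address deliberately left under 'inet manual').
INTERFACES = """\
auto vmbr0
iface vmbr0 inet manual
    bridge-ports eno1
    bridge-vlan-aware yes
    bridge-vids 2-4094
auto vmbr0.50
iface vmbr0.50 inet manual
    address 192.168.10.20/24
"""
# Constructed VM NIC lines in /etc/pve/qemu-server/<vmid>.conf syntax (MAC addresses are made up).
VM_NICS = ["net0: virtio=DE:AD:BE:EF:00:10,bridge=vmbr0,tag=10",
           "net1: virtio=DE:AD:BE:EF:00:20,bridge=vmbr0,tag=20",
           "net2: virtio=DE:AD:BE:EF:00:99,bridge=vmbr0"]  # no tag: this NIC sees the whole trunk

def parse_interfaces(text):
    """Map iface name -> {'method': ..., option: value}; ifupdown2 accepts '-' or '_' in option names."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 4 and parts[0] == "iface" and parts[2] == "inet":
            cur = ifaces.setdefault(parts[1], {"method": parts[3]})
        elif not parts:
            cur = None  # a blank line closes the stanza
        elif cur is not None and parts[0] not in ("auto", "allow-hotplug") and not parts[0].startswith("#"):
            cur[parts[0].replace("_", "-")] = " ".join(parts[1:])
    return ifaces

def in_vids(tag, spec):
    """True if VLAN `tag` is covered by a bridge-vids list such as '2-4094' or '10 20 50'."""
    return any(int(p.split("-")[0]) <= tag <= int(p.split("-")[-1]) for p in spec.split())

def audit(text, vm_nics):
    """Findings for this layout; management VLANs = addressed VLAN sub-interfaces of a bridge (vmbr0.50 -> 50)."""
    ifaces, findings = parse_interfaces(text), []
    mgmt = {int(n.rsplit(".", 1)[1]) for n, o in ifaces.items() if "." in n and "address" in o}
    for name, o in ifaces.items():
        if "." in name and "address" in o and o["method"] != "static":
            findings.append(f"{name}: carries an address but is 'inet {o['method']}'; declare it 'inet static'")
    for line in vm_nics:
        nic, rest = line.split(":", 1)
        opts = dict(kv.split("=", 1) for kv in rest.strip().split(","))
        br, tag = opts["bridge"], int(opts["tag"]) if "tag" in opts else None
        vids = ifaces.get(br, {}).get("bridge-vids")
        if tag is not None and vids and not in_vids(tag, vids):
            findings.append(f"{nic}: tag {tag} is outside {br} bridge-vids '{vids}', so it will not pass")
        if tag in mgmt or (tag is None and mgmt):
            findings.append(f"{nic}: VM can reach host management VLAN(s) {sorted(mgmt)} through {br}")
    return findings
```

Run against the samples it reports the 'inet manual' address on vmbr0.50 and the untagged net2 NIC, which is trunked into VLAN 50 along with everything else; the two tagged pfSense NICs pass.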
 
