the problem is in configuring a gateway other than vmbr0

H

hashtag

New Member
May 26, 2023
6
0
1
i installed on proxmox: pfsense, ubuntu, windows 10.
I want all traffic from Ubuntu and Windows to go through pfsense
however, proxmox doesn't give me that option.
by default, I had a vmbr0 interface that outputs all proxmox to a physical network adapter, and I configured this interface as a WAN for pfsense
then I created a second network interface(vmbr1), a linux bridge, configured the network on it, and distributed ips to ubuntu and windows. and configured this interface to LAN pfsense
but it was all in vain, because for all interfaces that I create in proxmox, the default gateway is vmbr0
if I want to put a gateway in the settings of the new interface (vmbr1), then Proxmox gives me an error, for example, for all network adapters, the default gateway is vmbr0
1685080134319.png
1685079995558.png1685079971644.png
 

Attachments

  • 1685079921850.png
    1685079921850.png
    20.5 KB · Views: 21
  • 1685079960720.png
    1685079960720.png
    24.4 KB · Views: 16
The Networking configurations that you input there is for the Proxmox Host. "vmbr0" is both a Linux Bridge (think of a Switch) and an Interface of your Proxmox OS that is attached to the Bridge vmbr0.

So the networking setting like Gateway and IP that you can configure there is for the Proxmox Host, and any Host can only have one Gateway.

I suspect there's something missing in your networking knowledge. If you want to make the classic 'Internal VMs separated by a firewall from an external network' scenario, you should have the following configuration:

A firewall-VM (here: pfsense) with two network interfaces:
  • the 'WAN' interface:
    • attached to vmbr0
    • some IP 192.168.0.* configured on this interface inside that VM
  • the 'LAN' interface:
    • attached to vmbr1
    • some IP 172.10.18.* configured on this interface inside that VM
And your internal VMs:
  • attached to vmbr1
  • some IP 172.10.18.* configured inside those VMs
  • their gateway set as the IP 172.16.18.* of your pfsense

Now what about the configuration of the Bridges itself? For the general VM-workings, you dont need any IP/Gateway configurations on the Bridges. The Question is how do you want the networking of the Proxmox Host to be, so
  • How and from where do you want to access the Proxmox for management?
  • How should the Proxmox be able to access the internet: directly through WAN or through the local pfsense?
For example, if you want to manage Proxmox from 'outside', then you should configure them like this:
  • vmbr0:
    • IPv4/CIDR: 192.168.0.107/24
    • Gateway: 192.168.0.1
  • vmbr1:
    • leave everything empty: No IP, no Gateway, none

Kind regards,
Benedikt
 
  • Like
Reactions: Spoonman2002, hashtag and bobmc
B.Otto said:
The Networking configurations that you input there is for the Proxmox Host. "vmbr0" is both a Linux Bridge (think of a Switch) and an Interface of your Proxmox OS that is attached to the Bridge vmbr0.

So the networking setting like Gateway and IP that you can configure there is for the Proxmox Host, and any Host can only have one Gateway.

I suspect there's something missing in your networking knowledge. If you want to make the classic 'Internal VMs separated by a firewall from an external network' scenario, you should have the following configuration:

A firewall-VM (here: pfsense) with two network interfaces:
  • the 'WAN' interface:
    • attached to vmbr0
    • some IP 192.168.0.* configured on this interface inside that VM
  • the 'LAN' interface:
    • attached to vmbr1
    • some IP 172.10.18.* configured on this interface inside that VM
And your internal VMs:
  • attached to vmbr1
  • some IP 172.10.18.* configured inside those VMs
  • their gateway set as the IP 172.16.18.* of your pfsense

Now what about the configuration of the Bridges itself? For the general VM-workings, you dont need any IP/Gateway configurations on the Bridges. The Question is how do you want the networking of the Proxmox Host to be, so
  • How and from where do you want to access the Proxmox for management?
  • How should the Proxmox be able to access the internet: directly through WAN or through the local pfsense?
For example, if you want to manage Proxmox from 'outside', then you should configure them like this:
  • vmbr0:
    • IPv4/CIDR: 192.168.0.107/24
    • Gateway: 192.168.0.1
  • vmbr1:
    • leave everything empty: No IP, no Gateway, none

Kind regards,
Benedikt
Click to expand...
my goal is this: proxmox should be managed via 192.168.0.107 (this is the proxmox ip in my home network as a physical machine).
traffic to Ubuntu and Windows must go through pfsense. that is, when I ping from 172.10.18.3 (Windows) to 192.168.0.107 (proxmox) - the ping should not go through, there should not be a direct connection. all communication between Ubuntu and Windows with the host or the Internet must go through pfsense.
should be like the diagram I attached to this message. but now, vmbr1 has gateway 192.168.0.107(vmbr0) and i can't change it. help please.1685090856564.png
 
Well then my above config should work. Remove the IP and all other details from vmbr1 and give the gateway to vmbr0. (the settings of vmbr0 in your initial post should be okay).

Another note: Your screenshot of vmbr1 says 172.10.18.0/24 and that is not a valid IP address. Since you are using a 24-mask, the Subnet is 172.10.18.0 - 172.16.10.18.255, but the first and the last IP of a subnet are reserved and not valid 'assignable' IPs.
 
  • Like
Reactions: hashtag
Just remember that pfsense will need to 'allow' the use of a 192.168.x.x network on the WAN interface (see Interfaces/WAN/reserved networks)
 
  • Like
Reactions: hashtag
thank you very much friend!
I followed your recommendations and it seems to work for me, but there is a problem. I don't understand why I can go to the WAN IP of pfsens from the local network. according to my scheme and your recommendations, this should not happen...1685093329430.png
 
you would need to put in a rule to block incoming traffic on the wan interface
 
hashtag said:
thank you very much friend!
I followed your recommendations and it seems to work for me, but there is a problem. I don't understand why I can go to the WAN IP of pfsens from the local network. according to my scheme and your recommendations, this should not happen..
Click to expand...
Hmm, it is not uncommon that you can ping your WAN-Interface from the internal network. In order for your internal VMs to reach the internet your firewall has to route and NAT all traffic from internal and that also applies to the WAN interface.

Sometimes you don't want the WAN-IP to be pingable from outside, but that depends on your applications.

If you don't want the firewall to reply with pings on its WAN interface, you gotta configure a ICMP block rule in your pfsense, like bobmc wrote.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom