[SOLVED] Using a bridge as LAN with proxmox as gateway

Gabriele Assentato

Jun 13, 2018
Hi, I have been trying for a few days to set up iptables on my Proxmox installation.

Since I have only one public IP address and I need pfSense installed, I created a bridge between only the Proxmox host and the pfSense guest.

My network cards are the following:
eno1 - Public IP address (XXX.XXX.XXX.XXX/24 with its gateway)
vmbr0 - Bridge for the eno1 card
vmbr1 - Bridged to a dummy card with IP 192.168.1.254/24
vmbr2 - Bridged to another dummy card with IP 172.16.0.0/16

The vmbr1 is used as the WAN for pfSense, and the vmbr2 as the LAN for all the VMs.

This is the configuration of my pfSense box:
WAN IP 192.168.1.1/24 gateway 192.168.1.254
LAN IP 172.16.255.254 and also configured to be the gateway for its LAN

I've tried this on my proxmox host machine:
Code:
iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
iptables -A FORWARD -i vmbr1 -o eno1 -j ACCEPT
iptables -A FORWARD -i vmbr1 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT


I also tried replacing eno1 with vmbr0, but it doesn't work.
I could solve this by having a 2nd public IP for my pfSense box, but I can't buy it.

How can I solve this issue?
 
Hi,

I am sorry, but I do not understand what this "routed setup" does.
Do I need to add my pfSense VM to a bridge to the primary NIC with this configuration?

Sorry for my lack of knowledge

Regards,
Gabriele.
 
Hi,

I solved the issue using the "Routed Setup" following this guide:
https://www.flomain.de/2015/05/how-to-proxmox-networking/

Now my interfaces file looks like this:

Code:
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet static
        address  xxx.xxx.xxx.xyz
        netmask  255.255.255.0
        gateway  xxx.xxx.xxx.254
        post-up echo 1 > /proc/sys/net/ipv4/conf/eno1/proxy_arp

auto vmbr0
iface vmbr0 inet static
        address  172.16.255.254
        netmask  255.255.0.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address  192.168.1.253
        netmask  255.255.255.252
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.1.252/30' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.1.252/30' -o eno1 -j MASQUERADE

Where vmbr0 is the LAN with all my VMs, including pfSense, and vmbr1 is the WAN for the pfSense machine.

I hope this can be useful to someone.

Best regards,
Gabriele.
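An added example, not part of the original thread: a small Python checker for the NAT hooks in an interfaces file like the one posted above. It flags a MASQUERADE rule with no `-s` restriction (as in the first attempt), a `-s` network that does not match the stanza's own address/netmask, and a `post-up` rule with no matching `post-down`. The function names and the embedded sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the vmbr1 stanza from the post above.
SAMPLE = """\
auto vmbr1
iface vmbr1 inet static
        address  192.168.1.253
        netmask  255.255.255.252
        bridge_ports none
        post-up iptables -t nat -A POSTROUTING -s '192.168.1.252/30' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.1.252/30' -o eno1 -j MASQUERADE
"""
RULE = re.compile(r"^(post-up|post-down)\s+iptables\s+-t\s+nat\s+-[AD]\s+(POSTROUTING.*MASQUERADE)\s*$")
SRC = re.compile(r"-s\s+'?([0-9./]+)'?")

def parse_stanzas(text):
    """Split an interfaces file into {iface name: [option lines]}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("iface "):
            current = stanzas.setdefault(line.split()[1], [])
        elif current is not None and line and not line.startswith(("#", "auto ")):
            current.append(line)
    return stanzas

def audit(text):
    """Return (iface, finding) tuples for the MASQUERADE hooks of each stanza."""
    findings = []
    for iface, lines in parse_stanzas(text).items():
        opts = dict(l.split(None, 1) for l in lines if l.split()[0] in ("address", "netmask"))
        hooks = {"post-up": set(), "post-down": set()}
        for m in filter(None, map(RULE.match, lines)):
            hooks[m.group(1)].add(m.group(2))
        subnet = None
        if "address" in opts and "netmask" in opts:
            subnet = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}").network
        for body in sorted(hooks["post-up"] | hooks["post-down"]):
            if body not in hooks["post-up"] or body not in hooks["post-down"]:
                findings.append((iface, "unpaired post-up/post-down rule"))
            src = SRC.search(body)
            if src is None:
                findings.append((iface, "MASQUERADE has no -s source restriction"))
            elif subnet and ipaddress.ip_network(src.group(1), strict=False) != subnet:
                findings.append((iface, f"-s {src.group(1)} does not match {subnet}"))
    return findings

print(audit(SAMPLE))
```

To check a real host, pass the contents of `/etc/network/interfaces` to `audit()` instead of `SAMPLE`.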
 