Hello all. I recreated a virtual range in proxmox using the same design that successfully works in vmware. However, what I have working in vmware is not working in proxmox.
I configured a pfSense router that mirrors traffic from the DMZ VLAN to the SPAN_port VLAN. The pfSense router's diagnostics packet capture feature confirms the traffic does mirror from the DMZ to the SPAN_port. However, any of the VMs (Ubuntu, Kali, Sec Onion, another pfSense router, etc.) I placed in the SPAN_port VLAN did not see the traffic. Since all of the pfSense router configurations match in both the vmware and proxmox environments, I believe I missed some configuration on proxmox.
The threads I have encountered regarding SPAN (mirror) ports with proxmox cover using ovs to mirror traffic from outside of proxmox into a VM within proxmox. However, I want all the traffic to remain within proxmox so I don't think the other threads help my issue. If I have to use ovs to mirror DMZ to SPAN_port within proxmox, that defeats the point of using the pfSense router?
I thought the issue could be that the proxmox network device connected to the SPAN_port VLAN needed to be placed in promiscuous mode, which is something similar that needs to be done for port groups or vSwitches in ESXi, but I did not find any option for that in proxmox.
Are there any configurations I should consider when dealing with this issue?
I hope the following helps expand what I tried to convey.
Topology:
Proxmox network devices:
By the way, I am using proxmox's software defined network (sdn) solution to create virtual networks within a 3-node cluster.
https://pve.proxmox.com/pve-docs/chapter-pvesdn.html
pfSense router interface assignments:
SPAN_port interface enabled on pfSense router:
Bridge configured in pfSense router:
Confirmation pfSense mirrors traffic from DMZ to SPAN_port:
Many thanks for any assistance with this issue.
Edit: I used the
I configured a pfSense router that mirrors traffic from the DMZ VLAN to the SPAN_port VLAN. The pfSense router's diagnostics packet capture feature confirms the traffic does mirror from the DMZ to the SPAN_port. However, any of the VMs (Ubuntu, Kali, Sec Onion, another pfSense router, etc.) I placed in the SPAN_port VLAN did not see the traffic. Since all of the pfSense router configurations match in both the vmware and proxmox environments, I believe I missed some configuration on proxmox.
The threads I have encountered regarding SPAN (mirror) ports with proxmox cover using ovs to mirror traffic from outside of proxmox into a VM within proxmox. However, I want all the traffic to remain within proxmox so I don't think the other threads help my issue. If I have to use ovs to mirror DMZ to SPAN_port within proxmox, that defeats the point of using the pfSense router?
I thought the issue could be that the proxmox network device connected to the SPAN_port VLAN needed to be placed in promiscuous mode, which is something similar that needs to be done for port groups or vSwitches in ESXi, but I did not find any option for that in proxmox.
Are there any configurations I should consider when dealing with this issue?
I hope the following helps expand what I tried to convey.
Topology:
Proxmox network devices:
By the way, I am using proxmox's software defined network (sdn) solution to create virtual networks within a 3-node cluster.
https://pve.proxmox.com/pve-docs/chapter-pvesdn.html
pfSense router interface assignments:
SPAN_port interface enabled on pfSense router:
Bridge configured in pfSense router:
Confirmation pfSense mirrors traffic from DMZ to SPAN_port:
Many thanks for any assistance with this issue.
Edit: I used the
brctl setaging [bridge] 0 command. Not ideal since this only works when VMs reside in the same node. If anyone has some alternative way, please share.
Last edited: