Proxmox \ pfSense \ 1 Public IP \ 1NIC

I have a VDS from the excellent @MikeA and trying to get the networking correctly setup. I've created 2 bridges vmbr0 for LAN traffic set to 10.0.0.200/24 and another vmbr1 set to the public IP address. What I would like to do is give the public IP address to pfSense and put the Proxmox server behind the pfSense VM. I think I've got everything setup correctly, but when I release the IP address from the bridge and try to have the WAN on pfSense take over it's not working. Any ideas?

Comments

  • So you want to assign the public IP to a VM running pfSense? And then pass everything on via NAT?

  • Probably your settings are wrong.

    Thanked by (1)AaronSS
  • @tetech said:
    Probably your settings are wrong.

    Maybe. I've checked them 3 times and everything seems in order.

  • MikeAMikeA Hosting ProviderOG

    Just to be sure you may want to boot into a rescue image (the new panel has SystemRescueCD and Netboot ISO for you to boot into any OS live CD) and configure both IPs, to be sure both IPs work when configured in a rescue/live system.

    ExtraVM - High RAM Specials
    Yours truly.

  • mikhomikho AdministratorHosting ProviderOG

    Exactly what isn't working?

    I did a similar setup with a Hetzner dedicated with pfsense with a public IP and then "everything" behind the pfsense instance.
    As I remember when setting it up, pfsense doesn't allow admin connections on the WAN interface by default. I could be wrong, but I remember having set up a Windows VM with Teamviewer behind my pfsense and used that to "properly" connect to pfsense from the "inside" after the IP changes were made.

    Thanked by (2)AaronSS Hetzner_OL
  • edited March 2022

    @mikho said:
    Exactly what isn't working?

    I did a similar setup with a Hetzner dedicated with pfsense with a public IP and then "everything" behind the pfsense instance.
    As I remember when setting it up, pfsense doesn't allow admin connections on the WAN interface by default. I could be wrong, but I remember having set up a Windows VM with Teamviewer behind my pfsense and used that to "properly" connect to pfsense from the "inside" after the IP changes were made.

    That's correct - and that's now I want it to be. The problem is that after everything is setup and I reboot proxmox it nevers connects again. I lose traffic all together.

  • mikhomikho AdministratorHosting ProviderOG

    @AaronSS said:

    @mikho said:
    Exactly what isn't working?

    I did a similar setup with a Hetzner dedicated with pfsense with a public IP and then "everything" behind the pfsense instance.
    As I remember when setting it up, pfsense doesn't allow admin connections on the WAN interface by default. I could be wrong, but I remember having set up a Windows VM with Teamviewer behind my pfsense and used that to "properly" connect to pfsense from the "inside" after the IP changes were made.

    That's correct - and that's now I want it to be. The problem is that after everything is setup and I reboot pfsense it nevers connects again. I lose traffic all together.

    Enable access from the WAN while troubleshooting.
    From what you write, it looks like the configuration is never saved and it reboots into default config.

    Thanked by (1)AaronSS
  • @mikho said:
    Enable access from the WAN while troubleshooting.

    I've done that - that's why I think it's not working. I'm installing teamviewer in a linux VM to see if I can connect to that after the switch.

    Thanked by (1)mikho
  • There must surely be guides on this out there...virtualized pf on proxmox is while fringe...still common enough to google.

    Having exactly zero actual experience on this I shall now give my expert opinion:

    @AaronSS said: when I release the IP address from the bridge and try to have the WAN on pfSense take over it's not working

    Pretty sure you'd always need a bridge. i.e. the bridge is the primary entry point on proxmox. One bridge for the interface coming in and another for the internal "lan". So the whole disconnect bridge and have pfsense "take over" reads wrong to me

  • edited March 2022

    @havoc said:
    Pretty sure you'd always need a bridge. i.e. the bridge is the primary entry point on proxmox. One bridge for the interface coming in and another for the internal "lan". So the whole disconnect bridge and have pfsense "take over" reads wrong to me

    Yes, I have two bridges like your talking about. What I mean by "taking over" is releasing the IP address from the bridge. Then I expect pfsense to "take over" the Public IP address. Does that make since?

  • I just notice the that Proxmox was using /32 and pfsense /24 so I changed pfsense to /32 as well.

  • @AaronSS said:
    I just notice the that Proxmox was using /32 and pfsense /24 so I changed pfsense to /32 as well.

    No difference :(

  • I just remember about Disable Hardware Checksums with Proxmox VE VirtIO Sadly it's didn't help.

  • @AaronSS said: . What I mean by "taking over" is releasing the IP address from the bridge. Then I expect pfsense to "take over" the Public IP address. Does that make since?

    If the pfsense is virtualised then you wouldn't be releasing anything...you need that bridge to remain in place since it is connecting your virtualised pfsense to the internet.

    ...release that and unsurprisingly you lose connectivity.

    There is no "taking over" anything here...the pfsense is virtualized...it can only talk to what the hypervisor exposes...and the way proxmox does that is via bridge.

  • So just put the public IP on both the bridge and pfsence?

  • Maybe I would be better off with something like this: https://gist.github.com/Akanoa/afef9cbc6b4f90a78f2c841017932589

    I’m not sure…

  • I think my new strategy will be to forward all traffic to the PF sense box using iptables

  • Posting here for @ehab and everyone else

    https://pastebin.com/fkqFHFeW

    This is what I did. So far seems to be working great.

    Thanked by (1)ehab
  • edited October 2022

    PFSense WAN IP: 192.168.100.2/24
    PFSense LAN IP: 10.0.1.1/24

  • Shortly I'll be moving this to github. I've found a couple of things I need to change.

    1. WAN_Network="192.168.100.0/24" should really be WAN_Network="192.168.100.0/30" as you only need 2 IP addresses.
    2. I don't like how SSH and 8006 are open to everyone. Going to make it whitelist only.
    Thanked by (1)ehab
  • edited October 2022

    @havoc said:
    There must surely be guides on this out there...virtualized pf on proxmox is while fringe...still common enough to google.

    Pretty sure you'd always need a bridge. i.e. the bridge is the primary entry point on proxmox. One bridge for the interface coming in and another for the internal "lan". So the whole disconnect bridge and have pfsense "take over" reads wrong to me

    FWIW, it's nowhere near the same hardware (being VPS vs 4-port bare-metal), but the only time I've used proxmox rather than libvirt/QEMU directly, I followed this and it was trivial: https://www.servethehome.com/how-to-pass-through-pcie-nics-with-proxmox-ve-on-intel-and-amd/

    I also have a bridge to the other VMs too. The main difference I can think of that might cause a problem on a VPS, is that I had my proxmox interface on a physical NIC that wasn't passed through to pfSense, and so it's not accessible even internally until I plug it into a router attached to one of the 2 LAN ports.

    Glad you got it sorted anyway, but thought posting the link to this guide might still be useful for others.

Sign In or Register to comment.