Proxmox \ pfSense \ 1 Public IP \ 1NIC

I have a VDS from the excellent @MikeA and am trying to get the networking set up correctly. I've created 2 bridges: vmbr0 for LAN traffic, set to 10.0.0.200/24, and another, vmbr1, set to the public IP address. What I would like to do is give the public IP address to pfSense and put the Proxmox server behind the pfSense VM. I think I've got everything set up correctly, but when I release the IP address from the bridge and try to have the WAN on pfSense take over, it's not working. Any ideas?

Comments

  • Mr_Tom Hosting Provider OG

    So you want to assign the public IP to a VM running pfSense? And then pass everything on via NAT?

  • Correct

  • Probably your settings are wrong.

    Thanked by (1)AaronSS
  • @tetech said:
    Probably your settings are wrong.

    Maybe. I've checked them 3 times and everything seems in order.

  • MikeA Hosting Provider OG

    Just to be sure you may want to boot into a rescue image (the new panel has SystemRescueCD and Netboot ISO for you to boot into any OS live CD) and configure both IPs, to be sure both IPs work when configured in a rescue/live system.

  • mikho Administrator Hosting Provider OG

    Exactly what isn't working?

    I did a similar setup with a Hetzner dedicated with pfsense with a public IP and then "everything" behind the pfsense instance.
    As I remember when setting it up, pfsense doesn't allow admin connections on the WAN interface by default. I could be wrong, but I remember having set up a Windows VM with Teamviewer behind my pfsense and used that to "properly" connect to pfsense from the "inside" after the IP changes were made.

    Thanked by (2)AaronSS Hetzner_OL

    Get 4 or more NAT servers (mix/match between packages) and get a 30 % recurring discount. https://clients.mrvm.net

  • edited March 30

    @mikho said:
    Exactly what isn't working?

    I did a similar setup with a Hetzner dedicated with pfsense with a public IP and then "everything" behind the pfsense instance.
    As I remember when setting it up, pfsense doesn't allow admin connections on the WAN interface by default. I could be wrong, but I remember having set up a Windows VM with Teamviewer behind my pfsense and used that to "properly" connect to pfsense from the "inside" after the IP changes were made.

    That's correct - and that's how I want it to be. The problem is that after everything is set up and I reboot proxmox it never connects again. I lose traffic altogether.

  • mikho Administrator Hosting Provider OG

    @AaronSS said:

    @mikho said:
    Exactly what isn't working?

    I did a similar setup with a Hetzner dedicated with pfsense with a public IP and then "everything" behind the pfsense instance.
    As I remember when setting it up, pfsense doesn't allow admin connections on the WAN interface by default. I could be wrong, but I remember having set up a Windows VM with Teamviewer behind my pfsense and used that to "properly" connect to pfsense from the "inside" after the IP changes were made.

    That's correct - and that's how I want it to be. The problem is that after everything is set up and I reboot pfsense it never connects again. I lose traffic altogether.

    Enable access from the WAN while troubleshooting.
    From what you write, it looks like the configuration is never saved and it reboots into default config.

    Thanked by (1)AaronSS


  • @mikho said:
    Enable access from the WAN while troubleshooting.

    I've done that - that's why I think it's not working. I'm installing teamviewer in a linux VM to see if I can connect to that after the switch.

    Thanked by (1)mikho
  • There must surely be guides on this out there...virtualized pf on proxmox is while fringe...still common enough to google.

    Having exactly zero actual experience on this I shall now give my expert opinion:

    @AaronSS said: when I release the IP address from the bridge and try to have the WAN on pfSense take over it's not working

    Pretty sure you'd always need a bridge. i.e. the bridge is the primary entry point on proxmox. One bridge for the interface coming in and another for the internal "lan". So the whole disconnect bridge and have pfsense "take over" reads wrong to me

  • edited March 30

    @havoc said:
    Pretty sure you'd always need a bridge. i.e. the bridge is the primary entry point on proxmox. One bridge for the interface coming in and another for the internal "lan". So the whole disconnect bridge and have pfsense "take over" reads wrong to me

    Yes, I have two bridges like you're talking about. What I mean by "taking over" is releasing the IP address from the bridge. Then I expect pfsense to "take over" the Public IP address. Does that make sense?

  • I just noticed that Proxmox was using /32 and pfsense /24 so I changed pfsense to /32 as well.

  • @AaronSS said:
    I just noticed that Proxmox was using /32 and pfsense /24 so I changed pfsense to /32 as well.

    No difference :(

  • I just remembered about Disable Hardware Checksums with Proxmox VE VirtIO. Sadly it didn't help.

  • @AaronSS said: What I mean by "taking over" is releasing the IP address from the bridge. Then I expect pfsense to "take over" the Public IP address. Does that make sense?

    If the pfsense is virtualised then you wouldn't be releasing anything...you need that bridge to remain in place since it is connecting your virtualised pfsense to the internet.

    ...release that and unsurprisingly you lose connectivity.

    There is no "taking over" anything here...the pfsense is virtualized...it can only talk to what the hypervisor exposes...and the way proxmox does that is via bridge.

  • So just put the public IP on both the bridge and pfSense?

  • Maybe I would be better off with something like this: https://gist.github.com/Akanoa/afef9cbc6b4f90a78f2c841017932589

    I’m not sure…

  • I think my new strategy will be to forward all traffic to the pfSense box using iptables.
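
The strategy from the last post, with the public IP staying on the Proxmox bridge and everything except the host's own management ports DNATed to pfSense, as an added example (not code from the thread or the linked gist). The pfSense address 10.0.0.1, the admin source 198.51.100.7 and the choice of ports 22 and 8006 are assumptions; the script only prints the rules and applies nothing.

```bash
#!/bin/sh
# Added example: prints (does not apply) host-side NAT rules for a Proxmox
# node that keeps the single public IP and forwards the rest to pfSense.

PUB_IF="vmbr1"           # bridge with the public IP (named in the first post)
LAN_NET="10.0.0.0/24"    # vmbr0 network (host is 10.0.0.200 in the first post)
PFSENSE_WAN="10.0.0.1"   # assumption: pfSense address on vmbr0
MGMT_PORTS="22,8006"     # assumption: SSH and Proxmox web UI stay on the host
ADMIN_SRC="198.51.100.7" # assumption: constructed admin address (TEST-NET-2)

gen_rules() {
  pub_if=$1 pf=$2 lan=$3 mgmt=$4 admin=$5

  # Refuse an empty or malformed exception list: without it every TCP port,
  # including SSH and the web UI, is handed to pfSense and the host is
  # unreachable if the VM is down or misconfigured.
  case $mgmt in
    ''|*[!0-9,]*) echo "bad management port list" >&2; return 1 ;;
  esac
  case $pf in
    ''|*[!0-9.]*) echo "bad pfSense address" >&2; return 1 ;;
  esac

  echo "sysctl -w net.ipv4.ip_forward=1"
  # Management ports bypass pfSense, so filter them on the host itself.
  echo "iptables -A INPUT -i $pub_if ! -s $admin -p tcp -m multiport --dports $mgmt -j DROP"
  # Everything else arriving on the public bridge goes to pfSense.
  echo "iptables -t nat -A PREROUTING -i $pub_if -p tcp -m multiport ! --dports $mgmt -j DNAT --to-destination $pf"
  echo "iptables -t nat -A PREROUTING -i $pub_if -p udp -j DNAT --to-destination $pf"
  # Outbound traffic from behind the host leaves with the public IP.
  echo "iptables -t nat -A POSTROUTING -s $lan -o $pub_if -j MASQUERADE"
}

gen_rules "$PUB_IF" "$PFSENSE_WAN" "$LAN_NET" "$MGMT_PORTS" "$ADMIN_SRC"
```

Review the printed rules before applying them, and persist them (for example as post-up lines in /etc/network/interfaces) so they survive a reboot.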
