Proxmox \ pfSense \ 1 Public IP \ 1NIC

I have a VDS from the excellent @MikeA and am trying to get the networking set up correctly. I've created 2 bridges: vmbr0 for LAN traffic, set to 10.0.0.200/24, and vmbr1, set to the public IP address. What I would like to do is give the public IP address to pfSense and put the Proxmox server behind the pfSense VM. I think I've got everything set up correctly, but when I release the IP address from the bridge and try to have the WAN on pfSense take over, it's not working. Any ideas?

Comments

  • So you want to assign the public IP to a VM running pfSense? And then pass everything on via NAT?

  • Probably your settings are wrong.

  • @tetech said:
    Probably your settings are wrong.

    Maybe. I've checked them 3 times and everything seems in order.

  • MikeA (Hosting Provider, OG)

    Just to be sure you may want to boot into a rescue image (the new panel has SystemRescueCD and Netboot ISO for you to boot into any OS live CD) and configure both IPs, to be sure both IPs work when configured in a rescue/live system.

    ExtraVM - High RAM Specials
    Yours truly.

  • mikho (Administrator, OG)

    Exactly what isn't working?

    I did a similar setup with a Hetzner dedicated with pfsense with a public IP and then "everything" behind the pfsense instance.
    As I remember when setting it up, pfsense doesn't allow admin connections on the WAN interface by default. I could be wrong, but I remember having set up a Windows VM with Teamviewer behind my pfsense and used that to "properly" connect to pfsense from the "inside" after the IP changes were made.


    “Technology is best when it brings people together.” – Matt Mullenweg

  • edited March 2022

    @mikho said:
    Exactly what isn't working?

    I did a similar setup with a Hetzner dedicated with pfsense with a public IP and then "everything" behind the pfsense instance.
    As I remember when setting it up, pfsense doesn't allow admin connections on the WAN interface by default. I could be wrong, but I remember having set up a Windows VM with Teamviewer behind my pfsense and used that to "properly" connect to pfsense from the "inside" after the IP changes were made.

    That's correct - and that's how I want it to be. The problem is that after everything is set up and I reboot proxmox it never connects again. I lose traffic altogether.

  • mikho (Administrator, OG)

    @AaronSS said:

    @mikho said:
    Exactly what isn't working?

    I did a similar setup with a Hetzner dedicated with pfsense with a public IP and then "everything" behind the pfsense instance.
    As I remember when setting it up, pfsense doesn't allow admin connections on the WAN interface by default. I could be wrong, but I remember having set up a Windows VM with Teamviewer behind my pfsense and used that to "properly" connect to pfsense from the "inside" after the IP changes were made.

    That's correct - and that's how I want it to be. The problem is that after everything is set up and I reboot pfsense it never connects again. I lose traffic altogether.

    Enable access from the WAN while troubleshooting.
    From what you write, it looks like the configuration is never saved and it reboots into default config.


  • @mikho said:
    Enable access from the WAN while troubleshooting.

    I've done that - that's why I think it's not working. I'm installing teamviewer in a linux VM to see if I can connect to that after the switch.

  • havoc (OG, Content Writer)

    There must surely be guides on this out there...virtualized pf on proxmox is while fringe...still common enough to google.

    Having exactly zero actual experience on this I shall now give my expert opinion:

    @AaronSS said: when I release the IP address from the bridge and try to have the WAN on pfSense take over it's not working

    Pretty sure you'd always need a bridge. i.e. the bridge is the primary entry point on proxmox. One bridge for the interface coming in and another for the internal "lan". So the whole disconnect bridge and have pfsense "take over" reads wrong to me

  • edited March 2022

    @havoc said:
    Pretty sure you'd always need a bridge. i.e. the bridge is the primary entry point on proxmox. One bridge for the interface coming in and another for the internal "lan". So the whole disconnect bridge and have pfsense "take over" reads wrong to me

    Yes, I have two bridges like you're talking about. What I mean by "taking over" is releasing the IP address from the bridge. Then I expect pfsense to "take over" the Public IP address. Does that make sense?

  • I just noticed that Proxmox was using /32 and pfsense /24, so I changed pfsense to /32 as well.

  • @AaronSS said:
    I just noticed that Proxmox was using /32 and pfsense /24, so I changed pfsense to /32 as well.

    No difference :(

  • I just remembered about "Disable Hardware Checksums with Proxmox VE VirtIO". Sadly, it didn't help.

  • havoc (OG, Content Writer)

    @AaronSS said: What I mean by "taking over" is releasing the IP address from the bridge. Then I expect pfsense to "take over" the Public IP address. Does that make sense?

    If the pfsense is virtualised then you wouldn't be releasing anything...you need that bridge to remain in place since it is connecting your virtualised pfsense to the internet.

    ...release that and unsurprisingly you lose connectivity.

    There is no "taking over" anything here...the pfsense is virtualized...it can only talk to what the hypervisor exposes...and the way proxmox does that is via bridge.

  • So just put the public IP on both the bridge and pfsense?

  • Maybe I would be better off with something like this: https://gist.github.com/Akanoa/afef9cbc6b4f90a78f2c841017932589

    I’m not sure…

  • I think my new strategy will be to forward all traffic to the pfSense box using iptables.

  • Posting here for @ehab and everyone else

    https://pastebin.com/fkqFHFeW

    This is what I did. So far seems to be working great.

  • edited October 2022

    PFSense WAN IP: 192.168.100.2/24
    PFSense LAN IP: 10.0.1.1/24

  • Shortly I'll be moving this to github. I've found a couple of things I need to change.

    1. WAN_Network="192.168.100.0/24" should really be WAN_Network="192.168.100.0/30" as you only need 2 IP addresses.
    2. I don't like how SSH and 8006 are open to everyone. Going to make it whitelist only.
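The two changes listed in the post above (a /30 transfer network and allowlist-only access to SSH and port 8006), as an added example that is not the poster's script. It prints the iptables rules for the Proxmox host instead of applying them; the interface name, the rule layout and the sample source addresses are assumptions, and only `WAN_Network` and the pfSense WAN address come from the thread.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for the Proxmox host.
# Everything here is an assumption except the pfSense WAN address and the
# WAN_Network variable name, which come from the thread.
PUB_IF="vmbr0"                    # assumed: bridge that holds the public IP
WAN_Network="192.168.100.0/30"    # /30 = two usable hosts: Proxmox .1, pfSense .2
PFSENSE_WAN="192.168.100.2"
MGMT_PORTS="22,8006"              # SSH and the Proxmox web UI

# gen_rules ALLOWED_SRC... : emit the rule set for the given admin sources.
gen_rules() {
    if [ "$#" -eq 0 ]; then
        echo "refusing to build rules: an empty allowlist locks out SSH/8006" >&2
        return 1
    fi
    # Validate every entry before emitting anything, so a typo never
    # produces a half-written rule set.
    for src in "$@"; do
        if ! printf '%s\n' "$src" | grep -Eq \
            '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
            echo "bad allowlist entry: $src" >&2
            return 1
        fi
    done
    # Management ports: allowlisted sources first, then drop everyone else.
    for src in "$@"; do
        echo "iptables -A INPUT -i $PUB_IF -s $src -p tcp -m multiport --dports $MGMT_PORTS -j ACCEPT"
    done
    echo "iptables -A INPUT -i $PUB_IF -p tcp -m multiport --dports $MGMT_PORTS -j DROP"
    # All other traffic arriving on the public interface is handed to pfSense.
    echo "iptables -t nat -A PREROUTING -i $PUB_IF -p tcp -m multiport ! --dports $MGMT_PORTS -j DNAT --to-destination $PFSENSE_WAN"
    echo "iptables -t nat -A PREROUTING -i $PUB_IF -p udp -j DNAT --to-destination $PFSENSE_WAN"
    # Traffic leaving the transfer network goes out via the public IP.
    echo "iptables -t nat -A POSTROUTING -s $WAN_Network -o $PUB_IF -j MASQUERADE"
}

# Constructed sample sources (RFC 5737 documentation ranges).
gen_rules 203.0.113.10 198.51.100.0/24
```

Review the printed rules, then pipe them to `sh` as root on the host; keep an out-of-band console open while testing, since a wrong allowlist cuts off SSH and the web UI.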
  • edited October 2022

    @havoc said:
    There must surely be guides on this out there...virtualized pf on proxmox is while fringe...still common enough to google.

    Pretty sure you'd always need a bridge. i.e. the bridge is the primary entry point on proxmox. One bridge for the interface coming in and another for the internal "lan". So the whole disconnect bridge and have pfsense "take over" reads wrong to me

    FWIW, it's nowhere near the same hardware (being VPS vs 4-port bare-metal), but the only time I've used proxmox rather than libvirt/QEMU directly, I followed this and it was trivial: https://www.servethehome.com/how-to-pass-through-pcie-nics-with-proxmox-ve-on-intel-and-amd/

    I also have a bridge to the other VMs too. The main difference I can think of that might cause a problem on a VPS, is that I had my proxmox interface on a physical NIC that wasn't passed through to pfSense, and so it's not accessible even internally until I plug it into a router attached to one of the 2 LAN ports.

    Glad you got it sorted anyway, but thought posting the link to this guide might still be useful for others.
