pfSense on Proxmox What Does Networking Look Like?


brianmc

Hey everyone.

I'm trying to wrap my head around running pfSense in a VM. I get external network to the NIC passed through to the VM. Internal NIC to the Linux bridge. VMs are on this bridge so that's OK too.

What IP is the Proxmox host then? I'm totally confused on this part.
 

brianmc

I'm thinking maybe I have this in the wrong section.

Here's the setup:

Code:
              WAN
               |
              em0
               |
external network br0 1.x.x.x
      |               |
   pfs1vm          pfs2vm
      |               |
internal network br1 10.1.1.x

The pfSense VMs I get. Ideally, I'd want the Proxmox host to do updates over WAN. So if I give the Proxmox host an IP on the KVM internal network bridge 10.1.1.x then I have to have the pfSense VMs up and running to do the initial updates right? Otherwise, it won't route to the external network.

I know someone here has done this. Sorry my ASCII art sucks.
 

Patrick

I know a lot of people here will disagree with me, but is it possible to get a third NIC?

One Proxmox management NIC (default installation.)

One WAN
One LAN

That way, you can still manage the host out of band on a management network. It is not necessary, but it may help simplify your question. Updates would happen from the management network and out from there. You could even have a virtualized pfSense that is the VPN gateway for this management network.
 

vl1969

I have a running setup right now.
Although you can do this with 2 NICs, ideally 3 is better.
I run mine on a Lenovo p59 machine with a dual-port PCI-e Intel NIC.

The onboard port is dedicated to management and both NIC ports are used for pfSense.

I did not pass through anything.
I did the Proxmox setup as usual.

Then I configured 3 virtual bridges:
vmbr0 --> internal NIC port for management. In my case I needed to have 2 network schemas, 192.168.x.x and 10.10.1.x, at a time, so I have vmbr0 as 192.168.1.x and vmbr0:1 as 10.10.1.10, all static.

Then I have vmbr1 as WAN and vmbr2 as LAN.

The ports for vmbr0 and vmbr2 are plugged into the main 24-port switch.

I plugged vmbr1 into my older router first, before setting up pfSense.
Then I created the pfSense VM and assigned vmbr1 and vmbr2 to it (vmbr1 as net0 and vmbr2 as net1).

To make it simple, when installing pfSense unplug the WAN port and choose the active NIC to be LAN.

Once all is installed, plug the WAN port into your ISP provider modem and reboot the VM.
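
The three-bridge layout from the post above, written out as an added example (not vl1969's actual configuration): a constructed /etc/network/interfaces in which the Proxmox host has an address only on the management bridge, plus a check that lists which interfaces carry a host address. The NIC names, the .10 host address, the .1 gateway, the omission of the vmbr0:1 alias, the choice to leave vmbr1 and vmbr2 without a host address, and the function names are all assumptions.

```shell
#!/bin/sh
# Constructed sample of /etc/network/interfaces for the three-bridge layout.
# Assumed values: NIC names, the .10 host address and the .1 gateway.
sample_interfaces() {
cat <<'EOF'
auto lo
iface lo inet loopback

iface eno1 inet manual
iface enp1s0f0 inet manual
iface enp1s0f1 inet manual

# Management: the only bridge where the Proxmox host has an address
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

# WAN: no host address; pfSense net0 attaches here
auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp1s0f0
    bridge-stp off
    bridge-fd 0

# LAN: no host address; pfSense net1 and the guest VMs attach here
auto vmbr2
iface vmbr2 inet manual
    bridge-ports enp1s0f1
    bridge-stp off
    bridge-fd 0
EOF
}

# Read an interfaces file on stdin and print, space-separated, every
# interface that carries an "address" line (where the host is reachable).
host_addressed_ifaces() {
    awk '$1 == "iface" { cur = $2 } $1 == "address" { print cur }' |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Expect only the management bridge to be listed.
sample_interfaces | host_addressed_ifaces; echo
```

On a real host, run `host_addressed_ifaces < /etc/network/interfaces`; files pulled in through `source` lines are not followed by this check.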
 

Jay Quin

One thing I would recommend is, if you can, add a third port and connect the PVE host to it. If you pass through all of your NICs to pfSense and set up the PVE host on a bridge connected only to pfSense, what happens when pfSense goes down? You can no longer access the PVE host remotely. So connect your PVE host to a bridge to pfSense AND to a spare NIC port. You don't have to plug in the port, it's only there in case of emergency.