Building Virtual PfSense instance using vlan [solved]

Hi guys, at the moment I'm running a Sophos UTM in a virtual machine running on my proxmox server. The server I'm using is an Intel NUC (18 watts load) but the downside is only one NIC. I solved this problem with 2 extra USB 3.0 gigabit NICs. Although it works fine most of the time this is far from ideal. Having seen the pfSense videos from Wendell I wanted to rebuild my network and have a virtual pfSense box using VLANs instead of the USB NICs. But I haven't worked with VLANs until now. I have a VLAN-capable switch. Being that the proxmox is on the same NIC as the LAN & WAN, I'm not sure how to start with this. Any suggestions?

Have you searched Google for virtualized pfSense with VLANs yet? A lot of people have gone this route but I'm dealing with Mother's Day and all so can't help at this moment. It can be done from what I have seen.

I have searched on Google and watched a lot of YouTube videos. And the part of separating the LAN from the WAN I'm able to do. But then I can't get to my proxmox dashboard, which is on the LAN but uses the same NIC. And in every tutorial/video I've seen they have at least more than 1 NIC.

It's your lucky day since I'm running my setup the exact same way as this.

Let's say your switch has 5+ ports.

Port 3 LAN+WAN (plugged to your NUC)
Port 4 WAN (plugged to your modem)

VLAN configuration on your switch:

create VLAN3 for your LAN
Create VLAN4 for WAN

Port 3:
VLAN3 Tagged
VLAN4 Tagged

Port4:
VLAN4 Untagged

The rest of the ports:
VLAN3 Untagged

PVID:
Port 4: VLAN4
The rest: VLAN3

In your pfSense, you should have created VLAN 3 and 4 and assigned VLAN4 to be WAN and VLAN3 to be LAN.

Edit: It's probably better to create virtio network interfaces for the pfSense VM, one tagged VLAN4 and one with 3.

This makes the Linux host handle the VLANing, which is always better.

Give your proxmox an ip within your LAN
Example: your LAN is 192.168.3.0/24
Your pfsense is 192.168.3.1
Your proxmox is 192.168.3.2

You will be able to access proxmox now, since it is on VLAN3: port 3 has PVID VLAN3, which puts any non-tagged network interface connected to port 3 on VLAN3 automatically.

Any newly created VMs or CTs on your proxmox will be on your LAN by default without further tuning.

(Tip: set your pfSense CPU type to "host" instead of KVM to take advantage of AES-NI encryption on your CPU if it supports it.)

Cheers!

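The Proxmox host side of the setup described in the post above, as an added example that is not code from the original thread. It assumes names the thread never states: physical NIC enp0s25, bridge vmbr0, pfSense VM ID 100, LAN = VLAN 3 = 192.168.3.0/24 with the host at 192.168.3.2 and pfSense at 192.168.3.1, WAN = VLAN 4. One point the switch table above implies but does not spell out: port 3 carries VLAN 3 *tagged*, so frames the switch sends to the NUC for the LAN arrive with an 802.1Q tag. An address on the plain bridge would send untagged and never see the tagged replies; the host's management address therefore has to sit on a VLAN 3 sub-interface of the bridge (vmbr0.3), while the pfSense VM gets one virtio NIC per VLAN and the bridge adds and strips the tags, so pfSense itself needs no VLAN objects.

```shell
#!/bin/sh
# Added example, not from the original posts. Generates the Proxmox host
# config for a single-NIC, VLAN-tagged pfSense deployment. All names below
# are assumptions: adjust NIC, VMID and addressing to your own setup.
NIC=enp0s25          # assumed physical NIC name on the NUC
BRIDGE=vmbr0         # Proxmox default bridge name
LAN_VLAN=3           # LAN VLAN ID, as in the switch table above
WAN_VLAN=4           # WAN VLAN ID, as in the switch table above
HOST_IP=192.168.3.2/24   # Proxmox management address (assumed)
GATEWAY=192.168.3.1      # pfSense LAN address (assumed)
VMID=100                 # pfSense VM ID (assumed)

# /etc/network/interfaces stanza: a VLAN-aware bridge with no address of its
# own, and the management address on a tagged VLAN sub-interface of the bridge.
render_interfaces() {
    cat <<EOF
auto lo
iface lo inet loopback

iface ${NIC} inet manual

auto ${BRIDGE}
iface ${BRIDGE} inet manual
    bridge-ports ${NIC}
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids ${LAN_VLAN} ${WAN_VLAN}

# Proxmox management address, tagged VLAN ${LAN_VLAN} (LAN side of pfSense)
auto ${BRIDGE}.${LAN_VLAN}
iface ${BRIDGE}.${LAN_VLAN} inet static
    address ${HOST_IP}
    gateway ${GATEWAY}
EOF
}

# qm commands giving the pfSense VM one virtio NIC per VLAN. The bridge tags
# and untags on the VM's behalf, so inside pfSense net0 is plain LAN and
# net1 is plain WAN. The last line is the "cpu host" tip from the post.
render_qm_commands() {
    echo "qm set ${VMID} --net0 virtio,bridge=${BRIDGE},tag=${LAN_VLAN}"
    echo "qm set ${VMID} --net1 virtio,bridge=${BRIDGE},tag=${WAN_VLAN}"
    echo "qm set ${VMID} --cpu host"
}

# Dry run by default: print what would be written and executed.
# Run as "sh proxmox-vlan.sh apply" on the Proxmox host to write the config
# (back up /etc/network/interfaces first) and attach the NICs to the VM.
case "${1:-}" in
    apply)
        render_interfaces > /etc/network/interfaces
        ifreload -a
        render_qm_commands | sh
        ;;
    *)
        render_interfaces
        render_qm_commands
        ;;
esac
```

Because the bridge does the tagging, pfSense sees two ordinary interfaces and needs no VLAN configuration of its own. Any further VM or container attached to vmbr0 with `tag=3` lands on the LAN, matching the "on your LAN by default" behaviour the post describes; an untagged VM NIC on vmbr0 would instead send frames the switch places in its PVID VLAN but would not receive the tagged replies.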

Awesome!! I'm going to try this out next Wednesday. I'll keep you posted :+1:

So basically:

L3 Managed switch -> PFSense -> L3 Managed switch -> Network

If I'm reading that correctly your L3 switch for your LAN is also internet facing. Should be fine since you're just a blip but that's terribly unsecure.

You're not confident in the ability of the switch in isolating VLANs from each other?

That's the whole point of VLANs.


I'm not confident enough to place my bets on it being internet facing, even if you have specified management interfaces.

Then you're just paranoid, but it's pretty solid.

My profession is to be paranoid. I'd be more inclined to trust an enterprise solution with ongoing patches and good logging but not a consumer level device.

Alright, but calling it "terribly unsecure" is a bit too harsh don't you think?

A consumer device? These days? Not really.

What would your solution be in my situation?

I would just get a small form factor PC with two NICs and go from there, personally. Logically the endeavor is fine, I personally just wouldn't trust it.

Okay, so I have everything working on the pfSense side. :grin: But I seem to be unable to connect to the proxmox dashboard. If I plug the cable into a different port (still on the same PVID) I'm able to connect, but not on port 3 (in your example). The IP sits inside the IP range of the network.

I meant in my situation without buying anything else

Make sure that port 3 is not untagged in any VLAN. It should only be tagged in VLAN3 (LAN) and VLAN4 (WAN) and not untagged in anything. Also make sure the PVID is your LAN VLAN.

Read my first comment again as you may have read it before I edited some mistakes.

I had some problems before I saw you edited the port 4 tagging. This is my setup at the moment: VLAN But I'm still not able to access proxmox. What is it that I'm missing?

You have the default VLAN (VLAN1) untagged on all ports. This should be NotMember on all ports.

This should solve it.

I hoped it would be something as simple as this. I changed the default to no member but no change :weary: Is there something I have to change on the proxmox side of things?