Have a few questions about running a firewall/router in a Proxmox VM

First of all let me say right off the bat that I do not want to start a discussion on the whole merits of running a firewall/router in a VM.
I have my reasons and did my research.

What I have:

I have a Lenovo SFF PC with 6GB RAM and dual 120GB SSDs.
Proxmox 5.1.3 set up and updated.

3 NICs: enp0s25, enp17s0f0 and enp17s0f1.
One is an on-board port; the other 2 are a dual Intel PRO card.

enp0s25 is the dedicated Proxmox management port, connected to vmbr0 with a static IP.

enp17s0f0 and enp17s0f1 are the router VM's dedicated interfaces, WAN and LAN respectively,
but I created bridges vmbr1 and vmbr2 for them. vmbr1 is DHCP as it will get all settings from the ISP;
vmbr2 is manual for now as I am not sure how to proceed.

My questions are as follows:

My current LAN uses a 192.168.x.x/24 schema. I would like to switch to a 10.10.x.x/?? schema.
What is the good way of doing this with my setup?

Install the VM and configure pfSense or NethServer, then change the host IP to 10.10.x.x before switching the router?

Or is this a bad way to do it?

The machine will be dedicated to router duty; the only reason I want to run the router in a VM is that I will have an all-in-one server where I can clone the VM for a kind of hot backup. If the SFF fails I would switch the cables and start the backup VM on the second server.

Also I may want to try a couple of other distros, and using a VM makes it easier to do so.

The connections I plan will be:
From ISP modem ==> to WAN port ==> from LAN port to main switch,
and from management NIC to main switch.

How do I need to configure this setup?

Thanks

There wouldn’t be much configuration involved; just set it up the way you’ve described and it will work. If all your devices use dynamic IPs then whatever subnet you set for the DHCP server will be what everything gets. If you do have static IPs for anything then you will want to change them manually. I’d suggest setting a static IP for the Proxmox management manually as well so you can still SSH in if the VM goes down.
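As an added example (not from this thread), here is the Proxmox host-side network layout the question describes, written out as the Debian 9 ifupdown config Proxmox 5.x uses, together with a sanity check a practitioner would run before rebooting onto the new 10.10.x.x addressing. The management bridge vmbr0 gets the static address the reply recommends; vmbr1 (WAN) and vmbr2 (LAN) are bridged through to the router VM with no host address at all, because a host address, static or DHCP, on the WAN bridge would put the hypervisor itself on the modem side of the firewall. The interface and bridge names are the thread's; the 10.10.0.5/24 management address, the router VM's LAN address 10.10.0.2 as the host gateway, and VM ID 100 are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread: Proxmox host network layout for the
# three-NIC router-VM setup, plus a check to run before rebooting.
# Assumed values: management address 10.10.0.5/24, router VM LAN address
# 10.10.0.2 as the host's gateway, VM ID 100. Syntax is Debian 9 ifupdown
# as shipped with Proxmox 5.x (bridge_ports, netmask).

render_interfaces() {
    cat <<'EOF'
auto lo
iface lo inet loopback

# Management NIC: static so SSH and the web UI stay reachable when the
# router VM (and therefore DHCP) is down.
auto enp0s25
iface enp0s25 inet manual

auto vmbr0
iface vmbr0 inet static
    address 10.10.0.5
    netmask 255.255.255.0
    gateway 10.10.0.2
    bridge_ports enp0s25
    bridge_stp off
    bridge_fd 0

# WAN NIC: carries the ISP link to the router VM only. Deliberately no
# address and no DHCP on the host side; a host address here would expose
# the hypervisor directly to the modem side of the firewall.
auto enp17s0f0
iface enp17s0f0 inet manual

auto vmbr1
iface vmbr1 inet manual
    bridge_ports enp17s0f0
    bridge_stp off
    bridge_fd 0

# LAN NIC: bridged to the router VM; the host itself talks to the LAN
# through vmbr0, so no address here either.
auto enp17s0f1
iface enp17s0f1 inet manual

auto vmbr2
iface vmbr2 inet manual
    bridge_ports enp17s0f1
    bridge_stp off
    bridge_fd 0
EOF
}

# The router VM is then attached with one NIC per bridge (assumed VM ID):
#   qm set 100 --net0 virtio,bridge=vmbr1 --net1 virtio,bridge=vmbr2

# True when the bridge is declared "inet static" in the file.
bridge_is_static() {
    awk -v br="$2" '
        /^iface / && $2 == br { found = 1; ok = ($4 == "static") }
        END { if (found && ok) exit 0; exit 1 }
    ' "$1"
}

# True when the bridge is "inet manual" and its stanza carries no address
# line, i.e. the host has no IP on that segment.
bridge_has_no_host_ip() {
    awk -v br="$2" '
        /^iface / { cur = $2; if (cur == br) { found = 1; mode = $4 } }
        cur == br && /^[[:space:]]+address/ { addr = 1 }
        END { if (found && mode == "manual" && !addr) exit 0; exit 1 }
    ' "$1"
}

# Render to a temp file and verify the layout: management static, WAN and
# LAN bridges address-less on the host.
check_layout() {
    tmp=$(mktemp) || return 1
    render_interfaces > "$tmp"
    if bridge_is_static "$tmp" vmbr0 &&
       bridge_has_no_host_ip "$tmp" vmbr1 &&
       bridge_has_no_host_ip "$tmp" vmbr2; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

case "${1:-}" in
    render) render_interfaces ;;
    check)  check_layout && echo "layout OK" ;;
esac
```

Run it as `sh bridges.sh check` to validate and `sh bridges.sh render > /etc/network/interfaces` to install, ideally from a console rather than over SSH, since the management address changes. With virtio NICs on pfSense, disable hardware checksum offloading in the pfSense networking settings, or throughput through the VM will suffer.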

Thanks, that is always the case. It is much easier to remember a static IP for a couple of servers than to guess.

I will only have 2 Proxmox hosts on the network:
the one for the router(s) and one for all other uses, like file server, downloading/torrent/media management machine, maybe a Plex or Emby server. Personally I lean towards Emby server.

So realistically there should only be 3 static IPs and several DHCP-reserved IPs.

I went and set up pfSense already; I need to configure it and it should be ready to deploy.
I want to try setting up NethServer too and see which I like more.

pfSense is proven and popular, but since it is BSD it gives me a headache. Neth is based on CentOS so it should be much easier to manage, and I can load Webmin alongside it too, so very little command line is needed. But it is not strictly a router/firewall distro so I am a bit apprehensive about using it as one.

Will see.

OK, so far so good. All is up and testing is in progress.
I have 2 VMs set up (running one at a time).

One is pfSense 2.24.
One is NethServer 7 final.

The only kink in the testing is that until I actually swap my router for the new setup I have to use 192.168. IPs instead of the 10.10 I want, and in NethServer I am using DHCP for the green interface (red is DHCP by default as I use Optimum and it is not a static IP).

I have a new question though.
I want/need to set up an FQDN.

So right now I have “NS1.home.lan”; “home” is the schema left over from my Verizon FiOS days and I added “.lan” to make it look like a proper URL.

My question is: can I use my NO-IP.net “[mydomain].ddns.net” domain instead?

If I understand things correctly it would look like “NS1.mydomain.ddns.net”.

Will this create any issues down the road?

Thanks

If you are familiar enough with iptables… you can use whatever Linux flavor OS you want for a router.

I am not so good with Linux as to attempt this.
I would like to have a distro with a nice WebUI that would hold my hand a little :slight_smile:
So I only look at distributions that already exist to fulfill my needs.
pfSense and NethServer I was already familiar with, and I know that both of them can be used for this role.

Yeah, you can. You can use anything you want as a domain name on your local network. As long as the DNS entries on your local DNS match what you have set up on No-IP (except using the internal addresses) then you shouldn’t have any issues.
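As an added example (not from this thread), the split-horizon arrangement the reply above describes, written for Unbound, which is the DNS Resolver in pfSense: the same host names as under the No-IP domain, served to LAN clients with LAN addresses. The one detail worth getting right is the zone type: declaring the zone `transparent` means a name under the DDNS domain that has no local record is still forwarded upstream and gets the public answer, whereas a `static` zone would return NXDOMAIN for it on the LAN. The zone name, the host list and the addresses are assumptions; `resolve_inside` is only a small model of that lookup behaviour for checking the data, not an Unbound API.

```shell
#!/bin/sh
# Added example, not from this thread: split-horizon overrides for Unbound
# (pfSense's DNS Resolver) so hosts under the public No-IP name resolve to
# LAN addresses from inside, while names under that domain with no local
# record still go out to the public resolvers.
# ZONE, the host list and the addresses are assumptions.
ZONE="mydomain.ddns.net"

# Constructed host list for the example: "<shortname> <LAN address>" per line.
LAN_HOSTS="ns1 10.10.0.2
pve1 10.10.0.5
pve2 10.10.0.6"

# Emit an unbound.conf fragment. "transparent" is the part that matters:
# with "static" instead, every name under the zone without local-data
# (the bare DDNS name you use from outside, for instance) would get
# NXDOMAIN on the LAN.
render_unbound_overrides() {
    printf 'server:\n'
    printf '    local-zone: "%s." transparent\n' "$ZONE"
    printf '%s\n' "$LAN_HOSTS" | while read -r name ip; do
        [ -n "$name" ] || continue
        printf '    local-data: "%s.%s. IN A %s"\n' "$name" "$ZONE" "$ip"
        printf '    local-data-ptr: "%s %s.%s"\n' "$ip" "$name" "$ZONE"
    done
}

# Model of what a LAN client gets for a name under this config: the LAN
# address when an override exists, otherwise "forward" (Unbound asks the
# upstream resolver, which answers with whatever No-IP publishes).
resolve_inside() {
    fqdn="$1"
    case "$fqdn" in
        *."$ZONE") short="${fqdn%."$ZONE"}" ;;
        *) echo forward; return 0 ;;
    esac
    hit=$(printf '%s\n' "$LAN_HOSTS" | awk -v n="$short" '$1 == n { print $2; exit }')
    echo "${hit:-forward}"
}

case "${1:-}" in
    render) render_unbound_overrides ;;
esac
```

In the pfSense GUI the same entries are the Host Overrides under Services > DNS Resolver; the generated fragment is what that page writes for you. Keep the short host names identical to the ones registered at No-IP, as the reply says, so a laptop that roams between the LAN and the outside always uses one FQDN and only the answer changes.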

Thanks, will see where it gets me :slight_smile: