
Running PFSense On a Proxmox VM

A while back I took a spare server and set up Proxmox on it. At the time I didn’t plan on more than having a play to learn a VM system I had not used before. I found I liked the overall system and it quickly expanded to host my home DNS, Plex, and Home Security DVR servers.

Shortly after I decided I wanted PFSense running as my firewall. However, I wanted it on a VM, not dedicated hardware. I wanted this VM to be the first thing traffic hits when coming off my modem. This proved to be difficult since we are putting a VM in front of the VM host on the network.

To make this more difficult I also needed to pass the connection out to a switch to feed access points and wired devices in my house.

To solve this we needed 3 NICs.  2 for PFSense, one being LAN and the other WAN.  The 3rd for Proxmox to use to access the network.  My server only had 2 so I picked up a cheap 2 port Intel NIC online.

Once we have all 3 NICs running we need to bridge them in Proxmox. In my case I bridged eth0 to vmbr0. This will serve as Proxmox’s network access once we set up PFSense. You then bridge the remaining NICs per the screenshot.

[Screenshot: Proxmox network bridge configuration]
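As an added example (not from the original post), here is a constructed /etc/network/interfaces for this three-NIC layout, with a check that only the management bridge gives the Proxmox host an IP address. The eth1/eth2 port names, the 192.168.1.x addresses, and leaving vmbr1 and vmbr2 without a host address are assumptions.

```shell
#!/bin/sh
# Constructed sample of /etc/network/interfaces for the three-NIC layout.
# Addresses and the eth1/eth2 port assignments are assumptions for illustration.
sample_interfaces() {
cat <<'EOF'
auto lo
iface lo inet loopback

# Proxmox management bridge: the only place the host has an address
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

# pfSense WAN: no host address, so the hypervisor has no IP on the modem side
auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0

# pfSense LAN: no host address, guests attach here
auto vmbr2
iface vmbr2 inet manual
    bridge_ports eth2
    bridge_stp off
    bridge_fd 0
EOF
}

# Print every vmbrN bridge on which the host itself would take an IP address:
# method static/dhcp on the iface line, or an "address" line inside the stanza.
bridges_with_host_ip() {
    awk '
        $1 == "iface" { name = $2; hit = ($2 ~ /^vmbr/ && ($4 == "static" || $4 == "dhcp")) }
        $1 == "address" && name ~ /^vmbr/ { hit = 1 }
        hit && !(name in seen) { seen[name] = 1; print name }
    '
}

# With the sample above, only vmbr0 is listed.
sample_interfaces | bridges_with_host_ip
```

On a real host, run `bridges_with_host_ip < /etc/network/interfaces`; if the bridge cabled to the modem shows up, the hypervisor itself is addressable on the WAN side rather than sitting behind pfSense.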

You can now create the PFSense VM within Proxmox. When you create it, assign the remaining two NICs to it. In my case I assigned vmbr1 and vmbr2. Launch into the PFSense installer and follow along; it should be pretty clear. It will ask you to pick which NIC to use for LAN and which for WAN. If you get it backwards you can swap cables later.

Make sure you remember the LAN IP address you assign PFSense.

Once the install is complete you won’t have any network access in PFSense.  You will now need to swap some cables around.  As a result, you will lose access to the Proxmox web interface for the time being.

Take the cable from your modem and connect it to one of the 2 network ports for PFSense.  Then take another cable and run it from the other network port to a PC (I used my laptop to make it easy).

Once you do this, try to access the PFSense web interface via the LAN IP you assigned it. If you cannot reach it, you may have put the cables in the wrong ports. Switch them around. If it still does not work, try rebooting the PFSense VM. You can do this directly on the Proxmox host using qm shutdown VMID and qm start VMID.

Once you get to the PFSense web interface navigate to Status > Interfaces.  Ensure that you are assigned an external IPv4 at a minimum.  If you are not it may be a configuration issue with your modem.

Once you have an internet connection you can connect everything else.

In my case I pulled the cable from my laptop and connected it to a switch.  From there I connect my access points and wired devices.

To get access to the Proxmox web interface again you need to connect the remaining network port on the VM host to the switch. Note, I gave PFSense the same IP/subnet as my old router. This allowed Proxmox to pick up its network again without additional configuration.

If you had existing VMs in Proxmox you will need to change their network adapters to use the same bridge as the PFSense LAN connection.

That’s all there is to it. Once you do this, all traffic coming into your network hits PFSense first. From there it is fed out to be distributed to your liking. I have had this configuration for almost 2 years and it has been mostly flawless.

Proxmox

matt

11 Comments

  1. Excellent work Matt ! Great post, exactly what I was looking for and needed.
    I had this very idea myself !!!
    After recently being successful with installing pfSense on a physical box as my Firewall/IDS/DNS Server etc., I read up on Proxmox VE again and wondered if this was possible and, if so, would it be stable?
    Again, thanks for a great post that answers my questions !! Have a blessed one.
    FaRNaD aka l0k33y5

    • Glad it helped! It took me a lot of trial and error to get it working. I’ve had it running for about 2 years now and it’s been stable.

  2. Thanks Matt. The first is an apology for my bad English expression.
    I’m trying to make that configuration. Is the WAN interface of pfSense PPPoE?
    There are some items that do not recommend exposing the VM directly to the Internet.
    What’s your opinion about it?

  3. Hi, I’ve only been aware of Proxmox for a few days. I thought I was having an original idea in wanting to virtualise pfSense, but I see not!!!
    1. Don’t see why vmbr0 has a 192 address. Is it really a NAT Router?
    In my case it really is a cable modem and thus my vmbr0 would be DHCP from the ISP.
    2. I don’t see why three ethX are needed. Can’t Proxmox sit on the same vmbrX as the LAN side of the pfsense VM.
    Nevertheless, you’ve given me some thought provoking ideas. Thanks
    John

    • Hello,

      Looking again, the diagram I made is incorrect. vmbr0 is connected to a switch and used by Proxmox as its main network interface.

      As for the 3 NICs.

      NIC 1: Connected to Cable modem and assigned as WAN interface in pfSense (WAN)
      NIC 2: Connected to LAN interface in pfSense
      NIC 3: Used to connect Proxmox to the LAN and WAN.

      The 3rd NIC is needed since the first 2 are used only by pfSense for WAN and LAN. The 3rd NIC connects proxmox to the LAN and internet via a switch attached to the pfSense LAN NIC. Without this 3rd NIC you cannot access Proxmox and Proxmox cannot access the internet.

      • Matt,

        Excellent write up and the easiest to understand I have found. For that, thank you very much. I just have a small question. If the ProxMox management IP is on the LAN side of the pfSense vm, would it be possible to assign the management interface to vmbr2 to keep the traffic between ProxMox and the pfSense router internal rather than having it travel through the switch? Or is that not able to be done?

        Again, thank you for the write-up!

  4. Great Article. I am trying to achieve the same setup with a dedicated hosted server with one public IP Address. Can you help please?

  5. Hi Matt,
    Thanx for the great article. I suppose Wake on LAN for the host will not work if it is put behind a pfsense guest?

  6. I have been trying to work on Proxmox recently. Looking at your diagram, my plan is to use 2 NICs. I read the comments on previous posts @John R. It is possible to connect Proxmox under pfSense via NAT/VLAN. I just don’t know how. I have read a few forums and blogs in which a few were successful doing so with 2 NICs. Can you please help me out by any chance?

    Thank You!

  7. You could avoid the need for a third NIC by simply assigning an IP to the LAN bridge. For example, I have vmbr0 bridged with eth0, which is my WAN and vmbr1 bridged with eth1 which is my LAN. I assigned an IP of 192.168.x.2 and a default gateway of 192.168.5.x to vmbr1 on my proxmox box and 192.168.x.1 to my pfsense vm. That way, I can access proxmox by using 192.168.x.2 from any computer that is connected to the LAN. That works as long as you trust all computers on the network.
