A while back I took a spare server and set up Proxmox on it. At the time I didn’t plan on more than having a play to learn a VM system I had not used before. I found I liked the overall system and it quickly expanded to host my home DNS, Plex, and Home Security DVR servers.
Shortly after I decided I wanted PFSense running as my firewall. However, I wanted it on a VM, not dedicated hardware. I wanted this VM to be the first thing traffic hits when coming off my modem. This proved to be difficult since we are putting a VM in front of the VM host on the network.
To make this more difficult I also needed to pass the connection out to a switch to feed access points and wired devices in my house.
To solve this we needed 3 NICs: 2 for PFSense, one being LAN and the other WAN, and a 3rd for Proxmox to use to access the network. My server only had 2, so I picked up a cheap 2-port Intel NIC online.
Once we have all 3 NICs running we need to bridge them in Proxmox. In my case I bridged eth0 to vmbr0. This will serve as Proxmox’s network access once we set up PFSense. You then bridge the remaining NICs per the screenshot.
You can now create the PFSense VM within Proxmox. When you create it, assign the remaining two NICs to it. In my case I assigned vmbr1 and vmbr2. Launch into the PFSense installer and follow along; it should be pretty clear. It will ask you to pick which NIC to use for LAN and which for WAN. If you get it backwards you can swap cables later.
Make sure you remember the LAN IP address you assign PFSense.
Once the install is complete you won’t have any network access in PFSense. You will now need to swap some cables around. As a result, you will lose access to the Proxmox web interface for the time being.
Take the cable from your modem and connect it to one of the 2 network ports for PFSense. Then take another cable and run it from the other network port to a PC (I used my laptop to make it easy).
Once you do this, try to access the PFSense web interface via the LAN IP you assigned it. If you cannot reach it, you may have put the cables in the wrong ports. Switch them around. If it still does not work, try rebooting the PFSense VM. You can do this directly on the Proxmox host using qm shutdown VMID and qm start VMID.
Once you get to the PFSense web interface, navigate to Status > Interfaces. Ensure that you are assigned an external IPv4 address at a minimum. If you are not, it may be a configuration issue with your modem.
Once you have an internet connection you can connect everything else.
In my case I pulled the cable from my laptop and connected it to a switch. From there I connected my access points and wired devices.
To get access to the Proxmox web interface again you need to connect the remaining network port on the VM host to the switch. Note, I gave PFSense the same IP/subnet as my old router. This allowed Proxmox to pick up its network again without additional configuration.
If you had existing VMs in Proxmox you will need to change their network adapters to use the same bridge as the PFSense LAN connection.
That’s all there is to it. Once you do this, all traffic coming into your network hits PFSense first. From there it is fed out to be distributed to your liking. I have had this configuration for almost 2 years and it has been mostly flawless.
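For reference, here is an added example (not from the original post) of what the three-bridge layout described above can look like in /etc/network/interfaces, together with a check that only vmbr0 gives the Proxmox host an IP address, so the host itself is never addressable on the modem side. The names eth1/eth2, the addresses, and the choice of vmbr1 as WAN and vmbr2 as LAN are assumptions.

```shell
# Added example, not from the original post. eth0 and vmbr0-vmbr2 are the
# names used in the post; eth1/eth2, the addresses, and vmbr1=WAN / vmbr2=LAN
# are assumptions. The sample below is constructed.
sample_interfaces() {
cat <<'EOF'
auto lo
iface lo inet loopback

iface eth0 inet manual
iface eth1 inet manual
iface eth2 inet manual

# Proxmox management: the only bridge with a host address
auto vmbr0
iface vmbr0 inet static
        address 192.168.1.10/24
        gateway 192.168.1.1
        bridge-ports eth0
        bridge-stp off
        bridge-fd 0

# pfSense WAN (modem side): no host address
auto vmbr1
iface vmbr1 inet manual
        bridge-ports eth1
        bridge-stp off
        bridge-fd 0

# pfSense LAN (switch side): no host address
auto vmbr2
iface vmbr2 inet manual
        bridge-ports eth2
        bridge-stp off
        bridge-fd 0
EOF
}

# Read an interfaces file on stdin; print each bridge other than $1 that is
# configured with a host address (static, dhcp, or an address line).
bridges_with_host_ip() {
    awk -v mgmt="$1" '
        function report() { if (isbridge && hasaddr && name != mgmt) print name }
        $1 == "iface"   { report(); name = $2; isbridge = 0; hasaddr = ($4 == "static" || $4 == "dhcp") }
        $1 == "address" { hasaddr = 1 }
        $1 ~ /^bridge[-_]ports$/ { isbridge = 1 }
        END { report() }
    '
}
exposed=$(sample_interfaces | bridges_with_host_ip vmbr0)
echo "bridges with an unexpected host IP: ${exposed:-none}"
```

On a real host, feed the live file to the function instead of the sample: bridges_with_host_ip vmbr0 < /etc/network/interfaces. Any bridge name it prints means the Proxmox host has an address on a segment that should belong only to the PFSense VM.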