A poor man’s Proxmox VLAN configuration
Configuring VLANs with pfSense on Proxmox
Initial Configuration
In my Proxmox host I’ve two hardware NICs cabled to the ISP router which provides the connection (the home LAN connection).
One NIC is configured as vmbr0 which is the default network used by the VMs on the Proxmox host. The other one is just listed on the network section.
Let’s create a new Linux Bridge interface using the other NIC (enp5s0 in the image) with the following settings.
Enabling the “VLAN Aware” flag allows Proxmox to tag the packets in/out the vmbr1 interface if specified on the VM.
This is the /etc/network/interfaces file generated from the GUI:
auto lo
iface lo inet loopbackauto enp1s0
iface enp1s0 inet manualiface enp5s0 inet manualauto vmbr0
iface vmbr0 inet static
address 192.168.178.12/24
gateway 192.168.178.1
bridge-ports enp1s0
bridge-stp off
bridge-fd 0auto vmbr1
iface vmbr1 inet manual
bridge-ports enp5s0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
Installing pfSense
- Download the latest ISO from: https://www.pfsense.org/download/
- Create a new VM:
- General -> Name:
pfSense - OS -> ISO imange: load the ISO
- OS -> Guest OS Type: Other
- System -> Graphic Card: SPICE (it should use less CPU)
- Hard Disk -> Disk size (GiB): 32 (at least 8)
- CPU -> Cores: 2
- Memory -> Memory (MiB): 2048
- Memory -> Minimum Memory (MiB): 1024
- Network -> Bridge:
vmbr0 - Network -> Model: VirtIO (paravirtualized)
- Confirm but do not start the VM
- Add a new Network Device from the VM Hardware configuration:
- Bridge:
vmbr1 - Model: VirtIO (paravirtualized)
- Start the VM
- complete the installation with the default settings
- reboot
- on the first boot the configurator will ask some settings:
- skip VLAN configuration for now (press
n) - enter
vtnet0for WAN - enter
vtnet1for LAN - press
Enter - enter
yto complete the interface assignment - Create/Edit a VM with the
vmbr1network to access the pfSense Web Gui
Configuring pfSense
Once the installation is completed and the Web Gui is accessible within a VM to login use:
- admin
- pfsense
Once logged in to access the Web Gui from the WAN (that is the home LAN) go to “Interfaces” -> “WAN” -> Remove the tick from “Block private networks and loopback addresses”; then create a rule from “Firewall” -> “Rules” -> “Add”:
Where NET_HOME is an alias for the LAN.
Configuring DNS
he integrated DNS resolver wasn’t working for me (no DNS resolution was performed) so turn it off from “Services” -> “DNS Resolver” and turn on the “DNS Forwarder” with the default settings.
From “System” -> “General Setup” insert the DNS server to query.
Configuring VLANs
From the “Interfaces” menù select “VLANs” to create the required VLANs.
Make sure to select vtnet1 as the "Parent Interface". Now assign the VLAN to the network interface from "Interfaces" -> "Assignment".
Now the binding is done but the VLAN and its DHCP must be configured.
Click on the VLAN name (i.e. “AD”) to enter its setup.
Make sure to:
- enable the interface
- select “Static IPv4” on “IPv4 Configuration Type”
- specify a IPv4 range and select a subnet mask (i.e. 24) for “IPv4 Address”
After saving the configuration a DHCP configuration tab with the VLAN name is visibile on “Services” -> “DHCP Server”.
Now the VLAN is usable so create a new VM on Proxmox, to specify which VLAN the machine must use when creating the network interface insert the VLAN Tag number.
Boot the machine and check if the IP is on the subnet 192.168.100.0/24.
Configuring the Firewall
As a rule of thumb VLANs should not comunicate to each other except for some required services so the following is a basic firewall configuration to allow traffic intra-VLAN, block the traffic from the VLAN to the others but allow internet navigation.
For a more strict configuration:
This setup blocks all intra-VLAN traffic also but permit the DNS traffic to the gateway.
