Can't get VLANs to work in pfsense on proxmox
-
Hello! I've been trying to figure this out for days and I don't know what to do anymore.
I've been running pfsense within proxmox for about a week now and everything runs great. My setup is like this:
- There are 5 ethernet ports on the machine. The port on the motherboard and 4 ports on an i350-t4 from 10Gtek
- The port on the motherboard is assigned to the linux bridge vmbr0. This is the one I used to install proxmox and the one that has the IP address I use to access the web ui
- There are two other linux bridges (vmbr1 and vmbr2) using one port from the i350-t4 each.
- pfSense uses vmbr1 as WAN (connected straight to my ISP modem) and vmbr2 as LAN.
- The pfSense LAN (vmbr2) is connected to a managed switch from tp-link which distributes connection to all of my devices.
- vmbr0 is connected to port 2 on this switch.
In pfSense I set up a VLAN for testing with VLAN ID 16. I put its parent interface as LAN, and added it to the interface assignments. I then enabled it, set an IPv4 addr for it (192.168.16.1) and enabled the DHCP server for it, specifying a range as well (192.168.16.10-192.168.16.245).
I then spun up an ubuntu vm and set vmbr2 (pfSense's LAN) as its network device and placed tag=16 on it. IT DOESN'T WORK WOMP WOMP. As soon as I remove the tag it works and I get an IP (192.168.1.X). For some reason when I try using the VLAN it doesn't connect, it just stays on connecting the whole time. It should be connecting and assigning an IP of the form 192.168.16.X.
Please help I've tested many things already and don't know what to do. I think my problem is within proxmox or pfsense. My main suspect is the way I'm using the linux bridges or the fact that proxmox uses vmbr0 which is connected to the switch that pfsense sends traffic to?
I'm very new to all of this so I really just don't even know what could be going wrong.
-
@elcalzado
Did you enable VLAN awareness on the Proxmox bridge?
Did you disable Hardware Checksum Offloading in pfSense?
Consider letting Proxmox do the whole VLAN stuff.
Generally, there is no need to configure VLANs on a virtualized machine. Instead you could assign virtual interfaces to pfSense for each VLAN and configure the VLAN on it.
@elcalzado said in Can't get VLANs to work in pfsense on proxmox:
My main suspect is the way I'm using the linux bridges or the fact that proxmox uses vmbr0 which is connected to the switch that pfsense sends traffic to?
The switch port should be in a separate network segment, of course.
You can also configure an IP on the LAN bridge for accessing Proxmox.
-
I have turned on the VLAN aware box but haven’t changed the checksum thing. Would you mind giving me a basic explanation of what that does?
I also don’t really understand the concept of letting proxmox handle vlans. I tried but I don't understand how it would be structured.
-
@elcalzado said in Can't get VLANs to work in pfsense on proxmox:
I have turned on the VLAN aware box but haven’t changed the checksum thing. Would you mind giving me a basic explanation of what that does?
It's recommended in the pfSense docs: Virtualizing with Proxmox VE
And I had bad issues without it in the past.
I also don’t really understand the concept of letting proxmox handle vlans. I tried but I don't understand how it would be structured.
Say vmbr2 is your trunk with 3 VLANs, connected to the switch.
So in Proxmox you can add virtual interfaces for each of these VLANs to pfSense, each connected to vmbr2 and with the respective VLAN ID.
Then Proxmox tags packets from the VM, and lets only the respective VLAN packets pass to the VM, while removing the tag.
So in pfSense you only have to configure normal interfaces.
It's just a thought to have things simple in pfSense. But to be honest, I manage VLANs also in a virtualized pfSense.
-
@viragomann said in Can't get VLANs to work in pfsense on proxmox:
It's just a thought to have things simple in pfSense.
I've no vlans exposed in pfsense nor any vlan-aware bridges in proxmox. Instead, just regular pve bridges, each with one ethx.nnn assigned bridge port.
Whilst you have to edit your PVE network config (and possibly reboot) whenever you want to add/modify vlans, the benefits outweigh the loss of convenience IME. There are certain things that do not work as you might hope when vlan tags are visible to VMs. With pfsense for example, vlans complicate suricata use.
Having said all that, networking in Proxmox has evolved quite a bit lately and I am not familiar with the new features yet.
-
@viragomann
EDIT: I have changed nothing and it's sort of working now...? I'm getting an IP of 192.168.16.X in the Ubuntu VM! I'll test and see if everything is fine.
Hello! Sorry for the late reply. I finally get to work with this. I'm still confused as to how to implement this but I understand the concept.
Would I create a Linux VLAN in proxmox and call it vmbr2.16 for example? If so would I then go into pfsense and delete my vlan interface I made in there? Or, would I pass in another vmbr2 w tag 16 into the vm and use that as the interface for vlan 16?
Also do I need to give the Linux VLAN a default gateway, ip, etc? If so, when I try to give it 192.168.16.1 it says vmbr0 (the one that I access proxmox through) already has it. But that interface is on 192.168.1.X. I don't get it...
-
@elcalzado
No clue why but it's working for both wifi and wired. I have no clue what I did, not even rebooted the system. The only strange thing I notice is that I can't ping the 192.168.16.1 addr from the ubuntu vm so I can't access pfsense through it. Is that normal because I haven't set up firewall rules? But I can ping other devices on the same vlan.
-
@elcalzado said in Can't get VLANs to work in pfsense on proxmox:
Would I create a Linux VLAN in proxmox and call it vmbr2.16 for example? If so would I then go into pfsense and delete my vlan interface I made in there? Or, would I pass in another vmbr2 w tag 16 into the vm and use that as the interface for vlan 16?
All you have to do is to enter the VLAN ID in the virtual NIC settings for pfSense like this:
You can do this all in the Proxmox GUI.
In your case it will be 16 for this one. For the next VLAN add an additional network device and state the respective VLAN ID.
In pfSense you would have to remove the VLANs and configure conventional interfaces.
Also do I need to give the Linux VLAN a default gateway, ip, etc?
No. These settings are for Proxmox only and would give it an IP.
Just check "VLAN aware" in the bridge settings.
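
The two host-side layouts described in this thread, written out as an added example (not any poster's actual configuration). The NIC name `enp2s0f1`, the bridge name `vmbr16`, the `net1`/`net2` indexes and the MAC placeholders are assumptions; use one layout or the other for a given VLAN.

```conf
# /etc/network/interfaces on the Proxmox host (excerpt).
# enp2s0f1 is an assumed name for the i350 port that feeds the switch trunk.

# Layout A: one VLAN-aware bridge; Proxmox tags/untags per virtual NIC.
auto vmbr2
iface vmbr2 inet manual
    bridge-ports enp2s0f1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
# No address or gateway here: an IP on this bridge would belong to the
# Proxmox host itself, not to pfSense.
#
# Matching NIC entries in the pfSense VM config (MACs are placeholders):
#   net1: virtio=<MAC-1>,bridge=vmbr2            (untagged LAN)
#   net2: virtio=<MAC-2>,bridge=vmbr2,tag=16     (VLAN 16, untagged inside the VM)

# Layout B: a plain bridge per VLAN on a tagged sub-interface, with no
# VLAN-aware bridge involved. vmbr16 is an assumed bridge name.
auto vmbr16
iface vmbr16 inet manual
    bridge-ports enp2s0f1.16
    bridge-stp off
    bridge-fd 0
# pfSense NIC for this layout:
#   net2: virtio=<MAC-2>,bridge=vmbr16
```

In both layouts pfSense receives VLAN 16 as an ordinary untagged interface, so the VLAN interface created inside pfSense is removed and its address and DHCP range are configured on the new NIC instead.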