Netgate Discussion Forum

    Proxmox through pfsense

    • ibanez89

      Hello everybody,

      I have a big problem setting up a Proxmox server behind pfsense. Everything works quite well, but I can access the host over SSH only from the pfsense console; from other clients I have this problem:

      @client:

      [ibanez89@archnote ~]$ ssh -v root@10.0.2.2
      OpenSSH_6.1p1, OpenSSL 1.0.1e 11 Feb 2013
      debug1: Reading configuration data /etc/ssh/ssh_config
      debug1: Connecting to 10.0.2.2 [10.0.2.2] port 22.
      debug1: Connection established.
      debug1: identity file /home/ibanez89/.ssh/id_rsa type -1
      debug1: identity file /home/ibanez89/.ssh/id_rsa-cert type -1
      debug1: identity file /home/ibanez89/.ssh/id_dsa type -1
      debug1: identity file /home/ibanez89/.ssh/id_dsa-cert type -1
      debug1: identity file /home/ibanez89/.ssh/id_ecdsa type -1
      debug1: identity file /home/ibanez89/.ssh/id_ecdsa-cert type -1

      @serverside:

      Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
      permitted by applicable law.
      Last login: Fri Mar 22 12:53:09 2013 from 10.0.2.1
      root@pve:~# netstat -a |grep ssh
      tcp        0      0 *:ssh                   *:*                     LISTEN
      tcp        0    42 10.0.2.2:ssh            192.168.1.100:51653    FIN_WAIT1 
      tcp        0      0 10.0.2.2:ssh            10.0.2.1:29506          ESTABLISHED
      tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
      root@pve:~#

      In this situation, I can't access port 8002 from other clients to manage Proxmox from the web GUI, and the problems don't end there: on the Proxmox host (10.0.2.2) I can ping every client on my network and WAN websites, but I can't download anything… aptitude won't work...

      This is my network infrastructure:

      My server has only one NIC, eth0, and a wlan0 access point; all other interfaces are virtualized.

      
      # network interface settings
      auto wlan0
      iface wlan0 inet manual
      
      auto lo
      iface lo inet loopback
      
      auto eth0
      iface eth0 inet manual
      
      ####################
      #pfsense wan interface#
      ####################
      auto vmbr0
      iface vmbr0 inet manual
              bridge_ports eth0
              bridge_stp off
              bridge_fd 0
      
      ####################
      #hostapd Accesspoint #
      #LAN->pfsense           #
      ####################
      auto vmbr1
      iface vmbr1 inet manual
              bridge_ports wlan0
              bridge_stp off
              bridge_fd 0
      
      #####################
      #VM->pfsense interface#
      #####################
      auto vmbr2
      iface vmbr2 inet manual
              bridge_ports none
              bridge_stp off
              bridge_fd 0
      
      ######################
      #Host->pfsense interface#
      ######################
      auto vmbr3
      iface vmbr3 inet static
              address 10.0.2.2
              netmask 255.255.255.0
              network 10.0.2.0
              broadcast 10.0.2.255
              gateway 10.0.2.1
              bridge_ports none
              bridge_stp off
              bridge_fd 0
      
      

      This is my firewall configuration (sorry for the Dropbox folder):

      https://www.dropbox.com/sh/g7uhpgqkdmeh2gz/V33akEcqtm/pfsense%20problem#/

      Any help is appreciated  :)

      • Enrica_CH

        Hello ibanez89

        I have a virtual environment with Proxmox (KVM-based) and pfsense. I have a network with 7 virtual LANs and 2 (virtual) WANs. It works fine without any problem and I can access Proxmox from any VLAN (if the firewall rule lets it pass).

        Your configuration is completely wrong. You can never have a vmbr1 based on iface vmbr1. You need to define in "interfaces" one vmbr0 based on eth0 and provide a static IP address for vmbr0. This is the LAN and address for the Proxmox server. Whenever your client is in this network segment (my technical network is 192.168.70.0/23), Proxmox is reachable.

        Further, for each other network including WAN I have generated a virtual LAN (VLAN) with the entry eth0.xx in the vmbrxx definition (vmbr40 iface eth0.40). I used bond0 instead of eth0. A bond is a link aggregation. I aggregate eth0 and eth1 to bond0. This aggregation is linked to my switches, which let all VLANs pass to the server. Don't provide IP addresses in other networks. This is done by the pfsense DHCP server or statically in pfsense.

        Within pfsense I have assigned each VLAN as a "normal" NIC adapter. Each interface must have an IP address, which is the gateway between networks. The default gateway is the router for WAN (in your case 10.0.0.1).

        It's very important that your switch ports are managed and configured carefully. For example, the port with the WAN connection must let only the WAN VLAN pass (untagged). Ports with clients in vlan2 (in your case 10.0.1.1) must allow vlan2 only (tagged or untagged). The Proxmox server connection is the only port which has all VLANs open (technical LAN untagged, all others tagged).

        Attached you can find my interface definition on the Proxmox server and the pfsense interface assignments.

        ![pfsense assign if.JPG](/public/imported_attachments/1/pfsense assign if.JPG)
        interfaces.txt

        1 Reply Last reply Reply Quote 0
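
The layout described in the reply above (host address only on vmbr0, one bridge per VLAN on eth0.xx with no host address) can be checked mechanically, since a host address on a VLAN bridge makes the hypervisor reachable on that segment without passing through pfsense. The following Python is an added example, not part of either post or of Proxmox or pfsense; the sample config, the address 192.168.70.10, the vmbr50 stanza and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout the reply describes: vmbr0 on eth0 holds the
# host address, VLAN bridges sit on eth0.<id>. The vmbr50 stanza is a made-up
# mistake (host address on a VLAN bridge) so the audit has something to report.
SAMPLE = """\
auto vmbr0
iface vmbr0 inet static
        address 192.168.70.10
        netmask 255.255.254.0
        bridge_ports eth0

auto vmbr40
iface vmbr40 inet manual
        bridge_ports eth0.40
        bridge_stp off
        bridge_fd 0

auto vmbr50
iface vmbr50 inet static
        address 10.0.50.2
        netmask 255.255.255.0
        bridge_ports eth0.50
"""

def parse_bridges(text):
    """Return {name: options} for every iface stanza that declares bridge_ports."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or whole-line comment
        m = re.match(r"\s*iface\s+(\S+)\s+inet6?\s+(\S+)", raw)
        if m:
            cur = stanzas.setdefault(m.group(1), {"method": m.group(2)})
        elif parts[0] in ("auto", "allow-hotplug", "source", "mapping"):
            cur = None  # these keywords end the current iface stanza
        elif cur is not None:
            cur[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return {n: s for n, s in stanzas.items() if "bridge_ports" in s}

def audit(text):
    """Report (bridge, vlan_ids, address) where the host has an IP on a VLAN bridge."""
    findings = []
    for name, s in parse_bridges(text).items():
        vlans = [int(p.rsplit(".", 1)[1]) for p in s["bridge_ports"].split()
                 if re.fullmatch(r"\S+\.\d+", p)]
        if vlans and "address" in s:
            findings.append((name, vlans, s["address"]))
    return findings
```

`audit(SAMPLE)` flags only vmbr50; vmbr0 (untagged eth0, static address) and vmbr40 (tagged port, `inet manual`) match the described layout.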
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.