Netgate Discussion Forum

pfsense vm no traffic on lan for other VMs

Virtualization, 15 Posts, 3 Posters, 1.5k Views

AssadJ:

Hi there, I have implemented a physical pfSense as my home router and firewall; my ISP router is set in modem mode. I have a desktop set up as a Proxmox VE server on my home LAN, and I have set up a pfSense VM to act as firewall and router for my lab environment. If I turn on manual outbound NAT and add a rule to pass traffic on the pfSense VM in Proxmox, the VMs on the LAN of the pfSense VM have an internet connection, as I can browse the internet and do tracert, but when I disable the outbound NAT no network traffic flows and I can no longer browse. Reading online, it is not advised to have a double NAT config.

So my topology is:

ISP modem > physical pfSense FW > Proxmox > pfSense VM > lab VMs

Can someone advise how I can have the network flowing without a double NAT issue? I tried creating rules but none worked.

PS: I am a noob to this.

KOM @AssadJ:

        @assadj Double-NAT is only really a problem if you're trying to forward inbound traffic. It should work just fine out of the box. You should not have to fiddle with outbound NAT rules. Your physical pfSense is the upstream gateway for your virtual one. I have a similar config except with KVM on my desktop instead of proxmox on another box.

AssadJ @KOM:

@kom Oh OK, I thought it may cause problems, as I was having an issue trying to join a VM to the domain but it couldn't locate the DC.

AssadJ @AssadJ:

@KOM Should I use hybrid outbound or just leave it with one manual outbound rule?

viragomann @AssadJ:

@assadj said in pfsense vm no traffic on lan for other VMs:

I thought it may cause problems, as I was having an issue trying to join a VM to the domain but it couldn't locate the DC.

              That's exactly the point.
For a separated home lab, the NAT should be no problem. But if you want your VMs behind the virtualized pfSense to talk with your LAN, you need another setup. In this case you should set up a transit network between your physical and virtualized pfSense, separated from your LAN. This could be a VLAN using the same hardware as your LAN. Then you have to add a static route on the physical pfSense for the network behind the virtual pfSense.

              On the pfSense VM you can deactivate the outbound NAT and add a rule for the lab to the physical instead (hybrid mode).

AssadJ @viragomann:

@viragomann So are you saying I should set up a VLAN on my physical pfSense? The DC is in Proxmox behind the pfSense VM, so the Win 10 VM should be able to see the DC and join it even if outbound NAT is set, no?

viragomann @AssadJ:

@assadj
So the DC and the VM you want to join are both VMs and reside in the same network segment?
I was talking about communication between devices in front of and behind the pfSense VM.
These cannot talk together, because the device in front might not have a route to the network behind the pfSense VM.

                  With a transit network you simply set the routes on the router and the devices have only to use their default route to communicate with the other network and the world.

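The asymmetry viragomann describes (outbound from the lab works on default routes alone, but the reply from a home-LAN device has nowhere to go until the physical pfSense gets a static route for the lab network) can be checked with a small routing-table simulation. This is an added example, not code from the thread or from pfSense; the addresses (home LAN 192.168.1.0/24, transit VLAN 192.168.50.0/30, lab LAN 10.10.0.0/24) and the ISP gateway 203.0.113.1 are constructed assumptions for the transit-network layout recommended above, and the functions `lookup`, `trace`, `lab_to_home`, `home_reply_no_nat` and `home_reply_with_nat` are this example's own names. It also shows why the setup appeared to work with outbound NAT on: the home PC then replies to the pfSense VM's WAN address on the transit, which the physical pfSense has directly connected.

```python
import ipaddress

# Constructed sample addressing for the transit-network layout described in
# the post (an assumption for this example, not values from the thread):
#   home LAN      192.168.1.0/24   physical pfSense LAN address 192.168.1.1
#   transit VLAN  192.168.50.0/30  physical side .1, pfSense VM WAN .2
#   lab LAN       10.10.0.0/24     pfSense VM LAN address 10.10.0.1
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")
TRANSIT = ipaddress.ip_network("192.168.50.0/30")
LAB_LAN = ipaddress.ip_network("10.10.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ISP_GW = "203.0.113.1"      # documentation-range placeholder for the ISP side

HOME_HOST = "192.168.1.20"  # a PC on the home LAN (constructed)
LAB_VM = "10.10.0.10"       # a lab VM behind the pfSense VM (constructed)


def lookup(table, dst):
    """Longest-prefix match. Entries are (network, gateway or None, interface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def build_routers(static_route):
    """Return {interface address: routing table} for both pfSense instances."""
    phys = [
        (DEFAULT, ISP_GW, "wan"),
        (HOME_LAN, None, "lan"),
        (TRANSIT, None, "transit"),
    ]
    if static_route:
        # The route viragomann describes: lab network via the pfSense VM's WAN address
        phys.append((LAB_LAN, "192.168.50.2", "transit"))
    virt = [
        (DEFAULT, "192.168.50.1", "wan"),
        (TRANSIT, None, "wan"),
        (LAB_LAN, None, "lan"),
    ]
    return {
        "192.168.1.1": phys, "192.168.50.1": phys,
        "192.168.50.2": virt, "10.10.0.1": virt,
    }


def trace(dst, first_hop, routers, max_hops=8):
    """Follow next hops router by router.

    Returns (list of router addresses visited, delivered). Delivered is True
    when a router finds dst on a directly connected network, and False when
    the packet is handed to something outside the two routers (the ISP, which
    will not route private addresses back) or when no route matches.
    """
    path, hop = [], first_hop
    for _ in range(max_hops):
        table = routers.get(hop)
        if table is None:
            return path, False
        path.append(hop)
        entry = lookup(table, dst)
        if entry is None:
            return path, False
        _, gw, _ = entry
        if gw is None:
            return path, True
        hop = gw
    return path, False


def lab_to_home(static_route):
    """Lab VM -> home PC: only default routes are needed, so this works either way."""
    return trace(HOME_HOST, "10.10.0.1", build_routers(static_route))


def home_reply_no_nat(static_route):
    """Home PC -> the lab VM's real address: the return path when outbound NAT is off."""
    return trace(LAB_VM, "192.168.1.1", build_routers(static_route))


def home_reply_with_nat(static_route):
    """With outbound NAT on the pfSense VM the home PC replies to the VM's WAN
    address on the transit, which the physical pfSense has directly connected."""
    return trace("192.168.50.2", "192.168.1.1", build_routers(static_route))


if __name__ == "__main__":
    for sr in (False, True):
        print(f"static route on physical pfSense: {sr}")
        print("  lab -> home    :", lab_to_home(sr))
        print("  reply, NAT off :", home_reply_no_nat(sr))
        print("  reply, NAT on  :", home_reply_with_nat(sr))
```

Without the static route, `home_reply_no_nat` ends at the physical pfSense's default route toward the ISP, which is the silent failure the original poster saw once outbound NAT was disabled; with the route it reaches the pfSense VM and is delivered on the lab LAN. Firewall rules on both instances still have to permit the traffic; this simulation only covers routing.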
KOM @AssadJ:

                    @assadj If the dc and win10 vms are on the same network then pfSense is not involved at all. In that Windows domain config, it's usually best to let the dc handle DNS and DHCP. You probably have pfSense set to do that.

As for outbound NAT, hybrid is what I use. However, we don't know what you have done for rules etc., so maybe it's best to restore a default pfSense config and move forward from there, now that you know outbound NAT rules are not your problem.

AssadJ @KOM:

@kom So the VMs and the pfSense VM are set up with a bridge for WAN to my private home network, and a separate LAN which the pfSense VM is managing for the VMs in Proxmox. Yes, I have set DHCP and DNS to be pfSense; should I turn both off on the pfSense VM?

KOM @AssadJ:

@assadj I would. While you can get it working with pfSense handling those, it seems to cause fewer problems if you let Windows do it when in an AD environment.

AssadJ @KOM:

@kom How can I turn off DNS on pfSense? Do I just disable the DNS Resolver? And how can I allow DNS to be provided by the DC? Sorry, just a noob asking loads of questions.

KOM @AssadJ:

                            @assadj You don't need to turn it off, you just need your clients to not use it for DNS. Turn off the pfSense DHCP server, turn on & configure the Windows AD DHCP and DNS.

AssadJ @KOM:

@kom OK, great, thanks.

KOM @AssadJ:

                                @assadj You can tell Windows DNS servers to forward to pfSense so you can still take advantage of packages like pfBlocker.

AssadJ @KOM:

@kom OK, great. Yeah, I've set a DNS forwarder for my Windows DNS server.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.