pfSense VM no traffic on LAN for other VMs
-
Hi there, I have implemented a physical pfSense as my home router and firewall; my ISP router is set in modem mode. I have a desktop set up as a Proxmox VE server on my home LAN, and I have set up a pfSense VM to act as firewall and router for my lab environment. If I turn on manual outbound NAT and add a rule to pass traffic on the pfSense VM in Proxmox, the VMs on the LAN of the pfSense VM have an internet connection, as I can browse the internet and do tracert, but when I disable the outbound NAT no network traffic flows and I can no longer browse. Reading online, it is not advised to have a double NAT config,
so my topology is:
ISP modem > physical pfSense FW > Proxmox > pfSense VM > lab VMs
Can someone advise how I can have the network flowing without a double NAT issue? I tried creating rules but none worked.
PS: I am a noob to this.
-
@assadj Double-NAT is only really a problem if you're trying to forward inbound traffic. It should work just fine out of the box. You should not have to fiddle with outbound NAT rules. Your physical pfSense is the upstream gateway for your virtual one. I have a similar config, except with KVM on my desktop instead of Proxmox on another box.
-
@kom Oh OK, I thought it may cause problems as I was having an issue trying to join a VM to the domain but it couldn't locate the DC.
-
@KOM Should I use hybrid outbound or just leave it with one manual outbound rule?
-
@assadj said in pfSense VM no traffic on LAN for other VMs:
I thought it may cause problems as I was having an issue trying to join a VM to the domain but it couldn't locate the DC.
That's exactly the point.
For a separate home lab, the NAT should be no problem. But if you want your VMs behind the virtualized pfSense to talk with your LAN, you need another setup. In this case you should set up a transit network between your physical and virtualized pfSense, separated from your LAN. This could be a VLAN using the same hardware as your LAN. Then you have to add a static route on the physical pfSense for the network behind the virtual pfSense. On the pfSense VM you can deactivate the outbound NAT and add a rule for the lab on the physical one instead (hybrid mode).
-
@viragomann So are you saying I should set up a VLAN on my physical pfSense? The DC is in Proxmox behind the pfSense VM, so the Win 10 VM should be able to see the DC and join it even if outbound NAT is set, no?
-
@assadj
So the DC and the VM you want to join are both VMs and reside in the same network segment?
I was talking about communication between devices in front of and behind the pfSense VM.
These cannot talk together, because the device in front might not have a route to the network behind the pfSense VM. With a transit network you simply set the routes on the router, and the devices only have to use their default route to communicate with the other network and the world.
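As an added illustration of the routing point made in the two posts above (this is not the poster's own material, and every address in it is made up for the example): a small longest-prefix-match model of the three situations discussed, outbound NAT on the pfSense VM, NAT off with no route on the physical pfSense, and NAT off with a static route for the lab network added on the physical pfSense.

```python
import ipaddress

# All addresses below are constructed for illustration, not taken from the thread.
HOME_LAN = "192.168.1.0/24"   # physical pfSense LAN; Proxmox bridges the pfSense VM WAN here
LAB      = "10.10.0.0/24"     # lab network behind the pfSense VM
VM_WAN   = "192.168.1.2"      # pfSense VM WAN address; outbound NAT rewrites lab sources to it

# Forwarding tables as (prefix, next hop): "local" = directly connected, "isp" = default
# route toward the modem, any other string = the router it is handed to. A transit VLAN
# would only change which interface/address the static route points at, not the logic.
HOME_HOST     = [(HOME_LAN, "local"), ("0.0.0.0/0", "phys-pfsense")]
PHYS_NO_ROUTE = [(HOME_LAN, "local"), ("0.0.0.0/0", "isp")]
PHYS_STATIC   = [(LAB, "vm-pfsense")] + PHYS_NO_ROUTE       # static route for the lab net
VM_TABLE      = [(LAB, "local"), (HOME_LAN, "local"), ("0.0.0.0/0", "phys-pfsense")]

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or 'no-route' if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else "no-route"

def forward(tables, start, dst, max_hops=8):
    """Hand a packet from node to node; the last element says where it ended up."""
    path, cur = [], start
    for _ in range(max_hops):
        path.append(cur)
        nh = lookup(tables[cur], dst)
        if nh == "local":
            return path + ["delivered"]
        if nh in ("isp", "no-route"):
            return path + [nh]          # left the home network or was dropped
        cur = nh
    return path + ["loop"]

def reply_path(phys_table, outbound_nat):
    """A lab VM (10.10.0.20) contacts a home-LAN host; trace where the host's reply goes."""
    tables = {"home-host": HOME_HOST, "phys-pfsense": phys_table, "vm-pfsense": VM_TABLE}
    seen_src = VM_WAN if outbound_nat else "10.10.0.20"   # NAT hides the lab address
    return forward(tables, "home-host", seen_src)

if __name__ == "__main__":
    print("NAT on,  no static route:", reply_path(PHYS_NO_ROUTE, True))
    print("NAT off, no static route:", reply_path(PHYS_NO_ROUTE, False))
    print("NAT off, static route:   ", reply_path(PHYS_STATIC, False))
```

With NAT on, the reply lands on the VM's WAN address and works without any route; with NAT off, the reply only reaches the lab once the physical pfSense knows the lab prefix, which is exactly what the static route over a transit network provides.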
-
@assadj If the DC and Win10 VMs are on the same network then pfSense is not involved at all. In that Windows domain config, it's usually best to let the DC handle DNS and DHCP. You probably have pfSense set to do that.
As for outbound NAT, hybrid is what I use. However, we don't know what you have done for rules etc., so maybe it's best to restore a default pfSense config and move forward from there, now that you know outbound NAT rules are not your problem.
-
@kom So the VMs and the pfSense VM are set up with a bridge for WAN to my private home network and a separate LAN which the pfSense VM is managing for the VMs in Proxmox. Yes, I have set DHCP and DNS to be pfSense. Should I turn both off on the pfSense VM?
-
@assadj I would. While you can get it working with pfSense handling those, it seems to cause fewer problems if you let Windows do it when in an AD environment.
-
@kom How can I turn off DNS on pfSense? Do I just disable the DNS Resolver? And how can I allow DNS to be provided by the DC? Sorry, just a noob asking loads of questions.
-
@assadj You don't need to turn it off, you just need your clients to not use it for DNS. Turn off the pfSense DHCP server, then turn on and configure the Windows AD DHCP and DNS.
-
@kom OK, great, thanks.
-
@assadj You can tell Windows DNS servers to forward to pfSense so you can still take advantage of packages like pfBlocker.
-
@kom OK great, yeah, I've set a DNS forwarder on my Windows DNS server.