Netgate Discussion Forum

    Proxmox & Home lan -> PFSense lan

    daffyy

      Hi,
      I have a little or big? problem with home lan and pfsense lan communication.
      For virtual machines I would like to have a different subnet. On various forums everyone recommended pfsense for such solutions when it comes to the network, but I can't get this to work ;/

      I want to achieve something of this (access from 192.168.1.x to 192.168.2.x and reverse)
      [https://imgur.com/a/SfCPM5W]

      but vm #2 can access internet and whole home network but pve host or PC in home lan can't access vm #2.

      PC -> proxmox (works)
      PC -> pfsense (works)
      PC -> vm #2 (didn't work)

      proxmox -> whole home lan (works)
      proxmox -> pfsense (works)
      proxmox -> vm #2 (didn't work)

      pfsense -> whole home lan (works)
      pfsense -> vm #2 (works)

      vm #2 -> whole home lan (works)
      vm #2 -> internet -> (works)
      vm #2 -> pfsense (works)

      My proxmox configuration:
      https://imgur.com/a/ZYcPlRB

      My pfsense configuration:
      https://imgur.com/a/kHlPitl

      I want virtual machines to get ip from dhcp pfsense lan also
      Does anyone know where I made a mistake or what I didn't do?

        Patch

        @daffyy

        • pfsense is a router/firewall. It is best placed at network boundary.
        • If your network boundary physical interface is not Ethernet then you will need a modem (not router or switch) first.

        Doing so will remove double Nat and simplify your network design.

        Note I use a similar setup and have saved an ISP physical router/modem configuration as a fallback should a Proxmox update fail (resulting in the pfsense VM not running).

          daffyy @Patch

          @patch Is there any simpler method for virtual machines to have a different subnet with dhcp and home lan connection behavior?
          For example without pfsense or with change to only bridge mode in pfsense?
          I don't want to use pfsense as my main router / firewall and only "separate" vm's from home network to another while maintaining connection to both

            Patch @daffyy

            @daffyy said in Proxmox & Home lan -> PFSense lan:

            Is there any simpler method

            • Pfsense is a router.
            • The communication problem you are having is pfsense Wan devices accessing pfsense Lan devices, communication normally blocked by default.

            A simpler method is to use a router / firewall / DHCP at your network boundary to control traffic between your LANs / VLANs and assign addresses.

            Your main router or pfsense could be used at the network boundary to provide this function. Having two devices providing the same function adds complexity, so not normally done without a reason.

              bmeeks

              The reason things outside of vm #2 can't reach vm #2 is there is no defined route. In the setup you have, machines on the 192.168.1.x network will not know how to contact the 192.168.2.x network that is behind pfSense. That's because your 192.168.1.x network devices will have 192.168.1.1 as their "default gateway". I assume that device at 192.168.1.1 is a typical wireless home router. In the setup you currently have, any traffic destined for any address outside of 192.168.1.x is going to be sent to 192.168.1.1, and that device is going to say "I don't have a 192.168.2.x network defined, so I'm just going to send this request upstream to my default gateway and let him figure it out". That next default gateway is at your ISP, and it certainly won't know where your 192.168.2.x network resides (and that address space should never appear on the public Internet anyway).

              You will need to create a routing table entry on the 192.168.1.1 device that instructs it to send requests for anything in 192.168.2.x to the pfSense box at 192.168.1.61, because that network lives "behind" the pfSense machine.

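The forwarding decision bmeeks describes, modelled as a longest-prefix-match lookup (an added example, not part of any post in the thread). The /24 masks, the ISP gateway 203.0.113.1 and the vm #2 address 192.168.2.50 are constructed assumptions; 192.168.1.1 and 192.168.1.61 come from the thread.

```python
import ipaddress

ISP_GW = "203.0.113.1"        # constructed upstream gateway (documentation range)
HOME_ROUTER = "192.168.1.1"   # default gateway of the home LAN, per the thread
PFSENSE_WAN = "192.168.1.61"  # pfSense address on the home LAN, per the thread


def table(entries):
    """Build a routing table from (prefix, next_hop) pairs."""
    return [(ipaddress.ip_network(prefix), hop) for prefix, hop in entries]


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


# A PC on the home LAN only knows its own subnet and its default gateway.
PC = table([("192.168.1.0/24", "on-link"), ("0.0.0.0/0", HOME_ROUTER)])

# Home router before and after adding the static route for the pfSense LAN.
ROUTER_BEFORE = table([("192.168.1.0/24", "on-link"), ("0.0.0.0/0", ISP_GW)])
ROUTER_AFTER = ROUTER_BEFORE + table([("192.168.2.0/24", PFSENSE_WAN)])


def trace(host_table, router_table, dst):
    """Next hops chosen by the PC and, if it is consulted, the home router."""
    hops = [next_hop(host_table, dst)]
    if hops[0] == HOME_ROUTER:
        hops.append(next_hop(router_table, dst))
    return hops


def leaks_upstream(router_table, dst):
    """True when a private (RFC 1918) destination is handed to the ISP."""
    return (next_hop(router_table, dst) == ISP_GW
            and ipaddress.ip_address(dst).is_private)


if __name__ == "__main__":
    vm2 = "192.168.2.50"  # constructed address for vm #2
    print("before:", trace(PC, ROUTER_BEFORE, vm2), leaks_upstream(ROUTER_BEFORE, vm2))
    print("after: ", trace(PC, ROUTER_AFTER, vm2), leaks_upstream(ROUTER_AFTER, vm2))
```

A working route only delivers the packet to the pfSense WAN side; as Patch's reply notes, pfSense normally blocks WAN-to-LAN traffic by default, so that traffic must also be permitted there.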
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.