pfSense with WireGuard on Proxmox. Client cannot access Proxmox host
-
Hi,
I was going through various questions, but could not find the case I have.
I'm using a host at Hetzner (I guess this is irrelevant). The host has Proxmox (8.2.7) installed on it, and pfSense installed in a guest VM (pfSense has its own public IP). Proxmox has 2 bridges defined as:

#Physical Interfaces
iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 78.46.AAA.BBB/27
    gateway 78.46.XXX.YYY
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
    up sysctl -p

auto vmbr2
iface vmbr2 inet static
    address 10.0.0.11/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
Both of them are provided to the pfSense VM:
vmbr0 as vtnet0 (WAN) -> public IP is obtained based on MAC address
vmbr2 as vtnet1 (LAN) -> 10.0.0.21/24
Additionally, pfSense has WireGuard installed:
tun_ip: 10.0.251.1/24
client ip: 10.0.251.100/32
Here is what is happening:
pfSense VM can ping the Proxmox host (I guess over vmbr2)
pfSense VM can ping other VMs on the same Proxmox host
Proxmox host can ping all VMs

When I connect my laptop over WireGuard to pfSense:
From my laptop, I can ping the pfSense VM and other VMs on the same Proxmox.
I'm not able to ping Proxmox itself from my laptop.

I guess I have something wrong with routing. For test purposes:
Proxmox firewall is totally disabled
pfSense firewall is set to allow everything on all interfaces
Hetzner firewall is totally disabled.

Can you help me? What am I missing?
Thanks in advance for help
-
@astrolabius
I assume there is a typo in one of the vmbr2 networks. I guess they are the same.

You need to add an outbound NAT rule on the LAN for the destination of the Proxmox IP. Otherwise Proxmox is routing out replies to the WAN.
-
I'm not sure about the typo, so to describe it better, here is the configuration of vmbr2 on the Proxmox side:
auto vmbr2
iface vmbr2 inet static
    address 10.0.0.11/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
The same bridge is being added to the pfSense VM:
cat /etc/pve/nodes/pve1/qemu-server/100.conf | grep vmbr2
net1: virtio=BC:24:11:16:44:4E,bridge=vmbr2
This creates the vtnet1 interface in pfSense, and I've assigned the address 10.0.0.21/24 to it in pfSense. Am I doing something wrong here?
About the outbound rule, I've found something like this working:
auto vmbr2
iface vmbr2 inet static
    address 10.0.0.11/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up ip route add 10.0.251.0/24 via 10.0.0.21
Adding the last line:
post-up ip route add 10.0.251.0/24 via 10.0.0.21
Is there a more canonical way to do it?
Best Regards!
-
@astrolabius
So you have different L2 subnets on a single virtual bridge?
This is generally not recommended.

> Adding the last line:
> post-up ip route add 10.0.251.0/24 via 10.0.0.21

Adding a static route for the source IP to the destination device is also a way to get it to work. However, if you add an additional subnet to pfSense which you want to be able to access Proxmox, you will also need a static route for it.
-
@viragomann
Thanks, I'd like to do it correctly. I'm still not seeing why I have two L2 subnets; perhaps I do not know much about it. And can you also help me create an outbound rule? I had many attempts but no luck so far. The static route worked, however.
-
@astrolabius
I thought I had seen different subnets on the Proxmox LAN bridge and pfSense LAN. But I rechecked, and it seems all right. So I obviously was wrong about that.
-
@viragomann Thanks!
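To tie together viragomann's point that Proxmox routes its replies out to the WAN and the post-up static route shown in the thread, here is an added example (not from the thread or either poster) that walks the host's routing table with a longest-prefix match and reports where the echo reply to the WireGuard client would leave in each case. The route table, the redacted gateway 78.46.XXX.YYY, and modelling the outbound-NAT alternative by feeding 10.0.0.21 as the source address are assumptions built from the addresses on the page.

```python
# Added example: longest-prefix-match walk of the Proxmox host's routing table,
# assumed from the thread's addresses (the WAN gateway keeps the page's redacted form).
import ipaddress

# Host routes as described in the thread: default route out vmbr0, connected LAN on vmbr2.
HOST_ROUTES = [
    ("0.0.0.0/0", "78.46.XXX.YYY", "vmbr0"),   # default via the Hetzner gateway
    ("10.0.0.0/24", None, "vmbr2"),            # connected: host is 10.0.0.11/24 on vmbr2
]
# The route added with `post-up ip route add 10.0.251.0/24 via 10.0.0.21`
WIREGUARD_ROUTE = ("10.0.251.0/24", "10.0.0.21", "vmbr2")

WG_CLIENT = "10.0.251.100"   # laptop's WireGuard tunnel address (from the thread)
PFSENSE_LAN = "10.0.0.21"    # pfSense vtnet1 address on vmbr2 (from the thread)


def lookup(routes, dst):
    """Longest-prefix match, the decision `ip route get <dst>` makes on the host.
    Returns (next_hop, interface); next_hop is None for a directly connected route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return (best[1], best[2]) if best else (None, None)


def reply_path(routes, src_seen_by_host):
    """Where the host sends its echo reply to a ping that arrived on vmbr2.
    'asymmetric' means the reply leaves on a different interface than the request
    came in on: it goes to the WAN gateway and the laptop never sees it."""
    via, dev = lookup(routes, src_seen_by_host)
    return {"via": via, "dev": dev, "asymmetric": dev != "vmbr2"}


def scenarios():
    return {
        # 1. Nothing changed: 10.0.251.100 only matches the default route -> reply leaves via WAN.
        "no_fix": reply_path(HOST_ROUTES, WG_CLIENT),
        # 2. Static route on the host: reply goes back to pfSense (10.0.0.21) on vmbr2.
        "static_route": reply_path(HOST_ROUTES + [WIREGUARD_ROUTE], WG_CLIENT),
        # 3. Outbound NAT on the pfSense LAN: the host sees 10.0.0.21 as the source, so the
        #    connected route matches and no host-side route is needed for any tunnel subnet.
        "outbound_nat": reply_path(HOST_ROUTES, PFSENSE_LAN),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:13s} -> via {r['via']} dev {r['dev']} asymmetric={r['asymmetric']}")
```

Scenario 3 is why the NAT rule scales better than per-subnet static routes: every tunnel network pfSense adds later still reaches the host as 10.0.0.21.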