    Best Practice for Connecting Physical Machines to Proxmox LAN Managed by pfSense

      seyed

      Hello,

      I am looking for recommendations on the best way to connect physical machines to a LAN network managed by a pfSense virtual machine running on Proxmox. Below is a summary of the current setup:

      Host: Proxmox 8.2.2 on a server with four physical NICs
      Virtual Machines: pfSense, serving as the firewall and gateway, is running as a VM
      Network Configuration:
          vmbr0 – Proxmox management bridge (Public IP)
          vmbr1 – pfSense WAN interface (Public IP)
          vmbr2 – pfSense LAN interface for internal VMs
      

      Goal:
      I have two physical machines, each with public IP addresses assigned to their primary NICs. I would like to route these machines through pfSense by connecting their secondary NICs to the Proxmox LAN (vmbr2), effectively placing them behind the pfSense firewall.

      Proposed Solution:

      The Proxmox host has two unused NICs.
      I am considering connecting the secondary NICs of the physical machines to the unused NICs on the Proxmox server.
      These unused NICs would be bridged to vmbr2, allowing the physical machines to communicate with pfSense and other internal resources.
      

      Questions:

      Is bridging physical machines to the LAN via unused NICs on the Proxmox host considered a best practice, or is there a more efficient and scalable solution?
      Are there specific Proxmox or pfSense configurations that could simplify or optimize this integration process?
      Would isolating the LAN traffic of the physical machines on a dedicated bridge (separate from vmbr2) improve security or overall network architecture?
      

      I appreciate any insights or alternative approaches that could help streamline this setup.

      Thank you in advance for your time and assistance.

        Gblenn @seyed

        @seyed said in Best Practice for Connecting Physical Machines to Proxmox LAN Managed by pfSense:

        > Network Configuration:
        > vmbr0 – Proxmox management bridge (Public IP)
        > vmbr1 – pfSense WAN interface (Public IP)
        > vmbr2 – pfSense LAN interface for internal VMs
        >
        > Goal:
        > I have two physical machines, each with public IP addresses assigned to their primary NICs. I would like to route these machines through pfSense by connecting their secondary NICs to the Proxmox LAN (vmbr2), effectively placing them behind the pfSense firewall.

        What do you mean by Public IPs, especially wrt vmbr0 and your 2 physical machines? Does your ISP provide multiple IPs, and are these machines not behind some firewall (other than perhaps the built-in one in Proxmox)?

        > Proposed Solution:
        >
        > The Proxmox host has two unused NICs.
        > I am considering connecting the secondary NICs of the physical machines to the unused NICs on the Proxmox server.
        > These unused NICs would be bridged to vmbr2, allowing the physical machines to communicate with pfSense and other internal resources.

        This sounds like you would connect one interface to the internet and the other to your LAN, with only the "machine" in between? Do you trust that solution? What is your intent with pfSense here?
        To connect anything to the LAN side of pfSense, I'd use a physical switch rather than trying to use the switching in Proxmox. It will work but may suffer performance-wise, and it sure makes life more complicated...

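The two bridge layouts raised in this thread, side by side, as an added example that is not part of either post or of any Netgate or Proxmox documentation. The NIC names `enp5s0` and `enp6s0` and the bridge `vmbr3` are assumptions; only `vmbr2` comes from the thread.

```conf
# /etc/network/interfaces on the Proxmox host (fragment, constructed example).
# enp5s0 / enp6s0 stand in for the two unused NICs (assumed names; list the
# real ones with `ip -br link`). vmbr3 is a hypothetical new bridge.
# Use layout A or layout B, not both: each defines vmbr2.

# --- Layout A: the proposal in the first post -------------------------------
# Both spare NICs become ports of vmbr2, the bridge pfSense uses as LAN.
# The bridge forwards frames at layer 2, so the physical machines and the
# internal VMs reach each other directly. pfSense rules apply only to traffic
# that is routed through pfSense, not to traffic between bridge members.
auto vmbr2
iface vmbr2 inet manual
        bridge-ports enp5s0 enp6s0
        bridge-stp off
        bridge-fd 0

# --- Layout B: dedicated bridge (third question in the first post) ----------
# vmbr2 stays VM-only. The spare NICs go to vmbr3, which is added to the
# pfSense VM as an extra virtual NIC and assigned there as its own interface
# with its own subnet and rule set. Traffic between the physical machines and
# the VMs on vmbr2 is then routed, and filtered, by pfSense.
# The two physical machines still share one segment on vmbr3; one bridge per
# NIC would separate them from each other as well.
auto vmbr2
iface vmbr2 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0

auto vmbr3
iface vmbr3 inet manual
        bridge-ports enp5s0 enp6s0
        bridge-stp off
        bridge-fd 0

# In both layouts the bridges are "inet manual" with no address, so the
# Proxmox host itself has no IP on these segments.
# Neither layout changes what the reply points out: the machines' primary
# NICs keep their public IPs outside pfSense.
```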