Proxmox through pfsense



  • Hello everybody,

    I have a big problem setting up a Proxmox server behind pfSense. Everything works quite well, but I can access the host's SSH only from the pfSense console; from other clients I have this problem:

    @client:

    [ibanez89@archnote ~]$ ssh -v root@10.0.2.2
    OpenSSH_6.1p1, OpenSSL 1.0.1e 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Connecting to 10.0.2.2 [10.0.2.2] port 22.
    debug1: Connection established.
    debug1: identity file /home/ibanez89/.ssh/id_rsa type -1
    debug1: identity file /home/ibanez89/.ssh/id_rsa-cert type -1
    debug1: identity file /home/ibanez89/.ssh/id_dsa type -1
    debug1: identity file /home/ibanez89/.ssh/id_dsa-cert type -1
    debug1: identity file /home/ibanez89/.ssh/id_ecdsa type -1
    debug1: identity file /home/ibanez89/.ssh/id_ecdsa-cert type -1

    @serverside:

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Fri Mar 22 12:53:09 2013 from 10.0.2.1
    root@pve:~# netstat -a |grep ssh
    tcp        0      0 *:ssh                   *:*                     LISTEN
    tcp        0     42 10.0.2.2:ssh            192.168.1.100:51653     FIN_WAIT1
    tcp        0      0 10.0.2.2:ssh            10.0.2.1:29506          ESTABLISHED
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
    root@pve:~#

    In this situation I can't access port 8002 from other clients to manage Proxmox from the web GUI, and the problem isn't finished: on the Proxmox host (10.0.2.2) I can ping every client of my network and WAN websites, but I can't download anything... aptitude won't work...

    This is my network infrastructure:

    My server has only one NIC, eth0, and a wlan0 access point; all other interfaces are virtualized.

    
    # network interface settings
    auto wlan0
    iface wlan0 inet manual
    
    auto lo
    iface lo inet loopback
    
    auto eth0
    iface eth0 inet manual
    
    ####################
    #pfsense wan interface#
    ####################
    auto vmbr0
    iface vmbr0 inet manual
            bridge_ports eth0
            bridge_stp off
            bridge_fd 0
    
    ####################
    #hostapd Accesspoint #
    #LAN->pfsense           #
    ####################
    auto vmbr1
    iface vmbr1 inet manual
            bridge_ports wlan0
            bridge_stp off
            bridge_fd 0
    
    #####################
    #VM->pfsense interface#
    #####################
    auto vmbr2
    iface vmbr2 inet manual
            bridge_ports none
            bridge_stp off
            bridge_fd 0
    
    ######################
    #Host->pfsense interface#
    ######################
    auto vmbr3
    iface vmbr3 inet static
            address 10.0.2.2
            netmask 255.255.255.0
            network 10.0.2.0
            broadcast 10.0.2.255
            gateway 10.0.2.1
            bridge_ports none
            bridge_stp off
            bridge_fd 0
    
    

    This is my firewall configuration (sorry for the Dropbox folder):

    https://www.dropbox.com/sh/g7uhpgqkdmeh2gz/V33akEcqtm/pfsense problem#/

    Any help is appreciated  :)



  • Hello ibanez89

    I have a virtual environment with Proxmox (KVM based) and pfSense. I have a network with 7 virtual LANs and 2 (virtual) WANs. It works fine without any problem and I can access Proxmox from any VLAN (if the firewall rules let it pass).

    Your configuration is completely wrong. You can never have a vmbr1 based on iface vmbr1. You need to define in "interfaces" one vmbr0 based on eth0 and provide a static IP address for vmbr0. This is the LAN and address for the Proxmox server. Whenever your client is in this network segment (my technical network is 192.168.70.0/23) Proxmox is reachable.

    Further, I have generated for each other network, including WAN, a virtual LAN (VLAN) with the entry eth0.xx in the vmbrxx definition (vmbr40 iface eth0.40). I used bond0 instead of eth0. A bond is a link aggregation: I aggregate eth0 and eth1 to bond0. This aggregation is linked to my switches, which let all VLANs pass to the server. Don't provide IP addresses in other networks; this is done by the pfSense DHCP server or statically in pfSense.

    Within pfSense I have assigned each VLAN as a "normal" NIC adapter. Each interface must have an IP address, which is the gateway between networks. The default gateway is the router for WAN (in your case 10.0.0.1).

    It's very important that your switch ports are managed and configured carefully. For example, the port with the WAN connection must let only the WAN VLAN pass (untagged). Ports with clients in VLAN 2 (in your case 10.0.1.1) allow VLAN 2 only (tagged or untagged). The Proxmox server connection is the only port which has all VLANs open (technical LAN untagged, all others tagged).

    Attached you can find my interface definition on the Proxmox server and the pfSense interface assignments.

    ![pfsense assign if.JPG](/public/imported_attachments/1/pfsense assign if.JPG)
    interfaces.txt
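    For readers who cannot open the attachment, here is an added /etc/network/interfaces fragment laid out the way the reply describes (one bridge over the physical link carrying the host's only address, separate VLAN-tagged bridges with no host address for pfSense's other networks). It is an illustration written for this thread, not the poster's interfaces.txt; the addresses, the bond and the VLAN IDs 10 and 40 are assumptions.

```conf
# /etc/network/interfaces on the Proxmox host (added illustration, not the
# poster's attachment). Assumed values: management net 192.168.70.0/23,
# gateway 192.168.70.1, VLAN 10 = WAN, VLAN 40 = a client LAN.
auto lo
iface lo inet loopback

# Physical NICs carry no address; they are only bridge/bond members.
auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

# Optional link aggregation, as in the reply: bond0 = eth0 + eth1.
# With a single NIC drop this stanza and use eth0 wherever bond0 appears.
auto bond0
iface bond0 inet manual
        slaves eth0 eth1
        bond_miimon 100
        bond_mode 802.3ad

# Management / technical LAN: the only bridge with a host address.
# Untagged on the switch port facing the server.
auto vmbr0
iface vmbr0 inet static
        address 192.168.70.2
        netmask 255.255.254.0
        gateway 192.168.70.1
        bridge_ports bond0
        bridge_stp off
        bridge_fd 0

# WAN VLAN: passed through to the pfSense VM only, no host address.
auto vmbr10
iface vmbr10 inet manual
        bridge_ports bond0.10
        bridge_stp off
        bridge_fd 0

# Client LAN VLAN 40: addressing is handled by pfSense (DHCP or static).
auto vmbr40
iface vmbr40 inet manual
        bridge_ports bond0.40
        bridge_stp off
        bridge_fd 0
```

    The pfSense VM then gets one virtio NIC per bridge (vmbr10 for WAN, vmbr40 for the client LAN, plus vmbr0 if it should be reachable on the management LAN), and the bond0.xx sub-interfaces require the vlan package on the host.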

