pfSense VLANs on Proxmox
Proxmox is a server virtualization management platform. In many ways, it is an open-source version of ESXi for VMware. While Proxmox is growing on me, the documentation is a bit on the short side and/or in many cases flat out wrong because it has changed so much. I found this out when trying to virtualize pfSense and I was playing around with VLANs. One source said to do it this way, another said something completely different. The kicker is that it is *really* simple. These steps should work for Proxmox 5.2 and beyond.
3Dec2018 – Originally posted
Click on the primary Proxmox “node” (known as a “host” in VMware-land). Go to the “Network” submenu. As you can see, this particular server had 4 physical interfaces (eno1-4).
In order to create VLANs within a VM, you need to have a Linux bridge. Go to create, Linux Bridge, and at a minimum fill out the name and bridge port as shown below. Note the bridge port corresponds to a physical interface identified above. The name for bridges must follow the format of vmbrX with ‘X’ being a number between 0 and 9999. I chose to have the bridge number the same as the physical interface number to help maintain my sanity. Last but not least, you also need to click ‘VLAN aware’ on the bridge. Though not required, if you need to manage Proxmox via the interface, then enter the necessary IP address information.
This is what my basic network setup looks like. As mentioned previously, the bridges correspond to their physical interfaces. Only vmbr4 uses VLANs so it is the only interface that is VLAN aware.
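The GUI writes these bridge settings to /etc/network/interfaces on the node. A VLAN-aware bridge is the one that hands tagged traffic to the guest, so it is worth confirming that only the intended bridge carries the flag. The script below is an added example, not part of the original post. The sample file contents, the address and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample in the layout of /etc/network/interfaces on a Proxmox node.
# Interface names follow the post; the address is a documentation value.
SAMPLE = """\
iface eno1 inet manual
iface eno4 inet manual

auto vmbr1
iface vmbr1 inet static
    address 192.0.2.10/24
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

auto vmbr4
iface vmbr4 inet manual
    bridge_ports eno4
    bridge_vlan_aware yes
"""

def parse_bridges(text):
    """Return {name: {option: value}} for each iface stanza that lists bridge ports."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) > 1:
            current = stanzas.setdefault(words[1], {})
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None
        elif current is not None:
            # Both bridge_ports and bridge-ports spellings occur; normalise to hyphens.
            current[words[0].replace("_", "-")] = " ".join(words[1:])
    return {n: o for n, o in stanzas.items() if "bridge-ports" in o}

def audit(text, expected_trunks):
    """Flag bad bridge names and VLAN awareness that differs from the intended set."""
    findings = []
    for name, opts in sorted(parse_bridges(text).items()):
        if not re.fullmatch(r"vmbr\d{1,4}", name):
            findings.append(f"{name}: name is not vmbrX with X in 0-9999")
        aware = opts.get("bridge-vlan-aware", "no").lower() in ("yes", "1", "on")
        if aware and name not in expected_trunks:
            findings.append(f"{name}: VLAN aware but not in the expected set")
        elif not aware and name in expected_trunks:
            findings.append(f"{name}: expected VLAN aware, option not set")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, expected_trunks={"vmbr4"}) or "bridges match the intended layout")
```

On a real node, pass the contents of /etc/network/interfaces as `text` and the bridges you intend to trunk as `expected_trunks`.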
Create your pfSense VM as you normally would through the ‘Create VM’ menu. You can only select one interface during the initial wizard setup. Thus, you need to click ‘Add’ to add another network device/interface afterward. Here are the settings I used, but the important ones in relation to this discussion are the two network devices. These devices correspond to the bridges above. Unless you need physical interfaces, you only need two regardless of how many VLANs you are going to configure, i.e. don’t do anything with VLAN assignment on the Proxmox hardware allocation settings.
The pfSense install should be fairly straightforward. When asked after reboot, I tend to answer no about creating VLANs so I can instead do it via the web interface. Initially, you should only have two interfaces — one WAN and one LAN. Next, go to Interfaces -> VLANs and add as many interfaces as you would like. As you add them, make sure you are using the LAN interface and not the WAN interface.
Once done creating VLAN tags, you need to go back to the interface assignments tab to actually create the VLAN interfaces. Here you can add the available network interfaces (ports) as shown below.
When you click ‘Add’ you can rename an interface, assign it an IP address, and make other configuration settings. Don’t forget to change your subnet to something other than /32!
Once you’ve done that for each of the new VLAN interfaces, you can see all of your interfaces on the assignments tab. If you’ve also enabled the interfaces as you created them, they will also show up on the pfSense dashboard interfaces widget.
VLAN creation on Proxmox really is pretty simple and straightforward, but for some reason a lot of documentation has you making other configuration changes that are not necessary. Hopefully I can document some of my other Proxmox adventures as I continue to get more comfortable with it.
Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.
4 thoughts on “pfSense VLANs on Proxmox”
Have you tried this with OVS? There’s no vlan aware option for OVS so I assume you have to edit the conf file manually?
OVS was my next avenue to try if I couldn’t get this to work. 😉 I haven’t tried it with OVS, but OVS sees everything as a trunk port. This how-to on OVS/VLANs seems like it would be a good starting point. Good luck!
– On your screenshot, we see that you are adding a physical interface with the e1000 driver, it’s a mistake, right? You wanted to put virtio instead?
– I read on other tutorials that virtual interfaces should not be added directly to an existing logical interface (LAN here) because this will cause problems with pfSense.
Basically, delete the physical “LAN” interface in your example.
This will inevitably cause access problems to the pfSense interface but it is easily bypassable.
In the pfSense docs (https://docs.netgate.com/pfsense/en/latest/book/vlan/pfsense-vlan-configuration.html#figure-vlans-interface-list), we see that it adds VLANs on the physical interface igb2 which is not used in WAN (igb1) and LAN (igb0).
What do you think of that?
Good question! I found a Reddit post from a while back and it seems to come back to *potential* speed issues more than anything else. In the comments, some say pfSense recommends using virtio. Others say *BSD related OSes should *not* use virtio. Even later, several posters state their issues may have been the result of prior versions (Proxmox or pfSense) and those issues may have been fixed. All I know is that I’m running this config on multiple systems without any issues. I will say that I don’t have a need to test speed so I may “notice” everything discussed. As always, YMMV. Holler back if you see or hear anything definitive and I’ll make the necessary changes. Thanks for the feedback!