Proxmox = pfsense + NethServer

Hi,

Maybe someone will tell me.
I want to have pfsense and NethServer based on Proxmox.
How to set it?
How to set up network cards? (I have two physical enp1s0f0 and enp1s0f1)
I would like it to work like this:
Wlan -> pfsense -> NethServer -> Lan
Can you do it?

Thank you and best regards,

Sure, it’s possible (though I prefer to keep my router as a separate device). But this seems like a question better posed to the Proxmox forums, not here.

I do not have such a possibility :slight_smile:
Probably you are right :slight_smile:
I just always find helpful people here.
Thanks,

Hi,

What can pfSense do that the NethServer gateway cannot?

I ask this because putting pfSense and NethServer on Proxmox means three systems on one piece of hardware… Perhaps installing NethServer only can simplify a lot!
One system on one piece of hardware: less work, fewer security holes, fewer updates, less maintenance…
More efficiency, more tranquility, simpler.

1 Like

Proxmox supports Open vSwitch. This makes your network options inside Proxmox a lot more flexible.
https://pve.proxmox.com/wiki/Open_vSwitch
If you have a managed switch, you can isolate the external (pfSense) interface from the rest of your network and make it the first line of defense for your internal network.

I have pfSense running as a VM in plain KVM on an Ubuntu server. There I have eth0 dedicated (VT-d) to the external interface of pfSense. With Open vSwitch you can mimic this on Proxmox.

More info on OpenVSwitch: https://www.openvswitch.org/

An extra device for the firewall would be more secure…

If you must use a virtual firewall, you just need two NICs (red and green)

This should do the trick: install Proxmox, create a 2nd bridge (vmbr1) and use it as the red interface in pfSense.

Configure all VMs to use the green (vmbr0) IP of pfSense as the gateway address, also Proxmox. You don't need to give vmbr1 (red) an IP under Proxmox.

Configure pfSense to use the IP address of the edge router as gateway. By the way, there are OPNsense and IPFire as alternatives to pfSense…
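
An added example, not part of the original post: the two-bridge layout described above written as a Proxmox `/etc/network/interfaces` file, with a small Python check that the host holds no IP on the red bridge and that the two bridges do not share a NIC. The NIC-to-bridge mapping (enp1s0f0 on vmbr0, enp1s0f1 on vmbr1), the 192.168.100.0/24 green subnet, the pfSense green address 192.168.100.1 and the function names are assumptions.

```python
# Constructed /etc/network/interfaces for the two-bridge layout above.
# Assumed: enp1s0f0 -> vmbr0 (green), enp1s0f1 -> vmbr1 (red),
# green subnet 192.168.100.0/24, pfSense green IP 192.168.100.1.
SAMPLE = """\
auto lo
iface lo inet loopback

iface enp1s0f0 inet manual
iface enp1s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.100.2/24
    gateway 192.168.100.1
    bridge-ports enp1s0f0

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp1s0f1
"""

def parse_ifaces(text):
    """Map each iface name to its method and options."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) >= 4:
            cur = ifaces.setdefault(words[1], {"method": words[3]})
        elif words[0] in ("auto", "source", "mapping") or words[0].startswith("allow-"):
            cur = None
        elif cur is not None:
            cur[words[0]] = " ".join(words[1:])
    return ifaces

def audit(text, red="vmbr1", green="vmbr0"):
    """Return findings that would expose the Proxmox host on the red side."""
    ifs, out = parse_ifaces(text), []
    r, g = ifs.get(red, {}), ifs.get(green, {})
    ports = lambda i: set(i.get("bridge-ports", "").split()) - {"none"}
    if r.get("method") != "manual" or "address" in r:
        out.append(f"{red}: host must not hold an IP on the red bridge")
    if "address" not in g or "gateway" not in g:
        out.append(f"{green}: host needs an address and the pfSense green IP as gateway")
    if ports(r) & ports(g):
        out.append("red and green bridges share a physical port")
    return out

if __name__ == "__main__":
    print(audit(SAMPLE) or "ok")
```

With this layout the Proxmox web interface is reachable only from the green side, and traffic arriving on enp1s0f1 reaches nothing but the pfSense red interface.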

Thank you. Does not this solution make NethServer in the style of FreeNAS, NAS4Free, Open Media Vault? :wink:


Hope this helps :wink:
eth0 and eth1 are physical, eth2 is virtual.

2 Likes

I know it is an old subject, but since nobody gave a real answer and I did this setup (locally, remotely and in the cloud), I decided to try one.

It is possible to do it with one card; in the Proxmox community you have plenty of guides.
Personally I see 2 possibilities.

Scenario 1

Harder, but more of a real “professional” setup

  1. The most common is you pass the control of your NIC to your firewall (Red Interface of Nethserver or pfSense) which will become your WAN, your public interface. You could even PCI-Passthrough this physical interface but this is another level.
  2. Then on Proxmox you create a new virtual interface not attached to any physical interface, which becomes your Green interface for Nethserver or pfSense.
  3. Reboot Proxmox, then install your firewall (Nethserver or pfSense).

Hints:

  • You have a better chance with Nethserver since the WebUI is accessible via the RED Interface.
  • Usually I spin a Live-CD which is connected to the Green network so I could configure pfSense (in my case OPNsense). Also I usually PCI-Passthrough a video card to this machine.
  • Configure an IP available on the Green Network for your Proxmox.

Scenario 2

Easier, but it is more security through obscurity

  1. In Proxmox create two virtual interfaces attached to the same physical network, with vmbr0 = RED, vmbr1 = GREEN, so you only define an IP on the GREEN interface to reach your Proxmox, then reboot.
  2. Install your firewall (Nethserver or pfSense) with 2 virtual NIC one for RED and one for GREEN

Hints:

  • vmbr0 or RED should have an IP in the same subnet of your router/modem, for a little bit more security you could force this subnet to only have 2 IP with a /30 mask.
  • vmbr1 or GREEN should be in a new subnet such as 192.168.100.0/24
1 Like