pfSense VLANs on Proxmox

pfSense VLANs on Proxmox

Proxmox is a server virtualization management platform. In many ways, it is an open-source version of ESXi for VMware. While Proxmox is growing on me, the documentation is a bit on the short side and/or in many cases flat out wrong because it has changed so much. I found this out when trying to virtualize pfSense and I was playing around with VLANs. One source said to do it this way, another said something completely different. The kicker is that it is *really* simple. These steps should work for Proxmox 5.2 and beyond.

Changelog
3Dec2018 – Originally posted

Click on the primary Proxmox “node” (known as a “host” in VMware-land). Go to the “Network” submenu. As you can see, this particular server had 4 physical interfaces (eno1-4).

proxmox network interfaces

In order to create VLANs within a VM, you need to have a Linux bridge. Go to create, Linux Bridge, and at a minimum fill out the name and bridge port as shown below. Note the bridge port corresponds to a physical interface identified above. The name for bridges must follow the format of vmbrX with ‘X’ being a number between 0 and 9999. I chose to have the bridge number the same as the physical interface number to help maintain my sanity. Last but not least, you also need to click ‘VLAN aware’ on the bridge. Though not required, if you need to manage Proxmox via the interface, then enter the necessary IP address information. 

proxmox linux bridge auto start

This is what my basic network setup looks like. As mentioned previously, the bridges correspond to their physical interfaces. Only vmbr4 uses VLANs so it is the only interface that is VLAN aware.

proxmox pve networking

Create your pfSense VM as you normally would through the ‘Create VM’ menu. You can only select one interface during the initial wizard setup. Thus, you need to click ‘Add’ to add another network device/interface afterward. Here are the settings I used, but the important ones in relation to this discussion are the two network devices. These devices correspond to the bridges above. Unless you need physical interfaces, you only need two regardless of how many VLANs you are going to configure, i.e. don’t do anything with VLAN assignment on the Proxmox hardware allocation settings. 

proxmox pfsense network configuration

The pfSense install should be fairly straightforward. When asked after reboot, I tend to answer no about creating VLANs so I can instead do it via the web interface. Initially, you should only have two interfaces — one WAN and one LAN. Next, go to Interfaces -> VLANs and add as many interfaces as you would like. As you add them, make sure you are using the LAN interface and not the WAN interface.

creating vlans on pfsense

Once done creating VLAN tags, go need to go back to the interface assignments tab to actually create the VLAN interfaces. Here you can add the available network interfaces (ports) as shown below.

pfsense available network ports

When you click ‘Add’ you can rename an interface, assign it an IP address, and make other configuration setttings. Don’t forget to change your subnet to something other than /32!

creating vlan interfaces on pfsense

Once you’ve done that for each of the new VLAN interfaces, you can see all of your interfaces on the assignments tab. If you’ve also enabled the interfaces as you created them, they will also show up on the pfSense dashboard interfaces widget.

vlan interfaces on pfsense

VLAN creation on Proxmox really is pretty simple and straightforward, but for some reason a lot of documentation has you making other configuration changes that are not necessary. Hopefully I can document some of my other Proxmox adventures as I continue to get more comfortable with it.

Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.

Leave a Reply

Your email address will not be published.