
I have a computer running Proxmox, and it has a single NIC that is directly connected to the internet and has a single public IP. Then, I have different VMs (KVM) running, and one of them is pfSense.

What I want to do is to have the host (Proxmox) and pfSense in the DMZ zone, while the rest of the VMs would be inside an internal LAN where all the traffic has to pass through pfSense. However, I am not able to make it work.

What I have done is set up a bridge br0 (containing the public address, gateway...) connected to eth0 (iface eth0 inet manual). This works from the host, which has full connectivity, but not from pfSense or any other VM.

The main problem here is that I am not sure what IP I should use in pfSense, since the public IP is already defined on the bridge. Setting up the same IP in pfSense will not work (seems logical). How should I proceed?

user125498

1 Answer


You will need to

  1. create a virtual adapter (i.e., tap0) that belongs to the bridge and give it an IP (say 192.168.1.1),
  2. then connect all the VMs to that bridge and have them use 192.168.1.1 as their gateway, and
  3. set up the Proxmox host to do NAT by enabling IP forwarding:
    1. add net.ipv4.ip_forward=1 to /etc/sysctl.conf
    2. run sysctl -p
    3. add the NAT rule with iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The Proxmox docs cover this pretty well (and in more detail).

Andrew Schulman
  • Thanks for the response. I know the process to set up NAT, and that has been covered. The virtual adapter part, however, is new. If I understood it correctly, `br0` contains the public IP defined in the host, and then a virtual adapter `tap0` (with IP 192.168.1.1) would belong to this bridge. VMs would then use the bridge and set the `tap0` IP as gateway, right? The provided link does not offer information about this virtual adapter setup; could you provide an example? Googling "Proxmox virtual network adapter" didn't yield anything useful. Is it defined as a standard interface? – user125498 Mar 26 '15 at 07:38
  • Ah, okay, I see the confusion. The public IP doesn't need to be on a bridge for your case, but the virtual one does. A bridge works by letting a bunch of different VMs share the same physical NIC (it's a bit more complicated than that, but for our purposes that works). So if your VMs were also going to use public IPs, they would need to attach to a bridge with the public IP. However, since you want NAT for the VMs, you would create a bridge with a virtual adapter, since you can't NAT some devices on a bridge through another device on the same bridge. (continued) – Charles Tassell Mar 26 '15 at 19:11
  • The VMs would attach to that bridge and then get NATed out of eth0. The "auto vmbr0" block that is in the Masquerading (NAT) section of that link I sent above is actually what you want to add to /etc/network/interfaces. Leave the eth0 stuff in that file alone, then attach your VMs to the vmbr0 device and give them IPs in the 10.10.10.2-254 range with a gateway of 10.10.10.1. Note that after you edit /etc/network/interfaces you have to run the command "ifup vmbr0" as root to start the new virtual adapter. Sorry I can't format this a bit better, but the comment editor here is rather limited. – Charles Tassell Mar 26 '15 at 19:16
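A concrete version of the three steps in the answer and the vmbr0 stanza mentioned in the comments, written as an added example rather than code from the answer or from the Proxmox docs. It assumes the thread's names (eth0 as the public NIC, vmbr0 as the internal bridge with no physical port, 10.10.10.0/24 with gateway 10.10.10.1) and, going one step beyond the answer's bare MASQUERADE rule, restricts NAT and forwarding to that subnet so that ip_forward=1 does not turn the host into a relay for anything else that reaches it:

```shell
#!/bin/sh
# Added example; names below are assumptions taken from the thread, not a
# published Proxmox configuration.
LAN_BR="${LAN_BR:-vmbr0}"          # internal bridge, bridge_ports none
LAN_NET="${LAN_NET:-10.10.10.0/24}" # VM subnet; netmask below matches /24
LAN_GW="${LAN_GW:-10.10.10.1}"     # address the VMs use as their gateway
WAN_IF="${WAN_IF:-eth0}"           # public NIC that stays as it is

# Set DRY_RUN=1 to print the commands instead of running them (root needed otherwise).
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# The /etc/network/interfaces stanza the comments refer to: a bridge with no
# physical uplink, reachable only by VMs attached to it. Forwarding and the NAT
# rule are tied to the bridge's lifecycle, and the rule matches only the VM subnet.
interfaces_stanza() {
  cat <<EOF
auto $LAN_BR
iface $LAN_BR inet static
    address $LAN_GW
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Same NAT applied by hand, plus a FORWARD policy: only the VM subnet may leave
# through the public NIC, and only reply traffic is forwarded back in.
apply_forward_policy() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -i "$LAN_BR" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_BR" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
```

Run `interfaces_stanza >> /etc/network/interfaces` followed by `ifup vmbr0` as root, or `DRY_RUN=1 apply_forward_policy` to review the rules before applying them.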