vlan Pfsense VLAN setup for Proxmox Container VLAN

[buzzkillb]

Decided to try out Pfsense to compare to the Ubiquiti USG with VLAN's. Pfsense seems a bit easier, but a few more steps to setup. With that in mind I wanted to see how to VLAN a Proxmox Container. I am using a small celeron - 2 Intel NIC mini PC for Pfsense, a Ubiquiti Edgeswitch 24, and for Proxmox - Threadripper 16core on an x399 motherboard with 2 Intel NICS. I think you want 2 NICS for Proxmox, and a managed switch.

First setup the VLAN on Pfsense. I am calling mine DockerProxmox and using vlanid 600.

Go to Interfaces -> VLANs click Add and change to something like below
Parent Interface is your LAN, VLAN tag is 600, Description Docker Proxmox. LAN is important and the rest is up to you.

Go to Interfaces -> Assignments and find the one at the bottom, your new VLAN and click Add. Then Click OPT or whatever the Description is.

Once you click Description change the fields below. Pick an IPv4 address for the new subnet, I chose 192.168.60.1

Go to Services -> DHCP Server and find your new VLAN at the top and click that. We now want an IP range to hand out. I like to choose between 100-200 like below.

Go to Firewall -> Rules. A quick firewall rule to to allow traffic and also block traffic to the rest of the network which will look like this.

Allow All Rule

Block LAN Rule

Then go into your Switch to configure the Tag Port, this is going to vary but here's an example on my Port 20.

So you already have Proxmox setup with a static IP on one of the NICS. Now lets use the 2nd NIC to bring the VLANs through. The above shows I have my management Proxmox port on 19, and the 2nd VM NIC will be in Port 20.

This is the goal of what we are about to change.

enp4s0 is plugged into port 19 like normal and was setup through Proxmox as vmbr0 when I setup the server. So then I would click create Linux Bridge and make a vmbr1 with VLAN aware and bridge port of the other NIC, enp6s0 like this.

Now create a container using vmbr1 and use VLAN ID of 600 or whatever number you used and the container will get the new IP range from DHCP and can't ping any other IP's outside of the range.

On the Container creation, it would look like this for Network tab.

For DNS tab, I am using my pihole IP address which I made 2 separate rules for, otherwise I could not get out to the internet because of the above rules and basically blocking my pfsense IP. Looks like this below. Eventually would tune everything down to correct ports only, so I am not passing everything to the pihole. Or just use 8.8.8.8 or whatever you use in the DNS tab.

And a successful ping to google.com so big brother knows we are here, but can't ping internal network. Good enough for a somewhat quick Pfsense VLAN into a Proxmox Container to start locking things down.

 

 

 

 

 

[Ghost]

Epic guide bro this will come in handy at some point for myself