Proxmox PfSense Router On A Stick Guide
Hey everyone, welcome back to the blog! Today, we're diving deep into a setup that many of you have been asking about: how to set up a pfSense router using the 'router on a stick' method within Proxmox. If you're looking to virtualize your network firewall and routing, and want to do it efficiently, this guide is for you, guys. We'll break down this potentially complex topic into easy-to-digest steps, making sure you understand every bit of it. Getting your pfSense virtual machine humming in Proxmox, especially with this specific networking configuration, can seem like a beast, but trust me, with a little patience and this walkthrough, you'll have it up and running in no time. We'll cover everything from the initial Proxmox setup to the final pfSense configuration, ensuring you get the most out of your virtualized network. So, grab your favorite beverage, and let's get this network party started!
Understanding the 'Router on a Stick' Concept
Alright, so what exactly is this 'router on a stick' thing, and why would you even want to do it in Proxmox? In the physical world, 'router on a stick' is a network configuration where a single physical network interface on a router is used to handle traffic for multiple VLANs. This is achieved by trunking all the VLANs over a single Ethernet cable (the 'stick') to a managed switch. The router then uses sub-interfaces, one for each VLAN, to route traffic between them. Now, when we bring this concept into Proxmox, we're essentially doing the same thing, but in a virtual environment. Instead of a physical router and a physical switch, we have a virtual pfSense router and virtual network infrastructure within Proxmox. The 'stick' in our case is a virtual network link, often a single virtual NIC (vNIC) attached to a Proxmox bridge, that carries all the VLAN traffic. This is super efficient because you don't need multiple physical NICs dedicated solely to your pfSense VM. It simplifies hardware requirements and makes managing your virtual network cleaner. Plus, for home labs or small businesses, it's a cost-effective way to achieve robust network segmentation and routing. We're talking about creating a virtual firewall that can handle multiple subnets and firewall rules, all from a single virtual machine, and using a clever networking trick to make it all happen with minimal virtual hardware. This setup is particularly useful if you're running multiple VLANs for different purposes – maybe one for IoT devices, another for your work-from-home setup, and a third for guests. Each VLAN can be treated as a separate network, and pfSense will be the gateway for all of them. So, in essence, 'router on a stick' in Proxmox means using a single virtual network interface on your pfSense VM to manage routing and firewalling for multiple virtual VLANs, all thanks to the magic of Proxmox's networking and pfSense's VLAN capabilities. 
It's a powerful technique for network virtualization, enabling advanced features without overcomplicating your virtual hardware setup. We'll explore how Proxmox bridges and VLAN tagging work together to make this a reality, so stick around!
Pre-Requisites and Initial Proxmox Setup
Before we jump into setting up pfSense on Proxmox with the 'router on a stick' method, there are a few things you need to have squared away, guys. First off, you'll need a Proxmox Virtual Environment (PVE) installation up and running. This could be on a single server or a cluster, but for this guide, a single node is perfectly fine. Make sure it's updated to the latest stable version. Secondly, you need the pfSense Community Edition (CE) ISO image. You can download this directly from the official Netgate website. Make sure you grab the correct architecture, usually amd64. Now, let's talk about Proxmox networking. This is crucial for the 'router on a stick' setup. You'll need at least one physical network interface on your Proxmox server that will act as your uplink to your physical network. We're going to create a Linux Bridge in Proxmox that this physical interface will be attached to. Let's call this bridge vmbr0 for simplicity, and assume your primary physical NIC is eth0. So, vmbr0 will have eth0 as its interface. This vmbr0 will be the gateway for your internal networks and will also carry the VLAN traffic. You might want to assign an IP address to vmbr0 for management purposes, but importantly, this IP should be on the network that your physical switch is connected to and configured to route traffic. Think of vmbr0 as the central hub connecting your virtual machines to the physical world. The key here is that vmbr0 will not have VLANs directly assigned to it at the Proxmox level initially. Instead, we'll create VLAN-aware Linux bridges or configure the pfSense VM's NIC to handle VLAN tagging. We'll get into the specifics of creating these virtual interfaces shortly, but the foundation is a stable Proxmox install and a properly configured network bridge (vmbr0) that your physical NIC (eth0) is attached to. This bridge will essentially be the 'uplink' for all your virtual network traffic, including the trunked VLANs that pfSense will manage. 
If you're unsure about Proxmox networking basics, I highly recommend checking out the Proxmox documentation first. Getting this network bridge right is paramount for the 'router on a stick' to function correctly. So, ensure your physical NIC is recognized by Proxmox, create vmbr0 and attach your physical NIC to it, and you should be good to go. Don't forget to test your connectivity to ensure vmbr0 is indeed connected to your physical network. This initial setup is the bedrock upon which our virtualized pfSense router will stand.
Creating the pfSense Virtual Machine in Proxmox
Now that our Proxmox environment is prepped, it's time to create the virtual machine that will host our pfSense router, guys. This is where we lay the groundwork for our 'router on a stick' setup. First, log in to your Proxmox web interface and navigate to Create VM. Give your VM a memorable name, like pfSense-Router. For the Operating System, select 'Use CD/DVD disc image file (iso)' and choose the pfSense ISO you downloaded earlier. Set the Guest OS Type to 'Other' and the Version to '2.7' or the latest stable version available. For the System settings, we'll stick with the defaults for now, but ensure you have UEFI enabled if you plan to use it (though BIOS is also fine). The Hard Disk size can be relatively small; 32GB is usually more than enough for pfSense, as it doesn't store much data. Use the default bus type, VirtIO, for better performance. For the CPU, allocate at least 1 vCPU, but 2 is recommended for better performance, especially if you plan to run packages or handle significant traffic. For Memory, 2GB is a good starting point, but 4GB is even better if your server has the resources. Again, use VirtIO ballooning if available. Now, for the Network configuration, this is where things get interesting for our 'router on a stick' approach. We'll initially add one virtual network interface (vNIC) to the pfSense VM. This vNIC will be connected to our main Proxmox bridge, vmbr0. We'll set the Model to VirtIO (paravirtualized) for optimal performance. Crucially, we will not be configuring any VLANs on this vNIC at the Proxmox level just yet. This single vNIC will act as the initial point of connection for pfSense to our network. During the pfSense installation, we'll identify this NIC as the one that will eventually carry all our VLAN traffic. We'll add a second vNIC later, which might be used for a dedicated management interface or WAN if you decide to deviate from the pure 'router on a stick' for WAN. 
However, for the core 'router on a stick' functionality where WAN and LAN are managed via VLANs, one vNIC is sufficient for the initial setup. After configuring these settings, review the summary and click Finish. Proxmox will create the VM. Once created, do not start the VM yet. We still need to make a small but important adjustment to the VM's network configuration in Proxmox before booting it up for the first time. This adjustment ensures Proxmox understands how to handle VLAN tags for this specific VM's interface, which is key to our 'router on a stick' strategy. So, hang tight, and we'll cover that critical step next!
Configuring Proxmox Network for VLANs
Alright, guys, this is a super critical step for making our 'router on a stick' setup work. We need to tell Proxmox how to handle VLAN tags for the network interface we just assigned to our pfSense VM. Remember that single vNIC we attached to vmbr0? We need to make it VLAN-aware. There are a couple of ways to achieve this in Proxmox, and the most common and arguably the cleanest for 'router on a stick' is by creating VLAN-aware Linux bridges or by directly assigning VLAN tags to the VM's interface. Let's focus on the VLAN-aware bridge method first, as it's generally preferred for clarity and scalability.
In your Proxmox web UI, go to Datacenter -> Your Node -> System -> Network. Here, you'll see your existing network configuration, including vmbr0. We need to create new bridges, one for each VLAN you intend to manage through pfSense. For instance, if you plan to have a LAN VLAN (say, VLAN 10) and a guest VLAN (say, VLAN 20), you'll create two new bridges: vmbr10 and vmbr20. When creating these new bridges, do not assign an IP address to them. Crucially, make sure the 'VLAN aware' checkbox is ticked. This is the magic ingredient. Also, you don't need to add any physical interfaces or existing bridges to these new VLAN bridges. They are purely virtual constructs meant to handle tagged traffic.
Now, for the pfSense VM's network interface, we'll modify its connection. Go back to your pfSense VM settings (Datacenter -> Your VM -> Network). You'll see the vNIC we added, connected to vmbr0. We need to change this. Instead of connecting it to vmbr0, we'll now select the VLAN ID field and enter 1 (or 0, depending on Proxmox version/preference for untagged management traffic). This tells Proxmox that this interface will handle tagged traffic. We then associate this vNIC with vmbr0. Essentially, vmbr0 acts as the trunk, and the pfSense VM's NIC, when configured with a VLAN ID, will process tagged traffic arriving on vmbr0.
The alternative method is to directly tag the VLAN on the VM's NIC itself within the VM settings, without creating separate VLAN bridges. You'd select the vNIC, click 'Edit', and then in the 'VLAN Tag' field, you'd enter the VLAN ID (e.g., '10' for your LAN). This is simpler if you only have one or two VLANs. However, creating VLAN-aware bridges (vmbr10, vmbr20, etc.) offers better organization, especially as your network grows. For the 'router on a stick' scenario where pfSense handles multiple VLANs, we want pfSense itself to do the VLAN tagging and untagging. So, the approach is often to have the pfSense VM's primary NIC connected to vmbr0 and then configure VLANs within pfSense. Proxmox's role is to pass the tagged traffic from vmbr0 to the pfSense VM. You might need to configure your physical switch to send tagged traffic for all relevant VLANs to the port connected to your Proxmox server's eth0. Yes, this is a bit nuanced, but the goal is to allow vmbr0 to pass tagged frames, and pfSense will sort them out. So, double-check that 'VLAN aware' is ticked for vmbr0 if you're not creating separate VLAN bridges, or ensure your dedicated VLAN bridges are set up correctly. This configuration primes Proxmox to pass tagged traffic transparently.
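As an added example (not part of the original guide and not Proxmox's own tooling), this Python audit reads a host's bridge stanza and each guest's netN line and reports which vNICs sit on the trunk without a VLAN tag, since those guests can see every VLAN the bridge carries. The guest names, MAC addresses and IP addresses are constructed sample data; `trunks=` is a Proxmox NIC option that limits a vNIC to listed VLAN IDs and is not used in the guide itself.

```python
import re

# Constructed sample of /etc/network/interfaces; addresses are placeholders.
INTERFACES = """\
iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.0.2.10/24
    gateway 192.0.2.1
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
"""

# Constructed netN lines in the style of /etc/pve/qemu-server/<vmid>.conf.
GUESTS = {
    "pfSense-Router": "net0: virtio=BC:24:11:00:00:01,bridge=vmbr0",
    "lan-test-vm": "net0: virtio=BC:24:11:00:00:02,bridge=vmbr0,tag=10",
    "guest-wifi-vm": "net0: virtio=BC:24:11:00:00:03,bridge=vmbr0",
}


def vlan_aware_bridges(text):
    """Names of bridges whose stanza contains 'bridge-vlan-aware yes'."""
    aware, current = set(), None
    for line in text.splitlines():
        stanza = re.match(r"iface\s+(\S+)", line)
        if stanza:
            current = stanza.group(1)
        elif current and re.match(r"\s+bridge-vlan-aware\s+yes\b", line):
            aware.add(current)
    return aware


def classify(net_line, aware):
    """Return (kind, vlans) describing what VLAN traffic this vNIC can see."""
    fields = net_line.split(":", 1)[1].strip().split(",")
    opts = dict(f.split("=", 1) for f in fields if "=" in f)
    if "trunks" in opts:  # tagged frames limited to the listed VLAN IDs
        return "trunk", sorted(int(v) for v in opts["trunks"].split(";"))
    if "tag" in opts:     # access port: frames reach the guest untagged
        return "access", [int(opts["tag"])]
    if opts.get("bridge") in aware:
        return "full-trunk", []  # no tag, no trunks: every VLAN on the bridge
    return "unfiltered", []      # bridge does no VLAN filtering at all


def audit(guests, interfaces_text, routers):
    """Names of guests that see more than one VLAN but are not routers."""
    aware = vlan_aware_bridges(interfaces_text)
    return sorted(
        name for name, line in guests.items()
        if classify(line, aware)[0] != "access" and name not in routers
    )


if __name__ == "__main__":
    for name in audit(GUESTS, INTERFACES, routers={"pfSense-Router"}):
        print(f"review: {name} is on the trunk without a VLAN tag")
```

In the sample, only the pfSense VM is expected to be untagged on vmbr0; any other guest the audit lists should get a VLAN tag so it lands in a single segment.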
Installing and Configuring pfSense
With Proxmox network configured, it's time to install pfSense itself, guys. Boot up your pfSense VM. You should see the familiar pfSense installer. Follow the on-screen prompts for installation. When you get to the point where you need to select the network interface, this is where we start applying our 'router on a stick' logic. Since we configured pfSense to use vmbr0 (our trunking interface), it will see that single vNIC. Let's assume this is em0 during installation. We'll install pfSense onto this interface. After the installation completes, pfSense will reboot. Do not connect to pfSense via its web GUI immediately. The default IP address assigned during installation might not be what you want, or it might not be accessible yet. We need to configure the VLANs first. Log in to the pfSense console (you can do this directly from the Proxmox VM console). You'll be presented with a menu. Option 1 is usually to Assign Interfaces. Select this. You'll see your physical interface (em0). Now, we need to create virtual interfaces on top of this physical one, one for each VLAN. Choose 'VLANs' from the interface assignment menu or use option 4 if available to create VLANs. You'll create a new VLAN interface, specifying the Parent Interface (your em0) and the VLAN Tag (e.g., 10 for your LAN, 20 for guests). Repeat this for each VLAN you need. Once you've created your VLAN interfaces (e.g., em0_vlan10, em0_vlan20), go back to the main menu and select Assign Interfaces again. Now, you'll see your newly created VLAN interfaces listed. Assign them to logical names like LAN, GUEST, DMZ, etc. For your primary LAN, assign em0_vlan10 to the LAN network. For other VLANs, assign them accordingly. Ensure you enable these interfaces. After assigning interfaces, you'll typically want to configure IP addresses for each of these interfaces. Go to Interfaces -> [Your Interface Name] (e.g., Interfaces -> LAN). Assign a static IP address and subnet mask to each interface. 
This IP address will be the default gateway for devices on that specific VLAN. For example, on your LAN interface (em0_vlan10), you might assign 192.168.10.1/24. On your GUEST interface (em0_vlan20), you might assign 192.168.20.1/24. Once these interfaces have IP addresses, you can access the pfSense web GUI by navigating to the IP address of your LAN interface (e.g., https://192.168.10.1). Log in using the default credentials (admin/pfsense) and proceed with the rest of the pfSense setup, including firewall rules, DHCP servers for each VLAN, and NAT. This is where the 'router on a stick' truly comes alive, with pfSense managing traffic across all your virtualized VLANs.
Client Configuration and Testing
So, you've got pfSense installed, interfaces assigned, and IPs configured. Awesome job, guys! The next crucial step is to ensure your client devices can actually use this 'router on a stick' setup. This involves configuring both your physical network and your client devices correctly. Remember that single physical port on your Proxmox server (eth0) connected to your managed switch? That port on the switch needs to be configured as a trunk port. This means it must be configured to allow tagged traffic for all the VLANs you've set up in pfSense (e.g., VLAN 10, VLAN 20). Your managed switch will then tag outgoing traffic destined for specific VLANs and expect tagged traffic coming back. For your client devices, they need to be connected to switch ports that are configured as access ports for their respective VLANs. For example, a computer that should be on your main LAN (VLAN 10) needs to be plugged into a switch port configured as an access port for VLAN 10. This port will typically strip the VLAN tag before sending traffic to the client, as most client devices (like standard NICs in PCs and laptops) don't natively understand VLAN tagging. If you have a specific device that does support VLAN tagging (like a Proxmox host itself, or a more advanced workstation), you could configure its network interface to be VLAN-aware and assign it directly to a specific VLAN tag. Testing is key! The best way to test is to create a virtual machine within Proxmox that you want to place on a specific VLAN, say your main LAN (VLAN 10). When creating this VM in Proxmox, you'll connect its vNIC to vmbr0 but crucially, you'll specify the VLAN Tag as 10 in the VM's network settings. Assign this VM a static IP within the subnet of your LAN (e.g., 192.168.10.100). Then, try to ping the pfSense LAN interface (192.168.10.1). If that works, try pinging an external IP address (like 8.8.8.8). If that also works, congratulations! 
You've successfully routed traffic through your pfSense 'router on a stick'. Repeat this testing process for other VLANs and client types. You should also test DHCP – ensure clients on each VLAN are receiving IP addresses from the correct DHCP scope configured in pfSense. If you encounter issues, double-check:
1. Switch Configuration: Is the port connected to Proxmox truly a trunk port allowing all necessary VLANs? Are client ports correctly assigned to access VLANs?
2. pfSense Interface Configuration: Did you assign the correct VLAN tags to the correct interfaces within pfSense? Are the IP addresses and subnets correct?
3. Firewall Rules: Are there any firewall rules in pfSense blocking inter-VLAN or internet traffic? Remember, pfSense, by default, blocks traffic between interfaces unless explicitly allowed. So, you'll need rules to permit traffic from your LAN VLAN to the internet, and potentially rules for inter-VLAN communication if desired.
This thorough testing ensures your 'router on a stick' setup is not just configured but actually functional, providing robust and segmented networking.
Advanced Considerations and Troubleshooting
As you get more comfortable with your Proxmox pfSense 'router on a stick' setup, guys, you might want to explore some advanced configurations or run into common troubleshooting scenarios.
One common consideration is WAN configuration. In a pure 'router on a stick' setup, your WAN interface might also be a VLAN. This means your ISP's modem or router would connect to a specific VLAN on your switch, and pfSense would have a WAN interface assigned to that VLAN. This is great for segmentation but requires your ISP to support VLAN tagging (PPPoE often does). If your ISP doesn't use VLANs, you might dedicate a separate physical NIC on your Proxmox server just for WAN, bypassing the 'router on a stick' for that single interface, which is a compromise but sometimes necessary.
Performance is another area. While VirtIO drivers and careful VM resource allocation generally provide excellent performance, heavy traffic loads or complex firewall rules can tax your pfSense VM. Monitor CPU and RAM usage on both Proxmox and your pfSense VM. Consider upgrading vCPUs or RAM if needed. Ensure your underlying hardware is capable.
High Availability (HA) is a more advanced topic. pfSense supports HA configurations, but setting it up in Proxmox with 'router on a stick' requires careful planning, possibly involving shared storage for configuration sync and duplicate network paths.
Troubleshooting common issues often boils down to network misconfigurations. If clients on a specific VLAN can't get an IP address, check the DHCP server settings in pfSense for that interface and ensure the VLAN is correctly configured and assigned. If clients can't reach the internet, verify:
1. pfSense WAN connectivity: Can pfSense itself ping external IPs?
2. Firewall Rules: Are outbound rules allowing traffic from the client's VLAN to the WAN interface?
3. NAT configuration: Is NAT set up correctly to translate internal IPs to your public IP?
If you can't access the pfSense web GUI, ensure the interface you're accessing it from is on the correct subnet and that the pfSense interface itself has an IP address configured. Sometimes, a simple reboot of the pfSense VM or even the Proxmox host can resolve transient issues. Always check the pfSense system logs for error messages – they are your best friend! Remember, the beauty of this setup is its flexibility. You can easily add or remove VLANs, adjust firewall rules, and segment your network further as your needs evolve. Mastering the 'router on a stick' in Proxmox is a significant step towards a highly customizable and powerful home or business network.