Proxmox VE Firewall VM Setup

By Edward, Published January 14 2024, Updated March 1 2024

Overview

My network setup consists of a WAN link, a switch with several VLANs, a Ubiquiti access point, and the server itself. Proxmox runs several VMs, including the OPNSense firewall and a Ubuntu server instance for serving Ubiquiti Unifi.

The overall setup of the system relies on OPNSense booting to activate the WAN link. From there, Proxmox connects to the management network and communicates online as needed.

VLAN 500: Guest – Gateway 192.168.1.1/24
VLAN 501: LAN – Gateway 192.168.2.1/24
VLAN 502: Management – Gateway 192.168.3.1/24
VLAN 1000: WAN – Gateway 172.16.0.1/24

WAN IP: 172.16.0.25
OPNSense IP: 192.168.3.25

Notes

If you plan on adding this Proxmox instance to a cluster, you will want to set up the Corosync Quorum script. Otherwise, Proxmox will not boot the firewall VM due to a loss in server availability.


VLAN Setup In Proxmox

VLANs within Proxmox are fairly straightforward. From the switch, set up a trunk port with the allowed VLANs. Then set the native VLAN to the management network. That allows Proxmox itself to communicate on the management VLAN rather than on the WAN.

It is recommended to hook up a computer to the appropriate VLAN with a static IP in order to reach the Proxmox server.

Select your node, then go to System > Network and change the bridge interface (typically vmbr0) to be VLAN aware. This will set Proxmox to trunk VLANs 2 through 4094, which can be reduced. Since I am handling all VLANs on the switch side, I left this alone. Once that is done, all that is left is to set up the firewall.

The interface configuration can also be modified directly through /etc/network/interfaces. I would recommend editing it directly only when changing the VLAN trunk range.

Since OPNSense is being used as the main firewall, the Proxmox firewall can be turned off or ignored. Access control lists can be added as an additional security measure.

/etc/network/interfaces
auto enp3s0
iface enp3s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.3.25/24
        gateway 192.168.3.1
        bridge-ports enp3s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
interfaces configuration file

VM Firewall Setup

You will need to have a copy of the ISO or VM image on hand. To upload the image, go over to local > ISO images and select Upload. Select the ISO from your local computer and upload.

At the top-right of the screen, select Create VM. At this point, choose a numbering convention for your VMs. For my first network, I selected range 100-199 as the range for its unique VMs. In the case of my firewall, I used 401.

Name your VM appropriately, then select Next. Select your ISO Image, and set the guest OS type and version to the appropriate values. Using a Linux firewall, I leave the default Linux version 6.0-2.6 kernel option.

Under System, change the BIOS version to OVMF (UEFI) or leave it as BIOS if preferred. UEFI will generally have better compatibility with modern operating systems. If UEFI is selected, either create an EFI disk or remove it. Either way, the firewall will still boot from disk with or without it. Select QEMU agent if supported by the OS. The rest can stay at the defaults.

Under Disks, select your storage location and disk size. Firewalls don’t require much space, but it can be used for logging. Choose a reasonable amount for your needs. Leave the rest at default.

Under CPU, choose an appropriate core count. I chose 2 for light to medium loads.

Under Memory, select an appropriate amount. For my firewall, I chose 4GB.

Under Network, leave it empty for now. We’ll get into more detail on that below.

Confirm your changes and save.

Additional Notes

If the VM does not boot after install, select your VM and go to Options > Boot Order and make sure your drive is checked and moved to the top.


Firewall VM Network setup

Select your firewall VM and go to Hardware. Select Add, then Network Device. Under Bridge, select the appropriate bridge. For the management VLAN, we will not specify a VLAN tag so that it hits the native VLAN on the switch. Leave the model and MAC address at their defaults. You can uncheck Firewall, as we won’t be using Proxmox’s firewall.

Repeat the above steps for each interface needed, setting the VLAN tag for every interface other than management.
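The Create VM and Hardware > Add > Network Device steps above can also be scripted with Proxmox's qm CLI. The following is an added example and not part of the original post; it assumes VM id 401, bridge vmbr0, a storage named local-lvm and a placeholder ISO name, and it only executes the commands when qm is present (otherwise it prints them as a dry run).

```shell
#!/bin/sh
# Added example: scripted equivalent of the VM creation and network-device steps.
# Assumptions: VM id 401, bridge vmbr0, storage "local-lvm", ISO name is a placeholder.
set -eu

VMID=401
BRIDGE=vmbr0
STORAGE=local-lvm                              # assumed storage name
ISO="local:iso/OPNSENSE-ISO-PLACEHOLDER.iso"   # substitute the uploaded ISO name

# VLAN for each firewall NIC, following the interface assignment used on this page.
# net0 is left untagged so it lands on the switch's native (management) VLAN.
vlan_for_net() {
    case $1 in
        0) printf '' ;;       # management, untagged
        1) printf '500' ;;    # guest
        2) printf '501' ;;    # LAN
        3) printf '1000' ;;   # WAN
        *) return 1 ;;
    esac
}

# Value for --netN: virtio NIC on the bridge with the Proxmox firewall disabled
# (OPNsense does the filtering), plus a VLAN tag when one is given.
net_arg() {
    if [ -z "${1:-}" ]; then
        printf 'virtio,bridge=%s,firewall=0' "$BRIDGE"
    else
        printf 'virtio,bridge=%s,firewall=0,tag=%s' "$BRIDGE" "$1"
    fi
}

# Emit the qm commands: OVMF with an EFI disk, 2 cores, 4 GB, QEMU agent, a 32 GB
# disk, and the ISO attached as CD-ROM. The disk is first in the boot order (as in
# the boot-order note above); firmware falls through to the ISO while it is empty.
build_cmds() {
    printf 'qm create %s --name opnsense --ostype l26 --bios ovmf --efidisk0 %s:1 \\\n' "$VMID" "$STORAGE"
    printf '  --cores 2 --memory 4096 --agent enabled=1 --scsihw virtio-scsi-single \\\n'
    printf "  --scsi0 %s:32 --cdrom %s --boot 'order=scsi0;ide2'\n" "$STORAGE" "$ISO"
    for n in 0 1 2 3; do
        printf 'qm set %s --net%s %s\n' "$VMID" "$n" "$(net_arg "$(vlan_for_net "$n")")"
    done
}

if command -v qm >/dev/null 2>&1; then
    build_cmds | sh -e      # on the Proxmox node: run the commands
else
    build_cmds              # elsewhere: dry run, just show them
fi
```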


Firewall VM Interface Assignment

Finally, go into your firewall and assign interfaces as needed. Each interface will have its own separate VLAN. If you need help figuring out which interface goes to which VLAN, reference the MAC address of the interface. In our example, net0 should sit at 192.168.3.1; net1 at 192.168.1.1; net2 at 192.168.2.1; net3 at 172.16.0.25 or DHCP.


Wrapping it up

At this point, you should have a functional firewall with VLANs set up. Communications within the firewall should be set up based on the type of firewall installed. Proxmox needs to communicate with the internet for updates, and its access can be set up either as an allowlist or as a denylist.

In the next page, I will go over setting up a firewall-hosting Proxmox instance within a cluster.