I’m setting up a VLAN on my Proxmox server to segregate test VMs from my home network. I’ve configured a VLAN with id 10 on my D-Link switch for the port that my Proxmox server is connected to.
I’ve followed the majority of the steps in this excellent guide here, and captured additional screenshots along the way (mostly for my own referenece).
In Proxmox, create a bridge with no IP, and enable ‘VLAN aware’:
Create a new VM for pfSense from the downloaded pfsense ISO from here. For the network, use the default/original network bridge (vmbr0), not the new one just created above – this will be your WAN NIC for pfSense:
One VM is created, don’t boot it yet, but add a second Network Device – for the bridge, use the new one created in the earlier step – this will be your LAN NIC for machines within the VLAN:
Boot the VM and select option to install:
Select option to configure networks. In Proxmox, look at the 2 network devices – the first one should be connected to your default Proxmox bridge (vmbr0) and the second one should be the new one we just added (vmbr99):
For your WAN interface, connect the one that is your default Proxmox bridge, in this case vmbr0:
I’ve left everything default for the WAN interface and then pressed Continue:
On the next screen it shows LAN connection as ‘not assigned’ – select it and press ‘Assign/Continue’:
Select the second interface (vtnet1) that is connected to the new bridge, vmbr99:
Configure your VLAN tags, I’ve set to 10 to match what I’ve already configured on my D-Link manged switch:
I’ve configure my CIDR range as 10.0.10.0/24 and DHCP range of 10.0.10.2 – 10.0.10.254 for this network:
Unless you have a pfSense Plus subscription, select the CE version:
To access the webConfigurator interface we need to temporily disable the pfSense firewall, which we’ll update shortly. In the Console for the pfSense VM, enter option 8 then enter ‘pfctl -d’. It should respond with ‘pf disabled’:
In a brower, go to the WAN ip shown in the Console, and logon with defaults admin/pfsense. Change your password when prompted.
Under interfaces, select your WAN interface and uncheck these 2 options (to enable access to IPs on your VLAN subsets from your local home network IPs:
After applying changes, go back to your Proxmox console for the VM and run ‘pfctl -d again, and the web interface should be accessible again.
To setup a firewall rule to allow access to the pfSense VM from your home network, go to ‘Firewall / Rules / WAN’ and set up a rule with source = ‘WAN subnets’ and destination = ‘This firewall’. Save and apply. Afer a couple of seconds you should have access to the webConfigurator, and the rule should appear like this:
To enable DHCP for your VLAN subnet range, go to Services / DHCP server. If you see this message:
… follow the link and enable ‘Kea DHCP’ backend.
Go back to Services / DHCP Server, check that DHCP is enabled, scrolldown to Primay Address Pool and configure the IP range your your subnet:
From this point you should be ready to go.
To configure a VMs to use the VLAN network and route through pfSense, instead of using the defaul vmbr0 bridge, select the new vmbr99 that you added:
As an example when setting up a new Ubuntu 24.04 server, during the install from ISO, under Network Configuration. you should see the VM magically gets a new IP allocated from your pfSense DHCP server:
In pfSense Status / DHCP Leases you should see this new allocated IP:
To allow access from your home lan to VMs within your new VLAN subnet, you need to:
a) add a pfSense firewall rule allow traffic from your WAN subnet (or a specific ip) to any specific IP destinations (or the whole VLAN subnet if you want to allow access to everything in the VLAN):
And then on the machine(s) that needs to access your VMs in the new VLAN, add a route where the gateway is the ip address of your pfSense VM that is going to handle routing the traffic between your WAN and the VLAN:
sudo route add -net 10.0.10.0/24 [gateway ip]
Where:
- 10.0.10.0/24 is the CIDR for the VLAN I want to access
- [gateway ip] is the IP of the pfSense VM that’s connected to your home network
I tested ssh’ing into my new Ubuntu server on VLAN 10 and it’s all good!