VM-Only Network
Setting Up a VM-Only Network (VMLAN) with pfSense on Proxmox
Introduction
In this guide, I will walk through the steps to set up a dedicated VM-only network (VMLAN) using pfSense as the router on Proxmox. This setup allows VMs to have their own subnet while being managed by pfSense for DHCP, firewall rules, and potential VLAN segmentation in the future.
Network Setup Overview
Current Network Configuration:
- ISP Router: 172.16.0.1
- Proxmox Host: 172.16.0.5
- pfSense VM (WAN Interface - DHCP on ISP Network)
  - WAN: 172.16.0.x (Assigned via DHCP by ISP Router)
  - LAN: 10.0.0.1/24
- Wireless AP: 10.0.0.2
- Range Extender: 10.0.0.3
- Devices (Phones, Laptops) Connected to LAN via WiFi
What We Will Add:
- VMLAN (Virtual Machine Network)
  - Subnet: 10.0.1.0/24
  - pfSense Gateway: 10.0.1.1
  - Managed by pfSense
  - DHCP Server Enabled
  - Proxmox VM Bridge: vmbr1
This setup allows for isolation of virtual machines while maintaining control over their network access.
Step 1: Create a Virtual Network Bridge (vmbr1) in Proxmox
- Log in to the Proxmox Web UI.
- Go to: Datacenter → Node (Your Proxmox Host) → Network.
- Click Create → Linux Bridge.
- Configure:
  - Name: vmbr1
  - Autostart: Enabled
  - IPv4 Address: Leave Empty (pfSense will handle routing)
  - IPv4/CIDR: Leave Empty
  - Bridge Ports: Leave Empty
- Click Create, then Apply Configuration.
Step 2: Add a Virtual Network Interface for pfSense
- Shut down the pfSense VM in the Proxmox Web UI.
- Go to: pfSense VM → Hardware.
- Click Add → Network Device.
- Configure:
  - Bridge: vmbr1
  - Model: VirtIO (Recommended for performance)
  - VLAN Tag: Leave Empty
- Click Add, then Start pfSense to detect the new NIC.
Step 3: Assign the New Interface in pfSense
- Log in to the pfSense Web UI.
- Go to: Interfaces → Assignments.
- In the Available Network Ports dropdown, select the new interface (e.g., vtnet1, igb1, or vmx1).
- Click Add, then click on the newly added interface (e.g., OPT1).
- Configure:
  - Enable Interface: ✅
  - Name: VMLAN
  - IPv4 Configuration Type: Static IPv4
  - IPv4 Address: 10.0.1.1/24
  - IPv6 Configuration Type: None
- Click Save & Apply Changes.
Step 4: Enable DHCP for VMLAN
- Go to: Services → DHCP Server → VMLAN.
- Enable DHCP and set:
  - Range: 10.0.1.100 - 10.0.1.200
  - Gateway: 10.0.1.1
- Click Save & Apply Changes.
Step 5: Configure Firewall Rules for VMLAN
Since pfSense blocks all traffic by default on new interfaces, we need to allow traffic on VMLAN.
- Go to: Firewall → Rules → VMLAN.
- Click Add Rule.
- Set:
  - Action: Pass
  - Interface: VMLAN
  - Protocol: Any
  - Source: 10.0.1.0/24
  - Destination: Any
  - Description: Allow All Traffic from VMLAN
- Click Save & Apply Changes.
Optional: If you want to isolate VMLAN from LAN (10.0.0.0/24), add a Block Rule above the Allow Rule with Destination 10.0.0.0/24. pfSense evaluates the rules on an interface from top to bottom and the first match wins, so the block rule only takes effect if it sits above the allow rule.
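Why the position of the optional block rule matters, as an added example that is not part of the original guide: a simplified first-match model of the VMLAN rule tab, run against the same destinations used in the tests later in this guide. The rule description "Block VMLAN to LAN", the VM address 10.0.1.50 as a source and the ruleset labels are assumptions of this example.

```python
import ipaddress

# Simplified model (an assumption of this example) of how pfSense evaluates the
# rules on one interface tab: top to bottom, first match wins, default deny.
def evaluate(rules, src, dst):
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, description in rules:
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)):
            return action, description
    return "block", "implicit default deny"

# The allow rule from Step 5 (Destination "Any" modelled as 0.0.0.0/0).
ALLOW_ALL = ("pass", "10.0.1.0/24", "0.0.0.0/0", "Allow All Traffic from VMLAN")
# The optional isolation rule; its description is a hypothetical label.
BLOCK_LAN = ("block", "10.0.1.0/24", "10.0.0.0/24", "Block VMLAN to LAN")

RULESETS = {
    "allow only": [ALLOW_ALL],
    "block below allow (wrong)": [ALLOW_ALL, BLOCK_LAN],
    "block above allow (isolated)": [BLOCK_LAN, ALLOW_ALL],
}

# Constructed probes: VMLAN gateway, pfSense LAN address, wireless AP, internet.
PROBES = ["10.0.1.1", "10.0.0.1", "10.0.0.2", "1.1.1.1"]

def verdicts(ruleset_name, src="10.0.1.50"):
    """Return {destination: action} for a VMLAN source under the named ruleset."""
    rules = RULESETS[ruleset_name]
    return {dst: evaluate(rules, src, dst)[0] for dst in PROBES}

if __name__ == "__main__":
    for name in RULESETS:
        print(name)
        for dst, action in verdicts(name).items():
            print(f"  10.0.1.50 -> {dst:<9} {action}")
```

In every ordering the allow rule still passes all traffic to 10.0.1.1, which is the firewall's own VMLAN address, because its protocol and destination are both Any.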
Step 6: Assign VMs to VMLAN
- Go to Proxmox → VM → Hardware → Network.
- Edit or add a new network device, and select:
  - Bridge: vmbr1
  - VLAN Tag: Leave Empty
- Start the VM and configure networking:
  - Set to DHCP (pfSense will assign an IP from 10.0.1.x).
  - OR set manually (10.0.1.50, Subnet: 255.255.255.0, Gateway: 10.0.1.1).
Testing the Setup
- From a VMLAN VM, try:
  - ping 10.0.1.1 (should work - testing gateway access).
  - ping 10.0.0.1 (should work if not blocked).
  - ping 1.1.1.1 (should work if internet access is enabled).
- From a LAN device (e.g., laptop, phone):
  - ping 10.0.1.x (should work if not blocked).
  - Try using nslookup google.com to test DNS resolution.
Conclusion
You now have a dedicated VMLAN (10.0.1.0/24) routed by pfSense, managed separately from LAN. If needed, you can restrict access between these networks while still allowing shared services. This setup is flexible and scalable for future VLANs, additional firewall rules, or advanced routing.
🚀 Next Steps: Consider VLAN tagging for enhanced security, adding VPN access, or setting up separate subnets for different VM roles.