Proxmox Setup Guide with Open vSwitch and VLANs

https://benheater.com/proxmox-laptop-cybersecurity-lab/

1. Access the Web Console

  • Navigate to: https://<proxmox-ip>:8006 (e.g., https://10.0.0.100:8006).
  • Login:
    • Username: root
    • Password: Set during installation.
  • Ignore the “no subscription” warning.

2. Initial Configuration

  1. Update APT Repositories:

    # Comment out every active line in the enterprise repositories (they require a subscription)
    sed '/^[^#]/ s/^/# /' -i /etc/apt/sources.list.d/pve-enterprise.list
    sed '/^[^#]/ s/^/# /' -i /etc/apt/sources.list.d/ceph.list

    # Add the no-subscription community repository for the installed Debian release
    echo -e '\n# Proxmox community package repository' >> /etc/apt/sources.list
    echo "deb http://download.proxmox.com/debian/pve $(grep CODENAME /etc/os-release | cut -d '=' -f 2) pve-no-subscription" >> /etc/apt/sources.list
  2. Install Dependencies:

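    # Refresh the package lists now that the repositories have changed
    apt clean && apt update
    # ifupdown2 provides ifreload (used in Troubleshooting); openvswitch-switch provides OVS
    apt install ifupdown2 openvswitch-switch -y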
  3. Disable Lid Suspend (for laptops):

    • Edit /etc/systemd/logind.conf:

      HandleLidSwitch=ignore
      HandleLidSwitchExternalPower=ignore
      HandleLidSwitchDocked=ignore
    • Restart login service:

      systemctl restart systemd-logind.service
  4. Apply Pending Upgrades:

    pveupgrade

    ⚠️ Reboot if a kernel update is installed.


3. Switch to Open vSwitch (OVS)

  1. Backup Current Network Configuration:

    cp /etc/network/interfaces /etc/network/interfaces.bak
  2. Remove the Default Linux Bridge:

    • Navigate to [Node Name] > Network in the web UI.
    • Select vmbr0 and click Remove.
  3. Create New OVS Components:

    • Production Switch (vmbr0):

      • Create an OVS Bridge and attach the physical NIC (e.g., enp0s31f6).
      • Use this for external access (e.g., Proxmox management and internet).
    • Management Interface:

      • Create an OVS IntPort for Proxmox management (vmbr0_mgmt in the topology overview).
      • Assign a static IP (e.g., 10.0.0.100/24) and gateway (e.g., 10.0.0.1).
    • Internal Switch (vmbr1):

      • Create another OVS Bridge without a physical port.
      • Use this for pfSense and VLANs.

4. VLAN Configuration

  1. Create VLANs on Internal Switch (vmbr1):

    • VLAN 333: For Root Domain VMs (e.g., domain controllers).

      • Create OVS IntPort: Name vlan_333 with VLAN tag 333.
    • VLAN 666: For Red Domain.

      • Create OVS IntPort: Name vlan_666 with VLAN tag 666.
    • VLAN 999: For Blue Domain.

      • Create OVS IntPort: Name vlan_999 with VLAN tag 999.
  2. Verify Configuration:

    • Check that vmbr1 has the VLANs listed as ports.
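
One way to script the verification step above, as an added example that is not part of the original guide: it parses an ifupdown2 interfaces file and checks that vmbr1 carries an IntPort for each of the guide's VLAN tags and has no physical port attached. The function names are hypothetical, the sample file is constructed, and the stanza keywords (ovs_type, ovs_bridge, ovs_options tag=) are the ones Proxmox writes for OVS.

```shell
# Added example, not from the guide. Function names are hypothetical.
# Emit "name type bridge tag" per iface stanza ("-" where a field is absent).
ovs_records() {
    awk '
        function emit() { if (name != "") print name, kind, bridge, tag }
        $1 == "iface"       { emit(); name = $2; kind = bridge = tag = "-" }
        $1 == "ovs_type"    { kind = $2 }
        $1 == "ovs_bridge"  { bridge = $2 }
        $1 == "ovs_options" { for (i = 2; i <= NF; i++) if ($i ~ /^tag=/) tag = substr($i, 5) }
        END { emit() }
    ' "$1"
}

# Return 0 only if <bridge> has an IntPort for every listed tag and no physical OVSPort.
audit_internal_bridge() {
    file=$1; bridge=$2; shift 2; rc=0
    recs=$(ovs_records "$file")
    # The internal switch is built without a physical port; an OVSPort here would bridge the lab VLANs out.
    if echo "$recs" | awk -v b="$bridge" '$2 == "OVSPort" && $3 == b { f = 1 } END { exit !f }'; then
        echo "FAIL: physical port attached to $bridge"; rc=1
    fi
    for vlan in "$@"; do
        if ! echo "$recs" | awk -v b="$bridge" -v v="$vlan" \
            '$2 == "OVSIntPort" && $3 == b && $4 == v { f = 1 } END { exit !f }'; then
            echo "FAIL: no IntPort tagged $vlan on $bridge"; rc=1
        fi
    done
    return $rc
}

# Constructed sample in Proxmox's OVS stanza syntax, using the guide's names and tags.
write_sample() {
    printf 'auto vmbr1\niface vmbr1 inet manual\n    ovs_type OVSBridge\n' > "$1"
    for v in 333 666 999; do
        cat >> "$1" <<EOF
auto vlan_$v
iface vlan_$v inet manual
    ovs_type OVSIntPort
    ovs_bridge vmbr1
    ovs_options tag=$v
EOF
    done
}

# Audit the file given as $1, or the constructed sample when run without arguments.
if [ $# -gt 0 ]; then f=$1; else f=$(mktemp); write_sample "$f"; fi
audit_internal_bridge "$f" vmbr1 333 666 999 && echo "OK: vmbr1 matches the guide's layout"
[ $# -gt 0 ] || rm -f "$f"
```

On the Proxmox host, pass /etc/network/interfaces as the first argument.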

5. pfSense Integration

  1. Assign two NICs to the pfSense VM:

    • NIC 1 (WAN): Connect to vmbr0 for internet access.
    • NIC 2 (LAN): Connect to vmbr1 for internal routing.
  2. Configure pfSense:

    • WAN Interface:
      • Set to DHCP to get an IP from the router.
    • LAN Interface:
      • Assign a static IP (e.g., 10.0.1.1/24) and enable DHCP for VMs on VLANs.
  3. Test:

    • Ensure VMs in different VLANs can communicate only through pfSense.

6. Network Topology Overview

  • vmbr0 (Production Switch):
    • Physical NIC connected to external router for internet.
    • Proxmox Management (via vmbr0_mgmt IntPort).
  • vmbr1 (Internal Switch):
    • VLAN 333: Root domain.
    • VLAN 666: Red domain.
    • VLAN 999: Blue domain.
  • pfSense:
    • Routes traffic between vmbr0 (WAN) and vmbr1 VLANs (LAN).

Troubleshooting

  • If connectivity issues arise, restore the backed-up network configuration and reload it:

    cp /etc/network/interfaces.bak /etc/network/interfaces
    ifreload -a
  • Reapply changes step by step.