Using pfSense as a router only for other VMs

I have pfSense running in a VM under Proxmox.

The pfSense VM has two NICs:
192.168.2.1 → WAN to the router’s GW and the internet
172.16.1.1 → LAN made to service other VMs in Proxmox

pfSense can ping:
192.168.1.1 - the default GW
1.1.1.1 - the internet
172.16.1.2 - another VM (running Mint)

the other VM can ping:
172.16.1.1 - the LAN interface in pfSense
Can’t ping anything else.

You’d think it would be simple to route the LAN thru the WAN (and I bet it is).

!!! Please note: This is a mostly naked install of pfSense in this new Proxmox VM. No rules or other configurations have been setup yet !!!

I plan on more complicated things for this, but for now I need to learn the basics. I’ve asked ChatGPT and followed some YouTube tutorials. No luck.

Looking forward to some insights.

Thanks!

Can you show us the networking section and the VM’s hardware section in PVE and your firewall rules in pfSense? That should give a sense of where things are now.

I’d imagine your default gateway on the Mint VM is wrong, should be 172.16.1.1

Output of ip r would be useful.

If that’s correct, I’d also look at turning off the firewall function of Proxmox on a per-VM basis and just let the pfSense router deal with that.

I assume it is a typo that pfSense has 192.168.2.1 and it actually is 192.168.1.2 (otherwise, the networks 192.168.1.0/24 and 192.168.2.0/24 share no router).

BTW, was there a reason not using OPNsense but pfSense?

Does you 192.168.1.0/24 (?) network know the 172.16.1.2 network, i.e. does every system has a route to 172.16.1.0/24 (?) via 192.168.1.2, or does at least does 192.168.1.1 has such a route?

Alternatively you could setup NAT on the pfSense, then given the pfSense IP is correct, from “behind” (172.16.1.0/24) you could reach 192.168.1.0/24 - but not vice versa (which often is good for security and less good for usability).

Please note that all you routers support tcpdump. You could run it showing the ICMP (ping) packets by using a command like tcpdump -n -i any icmp on each hop: the Mint VM, the pfSense and the PVE (!). Maybe also on your gateway. Then you can send a ping from the Min VM (ping -c 1 192.168.1.1 - Give me a ping, Vasili. One ping only, please) and watch it going through the network. Maybe you see the ping actually reach the target and also a ICMP Ping Reply which then gets lost. Also you see whether NAT is active or not.

OPNsense would be better?
This new learning is good for me.
Why are a fan of OPNsense over pfSense?

The pfSense VM has two NICs:
192.168.143.28 → WAN to the router’s GW and the internet
172.16.1.1 → LAN made to service other VMs in Proxmox

pfSense VM ping results:
192.168.143.1 - the default GW using the WAN or LAN - good
1.1.1.1 - the internet using the WAN - good
1.1.1.1 - the internet using the LAN - BAD - the LAN using the WAN - good

the other VM can ping:
172.16.1.1 - the LAN interface in pfSense
Can’t ping anything else.

You’d think it would be simple to route the LAN thru the WAN (and I bet it is).

Looking forward to some insights.

Thanks!

05/03/2024
********** EDIT *************

NOTE: As of late, the cable modem is not performing NAT. I got that disabled.

The Nighthawk RAX50 router behind the cable modem has DMZ server option.

I set the pfSense VM as the DMZ Server.

RAX50 DMZ server

I have taken many screen shots of pfSense configuration. I am sure I am just missing something fundamental now that will allow the LAN traffic to route thru the WAN and out to the internet.

If you did not have any NAT or rules configured for this yet, what would you do next?

Thanks again!