Can you show us the networking section and the VM’s hardware section in PVE and your firewall rules in pfSense? That should give a sense of where things are now.
I assume it is a typo that pfSense has 192.168.2.1 and it actually is 192.168.1.2 (otherwise, the networks 192.168.1.0/24 and 192.168.2.0/24 share no router).
BTW, was there a reason for using pfSense rather than OPNsense?
Does your 192.168.1.0/24 (?) network know the 172.16.1.2 network, i.e. does every system have a route to 172.16.1.0/24 (?) via 192.168.1.2, or does at least 192.168.1.1 have such a route?
Alternatively you could set up NAT on the pfSense; then, given the pfSense IP is correct, from “behind” (172.16.1.0/24) you could reach 192.168.1.0/24 - but not vice versa (which often is good for security and less good for usability).
Please note that all your routers support tcpdump. You could run it showing the ICMP (ping) packets by using a command like tcpdump -n -i any icmp on each hop: the Mint VM, the pfSense and the PVE (!). Maybe also on your gateway. Then you can send a ping from the Mint VM (ping -c 1 192.168.1.1 - Give me a ping, Vasili. One ping only, please) and watch it going through the network. Maybe you see the ping actually reach the target and also an ICMP Ping Reply which then gets lost. You also see whether NAT is active or not.
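Added example, not part of the reply above: one way to compare the per-hop tcpdump -n -i any icmp captures it describes, reporting how far the echo request got, where the reply went missing, and whether the source address was rewritten (NAT). The hop names, interface names, timestamps and the use of 172.16.1.2 as the Mint VM address are assumptions, and the capture lines are constructed.

```python
import re

# Matches tcpdump -n ICMP echo lines, with or without the interface and
# direction columns that "-i any" adds on newer tcpdump builds.
ICMP = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id \d+, seq \d+")

def parse(lines):
    """Return (kind, src, dst) for every echo request/reply line."""
    return [(m[3], m[1], m[2]) for m in map(ICMP.search, lines) if m]

def trace(captures, client):
    """captures: [(hop_name, tcpdump_lines), ...] ordered from client to target."""
    reached, reply_on, reply_missing, nat = None, [], [], False
    for hop, lines in captures:
        pkts = parse(lines)
        req_srcs = {src for kind, src, _ in pkts if kind == "request"}
        has_reply = any(kind == "reply" for kind, _, _ in pkts)
        if req_srcs:
            reached = hop                           # furthest hop that saw the request
            nat = nat or bool(req_srcs - {client})  # source rewritten => NAT active
        if has_reply:
            reply_on.append(hop)
        elif req_srcs:
            reply_missing.append(hop)               # request passed, reply never returned
    return {"request_reached": reached, "reply_seen_on": reply_on,
            "reply_missing_on": reply_missing, "nat": nat}

REQ = "IP 172.16.1.2 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64"
REP = "IP 192.168.1.1 > 172.16.1.2: ICMP echo reply, id 7, seq 1, length 64"
# Constructed captures: no NAT, and the reply is seen only on the PVE host.
SAMPLE = [
    ("mint", ["10:00:00.000100 " + REQ]),
    ("pfsense", ["10:00:00.000200 " + REQ, "10:00:00.000210 " + REQ]),
    ("pve", ["10:00:00.000300 vmbr0 Out " + REQ, "10:00:00.000400 vmbr0 In " + REP]),
]

if __name__ == "__main__":
    print(trace(SAMPLE, "172.16.1.2"))
```

A reply that shows up on the PVE host but not on the pfSense, with nat false, is the pattern you get when the 192.168.1.0/24 side has no route back to 172.16.1.0/24.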
The pfSense VM has two NICs:
192.168.143.28 → WAN to the router’s GW and the internet
172.16.1.1 → LAN made to service other VMs in Proxmox
pfSense VM ping results:
192.168.143.1 - the default GW using the WAN or LAN - good
1.1.1.1 - the internet using the WAN - good
1.1.1.1 - the internet using the LAN - BAD - the LAN using the WAN - good
The other VM can ping:
172.16.1.1 - the LAN interface in pfSense
Can’t ping anything else.
You’d think it would be simple to route the LAN thru the WAN (and I bet it is).
Looking forward to some insights.
Thanks!
05/03/2024
********** EDIT *************
NOTE: As of late, the cable modem is not performing NAT. I got that disabled.
The Nighthawk RAX50 router behind the cable modem has DMZ server option.
I set the pfSense VM as the DMZ Server.
I have taken many screenshots of the pfSense configuration. I am sure I am just missing something fundamental now that will allow the LAN traffic to route thru the WAN and out to the internet.
If you did not have any NAT or rules configured for this yet, what would you do next?
Create a bridge in Proxmox, but don’t assign it any NICs, and don’t give it an IP. That’s the bridge you should connect your OPNsense “LAN” port to, as well as any VMs you want to be behind the OPNsense instance. Then connect your OPNsense “WAN” port to the main bridge that’s shared by your other systems and has internet access. After that it’s like any other firewall situation: set up a DHCP server on OPNsense if you want to provide an IP to your VMs, set up whatever routing rules you want to get traffic out of these VMs and to the rest of the network/world, etc.