Pfsense+HA on one proxmox box

Hi all,
I know that I can install pfSense and Home Assistant, both on Proxmox.
My question is: will I be able to have HA in the pfSense firewall?
Or are they going to be isolated?

My goal is to do this

ISP cable ---->proxmox---->Pfsense -----> everything else routes through including HA.

Instead of this below:

ISP cable ---->proxmox----> Pfsense -----> everything.
                  |--------> HA

The aim is to have one server to provide automation and routing. The automation is in a separate VLAN with IoT.
I hope I made my question clear.
Thanks for your help

Having (any) other application on a firewall is a no-no if you ask me… It’s an attack factor and kind of defeats the whole purpose of having the firewall in the first place.

Then again, looking at your diagrams maybe it’s not what you want. If your question is: Can I access HA if it’s “behind” (or next to) pfsense, then your answer is yes.

You can use NAT and port-forwarding to make HA accessible behind the pfsense firewall…

I fully agree with @sj3fk3: you shouldn't have your firewall on your Proxmox box with other VMs (HA or otherwise).
Nevertheless, if you decide to do so, I assume you have two LAN interfaces on your Proxmox host. Say eth0 being the WAN side and eth1 being the LAN side.
In Proxmox, pfSense should use both interfaces and your HA VM (like any other) should only use eth1. With this, from the outside HA will be "behind" pfSense.
GV
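The two-interface layout described in this reply, written out as an added example (not from the thread or from Proxmox's own documentation): a host `/etc/network/interfaces` with a WAN bridge that carries no host address and a LAN bridge for everything else, plus a small audit that reads `qm config` output and reports any guest other than pfSense with a NIC on the WAN bridge. The interface names eth0/eth1, bridge names vmbr0/vmbr1, the 192.168.1.0/24 addresses, and VMID 100 for pfSense are assumptions; the `qm config` lines are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: eth0 = WAN NIC, eth1 = LAN NIC,
# vmbr0 = WAN bridge, vmbr1 = LAN bridge, VMID 100 = the pfSense guest.

WAN_BRIDGE=vmbr0
LAN_BRIDGE=vmbr1
PFSENSE_VMID=100

# Reference /etc/network/interfaces for the Proxmox host. The WAN bridge has no
# host IP, so nothing on the ISP side can reach the hypervisor directly; only the
# pfSense VM's WAN NIC attaches to it. The host's management address lives on the
# LAN bridge, behind pfSense, with pfSense (192.168.1.1, assumed) as its gateway.
proxmox_interfaces() {
cat <<'EOF'
auto lo
iface lo inet loopback

iface eth0 inet manual
iface eth1 inet manual

# WAN bridge: no host address; pfSense WAN NIC attaches here
auto vmbr0
iface vmbr0 inet manual
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0

# LAN bridge: host management address, pfSense LAN NIC, HA and all other guests
auto vmbr1
iface vmbr1 inet static
    address 192.168.1.2/24
    gateway 192.168.1.1
    bridge-ports eth1
    bridge-stp off
    bridge-fd 0
EOF
}

# Constructed sample of `qm config <vmid>` net lines for three guests, prefixed
# with "vmid|" so the audit can run offline. On a real host produce the same
# form with:
#   for id in $(qm list | awk 'NR>1{print $1}'); do qm config "$id" | sed "s/^/$id|/"; done
# VM 100 is pfSense (both bridges), 101 is HA (LAN only), 102 is deliberately
# misconfigured with a NIC on the WAN bridge.
sample_qm_configs() {
cat <<'EOF'
100|net0: virtio=AA:BB:CC:00:00:01,bridge=vmbr0
100|net1: virtio=AA:BB:CC:00:00:02,bridge=vmbr1
101|net0: virtio=AA:BB:CC:00:01:01,bridge=vmbr1
102|net0: virtio=AA:BB:CC:00:02:01,bridge=vmbr0
EOF
}

# Read "vmid|netN: ..." lines from stdin and print the VMIDs, other than
# pfSense, that have any NIC on the WAN bridge. Empty output means every other
# guest sits behind pfSense as the reply above describes.
wan_bridge_violations() {
    grep -E "^[0-9]+\|net[0-9]+: .*bridge=${WAN_BRIDGE}(,|$)" \
      | cut -d'|' -f1 | sort -u | grep -vx "$PFSENSE_VMID" || true
}

# Stand-alone run: audit the constructed sample.
violations=$(sample_qm_configs | wan_bridge_violations)
if [ -n "$violations" ]; then
    echo "VMs with a NIC on $WAN_BRIDGE other than pfSense $PFSENSE_VMID: $violations"
else
    echo "OK: only pfSense touches $WAN_BRIDGE"
fi
```

The audit is worth running after any `qm set ... --netN` change: the whole design rests on exactly one guest touching the WAN bridge, and a second NIC added to the wrong VM silently puts that VM in front of the firewall.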

@greengolfer @sj3fk3

Thank you guys. I know that it is not the greatest idea, but I have one spare i5 PC; it is perfectly capable of running HA and pfSense.
I have an Intel Pro 1000 card in it, so no shortage of ports.

Having read your recommendations I may need to find another old PC to buy :slightly_frowning_face:

The Netgates are damn expensive.

I've been using this approach for the last few months, rock stable.

Although I understand the arguments presented, in my case this is the perfect solution. For some folks this is like an ideology/religion position. For me it is a personal decision that everyone has to make for themselves, considering the risks (which I don't think are relevant for me).

Proxmox is very, very stable, and pfSense is also very stable; the less stable one is actually HA, each update is like an adventure. But anyway, you can always take a snapshot of HA before updating (I always do) and it will be fine.

Regarding your goal, yes it is possible, with a simple config in proxmox.

Thanks Andrew, I've been rocking a new AMD Athlon 200GE mini PC for pfSense since March.
It's been rock solid with no glitches, still a lot to learn though.
The whole system cost me about £180, so it's not the cheapest, but AMD has a great upgrade path so it may turn out to be my server in a few years' time :grimacing:

Good to see this works.
I had some issues where HA became unavailable, even though everything else worked, when I ran with pfSense. I have to work out what I did wrong there.
My goal is to have it all virtualised as well, like the OP. I know some will say security issues and all that, but each VM is sandboxed and should be pretty secure, if configured correctly. Containers are obviously different, but containers should also be just as secure as a physical machine on the same subnet, which is how most home users would be set up anyway. It should be more secure than the average consumer router.

Edit: For those that say it is a no-no to have pfSense on a VM: can you please point to the data that says a VM is less safe than having a physical server in the same subnet? Where is the data that says it defeats the purpose of a firewall or that it is an "attack factor", whatever "attack factor" means?
Quite a lot of large enterprises do actually virtualise their firewalls in datacentres.
On the Netgate site they actually have a complete tutorial on how to virtualise PFSense with ProxMox.
https://docs.netgate.com/pfsense/en/latest/virtualization/virtualizing-pfsense-with-proxmox.html
There is no mention of security concerns there. They do have tutorials for other hypervisors too, but I run Proxmox :slight_smile:

I am embarking on this same quest. I am moving to a NUC8i5 with 32 GB memory and 1 TB storage. The software I'd like to merge onto this NUC:

  1. KODI with sound over HDMI. I don’t believe I can assign audio to a Proxmox container on a NUC…so this forces me to run Proxmox under Debian.

  2. Home Assistant…I'd like to run Supervised and not have to manage all the Supervisor add-ons myself.

  3. I want to run pfSense and route everything through it, providing a secure VPN for all devices on my network (using OpenVPN). pfSense requires its own system, so this is what's forcing me to Proxmox.

  4. I run Pi-hole today in a Docker container…not sure where to put it in this new, more complex environment…Docker under Debian or its own container?

Complicating all this is that the NUC only has one Ethernet port. I have a StarTech dual gigabit Ethernet over USB adapter, so I need to configure that as well…or maybe I can use managed Ethernet switches and forget the StarTech?

Fortunately, all this is a hobby…none of it is critical and I have enough backup systems to run everything independently (nuc7, Rpi, Wyse 5070 and 5020). This is my attempt to now combine everything on to a single NUC.

My plan is to install Debian 11, then Proxmox, then pfSense in its own VM. Once that works (or maybe I should say IF), I'll install KODI on Debian and then Home Assistant Supervised under (not sure…Debian Docker or a Proxmox VM).

Any thoughts on this much appreciated.

I will continue to use my Verizon router as my firewall.