Setting up Proxmox for a Home Lab with VLANs and pfSense

2025-11-08

Introduction

A homelab is more than virtualization: it’s about network design. With only one network interface card (NIC) it’s tempting to keep a flat network, but flat networks mix all devices together and are hard to secure. Virtual LANs (VLANs) carve a physical network into isolated broadcast domains; a VLAN‑aware switch tags frames so VLAN 10 stays separate from VLAN 20 (virtualizationhowto.com). In this tutorial you’ll build a virtual router with pfSense on Proxmox using a single Ethernet port. By enabling VLAN tagging on Proxmox’s bridge, configuring a trunk port on your switch and setting up pfSense to route between VLANs and the internet, you’ll create a flexible segmented network on compact hardware.

Prerequisites

  • Hardware: A Proxmox VE 8.x host with a single Ethernet port. The default bridge (vmbr0) functions as a virtual switch (virtualizationhowto.com).

  • Managed switch: Must support 802.1Q tagging; configure the port to Proxmox as a trunk carrying multiple VLANs while leaving other ports as access ports for individual devices (virtualizationhowto.com).

  • pfSense ISO: Download the latest pfSense Community Edition and upload it to Proxmox.

  • VLAN plan: Decide which VLANs you need (e.g., 10 = management, 20 = servers, 30 = IoT) and align your IP addressing scheme accordingly (10.1.10.0/24 for VLAN 10, 10.1.20.0/24 for VLAN 20, etc.) (virtualizationhowto.com).

  • Physical network: Tag the Proxmox switch port for all VLANs you intend to use and ensure the WAN VLAN reaches your internet gateway; trunk ports carry tagged traffic while access ports send untagged frames (virtualizationhowto.com).

Installing Proxmox (brief recap)

If you’re starting from scratch, download the Proxmox VE installer and install it on your hardware. During installation you assign a static IP to the default Linux bridge (vmbr0). This bridge ties your physical NIC to the Proxmox host and its virtual machines. Once installed, log in to the Proxmox Web UI.

Tip: The network configuration lives in /etc/network/interfaces. The default entry for the bridge looks similar to:

    auto vmbr0
    iface vmbr0 inet static
        address 10.1.149.52/24
        gateway 10.1.149.1
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0

The key is that vmbr0 bridges the physical port (enp1s0) to the rest of the system (virtualizationhowto.com). We’ll modify this file later to make the bridge VLAN‑aware.

Creating VLANs and Making the Bridge VLAN‑aware

Proxmox can forward 802.1Q traffic when its bridge is VLAN‑aware. In the web UI, edit vmbr0 and tick VLAN aware (virtualizationhowto.com), then restart networking. This turns vmbr0 into a trunk that accepts VLAN IDs 2–4094 (virtualizationhowto.com). You can define specific VLANs by editing /etc/network/interfaces and adding bridge-vlan-aware yes with a list of allowed IDs (virtualizationhowto.com). Create sub‑interfaces such as vmbr0.10 for the management network and assign IPs there. Once configured, restart networking or reboot.
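The check below is an added example, not code from the original page or from Proxmox: it parses an /etc/network/interfaces file and reports where the bridge's allowed VLAN IDs differ from the VLAN plan, for instance when the full 2–4094 range is left open. The sample file, its 10.1.10.2 address, the use of bridge-vids for the allowed list and the function names are assumptions made for illustration.

```python
# Constructed sample (not from the original page) matching the tutorial's VLAN plan.
SAMPLE = """\
auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp1s0
    bridge-vlan-aware yes
    bridge-vids 10 20 30

auto vmbr0.10
iface vmbr0.10 inet static
    address 10.1.10.2/24
"""

def parse_stanzas(text):
    """Return {interface: {option: value}} for every 'iface' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key == "iface":
            current = stanzas.setdefault(value.split()[0], {})
        elif key in ("auto", "allow-hotplug", "source"):
            current = None  # these keywords end the current stanza
        elif current is not None:
            current[key] = value
    return stanzas

def expand_vids(spec):
    """Expand a bridge-vids value such as '10 20 30' or '2-4094' into a set."""
    bounds = (part.partition("-") for part in spec.split())
    return {v for low, _, high in bounds for v in range(int(low), int(high or low) + 1)}

def audit_bridge(text, bridge, planned):
    """Return findings where the bridge's allowed VLAN IDs differ from the plan."""
    opts = parse_stanzas(text).get(bridge, {})
    if opts.get("bridge-vlan-aware") != "yes":
        return [f"{bridge}: bridge-vlan-aware is not set to yes"]
    allowed = expand_vids(opts.get("bridge-vids", ""))
    findings = []
    if planned - allowed:
        findings.append(f"{bridge}: planned VLANs not allowed: {sorted(planned - allowed)}")
    if allowed - planned:
        findings.append(f"{bridge}: {len(allowed - planned)} unplanned VLAN IDs allowed")
    return findings

print(audit_bridge(SAMPLE, "vmbr0", {10, 20, 30}) or "vmbr0 matches the VLAN plan")
```

On the host, pass the contents of /etc/network/interfaces instead of SAMPLE; an empty list means the trunk carries exactly the planned VLANs.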

Configure the switch port

Your Proxmox host connects to a managed switch. Configure the switch port as a trunk, tagging all VLANs you plan to use. Without matching tags on the switch, frames carrying VLAN IDs will be dropped (virtualizationhowto.com). Access ports on the switch should be set to the appropriate VLAN for devices that don’t tag frames (like a laptop on VLAN 20).

Installing pfSense on Proxmox

pfSense will act as your virtual router, receiving tagged traffic from vmbr0 and routing between VLANs and the internet. Upload the pfSense ISO to Proxmox, create a VM using the ISO with the q35 machine type and VirtIO drivers (docs.netgate.com), and allocate around 2 vCPUs and 2–4 GB RAM. Add two network devices: one WAN interface attached to the untagged VLAN (the native network) and one LAN/trunk interface attached to vmbr0 so pfSense sees the VLAN tags. Boot the VM, skip VLAN assignment by typing n and assign vtnet0 to WAN and vtnet1 to LAN (docs.netgate.com). After installation, disable hardware checksum offload under System → Advanced → Networking (docs.netgate.com). You can then browse to pfSense’s web interface at 192.168.1.1 and run the setup wizard.

Creating VLANs in pfSense

In pfSense, each VLAN is treated like a separate interface with its own IP and DHCP scope. Open Interfaces → Assignments → VLANs and add a VLAN for each network by selecting the LAN/trunk interface (vtnet1), entering the VLAN tag (e.g., 10 or 20) and giving it a description (docs.netgate.com). After adding your VLANs, return to Interface Assignments and assign each VLAN from the Available Ports list (docs.netgate.com); this creates OPT interfaces. Enable each interface, name it (e.g., LAN10_MGMT), assign a static IP (10.1.10.1/24 for VLAN 10, 10.1.20.1/24 for VLAN 20) and optionally enable DHCP. pfSense will now route traffic between VLANs, but inter‑VLAN traffic is blocked by default. To allow communication, add firewall rules under Firewall → Rules on each interface: create a pass rule that allows traffic from the network to any destination. You can refine these rules later to restrict IoT devices or servers from accessing management networks (virtualizationhowto.com).
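A small model of how rule order on an interface decides the inter-VLAN result, added here as an example and not taken from the original page or from pfSense itself. It assumes top-down, first-match evaluation with an implicit default deny; the IoT subnet 10.1.30.0/24, the rule lists and the function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Subnets follow the tutorial's plan; 10.1.30.0/24 for VLAN 30 is an assumption.
MGMT, SERVERS, IOT = map(ip_network, ("10.1.10.0/24", "10.1.20.0/24", "10.1.30.0/24"))
ANY = ip_network("0.0.0.0/0")

# Constructed rule lists for a hypothetical IoT interface, top rule first:
# (action, source, destination).
PERMISSIVE = [("pass", IOT, ANY)]                       # the broad starting rule
REFINED = [("block", IOT, MGMT), ("block", IOT, SERVERS), ("pass", IOT, ANY)]
MISORDERED = [("pass", IOT, ANY), ("block", IOT, MGMT)]  # block placed too late

def evaluate(rules, src, dst):
    """Decide a new connection entering the interface: first matching rule wins.

    Reply traffic for an allowed connection is not modelled here.
    """
    src, dst = ip_address(src), ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if src in rule_src and dst in rule_dst:
            return action
    return "block"  # nothing matched: default deny

def shadowed(rules):
    """Return indexes of rules that never match because an earlier rule covers them."""
    hidden = []
    for i, (_, src, dst) in enumerate(rules):
        if any(src.subnet_of(s) and dst.subnet_of(d) for _, s, d in rules[:i]):
            hidden.append(i)
    return hidden

if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("refined", REFINED),
                        ("misordered", MISORDERED)):
        # An IoT host trying to reach the management gateway.
        print(name, evaluate(rules, "10.1.30.50", "10.1.10.1"), shadowed(rules))
```

The misordered list shows why a block rule added below the broad pass rule changes nothing: the pass rule matches first, so the block rule is reported as shadowed.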

Connecting Virtual Machines to VLANs

When you create virtual machines for your homelab, their network interfaces need VLAN tags so they attach to the correct subnet. Proxmox exposes a VLAN Tag field when adding a NIC to a VM. For example, to place a web server on VLAN 20:

  1. In the VM’s Hardware tab, click Add → Network Device.

  2. Choose Bridge: vmbr0 and set VLAN Tag: 20. Keep the model as VirtIO.

  3. Boot the VM and set its IP (or let pfSense’s DHCP hand one out). The server will now be on the 10.1.20.0/24 network and pfSense will route its traffic through the VLAN‑aware bridge (virtualizationhowto.com).

Repeat the process for other VMs, assigning the appropriate VLAN tag. Ensure the switch port remains a trunk so all VLANs reach the host (virtualizationhowto.com).

Testing and Conclusion

At this point your homelab networking stack is fully virtualized and segmented. You’ve enabled VLAN tagging on Proxmox, configured the Linux bridge to accept multiple VLANs, and created VLAN subinterfaces for management. pfSense runs as a VM with a trunk port, and you created VLAN interfaces inside pfSense for each subnet (docs.netgate.com). Firewall rules now allow or restrict traffic between those networks.

To test the setup:

  1. Spin up a new VM, attach its NIC to vmbr0 and tag it for VLAN 20. Confirm it receives a 10.1.20.x address from pfSense’s DHCP.

  2. Ping pfSense’s gateway (e.g., 10.1.20.1) and verify connectivity. Then ping another VLAN gateway (e.g., 10.1.10.1) to test inter‑VLAN routing—this should succeed or fail depending on your firewall rules.

  3. Access the internet from the VM to ensure pfSense is correctly routing outbound traffic through the WAN interface.

By combining Proxmox with pfSense and VLANs, you’ve created an efficient homelab using a single NIC. This setup mirrors enterprise network design—segmented, secure and highly flexible. You can easily add more VLANs, services or even VPNs without adding more physical hardware. Enjoy exploring your new homelab!


© 2025 PacketDegree. All rights reserved.