Virtualized pfsense - how does ip of host and VM relate?

Hello All.
I’m switching my current ISP so that I can go from a lousy 50Mbit to 600Mbit speed (working from home on 50Mbit just doesn’t cut it). With the upgrade in internet speed I decided to get into the whole homelabing business - get a proper rack, some server equipment, install xcp-ng, virtualize pfsense, split my network into a couple of vlans etc.

Sadly, I’m a complete novice when it comes to networking and virualizing, so I will definitely have a lot of basic questions (that’s the main reason to having a home lab - to learn as I go).

The first thing I would like to ask is this:
During the instalation of xcp-ng I am prompted to specify a static IP or use DHCP (machine is a Dell R210II with additional 4-port intel nic). Since this xcp-ng instance will be running only pfsense and xen-orchestra and will be the router for my whole LAN it seems obvious to me that xcp-ng should have a static IP. But how does the IP set for xcp-ng relate to the IP adress of the virtualized Pfsense that will be installed later? I know that I need one port on the NIC for WAN and another for LAN and that I will need to somehow map those physical ports to the virtualized pfsense machine (bridging is the correct term to use here i guess?) , but if I assign - for example to xcp-ng, will pfsense also be available on the same address but just on a different port? Or Will I need to assign an additional IP address to pfsense later and xcp-ng will be accessible on and pfsense on whatever other IP address I set?

Also - if additional info is needed, to my best knowledge I will be getting a fiber connection to the house, which will be terminated with a GPON, from which i will have a standard RJ-45 connection to the router (above described xcp-ng box). The ISP uses 3 separate vlans on their side for providing internet, tv and phone and I will be getting a static public ip from them

Sorry for the long post and thank you in advance for your support :slight_smile:

Physically, your pfSense will live on the virtualization host, but logically, you can think of it as a standalone, individual server. What goes for “bare-metal” machines goes for virtual machines as well: No two machines in the same network should (under normal circumstances) have the same IP address. Therefore, your pfSense will have a different IP than your xcp-ng server. And yes, a static IP makes sense because you want to be able to connect to it even the pfSense VM is down.

In fact, since pfSense is your router, it will have multiple IP addresses - one for each network. It must be reachable from within each network so that it can function as the gateway for that network. The xcp-ng host will not need to have an IP address in all of these networks, it is enough to have one. For example, often times there will be a dedicated management network that servers, switches, APs, etc are in.

Virtualization software always has switch functionality built in as well (“virtual switch”). It can have ports connected to the phsyical ports on the physical NIC and to the virtual NICs of the VMs. That way, you can bridge the physical ports to interfaces on a VM if desired.

That said, you could totally use one physical port for one network each, e.g. WAN and one LAN. But when you only have two physical ports, how would you get networks other than these two in and out of the virtual switch (say, a IoT net or a guest net)? I think a more useful thing to do is to aggregate these two ports into a higher capacity link and trunk all networks as VLANs on this link.

That explains it all - thank you very much Paolo :slight_smile: