• I have a problem with bridged modem connecting to pfsense

    9
    0 Votes
    9 Posts
    1k Views
    B

    @johnpoz:

    Yes or you need to use vlan to break them out - you have 3 port groups on the same vswitch0.. Unless you create tags for these port groups or set them to 4095 and set the tags before the traffic hits the pfsense you have placed all of those networks on the same layer 2.

    I have moved away from esxi.. Just recently wiped that box.. I have hardware pfsense now and just running the few VMs I need on my synology nas.

    You can do it with port groups on the same vswitch if you set the tags correctly on your physical network.  But it's a more complex setup.

    He is right. Unless you are really good with esxi just make different vswitches.

    1. Leave your vmk on vswitch0 (this is for mgmt)
    2. Make a new vswitch, call it WAN, assign a NIC to it and make a port group called WAN.
    3. Make a new vswitch, call it LAN and assign it a NIC, make new port group called LAN.
    4. Plug your modem into the WAN NIC, plug your inside switch or whatever into the LAN NIC, and you're good.

    I had to restart my modem for the WAN interface to pull a public IP, once it does I've never had a problem since (including using ipv6 if your ISP supports this)

  • 0 Votes
    1 Posts
    486 Views
    No one has replied
  • PfSense does not connect with ip from lan using VirtualBox

    1
    0 Votes
    1 Posts
    437 Views
    No one has replied
  • In Hyper-v none of my NIC port can get wan ip

    7
    0 Votes
    7 Posts
    2k Views
    provelsP

    Only replying because I had a (possibly) similar problem recently.  Maybe it will help a Googler from the future…

    I had pfSense 2.4.3 64-bit running in a 2012R2 VM just fine, but then the Meltdown/Spectre exploits were announced, so I reverted to my old 32-bit Via hardware box.  I decided to give the VM another shot, but when I booted it up it would occasionally get a WAN IP (but mostly not) but no Internet.  After much hair-pulling, including rebuilding and restoring several times, I disconnected the WAN vSwitch and deleted/recreated it.  Got a WAN IP, no issue.  Then I faced a strange problem that I could not get Internet access from my 2 wireless access points (on the same net as the wired).  I was unable to resolve any DNS addresses from devices behind the wireless, even though I could ping through the pfSense (to, say, www.google.com) by IP.  Nothing in the Unbound logs (Forwarder did not work either).  I could RDP to another wired box across the wireless, and get Internet fine.  Ended up disconnecting the LAN vSwitch from all my VMs and deleted/recreated it as well.

    All fine now.  Bits, gotta love 'em...  ::)

    Hope this saves someone some grief.

  • Questions about Proxmox pfsense installation regarding the network.

    1
    0 Votes
    1 Posts
    458 Views
    No one has replied
  • How to access WebGui in Vmware Esxi

    2
    0 Votes
    2 Posts
    666 Views
    KOMK

    By default, you can only access WebGUI from LAN.

    https://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN

  • PfSense configuration for a virtualized security lab

    8
    0 Votes
    8 Posts
    2k Views
    M

    @MrTiberius:

    Hey guys,

    I am setting up a virtual security lab environment as part of a senior project at my school using a VMware esxi host (mostly managed via vcenter).

    Currently, I have three separate networks I am configuring, a LAN network, a DMZ network, and an external network (this one is outside the firewall and internet facing). The idea is to have students on the external network use Kali Linux VMs to attempt to penetrate the two internal networks (DMZ & LAN).

    There would be a second group of students on the inside of the network, monitoring traffic on the firewall as well as hardening and maintaining the internal servers. The internal networks are made up of a mix of windows and Linux servers.

    I was wondering what would potentially be the steps to configure the firewall for this type of environment? Also I have limited experience with pfSense and was wondering if this could also function as a router?

    I have also attached a diagram of the lab environment.

    Ok, some more feedback.
    I have been playing with this on my own lab and came to some conclusions. I haven't tested NAT yet so nothing there yet.
    If your networks are composed of just one IP subnet per color then you have a lot less work. The routing will be setup automatically.  Automatic outbound NAT rules as well.
    The firewall management will be activated on the lan interface so assign interfaces and then only configure the LAN interface's IP address. This will give you access to the webconfigurator (it will show you the ip you can connect to). It will ask you if you want to convert the protocol to http. Don't, https is better for security reasons.
    Connect on the webconfigurator and go through the wizard. At this point you will probably need to configure the rest of the interfaces ip addresses. If internet access is indeed on the red side, then the next hop on that path should be your default gateway, configured on the WAN interface (red) and on the same ip subnet.
    Routing should now work between the different ip segments connected to the firewall interfaces. But to access services you need to configure firewall rules.
    From what I figured through testing you need to configure floating rules. Make things as specific as possible (use the any option as little as possible).
    Monitor the firewall logs (provided you checked the logging option in the rules) to see what is passed and what is dropped. The logs are under status->system logs->firewall
    In case you need more complex static routing, check what you currently have in Diagnostics->Routes, and then add more if necessary in system->Routing.
    If you can configure the firewall's own internet access correctly, you can check for available packages (addons). These include a lot you may find useful such as snort, ospf routing, ntopng, etc.
    Let me know if you need any specific help.

  • 0 Votes
    5 Posts
    1k Views
    B

    We run multiple sites using pfSense clusters all done in ESXi. Works great.

  • Pfsense vmware box - Lan interface not recognized.

    4
    0 Votes
    4 Posts
    1k Views
    M

    No reason whatsoever to use esxi in your case. You will lose a lot of functionality and the only thing you'll get is a built in representation of the virtual networking which you will still have great difficulty in understanding. Unless you are in a corporate environment and need a dedicated machine (let me say that again: dedicated) for your server virtualization, stick to workstation and the virtual network editor.

  • ESXi 6.5.0 Guest OS errors…

    47
    0 Votes
    47 Posts
    17k Views
    jimpJ

    FYI- The errors go away with ESX 6.7 and VM version 14 set for "FreeBSD 11 (64-bit)".

    So maybe the tools got a little bit ahead of themselves.

  • VM pfSense behind a Hardware pfSense port forwarding not working

    7
    0 Votes
    7 Posts
    845 Views
    V

    Your physical pfSense must know that the 172.16.10.x networks are behind 10.0.0.10, otherwise it will direct traffic to these networks to its default gateway.

    So you have to add static routes for the 172.16.10.x networks and set 10.0.0.10 as gateway. That can be done in System > Routing.
    On the Gateways tab add 10.0.0.10 as gateway on the LAN interface. Then go to the static routes tab and add a route for each of your 172.16.10.x networks and select the gateway you've added before. If you don't have other subnets in that range you may also conflate all subnets in 172.16.0.0/19.

  • 0 Votes
    3 Posts
    689 Views
    M

    The OVA appliance comes already with open-vm-tools installed, but no joy. I can't get VMXNET3 to show under interfaces

  • [Solved] - Drive errors when installing pfSense as a VM under ESXi 6.5

    6
    0 Votes
    6 Posts
    972 Views
    KOMK

    There should be no difference in hardware support, regardless of license level.

  • Pfsense on VMware Workstation 14 and VLAN

    3
    0 Votes
    3 Posts
    3k Views
    T

    Thanks Marv21, that works

  • Poor performance gigabit at home

    10
    0 Votes
    10 Posts
    1k Views
    johnpozJ

    You're not the OP… Are you... You're saying you're running the same hardware as him without any issues?  I doubt that to be honest since the board he mentions supports at max 64GB of ram..  And you're stating you have over 100..

    It's quite possible his box just can not push gig while yours can..  Ram not really the limiting factor here anyway.

  • PFSense on Esxi Host Shutsdown

    2
    0 Votes
    2 Posts
    510 Views
    KOMK

    I've been running pfSense on ESXi for many years and I've never seen anything like that.  Perhaps the ESXi host is rebooting and you have it configured to do a guest shutdown on your VMs?

  • VMware cpu usage showing much higher than pfsense

    2
    0 Votes
    2 Posts
    885 Views
    B

    That's somewhat similar to what I'm seeing and I'm using Xeon cores. When I'm going full gig from my LAN to WAN I sit around 10-15% CPU usage. You using an i3 would be a bit higher.

    Just part of virtualizing routers/firewalls. You figure they have to handle every single packet that passes through its interfaces.

  • PfSense and ESXI WAN

    3
    0 Votes
    3 Posts
    872 Views
    A

    Hello,
    The machine has one nic up and the first IP is assigned to that nic. I am not sure where the second IP is assigned but the following is the detailed network info for the vmnic1 adapter:

  • Traceroute Doesn't Leave vSwitch - Pfsense Directly Routed?

    4
    0 Votes
    4 Posts
    682 Views
    Z

    Makes sense.

    I'm an amateur to most of this, so my thought process was "if my VM (ubuntu) is compromised and someone directs its default gateway from 172.16.100.1 (physical router) to 172.16.100.2 (my pfsense), they now have some way to access my pfsense management interface." I was hoping to have my physical router do the vlan packet inspection and drop the packets that aren't generated from a certain vlan for no other reason than the router is built to be a very low resource/efficient router.

    I thought my vsphere config would cause all traffic to route to the physical router due to a separation of vlan, but that doesn't seem to be the case.

  • PFSense VM, WAN LAN & OPT1

    7
    0 Votes
    7 Posts
    1k Views
    I

    Good info, thanks. Gives me some direction. Still a lot to learn. I appreciate the help.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.