@GomezAddams:

For your situation, since you will have Server 2012 anyway, you might as well install it on the hardware, then make pfsense and freenas Hyper-V virtuals. Caveat: I've never tried to install the Hyper-V role on a DC. I assume that's possible, but you'd want to verify.

I don't know how Server 2012 is going to look long term, but I know some of our Server 2008 R2 installs are taking large amounts of disk because of an ever growing c:\Windows\sxs folder. I predict that you'll outgrow that 60GB disk pretty quickly.

I've been running Server 2012 R2 for almost two years on a 30GB partition to service my home network and have around 8GB free. Bulk storage such as backups and WSUS repositories can go on the FreeNAS storage. 60GB isn't that much but it can be managed, particularly on a smaller network.

@Snailkhan:

II want to install esxi 6.1 on ssd and install a pfsense on this in a VM. Besides I will also install Windows server 2012 r2 and promote it to domain controller.. It will do dhcp and dns in my network. And pfsense will use it for radius or ldap (squid /openvpn/ wireless controller 802.1x)

Have you considered running radius on Server 2012? If you have NAP installed together with Active Directory Certificate Services then that can integrate 802.1x authentication with your domain login, as well as automated certificate enrolment and renewal for your domain joined computers. Each has its advantages and disadvantages.

Upgrades take no time at all, and you can always roll back to a snapshot (take a snapshot!) if it has any issues.

@johnpoz:

"on both VSwith I've created a vmkern so I can reach the host if the first vswich goes down"

If your vswitch goes down???  Never heard of such a thing..

–I've heard such things, and I don't see what wrong could it be if the ESXI has two Management interface on two different VSwitch.
this the way we configured the ESXI.
"do you mean I have to create a portgroup for each VLAN ?"

dude you need to create your vlans on pfsense assign those vlans to the vnic that is connected to the vswitch that is connected to your physical nick that is in trunk or tagging mode so that the vlan information is kept and you need to set your vswitch to 4095

---this exactly what I did as showed on the previous screenshot, have you seen them ?

This takes all of 2 seconds to setup..  Not sure what your doing wrong - but the fact that you created multiple vmkerns seems like your setup is a mess..  As to your nics in team mode - what attached you never show anything about how your nics are setup.  And how are the switch ports configured that connect to those - are they in a lagg, port group, etherchannel??  What is the switch your dealing with?
--I've showed on the previsouly post a screenshots how the NICS are attached. probably you didn't look to the post. i'll upload it again. ( see attached )

I don't understand why your creating more than 1 port group on the vswitch either..  Is that port group set to 4095?  Since you have tagged physical nics connected to it??

--- see attached thank you

[Screen Shot 2016-01-20 at 5.55.43 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-20 at 5.55.43 PM.png)
[Screen Shot 2016-01-20 at 5.55.57 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-20 at 5.55.57 PM.png)

The span port used to have a siem there, but it has since been removed, and now the SPAN has been removed.
I'm SPANNING on the physical switch to mirror all the WAN traffic to the SIEM so that part can be removed now.

At the moment, VLAN isnt really doing much as i am just starting to set it up, but not sure if im better off just subnetting for now and look a VLANNing in the future if the network gets a bit more busy.
Or have the DMZ and use the VLAN to seperate it out more in there, so i can have a DMZ with a VLAN for honeypots, a VLAN for XXX and a VLAN for XXX all in the DMZ zone.

Install a vcenter server and run it in eval mode. Remove the free license from your ESXi server so that you have full features for 30 days. Add it to your vcenter. Do storage migration. Remove ESXi server from vcenter, add free license back, decommission temp vcenter server.

Easy, if not trivial.

That's the only way (that I know of) to get a zero downtime storage migration.

Without vcenter, the next best option for low downtime is to use something like ghettoVCB to create a snapshot and copy the vmdk to the new location. Create the new virtual using the copied disk, power down the old virtual, and bring up the new. Probably less than a minute of downtime.

@johnpoz:

what??  So this wan network that your pfsense sees via this connection to the dmz switch??  Is this a private network..

Yes and no, it is a separate physical 16-port switch that connects our main pFsense router and also a sub-vendor of ours to have its own public IPs to their routers as well. So its a switch for WAN distribution to multiple routers more or less.

So your esxi host has this 1 gig physical connection, and your 2 different isp are via vlans?  And your trunking to esxi?

Its connected via a physical 1 Gig connection from the eski host to the WAN switch I should call it, not really a DMZ in the normal sense. No vlans on this switch.

As to not setting up an IP, but just gateways??  How the F would that work??

I would assume not assigning an IP on the interface page and then adding the two ISP gateways under System/Routing/Gateways and assigning the single WAN interface to both? I'm not a networking or pFsense Guru by any means, just looking on how to properly configure/reconfigure this from the old IT person.

@soccer08:

Another quick question for everyone:

Probably best to start another topic/post if you want to attract responses regarding CARP vs. Hyper-V and 2 LAN.

@gjaltemba:

Freebsd 10 needs esxi 5.5 u2 Build 2068190 or better.

Updating to 5.5 U3 seems to have cleared up the vast majority of the dropped packets. Only lost 1 in almost 4 days. Thanks for the help!

I agree with kesawi's assessment. The only thing I would add is that you could save one switch port (and one host NIC interface) by having the vswitch that NIC2 is part of shared with the host instead of forcing traffic between the host and your VMs to go through your physical switch.

What a great thread, I hope to setup a pfsense system one day and i will probably just over build and go with a hypervisor setup like you have done here.

I will perform some similar tests but will probably only report if there are differences to your findings.

Will be my first time messing with CentOS, I will probably start with esxi and hyper-v as those are what i am most familiar with.

By default, you can't access WebGUI from WAN.  Create a small VM on LAN and then access the WebGUI from that.

@Mats:

@JBNixx:

Where are you living? In Scandinavia somehwere as maybe the forum name might suggest? Shame about the lightening.

Bulls-eye :)
Middle of sweden. I got about 5 KM of phone-line runing on an aerial line so it's hit by lightning a couple of times each year.

Ah what a shame, ah well.

Shouldn't derail this thread anymore :)

Good talking to you.

Default gateway: 192.168.8.1
But I can't get out to the internet from my server 2008

Well your pfsense is "LAN- LE0- 192.168.8.20"  What is this gateway 8.1 your pointing too?

I'm sorry, it was the netmask on the proxmox set up, not in pfsense.  I thought that part at the screen REAL HARD, but it didn't make it for some reason.

lol

I'm not sure what you mean by:

the two physicals NICS on the virtual switch where the VLAN 20 and trunk port are connected to the port 2,3 on the physical switch.

@heper:

@GomezAddams:

Don't bring your VLANs into the virtual machine. Create a virtual NIC for each VLAN and let the vswitch handle the VLAN tagging.

Why?

Usually performs better because the host takes advantage of hardware VLAN offloading on the NICs.

if the load can handle it, there is no difference in the real world.

It's more about bad loads and licences today.

MS allows two cpu:s and unlimited cores on many products so even if i have four cpu:s with 8 cores each i can create a virtual machine with two cpu/12 cores each and run it on one license

You can edit the textfile that contains the VM config. There are more NICs in there, but disabled, so you can overwrite that. You can also mess up your VM config very much, so keep a backup of the original ready.