It is very possible.
There are many ways to attack this.
You can use the managed switch VLAN capabilities to create networks that cannot speak to each other.
You can use the pfsense Firewall Rules TAB to accomplish the same thing.
Pfsense can be used as a DHCP for the internal network it can also act as a DNS

With pfsense alone you can make the firewall rules where no device can touch the internal network and vice versa. You can also make a rule in pfsense to not access the adsl router for the exception of one machine or subnet(usually an internal LAN) etc,..

With pfsense you can make VLAN with Tags on them and you can then use the managed switch to distribute the tags to the correct networks.

All possible with your setup and more.

Can you post your setup. I tried this and failed badly. I have one pc that runs win7 and run vm wrkst 11 on it that has pfsense as host installed on it.
I have intel Pro server dual nic and chose bridge on both vmware nics but I could not get comcast ip in pfsense. My win7 pc would get the ip.
I got it once but then i couldn't access the web interface of pfsense. My plan is also to browse the web and use this win7 box as pc on lan but behind firewall.

The link btw only addresses accessing pfsense but not setting it up as firewall as there is no two nics and Nat won't work for wan ip.

@stanj:

I have a general setup and usage question for vSphere 6.0 for a test system we are working on in a lab.

Not being familiar with pfsense, I thought this would be the place to start.

In vCenter, in the networking, we have two vSwitch’s that are not connected to physical nics.
In vSwitch1, we have VMs set up with addressees  in 10.60.117.1/24 and in vSwitch2, addressees  in 10.60.115.1/24.

We need to allow access between the VMs.

What are the steps required in loading pfsense and setting up routing  to allow the interaction between the VMs?

Thanks

Just create a virtual with three vnics - one attached to each virtual switch and one not connected. Install pfsense on the virtual. Configure pfsense's LAN interface on the vnic that connects to the 10.60.117.0/24 network, and connect the OPT interface to the 10.60.115.0/24 network. Create rules accordingly. Connect the WAN interface to the unconnected vnic.

If you just want routing between the two networks (no rules and no NAT), you might find a plain linux virtual easier to deal with.

Alright :D

This took long time to fix that problem…
Thank you, anyway. You helped me ;)

@heper:

i guess it is because the virtualmachine can't know the overhead the hypervisor gets.

this is true in every OS you run in a virtual machine. the type of OS will generate different amounts  of overhead, depending on task its doing.

First of all, thanks for your reply, what you're saying makes sense. I thought that passing-through NICs would minimize the overhead, but if you're right - then I have 50% of overhead. This doesn't sound right to me, but I'm not an expert :) Do you have any ideas why pfSense shows that the current frequency is 412 MHz?

I was running 2.2.6 on my bare metal install and ran a full system backup using /etc/rc.create_full_backup. I then did a new install into my hyper-v VM using pfSense-LiveCD-2.2.6-RELEASE-amd64.iso.gz and restored using /etc/rc.restore_full_backup so that I would have all my logs, settings, etc from the bare metal installation. I then recreated the VLANs and reassigned the interfaces from the console.

Once I detected the high CPU load I created a separate clean VM install from scratch using pfSense-LiveCD-2.2.6-RELEASE-amd64.iso.gz creating just a LAN and WAN interface and not changing any other settings. I then ran some iperf tests using both other test VMs and external PCs. Still had high CPU load.

I currently have around 40MBps load on my WAN and the CPU usage is sitting at 24%. I note Microsoft indicates TCP Segmentation and Checksum Offloads aren't supported by FreeBSD 10.1 in Hyper-V, so I don't know whether this makes a difference (https://technet.microsoft.com/en-au/library/dn848318.aspx).

I know its also not technically relevant, but for anyone looking at using vmware workstation in the future should be aware of this: http://blog.chipx86.com/2016/01/26/a-tribute-to-vmware-workstation-fusion-and-hosted-ui/

@SnowGhost:

This is your problem.
This will only allow VMs to talk to each other.  The VMs can't talk to the host or other clients on other switches.

Set it to external.

You are not talking about the same thing.  I say "private" in response to DDennisS, referring to Windows NLA, which has three options: private, public, and domain.  I believe you are talking about virtual switches, which are either external, internal, or private.  Obviously my virtual switch settings are external, otherwise I wouldn't have any connection to other devices like my cable modem or switch.

Dude what nics (network adapters and type?) did you assign to pfsense so it has something to setup???

See pfsense vm has 4 adapters given to it… See the one in the dmz it has no physical nic tied to the real world.. Still works..

Also why do you have 2 vmkerns??  If you can get to console of pfsense... What does it show for your nics if you do ifconfig ??

networkadapters.png
networkadapters.png_thumb

That'd be em0 (zero) not "emo". Your interfaces aren't cutting themselves and writing dark poetry.  :D

The 'a' is really only applicable to physical hardware where you can unplug and replug the NICs to identify them.

OK, thank you for the investigation. I have to sniff the packets exchanged beetween the firewall and the client machine. I will come back to you soon with the trace.

Thanx again.

@BillBraskey:

Hahaha, I knew the UPS issue would come up.

With all due respect - I would never run a hypervisor without a UPS (if my time is worth something to me)

According to your post you had these problems more than once. May I suggest you look for an embedded install where the file system is usually mounted read-only and more robust to power outages.

Yes you are right. I should have mentioned that the measurement was between two VLANs.
Now the problems are gone and I'm happy with my pfsense :)
Thank you again to bring me to the right way!

As a note of caution, make sure that in the Virtual Switch Manager for the Internet (WAN) connected NIC that you do NOT check the "Allow management operating system to share this network adapter".  This could also be part of the issue too in that it's not making it "in" to Pfsense because the host has an IP address and connectivity on that VirSwitch.

Thanks, and I don't quite understand your reply.

Set the default VLAN to 1 and then not use it.  So at the moment the whole network before I started with VLANs was using the default of 1.  PFSense was set up with all the rules on the LAN interface.

What I think you are suggesting is that I create a new VLAN, move all the ports on the switch to that VLAN (effectively not using VLAN1) add that to pfsense and change all the firewall rules and DHCP server to match the new interface created on the new VLAN.

The server is connected to port 48 because it is a guest in the ESXi system, hence using the same physical card as pfsense on the LAN - thus it will be untagged when it leaves the NIC.  This is where the switch is suppose to tag with the default ID (for that port) when an untagged packet arrives - so I am led to believe.

Thanks a lot! I'll try to get that to work with Xenserver.

Create another lightweight VM on your LAN intnet and use that to access the firewall's admin page.  You can't get there from WAN.

@afloria:

Problem fixed: Upgrade Proxmox to new Version: 4.1 … due to newer virtio driver. Pfsense cannot good with old one.

Can I ask what type of throughput you are seeing now, and at what CPU loads?