nth that. (oh hi danswartz, Zarathustra[h] here from over at the [h]) pfSense "just works" for me in ESXi.  Currently on 5.5U2, but been using it since the original 5.0 release. The web interface has a simple installer for the Open-VM-Tools package. Some people cringe at the thought of having a guest be your firewall, due to potentially added vulnerabilities, but I think that risk is relatively minor. Even so, I have direct I/O forwarded a dual port intel NIC to my pfSense guest, to further minimize the risk of exposing the VMWare virtual network.  (It also improved latencies a tiny bit)

Good luck.

Why do you need a physical nic to connect VMs?  think of your vswitch as just a normal switch with the physical nic just being a connection to the real world switch. All your VMs can talk as long as they are connected to the same vswitch, or if there is a router connected between the vswitches - pfsense with a  vnic in connected to each switch.  As long as one of the legs as tied to real world with physical nic, then even the physical world can connect to the virtual connected only vms via pfsense. I wouldn't worry too much about the discovered IP ranges.  Kind of a useless feature if you ask me ;)  But it determines it by broadcast http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006744 If you don't have cdp or llmr switch you could do this to get it set how you want it to your network,  etc.. http://sostechblog.com/2012/08/13/vsphere5-setting-the-observed-ip-range/ So back to your physical nic - do you have boxes that you want in this DMZ that are physical?  If not then why do have physical nic on that vswitch?  See my w7 box there in my dmz.. I can ping it from my lan segment from a physical machine C:\>ipconfig                                                            Windows IP Configuration                                                Ethernet adapter Local:                                                  Connection-specific DNS Suffix  . :                                    IPv4 Address. . . . . . . . . . . : 192.168.1.100                      Subnet Mask . . . . . . . . . . . : 255.255.255.0                      Default Gateway . . . . . . . . . : 192.168.1.253                    C:\>ping w7x64-vm                                                      Pinging w7x64-vm.local.lan [192.168.3.206] with 32 bytes of data:      Reply from 192.168.3.206: bytes=32 time=1ms TTL=127                    Reply from 192.168.3.206: bytes=32 time=6ms TTL=127                    Reply from 192.168.3.206: bytes=32 time<1ms TTL=127                    Reply from 192.168.3.206: bytes=32 time=1ms TTL=127                    Ping statistics for 192.168.3.206:                                          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),                Approximate round trip times in milli-seconds:                              Minimum = 0ms, Maximum = 6ms, Average = 2ms                        C:\>tracert w7x64-vm Tracing route to w7x64-vm.local.lan [192.168.3.206] over a maximum of 30 hops:   1    <1 ms    <1 ms    <1 ms  pfsense.local.lan [192.168.1.253]   2    <1 ms    <1 ms    <1 ms  W7X64-VM.local.lan [192.168.3.206] And it can talk to the internet - but it can not talk to my other segments because I have that blocked. If you don't have a need for a physical devices to be on a specific segment you don't need a physical nic on it.  Which you could then prob put lan on its own vs sharing with your vmkern

If you're not going to go with a Type 1 hypervisor then you're stuck with a Windows or Linux host directly connected, which is bad unless you have experience hardening Windows/Linux servers for the Internet.  You can go with the option kejianshi suggested and put two boxes in serial, WAN <-> pfSense <-> LAN <-> Custom Server.  However, if you've only got the one router with no redundancy then no matter what someone does to it, you're hosed regardless of whether it's hosted on a Type 1 or physically installed.  Going with small PCs also has the hassle of failing fans and hard disks to maintain which can bring the house down when they fail.  It's going to be a challenge to get high availability on that budget.

check this: The "Realtek PCIe GBE Family Controller" NIC can be configured to not strip the vlan tags, by going to the Adapter Settings and setting "Priority & VLAN" to "Priority & VLAN disabled"

Do you have virtual switch in hyper-v? You have to assign static address in virtualPfSense, within same network, your LAN is configured. pfSense 192.168.1.1 Hyper-v 192.168.1.2 pfSenseVirtual 192.168.1.3 If you want more specifig answer you have to describe you network more specific (vlans etc).

t1.micro isn't going to happen, Amazon won't let it.

May be you should try virtio drivers instead of sr-iov?

Thank you very much.  Just after I posted this, I found instructions telling me to run setenv PACKAGESITE ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.3-release/Latest/ at which point I followed the instructions on the original instructions and everything installed.  Thank you very much for the answer! /random when i rebooted, I'd told vmware to conenct my VMXNET3 adaptors, and to NOT connect my E1000 adaptors - instead it connected the E1000, so I shut down, removed the E1000's, and booted back up with JUST the vmxnet3's connected and it worked.  in case anyone else tries to do what I did and hedge their bets by having both adaptor types installed at the same time :)

I've been using a few hundreds at a time. Managing/creating these was the biggest task. In the end i created an excelsheet in openoffice, exported it to csv, parsed it with a shellscript and generated the parts of the config i needed. After that i didn't bother with the GUI anymore because it wasn't really useable anymore, but always edited the config directly. But then, this was on a quilte old version. Not sure how the GUI behaves today in such a setup.

@KOM: As a workaround, you could create a second larger vdk and then using cloning utility to copy the logical sectors from your old disk to the new disk.  I haven't tried it, but it may be an easier solution if you happen to have a copy of Acronis (or equivalent) laying around. "problem" is only that it must support UFS filesystems… For instance www.gparted.org ISO image has no such support (it can only copy/move but no resize and in my case he also didn't recognize the created partition table by pfSense) ;) => therefore my suggestion for this option. Myself I have tested the mentioned solution in my first post successfully. It's only a "nice to have" as common task for all pfSense users.

not by itself, but can be implemented in some way. Thanks for your support. I will try to gather the informations for a bugreport.

Yeah I don't think so - when would that rule even be used.  Why would clients talk to their gateway to talk to devices on their own segment?  That rule would never see any packets.

ok, i will install it, in the future i will check in this forum if there are some news, ok? Tnx kom and BBcan177, it was a pleasure Regards Alex

The equipment I'm using as stated above is a Proliant DL360 G4p.  the highest ESXi version is can run is 4.1u3.