• PfSense and ESXi security

    0 Votes
    3 Posts
    2k Views
    KOM
    I run pfSense under ESXi 5.5 without any problems. However, if security is your top priority then I would avoid virtualizing it and instead buy an ALIX board or pfSense-ready router hardware between your ESXi boxes and your ISP's router.
  • Firewall high availability virtualization or carp?

    0 Votes
    7 Posts
    5k Views
    C
    @deagle: Another downside to VMware FT is you can only use one vCPU. Also keep in mind FT is not application aware and can't failover if something goes wrong inside the guest OS. That's another good point. Our HA will handle that, as well as other potential problems that FT may or may not detect. Like if there is a network connectivity issue on a single NIC or VLAN of the primary VM firewall, the secondary will take over. FT, and any other similar hypervisor-level HA, may have no means of detecting such issues.
  • Help on Installing Lusca cache on virtual box not working

    Locked
    0 Votes
    2 Posts
    3k Views
    C
    For the sake of anyone who finds this via the archives - Don't use that Lusca package. https://forum.pfsense.org/index.php?topic=69295.msg405783#msg405783
  • OVH Proxmox and PFSense, VM cant reach WAN interface from dummy LAN

    0 Votes
    2 Posts
    2k Views
    K
    Just solved it. Problem was a wrong Gateway. :-)
  • Which Hypervisor for pfsense? Esxi, Xenserver or Virtualbox

    0 Votes
    2 Posts
    1k Views
    BBcan177
    I don't virtualize pfsense but there seems to be more support for ESXi. I think there is also a vmware appliance prebuilt available. Check out the Download section.
  • Struggling with PfSense configuration ESXi

    0 Votes
    13 Posts
    3k Views
    johnpoz
    Sure your box has not been compromised and infected with some sort of redirect for searches and traffic? Why would you have changed over to manual nat? There is rarely a need to do this, and not suggested unless you fully understand what you're doing ;) If your install is pretty much default it should just work. What I would suggest is do a sniff (packet capture) on pfsense - say the wan and lan at the same time via tcpdump watching the traffic. Do you see your dns queries and answers for sites that are not working? Do you see the traffic come back after you do your http get to the site? Could you have some issue with using ipv6 vs ipv4? Are you using ipv6?
  • What is the better virtualization hypervisor to virtualize PFSense?

    0 Votes
    6 Posts
    4k Views
    Z
    viragomann, Indeed, it depends on what you're comfortable using and your environment. It is the old question of dedicated HW vs virtualizing, just applied to the firewall. While it is nice to have dedicated routers, it can get expensive to deploy server class HW for them. While using CARP might forgo needing to implement some redundant HW (maybe no HW RAID, no teams), setup and ongoing maintenance might be simpler when virtualizing them. If you have HA requirements for your other VMs (ie, you likely implement a cluster with a SAN), moving the firewall into the cluster is a way to better allocate your resources. Instead of having to purchase separate and dedicated HW for the firewall that might be underutilized (or become obsolete over time while the rest of your network is being upgraded), you can just virtualize it and use the same HA infrastructure you are using for the rest of your network (with the same procedures for monitoring and maintenance, rather than an exception that might break or require tweaks when there are HW changes). If using a cluster (especially with a HW SAN), IMO a hypervisor solution is far simpler and as powerful as CARP. For planned failovers, live migration solutions don't miss a beat (CARP might), and in the case of an unexpected failover, the underlying OS logic should be sufficient - and while it might take longer to spin up the replacement VM, it also has to start your other VMs (ie, the cost of a nearly instant firewall failover might be too high considering the rest of the environment is down anyway).
  • PFsense - KVM

    0 Votes
    4 Posts
    2k Views
    K
    Well, at least this is something, now I have an idea about why all this is happening. Thanks for clarifying tester :)
  • 0 Votes
    2 Posts
    2k Views
    johnpoz
    Your pfsense wan network is the same as the pfsense lan network?? That shouldn't be working at all to be honest.. if your wan network is 192.168.1.0/24 then lan should be say 192.168.2.0/24 As to connecting your lan of pfsense to your physical network.. Yeah that is how you would do it. Can you post up your esxi network.. example here is mine minus seeing the dmz vswitch which is not tied to physical network at all. So my pfsense wan is public IP from ISP, that physical interface is directly connected to cable modem. lan is 192.168.1.0/24 and connected to my physical switch and all devices on my lan that are on 192.168.1.0/24 and use pfsense vm interface at 192.168.1.253 for their gateway. wlan is connected to my wireless APs I have broken out my vmkern portgroup to be on its own switch and connected to its own physical interface - just because I had the extra physical nic to play with on the esxi box, and breaking out makes it perform a bit better when moving files to and from the datastore. This physical nic is connected to the same physical switch the lan nic is connected to. Post up your esxi networking setup and will fix you right up - but you have the same network on pfsense wan as you do lan – which is not correct to start with. [image: example-esxi.png]
  • PF-2.1 + Xenserver 6.2SP1 Network performance help

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Help configuring 2 different openvpn settings

    0 Votes
    1 Posts
    778 Views
    No one has replied
  • Any way to build pfSense2.1 i386 for XEN4 PV Paravirt mode?

    0 Votes
    14 Posts
    5k Views
    ?
    @ren22: i hope we get soon pfSense on freebsd9 or 10 running with better XEN support :D thanks I think the real strategy here is to wait until pfSense 2.2 (based on FreeBSD 10) for real Xen support.
  • Tend to be stuck at Starting NTP time client…

    0 Votes
    4 Posts
    1k Views
    O
    I really don't know what happened, but eventually, the connection surfaces. I mean, I always have an internet connection, the bug came when I upgraded to 2.1. So did not try to check as to why, I turned off the machine may for 3 days and when I restarted it it has an internet connection. But I don't know, despite of the lusca in place, the internet from its LAN is quite very slow so, I just decided to go bare metal installation. I have a problem though and I posted it as another topic.
  • DMZ Gateway

    0 Votes
    2 Posts
    1k Views
    johnpoz
    Well what IP did you put on the dmz interface in pfsense? That would be the gateway for that network normally. And normally you would block traffic from dmz to lan, not lan to dmz. dhcp can work on any segment you want it to work on - you just have to enable it and set it up on pfsense.
  • PFSense 2.1 + VMware 5.5 installation problem

    0 Votes
    2 Posts
    1k Views
    S
    Try to run the host in ACPI safe mode and then reboot and see if it stays online.
  • No WAN when upgraded to 2.1

    0 Votes
    1 Posts
    926 Views
    No one has replied
  • Hyper-V integration installed with pfSense 2.0.1

    0 Votes
    168 Posts
    175k Views
    ?
    Please see the ESF response: https://forum.pfsense.org/index.php?topic=73258.msg402614#msg402614
  • Assign Esxi a pfsense LAN address

    0 Votes
    2 Posts
    2k Views
    S
    vSwitch1 -> Properties -> Add Connection Type - VMKernel Name: Internal Management Network Use this port for Management Traffic - Tick Network Type - IP Add in dedicated info with pfsense ip as gateway. I think that is what you're looking for. I don't have a local ESXi to test on and my servers are remote in another country so can't mess around with these settings to confirm for you.
  • Linking Multiple Online.net servers via private lan

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Odd Behavior

    0 Votes
    2 Posts
    1k Views
    Z
    It sounds like you have a race condition. Something basic: did you shut down your existing non-pfsense router? It sounds like pfSense and some other device are competing, each getting a DHCP address from your ISP in turn (ie, your ISP only allows one active device at a time, the last one that renewed the IP).