In this case you want to use 1:1 NAT settings and not the Virtual IP settings.

with the Virtual IP settings you have, you're telling pfSense to respond to the global IP addresses, but there's nothing to corolate them with the internal IP addresses.
with 1:1 NAT, i believe you shouldn't need the Virtual IP settings (although you may)

Hello

After some research i found a workaround for this problem.
I want to share this if somebody else encounters my problem.

I added the following line in /boot/loader.conf
kern.hz="100"
I rebooted the machine and after that cpu usage is 10-14% from 50-60%

@mali:

I have installed Pfsense on Vmware esx server 4 with 2 Physical Nic.
(WAN) em0–-->vswitch0-----Pfsense
(LAN)  em1---->vswitch1-----Pfsense

VM1-----vswitch1
      VM2-----vswitch1
      VM3-----vswitch1
      VM4-----vswitch1

I want to Protect my 4 Virtual Machines whcih are behind Pfsense.
All 4 Virtual Machines having Public IP Address .

Pfsense (Wan) ----- 202.61.42.15

VM1 ---202.61.42.18
VM2 ---202.61.42.19
VM3 ---202.61.42.20
VM4 ---202.61.42.21

I want to protect these VM through Pfsense.

I donot want NAT or Port Forwarding.

Can any body help me in configuring or designing this.

Not sure if you figured it out yet, but I will answer your question in case anyone else searches for this :)

There are 2 scenarios:
1: Using pfsense as a router/firewall with NAT (internal IP's behind pfsense)
2: Using pfsense as a transparent firewall (external IP's behind pfsense)

You are talking about scenario #2. For both scenarios, the VM and vSwitch configuration is actually the same. The exception of how you setup pfSense.

First of all, you will need to configure pfsense as a transparent firewall, which includes bridging the LAN interface with the WAN. There is a good tutorial on how to do this located at http://pfsense.trendchiller.com/transparent_firewall.pdf

On the ESX server you will need to create the following:
vSwitch-1 (connected to a physical NIC)
vSwitch-2 (not connected to any physical NIC)

For vSwitch-1, connect the pfsense WAN interface
For vSwitch-2, connect the pfsense LAN side interface

Put all your VM's on vSwitch-2.

You may need to configure the actual vSwitches to be in "Promiscuous Mode" - you do this inside ESX in the "Configuration" tab via the VI Client.

Now add all your firewall rules accordingly. That's it!

Hope this helps.

-Sean

Well, this is my setup that I have under testing and seems to work.

Physical Hardware:

Laptop with 1 Ethernet and 1 Wireless built in.
1 dir-825
1 dir-655
1 dwa-160 (usb 2.4/5Ghz card)
Siemens Gateway

I have the Seimens gateway outward facing as it is being used as the ADSL modem > dir-825 as access point > dwa-160 > laptop > ethernet > dir-655 as second access point.

Stupidly complex setup but all i have is a laptop which I use for everything and the dir 655 is only in the equation to test how pfsense works as a NAC/router and AP.

As for software typology, I have pfSense as a guest OS inside VMWare 7. (versioning doesn't matter, I originally intended to try and figure out how I could fit esxi into the equation to eliminate all hardware routers and strictly have everything running as softawre and virtualised). Anyway, pfSense as a VM only has two Virtual adapters. The WAN and LAN (for now). On Windows 7, I had VMware create only 1 Vmnet adapter that I will be using.

In VMware (not pfSense webgui), I bridged what would be pfSense's WAN interface to my dwa-160 which is connected to the DIR-825. So now pfSense connects directly to my physical network and obtains the physical internal network ip address of 192.168.0.xxx

I set vmware to also bridge what would be pfSenses LAN interface to my physical LAN adapter. I put the ethernet cable into anything but the WAN port of the dir-655 (since i am still double nated this way) after turning off DHCP in the router. With both virtual adapters bridged to physical adapters, I am able to test pfSense outside the virtual environment. IE: how physical computers will be affected by pfSense. I did however have to set static IP address for the LAN adapter within pfSenses network segment.

Now, to test the network as an access point, I just connect my built in wifi adapter (not the dwa-160, remember I listed I had 2 wifi cards) to the dir-655 which is now successfully hardwired to the laptop and see if the wifi adapter gets an IP address from pfSense, which is a success. However I can't test against pfSenses functionality because Win7 will be using my dwa-160 as it's internet connection and any changes to it will affect network connectivity with the AP and pfSense. For THAT, I load up Win7 in VMware and connect the laptops built in Wifi card directly to it. Once the Virutal Win7 see's the card as a real device, I then do the same, connect it to the dir-655. I get an IP address from pfSense, great, AND I get internet as expected. Traffic is flowing through pfSense as it should and so is the L7 and other QoS rules and the portal. I am sure that it will communicate just fine with the radius server as well.

So in terms of a wireless router hardwired to the machine that is running pfsense as a vm and having it act as an AP, yes it's do-able.

If your method of connectivity includes a modem that has wireless capabilities ie:Gateway, then the method I described above will work fine. Your physical machine will not be affected by pfSense but you will should still maintain access to the webconf without having to load up a seperate VM.

If you want to have VitualBox use a wifi usb as a passthrough device, you will have to check on the HCL if the wifi chipset is a supported device and if OpenSolaris supports it, otherwise VirtualBox won't detect it. My guess is that you may have a lot of device hacking and scripting that you may have to play with.

I'm using a similar setup in testing (just started testing pfSense about a week ago in a VM on ESXi 4). Started with 1.2.3 but I'm testing 2.0 Beta now. VLAN 4095 when marked on a virtual network interface in VMware indicates "pass through all VLANs into the virtual machine" so the VM handles the VLANs. Since you can only add four "physical" virtual NICs to one machine if you define each VLAN as a separate network adapter in ESXi, if you want more than four interfaces on your VM you need to passthrough most of your interfaces this way, per the example in the original post.

The only hitch I ran into is that I'm using ProCurve switches and I have ALL VLANs set to Tagged (no untagged VLAN 1) on my VMware hosts. When I pass these through, pfSense refuses to pass traffic on VLAN 1 if I define VLAN 1 and assign it to an interface. However, the other VLANs work fine. I added a VMware-level secondary NIC to my VM that is assigned to VLAN 1 so pfSense sees the VLAN 1 network as "physical" and the rest as VLANs, and that seems to work around the issue. This is in 2.0 Beta from Jan. 8th, I don't recall figuring that out in 1.2.3 so I haven't tested there.

However, while I can get to the WAN from multiple VLANs (and the "physical" VLAN 1 interface) behind pfSense, I can't seem to get the routing to work between interfaces (so VLAN 10 can access a webserver on VLAN 1 for example, both being internal networks). I suspect this is something I'm not fully understanding about the configuration though, and not a software issue, since WAN access works.

@ideaman007:

Any updates to your testing with the VM?  I'm having some issues myself using pfsense under vmware 2.0 on ubuntu 8.04.3 LTS server.

Sorry haven't posted in awhile…
I've been running several pbx servers each with pfsense inside vmware server 2.0 in CentOS 5.2 host, successfully.  Under standard Business DSL 5M/768K, these servers handle 25+ computers & extensions, >6 simultaneous external voip calls, and multiple RDP sessions through the vm-pfsense beautifully.  The clients have been very impressed with what they get from a C2D machine.

Its worth buying the book "The Book of XEN". Good read and has a good explanation of how things works. It is basically based on Red Hat but the idealogy in it is very good and easy to understand more of config files and stuff. Anyway just buy it.

alright. I cant access it with crome but can with IE. Very wired.

Ok I resolved this by changing the "Firewall Optimization Options" to conservative and it is running smoothly.

It works just fine. Finally I was able to combine 3x 20Mbit with just 1 NIC, 1 modem and one computer.  ;D

I've posted my, as yet incomplete, findings in this thread.

Cheers.

Yes, you can. See the pfSense VMware Appliance. There's some more info in the Installing pfSense in VMware under Windows how-to.

HI Sam.

Verify your address network, test if you can ping all hosts, but let me see if I understand you.

You plug in router -> WAN pfsense
You plug in Host -> Pfsense
You plug in ?

You´ve said that you have 3 real NIC, but you need to create 1 VSwitch on VMware ESXi and connect both Machines, if not you can until inside subnet network, but you can see both devices.

FIRST ping all hosts see if you got sucess.
SECOND verify your VSwitch created on VMware ESXi, if you want or can post it a screenshot of your VSwitch on VMware. But I was thinking that problem is here.

Regards,

Heitor Lessa

I've changed the NIC's to flexible instead of e1000, and now it doesn't report fragmentation problems, and I don't see any errors in transfers.
Apparently there's a difference in the handling of large packets there.

I tried Ubuntu Karmic64 9.10 + virtualbox + pfsense 2.0 RC3..  I had no problems getting the host to talk to the guest(pfsense).. Also I was able to recieve and IP, from pfsense DHCP.  I believe I used one of the PCNET adaptors in bridge mode..  I could also log into the pfsense console from the karmic host.

My only problem and I didn't have much of a chance to play around with it.. Was getting VLAN's to work.. I am doing this with only one NIC in the host.

Here's my attempted setup:
Pfsense Guest:
LAN = ln0
WAN = ln0_vlan99

I have this connected to a Dlink switch that supports 802.1q.

This setup worked right out of the box…

What version VMware that are you using?

I had similar problem few days ago running under vmware, the problem began when I was adding a new nic, when I started … pfsense not works anymore.

Resolution: Revert snapshot that i made when everything works fine.

For your case... did you create any snapshot for you VM before this happens?

Independent this, make a test, create a new VM under vmware and do a new install of pfsense and test the internet connection, if everything works fine, try to restore configuration in this pfsense box =).

Any doubt, post again.

Regards,
Heitor Lessa

Perfect.

Solved problem ^^.