Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense on ESXI - unable to connect from LAN to Homelab interface port group

    Firewalling
    esxi switchports firewall
    3
    5
    737
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      laatmaarzien62
      last edited by laatmaarzien62

      I would like to move from a dedicated Xeon pfSense machine (I know) to a VMWare ESXI host. I followed the tutorials, and did my research.

      I have a 4 port Gbps NIC on my ESXI host.

      I created three virtual switches -

      • LAN (mapped to a physical uplink port) - will connect to Unifi Switch https://imgur.com/lMtNTEq
      • WAN (mapped to a physical uplink port) https://imgur.com/BhSTfEx
      • DMZ (no uplink) - will be assigned to other ESXI VM's which host my servers https://imgur.com/SE4xdNV

      Next I created six Port Groups

      • LAN (vLAN 0) -> LAN vSwitch https://imgur.com/JFKgsVv
      • IOT (vLAN 100) -> LAN vSwitch (assigned to "smart" devices to keep them away from main LAN).
      • GUEST (vLAN 200) -> LAN vSwitch (assigned to guests via Unifi AP)
      • ALL (vLAN 4095) -> LAN vSwitch https://imgur.com/L5NIVE0
      • WAN (vLAN 0) -> WAN vSwitch
      • DMZ (ORANJE) (vLAN 0) -> DMZ (ORANJE) vSwitch https://imgur.com/tuCzE8i

      pfSense installed correctly, with the three port groups assigned as

      • vmx0 -> WAN
      • vmx1 -> LAN
      • vmx2 -> DMZ (ORANJE)

      I went through the install, and set up DHCP on vmx1, vmx2, and I was able to connect to the web interface, and configure the firewall, etc. I connected my Surface to the LAN interface, and got an immediate IP in the right range.

      I also added the DMZ Port Group to an existing ESXI VM, and immediately got the right IP, and i was able to ping google.com.

      At this point, no rules exist for either interface, other than just to allow traffic through.

      IP4, Any, Pass.

      BUT I cannot connect from my LAN to the DMZ IPs. I try to ping, ssh, nothing works. While I know these are separate port groups, I thought pfSense would do the routing between the interfaces.

      Is my understanding wrong? How can I bring this plan to life?

      EDIT
      This is the NON working ORANJE config (DMZ):
      https://imgur.com/29cAxL8

      This is my "working" pfSense (Xeon) box config for the same interface setup. This works flawlessly - I am able to SSH from LAN to ORANJE and access Portainer on ORANJE (9443) etc. The only difference is that LAN, and ORANJE are actual NIC ports in the Xeon setup.

      https://imgur.com/GgAcaO6

      XPosted from Reddit where I initially asked this question.

      F 1 Reply Last reply Reply Quote 0
      • F
        flat4 @laatmaarzien62
        last edited by

        @laatmaarzien62

        No help here but had a question, is there a problem with running pfsense on xeons?

        L 1 Reply Last reply Reply Quote 0
        • L
          laatmaarzien62 @flat4
          last edited by

          @flat4 Nope no problem - just overkill - 135W CPU for a firewall is a bit much. I'd like to reduce my electric bill :)

          I got the Xeon PC free a while back. But I'd rather not continue on with it

          F 1 Reply Last reply Reply Quote 0
          • F
            flat4 @laatmaarzien62
            last edited by

            @laatmaarzien62
            OH !

            1 Reply Last reply Reply Quote 0
            • ipeetablesI
              ipeetables
              last edited by

              vlan 0 is reserved

              1 Reply Last reply Reply Quote 0
              • First post
                Last post