Netgate Discussion Forum
    Bridged DMZ in VMware 6

      ZsZs

      I've been struggling with setting up a bridged DMZ in VMware environment and just wanted to share my findings, hoping that might help someone.

      Unfortunately it is not an option for me to have our public ip subnet routed to us, that is why I went for bridging the DMZ to WAN.
      The setup is quite standard with three interfaces:
      WAN: public /26 subnet, router managed by ISP
      DMZ: bridged with WAN
      LAN: private /24 subnet
      The ESXi host has two active interfaces between the vSwitch and a stacked pair of core switches, but as it turned out that is irrelevant.
      All vSwitches and portgroups have all three security settings disabled by default.

      All the guides I found regarding installing pfSense with bridge in VMware environment stated that the vSwitch for all interfaces involved in bridge should allow promiscuous mode, so this has been allowed on the relevant portgroup of the vSwitch.

      Everything worked well till the point I created the bridge in pfSense. Once this bridge was up, the gateway monitoring (with external IPs set) started to fail, but not completely. Sometimes it showed 100% packet loss, sometimes it recovered to Online, but most of the time it was unstable.
      A continuous ping to the gateway was also very unstable.

      I found that accepting promiscuous mode is necessary but not enough. I also had to accept Forged Transmits on the involved vSwitches/portgroups.
      Actually you do not need to enable Promiscuous Mode and Forged Transmits on the whole vSwitch but only on the portgroup to which the WAN and DMZ interfaces are connected.

      I would not consider myself a network guy (just a wanna-be) but I found that the managed switch connected to the DMZ saw the MAC address of the WAN interface of the pfSense VM only and not the MAC of the DMZ interface of the same VM. I guess this is a Forged Transmit from the VMware point of view, however I found no trace of this setting being violated at the VMware level.

      Long story short: enable Promiscuous Mode and Forged Transmits on all portgroups to which the bridged interfaces are connected.

      Hope that helps to spare some time to someone.
      Zsolt
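The portgroup-only change described above, written as an added example (not from the post or from Netgate): an ESXi shell script that checks the `esxcli` security policy of one portgroup and relaxes only the two settings the bridge needs, leaving MAC Address Change rejected and the vSwitch defaults untouched. The portgroup name `WAN-DMZ-Bridge` and the sample `esxcli` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: scope Promiscuous Mode and Forged Transmits to the single
# portgroup carrying the pfSense WAN and DMZ vNICs. A bridge forwards frames
# with the original host's source MAC, which is why the vSwitch treats the
# bridged vNIC's traffic as a forged transmit.
PG="WAN-DMZ-Bridge"   # constructed portgroup name; replace with your own

# Constructed sample of what "esxcli ... policy security get -p <pg>" prints
# on a portgroup still at the defaults (everything rejected).
SAMPLE_GET_OUTPUT='   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: false'

# Given the text of the "get" command, print which of the two bridge-required
# settings are still missing (empty output means the portgroup is ready).
bridge_policy_missing() {
    missing=""
    printf '%s\n' "$1" | grep -q '^ *Allow Promiscuous: true' \
        || missing="$missing promiscuous"
    printf '%s\n' "$1" | grep -q '^ *Allow Forged Transmits: true' \
        || missing="$missing forged-transmits"
    printf '%s' "${missing# }"
}

# Read the live policy of a portgroup (requires the ESXi shell).
get_portgroup_policy() {
    esxcli network vswitch standard portgroup policy security get -p "$1"
}

# Allow only what the bridge needs; MAC Address Change stays rejected.
set_bridge_policy() {
    esxcli network vswitch standard portgroup policy security set -p "$1" \
        --allow-promiscuous=true --allow-forged-transmits=true \
        --allow-mac-change=false
}

# Usage on the host: APPLY=1 ./bridge-portgroup.sh
if [ -n "$APPLY" ]; then
    need=$(bridge_policy_missing "$(get_portgroup_policy "$PG")")
    if [ -n "$need" ]; then
        echo "portgroup $PG is missing: $need; applying bridge policy"
        set_bridge_policy "$PG"
    else
        echo "portgroup $PG already allows promiscuous + forged transmits"
    fi
fi
```

Run the audit part again after pfSense is bridged: the only portgroup reporting both settings as `true` should be the one the WAN and DMZ vNICs sit on.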

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.