Basic Network Setup - pfSense with multiple ESX Servers and VLANs
-
Wanted to pass this by the forum and see if I have missed anything. We have a pair of pfSense firewalls (1.2.3-RELEASE) ready to deploy to our new datacenter rack. The purpose of this deployment is to host a number of ESX Virtual machines behind the firewalls using VLANs. I need the pfSense boxes to be the gateway for each VLAN (10.1.1.1, 10.1.2.1, 10.2.3.1, etc) and trunk the corresponding VLANs down to the ESX servers. The VMs would be configured in the appropriate VLAN and use the pfSense firewall as their gateway. Each VLAN will get one or more public IPs (via VIPs) and NAT'ed.
For example, VLAN 1005 will run 3 VMs using a single external VIP NAT'ed to an internal VLAN 1005 IP address (web server, etc). Note: not all VMs need external addresses.
So, my questions:
-
What is the max number of VLANs supported by pfSense?
-
Will VLANs automatically deny traffic to all other VLANs (just like physical interfaces)?
-
If I have to add additional VLANs on the fly, will other VLANs get affected (will the pfSense box need to get rebooted/reloaded)?
-
Is there a better way to design the network?
If anyone else has deployed this topology, can you provide any gotchas?
Thanks,
-Ron
-
-
BUMP
-
I don't have any experience of vlans on pfSense.
What is the max number of VLANs supported by pfSense?
Go to http://www.freebsd.org/cgi/man.cgi and type vlan in the box to see the FreeBSD vlan man page. The vlan architecture imposes a limit of 4095 vlans per physical interface.
Will VLANs automatically deny traffic to all other VLANs (just like physical interfaces)?
Vlans are just another interface.
If I have to add additional VLANs on the fly, will other VLANs get affected (will the pfSense box need to get rebooted/reloaded)?
You might hit a bug that forces a reload.
-
Thanks for the info. I will play around with the configuration and post some results. Perhaps others will find this useful…