Netgate Discussion Forum

    Pfsense + vmware

    26 Posts 8 Posters 17.8k Views
      dgiorgio

      I have two virtual interfaces, nat and bridge.

      em0 - WAN - interface NAT
      em1 - LAN - interface bridge

      How do I share internet from WAN to LAN?

        dgiorgio

        I will put my network structure in more detail.

        2x modem <----> router (SonicWALL) <----> switch <----> servers/computers
        All machines are connected to the switch.

        I have a machine with VMware. In VMware I have Windows 2008r2 and pfSense. The pfSense has just been installed, has not been configured. My goal is to use pfSense as a proxy, but it is not permanent. I will eventually replace the SonicWALL with pfsense. And I will not need the pfSense in VMware as I have with a physical machine. When the physical machine is available, it will provide DHCP, proxy and firewall. But for now, only the proxy.

        The pfSense needs to be the only means of internet connection. But I cannot do NAT interfaces. I'm testing at home and at work, so everything is working; I'll install pfSense in all branches spread out over the country.

        In two months, I will not have the SonicWALL anymore. By the end of the year, I will connect all branches with VPN, also using pfSense.

        I have no problem with Linux/iptables/Squid, but I want to use pfSense in this project.

          dgiorgio

          iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
          echo 1 > /proc/sys/net/ipv4/ip_forward

          How do I convert it to pfSense?

          eth0 = em0

            stephenw10 (Netgate Administrator)

            It's easy enough to use the virtualized pfSense to proxy connections to the virtualized Win 2008 server. Just create a virtual switch and connect the pfSense LAN interface and the server to it, all within VMware. However, to proxy/firewall external clients you need to somehow connect the pfSense LAN interface to them, and to do that you would need, at the very least, two NICs in the VMware host machine. Alternatively you could use VLANs to create the two interfaces, but that is far more complex.

            The default configuration of pfSense will NAT connections between its WAN and LAN interfaces.

            How is your VMware configured internally? How is the Win7 machine connected?

            Steve

              dgiorgio

              http://forums.freebsd.org/showthread.php?t=38937

              VMware has not been modified.
              Win2008 has a bridged interface.
              The pfSense has two interfaces, NAT and bridged.

              I want pfSense to be used only when connecting to the Internet.
              I do not want to pass through the firewall on the local network.

                abhay4589

                Hi, Abhay here from FreeBSD forums.

                Here is my working NAT config, check out the picture. :)

                But in your situation it will not work, because traffic destined for the Windows machine will not reach your firewall in the first place.
                How will you filter it?

                In order to use it when connecting to the internet you will have to configure it as the default gateway for your machines, via DHCP (which pfSense can handle).

                iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
                echo 1 > /proc/sys/net/ipv4/ip_forward

                From the pfSense web interface, under Firewall settings, NAT, Outbound, you will be able to configure that.
                This will not work since all traffic will go directly to the Windows 2008 server and not to pfSense.

                vmware not been modified.

                You will have to modify the VMware settings in order to achieve the desired result.

                PFsenseNAT.png

                  dgiorgio

                  I use VMware Player.

                  I wanted to configure pfSense as a proxy, and just add a machine to test the proxy.

                  Using Internet Explorer, set the proxy IP and port (bridge interface).

                  And redirect to the NAT interface.

                  Without touching the router (SonicWALL), a proxy is not official, it's just for testing.

                  The company has the VMware ESXi, but is on the server, where I do not have permission to access.

                    dgiorgio

                    I'm using the IP range 192.168.0, 192.168.1, 192.168.2

                      stephenw10 (Netgate Administrator)

                      Ah, well you may be able to do that. I've never tried it though.
                      If you set up pfSense with only a single interface (an interface bridged to the real NIC) then it will be given an IP by the SonicWALL (or use a static IP). Then install the Squid proxy. Point your clients at the proxy IP/port. Install SquidGuard if you want to filter traffic by URL.

                      A setup like that works for testing purposes but offers nothing by way of security.

                      If that's not what you're trying to do perhaps draw a diagram.  ;)

                      Steve

                      Edit: Just read the FreeBSD thread. Are you wanting to proxy all clients on your LAN or just the Win 2008 VM?

                        dgiorgio

                        Traffic on the local network is very high.

                        If everything is going through pfSense, I have to use fiber optics.

                        I have several servers on the network: file server, SQL, tecnix, etc.

                        pfSense will only filter the internet connections.

                        em0 - WAN - interface NAT - 192.168.248.128 (DHCP)
                        em1 - LAN - interface bridge - 192.168.0.128 (DHCP)

                        Configure the browser to connect to the proxy.

                          stephenw10 (Netgate Administrator)

                          Ah, so the Win7 host machine has two NICs?

                          Steve

                            dgiorgio

                            No, only one interface.

                            Edit: changed the picture.

                              dgiorgio

                              I can modify the VMware settings.

                              Do I have to create more interfaces, or remove some?

                                stephenw10 (Netgate Administrator)

                                The easiest way to test the proxy would be as I described above. Have only a single interface on pfSense. Install Squid on pfSense. Since you have only one interface it will be open to any connection, so you can then just point any of your external clients' browsers at it.

                                You could use the Win2008 VM as your test client inside VMware. See Case1 pic.

                                You could create a new VM to use as a test client, Windows * or Linux, whatever. See Case2 pic.

                                A better but much more complex setup would be to use VLANs to bring two interfaces into the VMware environment. That way you could truly separate some, or all, clients and force them to use the proxy. See Case3 pic.

                                What are you wanting to test?

                                Steve

                                Case1.jpg
                                Case2.jpg
                                Case3.jpg

                                  dgiorgio

                                  In case 3, what settings do I have to make?

                                  LAN to WAN and WAN to LAN?

                                  Do I have to do NAT 1:1?

                                    stephenw10 (Netgate Administrator)

                                    The settings required for case 3 would depend on how you want the network to function. For example, by default a two-interface setup like that, WAN and LAN, will NAT between the two interfaces and serve DHCP and DNS requests on the local LAN. A pretty standard SOHO router setup. However your SonicWALL device is likely already doing that and you may not want a double NAT setup. In that case you may want to disable NAT altogether.

                                    If you have never used pfSense before I suggest you first simply add another VM as in case 2. When you are happy with the proxy setup and more familiar with pfSense in general then you can move to a more complex setup.

                                    To be honest this is outside my expertise. I only chimed in here because no-one else was and it was in 'General Questions'. Anyone more familiar with VLANs in VMware please feel free to contribute.  ;)

                                    Steve

                                      dgiorgio

                                      I need to connect PCs to the proxy.

                                      The more difficult part is to redirect to another interface (NAT) to access the internet.

                                        craigduff

                                        Can I just tell you how I virtualise my pfSense installation.

                                        So the internet goes into a router provided by the ISP...

                                        OK, one cable from there goes into my server, into a physical NIC.

                                        I then create a virtual switch called "WAN" and assign the physical NIC to that network.

                                        I then create another virtual switch called "Network" and assign a physical NIC to it. This NIC is plugged into a switch where the rest of the computers reside.

                                        Now I create a pfSense virtual machine and add 2 vNICs. One is called WAN and assigned to the WAN vSwitch, and another called LAN assigned to the Network vSwitch.

                                        All my other virtual servers would just get assigned to the vSwitch "Network" so they can all route and go out via pfSense.

                                        That I think is simple! Doing what you are doing could be a waste of time, because as soon as a device or new computer joins the network, it may be able to skip the pfSense proxy. By doing my setup you're forcing everyone through the pfSense proxy.

                                        Kind Regards,
                                        Craig

                                          Ecnerwal

                                          craigduff's setup works, but needs two physical interfaces. The cost of the extra interface may be worth the headaches it saves.

                                          So does stephenw10's case 3. If you have some real, critical reason to stay with only one physical interface to the machine running the VMs, you need a smart switch, with VLAN ability as part of its smarts. Here is some detail about how you'd set up version 3 if not running in fear of VLANs.

                                          If WAN is port 1, VM is port 2, and ports 3 to n are the other machines,

                                          VLAN 1 is ports 1 & 2. Port 1 is untagged. [this is set up ON THE SWITCH]

                                          VLAN 256 is ports 2 through n, and ports 3 through n are untagged. [this is set up ON THE SWITCH]

                                          Port 2 is the only port that is tagged (VLAN information leaves the switch.) That's because it's the only physical port carrying two virtual networks. [this is set up ON THE SWITCH]

                                          Ports 3 through n cannot see the WAN, so they have to speak to the pfsense on port 2.

                                          1 and 256 could be 1 & 2, 1 & 257, doesn't matter, but most switches like one of the VLANs to be 1. I suppose it would be more secure for many switches to set up VLAN 1 as only applying to the port you'd like to manage the switch from, so you might want 3 VLANs, or not to use VLAN 1 for the WAN port.

                                          On the VM you connect VLAN1 to the pfsense WAN, and VLAN 256 to the pfsense LAN, and the Windows LAN [this is set up ON THE VM and in pfsense on the VM]

                                          You cannot do this (at least not well and securely) with a dumb switch.

                                          pfSense on i5 3470/DQ77MK/16GB/500GB

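The VLAN layout Ecnerwal describes for case 3 (WAN on port 1 untagged in VLAN 1, the VM on port 2 tagged in both VLANs, clients on ports 3 to n untagged in VLAN 256) can be checked before it is typed into a switch. The following is an added example, not code from the thread or from pfSense: it models a switch's VLAN membership table, computes which ports can exchange frames, and reports the mistakes that would let a client bypass the pfSense VM. The port numbers, n = 8 and the "leaky" variant are constructed for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Vlan:
    vid: int
    untagged: set[int] = field(default_factory=set)  # access ports: frames leave without a tag
    tagged: set[int] = field(default_factory=set)    # trunk ports: 802.1Q tag leaves the switch

    def members(self) -> set[int]:
        return self.untagged | self.tagged


def reachable(vlans: list[Vlan], port: int) -> set[int]:
    """Ports that can exchange frames with `port` over some VLAN they share."""
    out: set[int] = set()
    for v in vlans:
        if port in v.members():
            out |= v.members() - {port}
    return out


def audit(vlans: list[Vlan], wan: int, vm: int, clients: range) -> list[str]:
    """Problems with a one-NIC 'case 3' layout; an empty list means the layout is sound."""
    problems: list[str] = []
    for c in clients:
        if wan in reachable(vlans, c):
            problems.append(f"port {c} can reach WAN port {wan} directly, bypassing pfSense")
        if vm not in reachable(vlans, c):
            problems.append(f"port {c} cannot reach the pfSense VM on port {vm}")
        # An access port left untagged in two VLANs leaks frames between them.
        if sum(c in v.untagged for v in vlans) != 1:
            problems.append(f"port {c} must be untagged in exactly one VLAN")
    for v in vlans:
        for p in v.tagged:
            if p != vm:  # only the VM port carries two networks, so only it should be tagged
                problems.append(f"port {p} is tagged on VLAN {v.vid}; only the VM port should be")
    return problems


# Constructed instance of the thread's layout, with n = 8 switch ports.
WAN, VM, CLIENTS = 1, 2, range(3, 9)
CASE3 = [Vlan(1, untagged={WAN}, tagged={VM}),
         Vlan(256, untagged=set(CLIENTS), tagged={VM})]
# Constructed mistake: client port 3 was also left untagged in VLAN 1.
LEAKY = [Vlan(1, untagged={WAN, 3}, tagged={VM}),
         Vlan(256, untagged=set(CLIENTS), tagged={VM})]

if __name__ == "__main__":
    print("case 3:", audit(CASE3, WAN, VM, CLIENTS) or "OK")
    print("leaky :", audit(LEAKY, WAN, VM, CLIENTS))
```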
                                            cheonne

                                            If only 1 interface is used,
                                            bridge that NIC to VMware and then in your settings add two network adapters
                                            and select that bridged NIC.

                                            I'm not familiar with VMware Player,
                                            but in Workstation this is what I do.

                                            1. Go to the network editor, bridge the NIC in vmnet0.
                                            2. Assuming you have finished creating a VM, go to settings and add two network adapters.
                                            3. Select custom, and point both network adapters to vmnet0, where the physical NIC is bridged.

                                            network adapter1 -> custom - vmnet0 - bridged to physical NIC
                                            network adapter2 -> custom - vmnet0 - bridged to physical NIC
