Pfsense + vmware
-
I use vmware player.
I wanted to configure pfsense as a proxy, just add a machine to test the proxy.
Using Internet Explorer, set the proxy IP and port (bridge interface).
And redirect to the NAT interface.
Without touching the router (SonicWALL), a proxy is not official, it's just for testing.
The company has the VMware ESXi, but is on the server, where I do not have permission to access.
-
I'm using the IP range 192.168.0, 192.168.1, 192.168.2
-
Ah, well you may be able to do that. I've never tried it though.
If you set up pfSense with only a single interface (an interface bridged to the real NIC) then it will be given an IP by the Sonicwall (or use static IP). Then install the Squid proxy. Point your clients at the proxy IP/port. Install Squidguard if you want to filter traffic by URL.
A setup like that works for testing purposes but offers nothing by way of security.
If that's not what you're trying to do perhaps draw a diagram. ;)
Steve
Edit: Just read the FreeBSD thread. Are you wanting to proxy all clients on your LAN or just the Win 2008 VM?
-
Traffic on the local network is very high.
If everything is going through pfsense, I have to use fiber optics.
I have several servers on the network. file server, sql, tecnix, etc..
pfsense will only filter the internet connections.
em0 - WAN - interface NAT - 192.168.248.128 (DHCP)
em1 - LAN - interface bridge - 192.168.0.128 (DHCP)
configure the browser to connect to the proxy.
-
Ah, so the Win7 host machine has two NICs?
Steve
-
No, only one interface.
Edit: changed the picture.
-
I can modify the vmware.
I have to create more interfaces? or remove.
-
The easiest way to test the proxy would be as I described above. Have only a single interface on pfSense. Install Squid on pfSense. Since you have only one interface it will be open to any connection so you can then just point any of your external clients' browsers at it.
You could use the Win2008 VM as your test client inside VMware. See Case1 pic.
You could create a new VM to use as a test client, Windows * or Linux, whatever. See Case2 pic.
A better but much more complex setup would be to use VLANs to bring two interfaces into the VMWare environment. That way you could truly separate some, or all, clients and force them to use the proxy. See Case3 pic.
What are you wanting to test?
Steve
-
in case3.
what setting I have to do?
LAN to WAN and WAN to LAN?
I have to do NAT 1:1?
-
The settings required for case 3 would depend on how you want the network to function. For example by default a two interface setup like that, WAN and LAN, will NAT between the two interfaces and serve DHCP and DNS requests on the local LAN. A pretty standard soho router setup. However your Sonicwall device is likely already doing that and you may not want a double NAT setup. In that case you may want to disable NAT altogether.
If you have never used pfSense before I suggest you first simply add another VM as in case 2. When you are happy with the proxy setup and more familiar with pfSense in general then you can move to a more complex setup.
To be honest this is outside my expertise. I only chimed in here because no-one else was and it was in 'General Questions'. Anyone more familiar with VLANs in VMWare please feel free to contribute. ;)
Steve
-
I need to connect PCs in the proxy.
the more difficult it is to redirect to another interface (NAT) to access the internet.
-
Can I just tell you how I virtualise my Pfsense installation.
So the internet goes into a router provided by the ISP….
Ok one cable from there goes into my server into a physical NIC
I then create a Virtual switch called "WAN" and assign the physical NIC to that network.
I then create another Virtual Switch called "Network" and assign a physical NIC to it. This NIC is plugged into a switch where the rest of computers reside.
Now I create a Pfsense Virtual machine and add 2 V NICs. One is called WAN and assigned to the WAN VSwitch and another called LAN assigned to the Network VSwitch.
All my other virtual servers would just get assigned to the Vswitch "Network" so they can all route and go out via Pfsense.
That I think is simple! Doing what you are doing could be a waste of time because as soon as a device or new computer joins the network, it may be able to skip the PFsense proxy. By doing my setup you're forcing everyone through the pfsense proxy.
-
craigduff's setup works, but needs two physical interfaces. The cost of the extra interface may be worth the headaches it saves.
So does stephenw10's case 3. If you have some real, critical reason to stay with only one physical interface to the machine running the VMs, you need a smart switch, with VLAN ability as part of its smarts. Here is some detail about how you'd set up version 3 if not running in fear of VLANs.
If WAN is port 1, VM is port 2, and ports 3 to n are the other machines,
VLAN 1 is ports 1 & 2. Port 1 is untagged. [this is set up ON THE SWITCH]
VLAN 256 is ports 2 through n, and ports 3 through n are untagged. [this is set up ON THE SWITCH]
Port 2 is the only port that is tagged (VLAN information leaves the switch.) That's because it's the only physical port carrying two virtual networks. [this is set up ON THE SWITCH]
Ports 3 through n cannot see the WAN, so they have to speak to the pfsense on port 2.
1 and 256 could be 1 & 2, 1 & 257, doesn't matter, but most switches like one of the VLANs to be 1. I suppose it would be more secure for many switches to set up VLAN1 as only applying to the port you'd like to manage the switch from, so you might want 3 VLANS, or not to use VLAN1 for the WAN port.
On the VM you connect VLAN1 to the pfsense WAN, and VLAN 256 to the pfsense LAN, and the Windows LAN [this is set up ON THE VM and in pfsense on the VM]
You cannot do this (at least not well and securely) with a dumb switch.
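-
Added example, not part of the original thread: a small Python model of the switch layout described in the post above (WAN on port 1, the pfSense VM trunk on port 2, clients on ports 3 to n). It checks that no client port shares a VLAN with the WAN port, and shows how a dumb switch or a port left in the default VLAN breaks that guarantee. The port count of 6 and all function names are assumptions made for the illustration.

```python
# Added illustration: VLAN membership audit for the layout in the post above.
# VLAN IDs 1 and 256 come from the post; n = 6 ports is an assumption.
WAN_PORT, TRUNK_PORT = 1, 2


def build_switch(n_ports, wan_vlan=1, lan_vlan=256):
    """Return {port: set of VLAN IDs the port belongs to}."""
    cfg = {WAN_PORT: {wan_vlan}, TRUNK_PORT: {wan_vlan, lan_vlan}}
    for port in range(3, n_ports + 1):
        cfg[port] = {lan_vlan}          # client ports: untagged, LAN VLAN only
    return cfg


def l2_neighbours(cfg, port):
    """Ports in the same broadcast domain as `port` (share at least one VLAN)."""
    return {p for p, vlans in cfg.items() if p != port and vlans & cfg[port]}


def bypass_ports(cfg):
    """Client ports that reach the WAN port at layer 2 without crossing pfSense."""
    return sorted(p for p, vlans in cfg.items()
                  if p not in (WAN_PORT, TRUNK_PORT) and vlans & cfg[WAN_PORT])


def audit(cfg):
    """Return human-readable findings; an empty list means the layout holds."""
    findings = [f"port {p} shares a VLAN with the WAN port"
                for p in bypass_ports(cfg)]
    # Only the trunk to the VM host should carry more than one VLAN.
    findings += [f"port {p} carries several VLANs but is not the trunk"
                 for p, vlans in sorted(cfg.items())
                 if len(vlans) > 1 and p != TRUNK_PORT]
    return findings


# Constructed sample configurations.
GOOD = build_switch(6)
DUMB = {p: {1} for p in range(1, 7)}    # unmanaged switch: one flat network
MISCONFIGURED = dict(GOOD)
MISCONFIGURED[5] = {1}                  # port 5 left in the default VLAN

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("dumb", DUMB), ("misconfigured", MISCONFIGURED)):
        print(name, audit(cfg) or "no client port can bypass the trunk")
```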
-
if only 1 interface is used
bridge that nic to vmware and then in your settings add two network adapters
and select that bridge nic
i'm not familiar with vmware player.
but in workstation this is what i do.
1. go to network editor, bridge nic in vmnet0
2. assuming you finish creating a vm, go to settings and add two network adapters
3. select custom, and point to vmnet0 where the physical nic is bridged to both network adapters
network adapter1 -> custom - vmnet0 - bridged to physical nic
network adapter2 -> custom - vmnet0 - bridged to physical nic
-
How are you suggesting the two virtual NICs be connected to the pfSense VM? If they are both bridged to the same real NIC then they can't be assigned as WAN and LAN as they would both be in the same subnet.
Steve
-
I have set up pfsense as a dynamic SOCKS proxy, OpenVPN server and PPTP server long ago using VMplayer for testing and it worked fine, although adds zero security. I was just in it to test out the various functions at that point. I assume squid will work also this way. (also a good way to send someone a ready made VPN if you have no physical access to their system but do have remote desktop)
What I did is install vmplayer.
Install the latest full release (like 2.03 today)
Make the VM so that :
Network is bridge and replicating physical NIC state for WAN.
Another virtual network interface to use as lan. (Not Bridged!)
1 core (2 is better)
512MB ram (you can experiment with less)
After I booted, I'm locked out because I only have a WAN but no LAN I can access unless I make another VM of windows or something to use a virtual interface. More resources… So, no.
I went into the VM shell command interface.
pfctl -d
Now the firewall is down, so I can go in at the WAN interface of your pfsense (assigned by DHCP by your other router) and deactivate "block private IPs on WAN" and I can also open my port 80 and 443 3128 and whatever other service ports you will need in the firewall rules under the WAN interface tab.
Disable DNS Rebinding Checks also.
Back to the pfsense command line interface
pfctl -e
Now your PFsense VM interface is accessible through its wan via your physical computers. You can set up VPN, Proxy or whatever services you like.
You can use it as a proxy for anything on the LAN or from outside on the internet also. If you plan to access your vmplayer install of pfsense from the internet, you can; you just have to forward ports from your first router to whatever IP pfsense gets from it.
Stephenw10's way is better than this if your hardware supports VLANs and his way also frees up some hardware.
But you will need a better hypervisor than vmplayer.
For me this worked fine but it was just for testing for me until I decided to just install pfsense on hardware as my router/firewall.
Try that last part out. It works best. Just replacing sonicwall with pfsense in the end is better.