Netgate Discussion Forum

    Pfsense protecting vm's on esxi 5.1

tjackadams:

Here is the setup I would like to have.

Public IP address ---> VMware ESXi 5.1 ---> pfSense ---> VMs

I only have a single public IP address and a single physical NIC; I would like to NAT some ports, such as port 80, through to the VMs.

      I have looked around the forums/internet and found many people trying to accomplish the same thing except they always have a secondary ip address or a second physical nic.

      Any help is appreciated.

      Cheers

biggsy:

        Second physical NIC is definitely worth the investment.

        If you do it with one NIC you'll need a managed switch and VLANs.

        The managed switch is likely to cost you the price of two or three pre-loved Intel NICs.

tjackadams:

Apologies, I should have mentioned that this is in a hosted environment, so a second physical NIC is not possible, nor a second IP address.
          We also won't have any access to switches except the ones we can create in vmware itself.
          Cheers

biggsy:

OK. If the one physical NIC is your WAN and you virtualize pfSense as well, you can do it with just vSwitches.

            Seen this?  http://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5

            No reason your pfSense LAN can't be on a virtual NIC, along with your other servers.

biggsy:

I could have put that a bit better ::) You would have in your ESXi host:

              Physical NIC -> vSwitch 0 -> pfSense WAN vNIC (w/ public IP) -> pfSense LAN vNIC -> vSwitch 1 -> other VM vNICs

johnpoz (LAYER 8 Global Moderator):

                ^ yup that is exactly how you would do it.

But how are you going to access the vmkern for ESXi?? That would need to be another IP..

Guess you could put that behind the pfSense on a private IP. Might be a pain to try and get set up remotely though.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

biggsy:

@johnpoz: "But how are you going to access the vmkern for ESXi?? That would need to be another IP.."

I had the same thought. Perhaps vmkernel access via a separate management network is part of the hosting arrangement.

tjackadams:

To access the vmkern, would adding a secondary management port on the internal vSwitch do the job? Then just NAT through some different ports in pfSense?

I have done some additional testing tonight and I'm just at the point now where I want to set the WAN address of pfSense the same as my public IP address. Is it just a case of setting the IP address manually on the pfSense box?

I only ask because I've tried this several times with no joy, and it's pretty much a wipe of the box when I lock myself out! No console access :\

                    Cheers

johnpoz (LAYER 8 Global Moderator):

You can have the vmkern port group as part of the same vSwitch and share the same physical NIC to the real world. But you're not going to be able to put the same IP you use for vmkern on the pfSense WAN interface connected to that vSwitch.

You need 2 public IPs, or you would have to put the vmkern behind pfSense on a private IP.


tjackadams:

Thanks for your help guys. Managed to get it sorted in the end; I've put the management interface on a private switch. This allows pfSense to use the external IP address.
To remotely manage it I am going to set up a VPN connection and use vSphere like that.
Seems to work fine; the only problem is I'm a bit screwed if pfSense decides to fall over... but then again, it is Linux so that's unlikely to happen ;)

johnpoz (LAYER 8 Global Moderator):
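As an added example, not code from any poster in this thread, the layout the thread settles on (vSwitch0 keeps the only physical uplink and the pfSense WAN vNIC; a second vSwitch with no uplink carries both the pfSense LAN port group and a new vmkernel management port) written as a checked esxcli command plan for ESXi 5.x. The switch and port-group names, the 10.0.0.0/24 management address and the placeholder public IP are all assumptions.

```shell
#!/bin/sh
# Constructed example: an esxcli command plan for the single-NIC layout
# agreed in this thread. vSwitch0 keeps the only physical uplink and the
# pfSense WAN port group; a second vSwitch with NO uplink carries both the
# pfSense LAN port group and a new vmkernel management port (vmk1), so the
# host is managed only through pfSense (over the VPN, as in the thread).
# All names and addresses below are assumptions, not from the original posts.

PUBLIC_IP="203.0.113.10"          # placeholder: the one public address, used by pfSense WAN
MGMT_VMK_IP="10.0.0.2"            # vmk1 address on the private management/LAN side
MGMT_NETMASK="255.255.255.0"
PRIV_VSWITCH="vSwitch1"           # created with no uplink: isolated from the physical NIC
LAN_PG="LAN"                      # pfSense LAN vNIC and the protected VMs attach here
MGMT_PG="Management-Private"      # vmk1 attaches here

# johnpoz's point: the vmkernel port cannot reuse the address pfSense puts on
# its WAN vNIC. Returns non-zero when the two addresses collide.
addresses_distinct() {
    [ "$1" != "$2" ]
}

# Print the esxcli commands (ESXi 5.x syntax) without executing them.
plan_private_switch() {
    addresses_distinct "$PUBLIC_IP" "$MGMT_VMK_IP" || {
        echo "error: vmk1 must not reuse the public IP $PUBLIC_IP" >&2
        return 1
    }
    cat <<EOF
esxcli network vswitch standard add --vswitch-name=$PRIV_VSWITCH
esxcli network vswitch standard portgroup add --vswitch-name=$PRIV_VSWITCH --portgroup-name=$LAN_PG
esxcli network vswitch standard portgroup add --vswitch-name=$PRIV_VSWITCH --portgroup-name=$MGMT_PG
esxcli network ip interface add --interface-name=vmk1 --portgroup-name=$MGMT_PG
esxcli network ip interface ipv4 set --interface-name=vmk1 --ipv4=$MGMT_VMK_IP --netmask=$MGMT_NETMASK --type=static
EOF
    # Deliberately not in the plan: removing the original vmk0 from vSwitch0.
    # Do that last, by hand, only after vmk1 is reachable through the pfSense
    # VPN, because (as tjackadams found) a mistake there means a rebuild.
}

case "${1:-}" in
    --apply) plan_private_switch | sh ;;    # run on the ESXi host itself
    *)       plan_private_switch ;;         # default: dry run, just show the plan
esac
```

The pfSense VM's two vNICs (WAN on vSwitch0, LAN on the LAN port group) are attached in the vSphere client, not by esxcli, so they are not part of the plan.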

"it is Linux so that's unlikely to happen"

No, it's BSD, not Linux. pfSense runs on FreeBSD; BSD and Linux are not the same animal.. But I get what you're saying, it's a stable platform..

Take a look here:
                          http://www.techrepublic.com/blog/10-things/10-differences-between-linux-and-bsd/


mellowinottawa:

                            I did the same on my ESXi box, management interface on a private vSwitch with pfSense public IP facing.

I'd suggest that once you get the pfSense box configured how you like it, you set the disk to non-persistent mode and, in the VM startup/shutdown options, set that VM to be the first to automatically start upon reboot. With non-persistent set, if anything gets messed up in pfSense (bad configuration, it gets hacked, etc.), you just have to remotely reboot the entire machine and you should come back up with a good working setup.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.