Need some help installing PfSense in ESXi5.5 VM using 3 nics(two networks).
-
I'm running 2.1-RELEASE (i386), the latest one from the FTP. I read that 64bit was buggy and not worth running since PfSense doesn't require enough RAM to justify running 64bit.
I'll get those traceroute results from this rig on LAN1 of PfSense here in a few mins. Got a big update finishing up on something and I need that before I can swap the modem around. ;)
-
What adapter you using - I use just e1000 it works fine. What settings do you have on your vswitches? This is my wan vswitch and lan vswitch
-
I'm using whatever the defaults were. I know for sure the adapter type is E1000.
Here is a screencap of ipconfig /all and tracert -d 4.2.2.2 from this rig plugged directly in to LAN1-
-
I notice in the DNS field it's pulling the gateway/LAN IP of PfSense rather than the two DNS Mediacom usually gives me.
If I run an ipconfig /all on my rig on the firebox network right now I get…
DNS Servers . . . . . . . . . . . : 97.64.183.164
97.64.209.37This seems like a step in the right direction unless I'm misunderstanding something here.
-
see hop 3.. Did you set a gateway on your lan or something?
You do not set gateways on lan interfaces!
-
There was one set and I removed it after finding out that I shouldn't.
-
Dude there is no possible way it should ever say that in a traceroute - unless it thought it needed to go out that interface to get somewhere. Can you post up your route table – here is mine.
See the default going out my ISP connection.
-
Sure, give me a few mins.
-
Ok so, I'm currently posting while online from PfSense.
Even though there were no gateways set on the LAN1 or LAN2 pages, on the Gateways page there were two different LAN gateways there for some reason. I deleted those, rebooted PfSense to continue towards getting you that screenshot and I hear Teamspeak say "Connected."
I'm going to connect my wrt54gs and see if all my stuff on my home network comes online. Brb.
-
My home network is now online and working. Full network and internet connectivity.
Still need to set those firewall rules for the second LAN which I'm not really sure how to do yet, but I'll cross that bridge when I get to it. I don't even have my switches here yet and currently have no hardware to play with on that "lab network" so it's no big deal right now. I just wanted my home network running and not being hindered by that firebox's 12 user limit.
Thank you so much for your help!
-
Meh, I was on a roll so I decided to do the LAN2 firewall rules before bed. Do these look ok? I want internet connectivity on LAN2 but I don't want it to see or access LAN1. However, I do want LAN1 to see and access LAN2 since I administrate most stuff on LAN2 from my rig on LAN1.
-
You only need one rule on LAN2:
PASS
Proto: IPv4+IPv6
Source: ANY
S/Port: ANY
Dest: NOT LAN net
D/Port: ANYThis allows through any traffic coming in on pfSense's LAN2 interface as long as it does not have a destination address somewhere in the LAN subnet.
-
Are my rules set up properly for what I wanted on LAN2? Curious to know if I got anywhere close on those since I've never messed with firewall rules before, outside of Windows. :-[
Here is what I have now for LAN2…
Pass
ID: None
Proto: IPv4+6 TCP
Source: *
Port: *
Destination: ! LAN net
Port: *
Gateway: *
Queue: None
Schedule:
Description: Allow LAN2 to any except LAN. -
So does your lan2 have ipv6 on it, if not prob want to just say ipv4, your source could be just lan2 net since what else would be coming into your lan2 interface?
But other than that looks right..
So example here are my wlan rules, this is is like a lan2 in your case - but I have another segment dmz besides my lan.
So the couple of pin holes I have - so ipad at the 2.230 address can go anywhere, lan, internet and dmz
so wlan can talk to my printer on lan at 1.50
so wlan can talk to my ntp server on lan at 1.40
so wlan can talk to internet and dmz, but not the lan network.Hope that gives you some ideas how you would do rules that allow some traffic to start from your lan2 into your lan for exceptions, etc.
Now from my other segment the dmz, I have an alias called locals which has my lan and wlan network segments 192.168.1.0/24 and 192.168.2.0/24 in it
So this rules says dmz can go anywhere as long as its not either of those networks. Now if I want to allow dmz to talk to my printer or ntp I could put the same kind of rules I have in my wlan segment above that rule. So currently it can go to the internet, it could talk to my openvpn clients etc. But could not create traffic to either my lan or wlan segments.
Keep in mind both wlan and dmz could answer traffic that comes from lan.. Since my lan rules are allow any.
-
I'm curious about adding wifi(for home network) in to this thing and possibly doing away with my wrt54gs. My PE860 has one empty PCI slot. What are my options? Is there a compatible card list? The wrt54gs is B/G and WPA2/AES so I'd at least want those specs with the card. I'd lose my 'switch' on my home network but I've got two Netgear GS108's coming in that'll go on each network.
This weekend I'll be attempting a PfSense install and config on a Watchguard Firebox X-Core x700 for a friend. Currently trying to find a good mini-PCI wireless adapter to throw in it so I can do wireless for him as well. He was the original owner of this PE860 and ran PfSense on it(standalone, not VM) but his wife didn't like the noisy fans in it. This x700 should work nicely for him especially if I can get wireless going on it. ;)
-
I would never do wifi directly on pfsense - doing wireless in my mind is not the role of firewall/router - its is to firewall traffic and route.. Wireless is job of AP..
-
Wireless is job of AP..
Agreed. You should be able to turn your WRT into an AP for the short term.
-
I have a mini-pci adapter in my firebox at home. It's this:
http://wikidevi.com/wiki/Toshiba_PA3458U-1MPC
Any similar Atheros card of that age should be good. It cost me nothing, I had it gathering dust, it provides useful out of band access when I unplug the wrong cable somewhere and also means I can see channel usage via the webgui. But.. I also have external APs that are much faster and give much better coverage.Steve
