Netgate Discussion Forum

    Pfsense with 3 NICS

    General pfSense Questions
    75 Posts 7 Posters 17.5k Views
    podilarius

      It's clear to me. You just don't need to bridge unless you are going to run LAN and LAN2 in the same subnet. Routing will work just fine. You don't need a physical NIC in the vswitch. Everyone else is just saying that you have to have something in there that is part of pfsense and another machine. I have used this setup in a lab and it works just fine.

      Any more clarification would be good.

      doktornotor Banned

        @johnpoz:

        Physical nic??  What??

        Hopefully he's not going to try to physically hammer the physical NIC to the virtual machine.  :o

        @OP: Remove the bridges nonsense. We won't move anywhere while it's still there in place. Plus, bridging on FBSD does not exactly work like you'd think it does when it comes to firewall behaviour, at least not unless you've flipped a couple of system tunables and assigned the bridge interface itself instead of its members, e.g. like here:

        
        bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                ether 02:5f:58:aa:bb:00
                inet 10.20.31.254 netmask 0xffffff00 broadcast 10.20.31.255
                inet6 2001:470:xx:xx::254 prefixlen 64
                nd6 options=1<PERFORMNUD>
                id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
                maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
                root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
                member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                        ifmaxaddr 0 port 1 priority 128 path cost 55
                member: vr2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                        ifmaxaddr 0 port 3 priority 128 path cost 55
                member: vr1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                        ifmaxaddr 0 port 2 priority 128 path cost 55


        (the above being an Alix box which serves pretty much as a dumb WiFi AP plus hotspot with captive portal; other than that, no firewall, routing only, all the physical RJ45 ports being bridged on a WAN - which is attached to another pfSense box via a LAN interface - and basically acting just as a dumb switch.)

        stephenw10 Netgate Administrator

          I think your screenshot from ESXi was cropped incorrectly, I can't see much of it.  ;)

          I agree with what others have said. You do not need a physical NIC to get connectivity. You do not need to bridge the two LANs to get connectivity, and in fact bridging the LANs largely negates the point of having two separate LANs.

          Steve

          Jamerson

            @doktornotor:

            @johnpoz:

            Physical nic??  What??

            Hopefully he's not going to try to physically hammer the physical NIC to the virtual machine.  :o

            haha you are really funny guy !!  :o

            @stephenw10:

            I think your screenshot from ESXi was cropped incorrectly, I can't see much of it.  ;)

            I agree with what others have said. You do not need a physical NIC to get connectivity. You do not need to bridge the two LANs to get connectivity, and in fact bridging the LANs largely negates the point of having two separate LANs.

            Steve

            Steve,
            I have 3 Virtual NIC on the PFSENSE,
            one is on the group of Vswitch 1 which is the WAN of the ESXI
            second one is the VSWITCH 2 which is LAN1
            and 3rd one is on the Vswitch 3 which is LAN 2

            I understand I don't need a Physical NIC to get the connectivity,
            Why when I remove the Physical NIC from the VSwitch 2 /3  the connectivity drops down ?
            attached is a screenshot of the Network Diagram on the ESXI.
            that why I've attached a Physical NIC to LAN1 otherwise it won't work

            On the physical side, I will have physical computers that will be members of the domain controller that is running on the ESXI and need to have access to the LAN 1 subnet over the WAN.
            Like a physical computer in the room will need to have access to 192.168.4.0/24 and need to use the PFSENSE as its gateway.

            Thank you

            LAN.jpg

            johnpoz LAYER 8 Global Moderator

              You DO NOT need a bridge!! You DO NOT need a physical nic connected to your vswitch.

              Remove the BRIDGE!  And you will be good.

              I run this exact setup.  Multiple physical lans, and one that is only vms (dmz)  I have no bridge in pfsense (you would not normally bridge 2 different address space segments).. My box in dmz can use the internet and is blocked from talking to lan or wlan because that is how I setup the firewall rules.  But lan or wlan can talk to dmz (this is normally how a dmz is setup)

              You have seen my esxi setup in previous - and you can see it in the background in the attached.

              So my workstation that is on lan (via physical nic connection in esxi to that lan vswitch) on 192.168.1.100 can ping the dmz win7 box.  See it attached on the vswitch where pfsense also has an interface (dmz 192.168.3.253), and the w7 box on 192.168.3.100/24 can ping google, but it cannot ping the 192.168.1.100 machine because my firewall rules for dmz say you can go anywhere you want other than locals.  That is what the ! in front of it means: "not" locals.  Locals is an alias in pfsense that includes 192.168.1.0/24 and 192.168.2.0/24 and my openvpn networks.  So per my firewall rules on my lan I can go to the dmz.. But dmz can only "create" connections to networks that are NOT my local networks.  This is a common setup for a "dmz" segment.

              edit:  Seems I went over the attachment size for my dmz rules - see next post

              confignophynic-vswitch.png

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              johnpoz LAYER 8 Global Moderator

                Here are my dmz firewall rules showing ! locals as dest

                dmzfirewallrules.png


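A small model of the DMZ policy johnpoz describes in the two posts above (a "locals" alias and a DMZ rule whose destination is "! locals"). This is an added example, not pfSense code or anything from the posters; the OpenVPN subnet 10.8.0.0/24, the sample flows and the first-match-then-default-deny evaluation are assumptions made to mirror the description.

```python
from ipaddress import IPv4Network, ip_address
from typing import List, NamedTuple

Net = IPv4Network

# Alias "locals" as described in the post: LAN, WLAN and the OpenVPN networks.
# The OpenVPN subnet below is a constructed placeholder; the post gives no address for it.
LOCALS: List[Net] = [Net("192.168.1.0/24"), Net("192.168.2.0/24"), Net("10.8.0.0/24")]
LAN_NET = Net("192.168.1.0/24")
DMZ_NET = Net("192.168.3.0/24")
ANY: List[Net] = [Net("0.0.0.0/0")]


class Rule(NamedTuple):
    iface: str        # interface the packet ENTERS on; pfSense evaluates rules inbound
    action: str       # "pass" or "block"
    src: List[Net]
    dst: List[Net]
    dst_negate: bool = False   # the "!" on the destination: match when dst is NOT in dst


def in_alias(ip, nets: List[Net]) -> bool:
    return any(ip in n for n in nets)


def matches(rule: Rule, iface: str, src, dst) -> bool:
    if rule.iface != iface or not in_alias(src, rule.src):
        return False
    hit = in_alias(dst, rule.dst)
    return (not hit) if rule.dst_negate else hit


# GUI-style ordered rule set: LAN may initiate anything (DMZ included);
# DMZ may initiate only to destinations outside "locals".
RULES: List[Rule] = [
    Rule("LAN", "pass", [LAN_NET], ANY),
    Rule("DMZ", "pass", [DMZ_NET], LOCALS, dst_negate=True),
]


def decide(iface: str, src_ip: str, dst_ip: str, rules: List[Rule] = RULES) -> str:
    """First matching rule wins, as in the pfSense GUI; no match means the
    implicit default deny.  Only the connection-opening packet is modelled:
    replies (e.g. the DMZ host answering LAN) are allowed by state, not by a rule."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if matches(rule, iface, src, dst):
            return rule.action
    return "block"


if __name__ == "__main__":
    for flow in [("DMZ", "192.168.3.100", "8.8.8.8"),         # DMZ -> internet: pass
                 ("DMZ", "192.168.3.100", "192.168.1.100"),   # DMZ -> LAN host: block
                 ("LAN", "192.168.1.100", "192.168.3.100")]:  # LAN -> DMZ host: pass
        print(flow, "->", decide(*flow))
```

Note that the firewall's own DMZ address (192.168.3.253) is not in "locals", so DMZ hosts can still reach it as gateway and DNS; add it to the alias or a separate block rule if that is not wanted.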
                stephenw10 Netgate Administrator

                  To be fair you do need a physical NIC on vSwitch1 if you have physical machines that need to connect to that subnet.

                  If however you are only getting general internet connectivity with that in place then it sounds like the VMs on vSwitch1 are using some external route and not the pfSense VM for their gateway.

                  Steve

                  johnpoz LAYER 8 Global Moderator

                    From what I have been able to make out of this thread.. He only wants vms on this esxi host to connect through pfsense (vm) to the real network via the pfsense wan connection.  If that is the case then the only vswitch that needs connectivity to the physical world is the vswitch that pfsense wan is connected to.

                    Think of the physical nic you connect to a vswitch as just a normal uplink you use in real switches.  If you have machines on switch1 and machines on switch2 how do you connect them..  You run a wire between the switches.

                    This is really all that connecting a physical nic in esxi to a vswitch does - it connects that vswitch to the real world switch the wire from that nic runs to.

                    Your vmkern portgroup would need a physical connection or you would not be able to manage the esxi host box.  From your other drawings this is the same vswitch you have pfsense wan connected to.  Your other lan and dmz segment vswitches only need physical connectivity if, as stated by stephen, you have real world machines on those segments.


                    doktornotor Banned

                      @Jamerson:

                      Why when I remove the Physical NIC from the VSwitch 2 /3  the connectivity drops down ?

                      P.S. Removed the BS bridge yet, or still feel like wasting more of our time with that nonsense?

                      johnpoz LAYER 8 Global Moderator

                        If you would let one of us teamviewer in we could have this fixed in like 3 minutes..  And we are on page 4 ;)


                        stephenw10 Netgate Administrator

                          @Jamerson:

                          I will have physical computers that will be members of the domain controller that is running on the ESXI and need to have access to the LAN 1 subnet over the WAN.
                          Like a physical computer in the room will need to have access to 192.168.4.0/24 and need to use the PFSENSE as its gateway.

                          He does say 'over the WAN' here but I discounted that because he implies that real machines need to be in the 192.168.4.X subnet which is LAN1/vSwitch1.

                          Steve

                          johnpoz LAYER 8 Global Moderator

                            But he stated this as well
                            "LAN 1 and LAN 2 are not attached to Physical NIC, "

                            I if he even knows what he wants, I think it is getting lost in translation.. Maybe he would have better luck with someone that speaks his native language?


                            Jamerson

                              @johnpoz:

                              But he stated this as well
                              "LAN 1 and LAN 2 are not attached to Physical NIC, "

                              I if he even knows what he wants, I think it is getting lost in translation.. Maybe he would have better luck with someone that speaks his native language?

                              if I remove the physical NIC from vSwitch 1,
                              my physical machines in the office will be able to communicate with LAN 1 ( 192.168.4.1 ) even if it doesn't have a physical NIC?

                              when you say remove the bridge, which one do you mean?
                              on the interfaces there is no bridge.
                              attached is a screenshot of my bridge

                              bridgen.jpg

                              stephenw10 Netgate Administrator

                                @Jamerson:

                                if I remove the physical NIC from vSwitch 1, my physical machines in the office will be able to communicate with LAN 1 ( 192.168.4.1 ) even if it doesn't have a physical NIC?

                                No. You need a physical NIC on vSwitch1 to allow that. We just needed confirmation that was what you're trying to do.

                                @Jamerson:

                                on the interfaces there is no bridge.

                                Ok, so you removed it already? In your much earlier output of 'ifconfig' it showed a bridge.

                                Steve

                                johnpoz LAYER 8 Global Moderator

                                  "my physical machines in the office will be able to communicate with LAN 1 ( 192.168.4.1 ) even if it doesn't have a physical NIC?"

                                  And are these physical machines on 192.168.4.0/24, or are they on the wan that your pfsense is connected to, 192.168.2.0/24 I think?


                                  stephenw10 Netgate Administrator

                                    Ah, very good question. Yes, you mentioned via WAN earlier, did you mean that?

                                    Steve

                                    Jamerson

                                      @johnpoz:

                                      "my physical machines in the office will be able to communicate with LAN 1 ( 192.168.4.1 ) even if it doesn't have a physical NIC?"

                                      And are these physical machines on 192.168.4.0/24, or are they on the wan that your pfsense is connected to, 192.168.2.0/24 I think?

                                      the physical machines are using PFsense as gateway,
                                      on the WAN side I have just the ESXI and the ISP modem,
                                      all other machines are connecting to the internet through the PFSENSE (virtual or physical),
                                      all my network is going through the Pfsense.

                                      Steve yes this exactly what I want :).

                                      thank you so much

                                        johnpoz LAYER 8 Global Moderator

                                        Well then, are you working? If you removed the bridge and have the firewall rules correct, and change your lan2 pfsense IP to be .1 vs .0, you should be up and running.


                                          Jamerson

                                          @johnpoz:

                                          Well then, are you working? If you removed the bridge and have the firewall rules correct, and change your lan2 pfsense IP to be .1 vs .0, you should be up and running.

                                          this is what I did and it's working, thank you so much for your help.
                                          to do this my PFSENSE LAN1 required a physical NIC? right
                                          as shown on my screenshot the Vswitch 1 has an attached physical NIC.

                                          my question is, is it possible to have Pfsense (I mean LAN1) accessible to the physical machines even if Vswitch 1 doesn't have a physical NIC?

                                            stephenw10 Netgate Administrator

                                            Only if those machines are somehow routed through the pfSense WAN with appropriate firewall and port forwarding rules.
                                            No, is probably the answer. If you wish to have physical machines connected to LAN1 and using pfSense as their gateway to the internet you need to have a physical NIC connected to vSwitch1 to get that real traffic into the virtual network.

                                            Steve

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.