Configuring vNICs/vSwitches for this scenario
-
I'm looking to configure pfSense on my ESXi box to serve as the new router/firewall for my home network. I have 4 NICs in my vSphere 5.5 box. 1 is being shared between my media server and backup server. I have 3 free NICs that I wanted to use (WAN, WAN-VPN, LAN) for my pfSense VM. However, the pfSense installation instructions for VMware mention nothing about using passthrough for your NICs. Is passthrough not recommended?
EDIT: OP was answered. Updated question is regarding the best ways to configure my NICs/vNICs/vSwitches for my setup.
-
I've never heard of anyone using NIC passthrough. Everyone seems to use the virtualized e1000 or VMXNET3 NICs.
-
No, it's not recommended for security reasons.
You don't want to have your network traffic in contact with your physical hardware on a virtualized system.
The only things you normally pass through are graphics and sound cards.
-
Ahhhh, that does make sense. Thanks for the clarification.
On a related note, are there any best practices for how to configure your NICs/vSwitches in vSphere? Like I said, I need 3 interfaces (WAN, WAN-VPN, and LAN). I already have one NIC in my VM server assigned to a vSwitch that my Media Server and Backup Server (LAN subnet) use.
-
2 physical NICs and VLANs for the rest :)
-
I only pass through USB. What is the point of passing through NICs? If that is what you want to do, just run pfSense on the hardware directly. I also do some raw mapping of disks to my VM that shares out the storage. This was more for easy access to SMART info than anything else, so that VM can warn me if anything is going funky with those disks, etc.
I have 4 NICs in my host. I use 1 for the vmkernel; drastic improvements when moving files to and from the datastore to the physical network when the normal port groups your machines are on don't share this NIC.
Then 1 NIC connected to the modem on its own vSwitch (WAN), then another vSwitch connected to the LAN physical NIC, then another for my WLAN vSwitch and NIC; this is used for the WLAN directly and the VLAN for the guest wifi. Then I have another vSwitch that has no physical NIC that I use for the DMZ segment. It just has VMs on it, and pfSense has a vNIC in this vSwitch along with the other vSwitches.
I pass through USB for the UPS that powers the host because it was easier to monitor and manage than doing it natively in ESXi. The Linux VM that this is passed to can send a command to ESXi to shut down if the battery is low.
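The vSwitch layout described in the post above (WAN on its own uplink, LAN, WLAN with a tagged guest VLAN on the same uplink, and an uplink-less DMZ vSwitch that only pfSense and DMZ VMs sit on) as an added example script; it is not part of the post or of pfSense's documentation. The vSwitch, port-group and vmnic names are assumptions; the VLAN ID 20 for the guest network is made up. It defaults to DRY_RUN=1, which prints the esxcli commands instead of running them, so it can be reviewed before being run on the host:

```shell
#!/bin/sh
# Added example: build the standard-vSwitch layout from the post with esxcli.
# Names (vSwitchWAN, vmnic1, VLAN 20, ...) are assumptions; adjust to your host.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them on ESXi.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_vswitch NAME [UPLINK]: create a standard vSwitch; the uplink is optional,
# which is how the DMZ vSwitch ends up with no physical NIC at all.
add_vswitch() {
    run esxcli network vswitch standard add --vswitch-name="$1"
    if [ -n "$2" ]; then
        run esxcli network vswitch standard uplink add --vswitch-name="$1" --uplink-name="$2"
        run esxcli network vswitch standard policy failover set --vswitch-name="$1" --active-uplinks="$2"
    fi
    # Security policy: a VM on this switch may not sniff other VMs' frames or
    # send with a MAC other than its own. Keep these rejected unless a feature
    # you actually use (e.g. pfSense CARP) needs promiscuous mode.
    run esxcli network vswitch standard policy security set --vswitch-name="$1" \
        --allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false
}

# add_portgroup VSWITCH NAME [VLAN_ID]: a port group is what a vNIC attaches to;
# giving it a VLAN ID makes ESXi tag/untag frames for that VLAN on the uplink.
add_portgroup() {
    run esxcli network vswitch standard portgroup add --vswitch-name="$1" --portgroup-name="$2"
    if [ -n "$3" ]; then
        run esxcli network vswitch standard portgroup set --portgroup-name="$2" --vlan-id="$3"
    fi
}

build_layout() {
    add_vswitch   vSwitchWAN  vmnic1          # modem only; nothing else on this switch
    add_portgroup vSwitchWAN  WAN
    add_vswitch   vSwitchLAN  vmnic2
    add_portgroup vSwitchLAN  LAN
    add_vswitch   vSwitchWLAN vmnic3
    add_portgroup vSwitchWLAN WLAN
    add_portgroup vSwitchWLAN WLAN-Guest 20   # guest wifi as a tagged VLAN on the same uplink
    add_vswitch   vSwitchDMZ                  # no uplink: DMZ VMs can only reach pfSense's vNIC
    add_portgroup vSwitchDMZ  DMZ
}

build_layout
```

pfSense then gets one vNIC in each of the WAN, LAN, WLAN, WLAN-Guest and DMZ port groups. If you would rather let pfSense do the VLAN tagging itself (the "2 physical NICs and VLANs for the rest" approach), create one port group with `--vlan-id=4095` on the trunked uplink instead of one port group per VLAN, and define the VLANs on that vNIC inside pfSense.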
-
Ahhh, very interesting. I haven't yet determined if I want to break wireless out on its own interface yet because I'm not sure I'll have enough free NICs for that. I'm using AirVPN and need all traffic from my Media server to go over that interface (WAN-VPN), while all other traffic goes out over my ISP's network (WAN) as described here. For that reason I was thinking it would be best to use separate NICs for each for ease of configuration.
However I may be able to free up the NIC I have being shared by my Media and Backup servers since I can just connect them to my LAN switch and VLAN them off since my switch does support the passing of vlan tags.
-
No, it's not recommended for security reasons.
Makes sense but I never remember that because my users couldn't crack a vending machine if you gave them a bag full of coins.