Netgate Discussion Forum

    PfSense ESXi 5.0 VM

    8 Posts 3 Posters 2.1k Views
    • R
      rawsi

      Hey guys,

      So I recently purchased a dedicated server which has allocated me 1 IPv4 address and 1 IPv6 address. The box also has only one NIC that I can use.

      My plan is to have two vSwitches, WAN and NAT. The NIC will be connected to WAN and then PfSense will be connected to both. The PfSense VM will be the gateway for all of the VMs, including the ESXi host management port. These will all reside on the NAT vSwitch.

      The problem I have is that once I set PfSense with the IPv4 allocated to me and also its gateway, there is no network communication on the WAN interface. Is there something I am supposed to configure extra within ESXi? Do the VMKernel ports affect the forwarding for the PfSense WAN interface?

      Any help will be greatly appreciated as I have spent ages trying to get this working!

      Thanks :)

      • F
        Fmslick

        Hello rawsi,

        I don't think there is any "configure extra" needed to be done to get communication on the WAN interface in ESXi (but I could be wrong!) & I would NOT put the VMKernel on the WAN side or port it out to be open to the WAN at all, running PfSense / ESXi with one NIC can get complicated…

        Do you have some sort of way to manage the server other than the allocated IPv4 & IPv6 address, something like a management port that the host can provide? This way you can put the VMKernel on that interface.

        We all start same where

        • johnpozJ
          johnpoz LAYER 8 Global Moderator

          yeah you would need to have vmkern on the lan side of pfsense, and then have pfsense open to management on the wan..

          Without at least a temp way to configure this, not sure how you could get it working with just 1 IP and one interface..

          Once it's configured it could work.  vmkern port group on the lan switch with lan IP and port forwards through pfsense to get to it, etc.  But not sure can be done on the fly without breaking your connection.

          So vmkern would start on wan so you can manage esxi.  Create the vswitches and install pfsense – but you would have issue with the 1 IP.. Maybe you could leverage the ipv6 for vmkern on the interface bring pfsense up on ipv4 and then move vmkern to ipv4 on the lan or just leave it running ipv6.

          Can't you add more IPs or interfaces?  At least to get it running?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • R
            rawsi

            Thank you so much for the responses! It's great to have some extra help with this.

            @Fmslick:

            Hello rawsi,

            I don't think there is any "configure extra" needed to be done to get communication on the WAN interface in ESXi (but I could be wrong!) & I would NOT put the VMKernel on the WAN side or port it out to be open to the WAN at all, running PfSense / ESXi with one NIC can get complicated…

            Do you have some sort of way to manage the server other than the allocated IPv4 & IPv6 address, something like a management port that the host can provide? This way you can put the VMKernel on that interface.

            The only methods I have to manage the server are using the IPv4 and IPv6 address that is assigned to me. I am unable to purchase additional IPs either.

            @johnpoz:

            yeah you would need to have vmkern on the lan side of pfsense, and then have pfsense open to management on the wan..

            Without at least a temp way to configure this, not sure how you could get it working with just 1 IP and one interface..

            Once it's configured it could work.  vmkern port group on the lan switch with lan IP and port forwards through pfsense to get to it, etc.  But not sure can be done on the fly without breaking your connection.

            So vmkern would start on wan so you can manage esxi.  Create the vswitches and install pfsense – but you would have issue with the 1 IP.. Maybe you could leverage the ipv6 for vmkern on the interface bring pfsense up on ipv4 and then move vmkern to ipv4 on the lan or just leave it running ipv6.

            Can't you add more IPs or interfaces?  At least to get it running?

            I agree with regards to the ESXi management on the WAN. My plan is to have it on the internal switch with a local address. I have been able to use both the IPv4 and IPv6 when managing ESXi so hopefully that can help get me out of trouble to begin with. The issue that I am having is that I cannot get the PfSense WAN interface to communicate through the physical NIC. I can only assume that the VMKernel port is still somehow affecting this?

            Do you guys know if the ESXi host routes and VMKernel ports affect the PfSense routing?

            Thanks again.

            • johnpozJ
              johnpoz LAYER 8 Global Moderator

              So access esxi vmkern via ipv6, setup pfsense using your ipv4 via its wan.  Then move your vmkern to nat vswitch.

              You have to switch your wan vswitch with vmkern port group sharing the same interface as wan port group.  Then create another vmkern vswitch that you connect to lan side of pfsense.

              • R
                rawsi

                @johnpoz:

                So access esxi vmkern via ipv6, setup pfsense using your ipv4 via its wan.  Then move your vmkern to nat vswitch.

                You have to switch your wan vswitch with vmkern port group sharing the same interface as wan port group.  Then create another vmkern vswitch that you connect to lan side of pfsense.

                Hello and thanks so much for responding again!

                I'm afraid I don't completely follow, would you be able to go into what you have mentioned in a little more detail? I would really appreciate it as I want to make sure I'm not missing anything etc.

                Thanks again :)

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator

                  so setup your vmkern on esxi to ONLY use the ipv6..  On this vswitch you will have port group vmkern and your wan port group connect to your 1 physical interface.  Then setup pfsense via console in esxi to use your ipv4 address on its wan.  I do believe if you only setup 1 interface of pfsense WAN it auto allows access to web gui via wan.  When you setup pfsense with 2 interface you can only access web gui via lan side.

                  So when you have a wan firewall rule to allow gui access add your lan port and connect to your lan vswitch.  At this point you're done to be honest.

                  You can use the esxi firewall to limit esxi access to your source IP for its vmkern so could leave it on our wan.

                  Moving it to the lan side might be a bit tricky.  But I do think you can have more than 1 vmkern connection so you could setup one on lan side of pfsense forward to it on whatever private lan side IP you use..  Once that is working you could turn off your wan side ipv6 vmkern connection.

                  Concerns with this setup is if pfsense crashes or esxi crashes - how are you going to get access again?  Since you would lose connectivity to pfsense and then esxi.

                  To be honest there might be better virtualization options than esxi if you're limited to 1 ipv6 and 1 ipv6.. What kind of place only gives you 1 ipv6??  Do you even have ipv6 access where you at so you could leverage the ipv6 address for setup?

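The lock-down described in the post above (ESXi firewall limited to one source IP, then a second vmkernel on the LAN-side vSwitch), sketched as an added example that is not part of any poster's reply. The vSwitch name NAT is from the thread; `vmk1`, the port group name `Mgmt-LAN`, the choice of rulesets and all addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. By default the esxcli commands are only
# printed for review; set APPLY=1 to execute them in the ESXi shell.
# A mistake here cuts off the only management path, so review the dry run first.

run() {                       # print the command; execute only when APPLY=1
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Limit the management rulesets on the WAN-side vmkernel to one source address.
# allowed-all has to be switched off before an allowed IP can be added.
lockdown_wan_mgmt() {         # $1 = admin source address
    [ -n "$1" ] || { echo "usage: lockdown_wan_mgmt <admin-ip>" >&2; return 1; }
    for rs in sshServer vSphereClient; do      # assumed set of rulesets to restrict
        run esxcli network firewall ruleset set --ruleset-id="$rs" --allowed-all false
        run esxcli network firewall ruleset allowedip add --ruleset-id="$rs" --ip-address="$1"
    done
    run esxcli network firewall ruleset allowedip list    # confirm the result
}

# Second vmkernel on the LAN-side vSwitch, reached through pfSense
# (port forward or VPN) once the firewall VM is up.
add_lan_vmk() {               # $1 = private IPv4 address, $2 = netmask
    [ -n "$1" ] && [ -n "$2" ] || { echo "usage: add_lan_vmk <ip> <netmask>" >&2; return 1; }
    run esxcli network vswitch standard portgroup add --portgroup-name=Mgmt-LAN --vswitch-name=NAT
    run esxcli network ip interface add --interface-name=vmk1 --portgroup-name=Mgmt-LAN
    run esxcli network ip interface ipv4 set --interface-name=vmk1 --ipv4="$1" --netmask="$2" --type=static
}

# Constructed sample values (documentation and private ranges).
lockdown_wan_mgmt 2001:db8::10
add_lan_vmk 192.168.1.2 255.255.255.0
```

Keep the WAN-side vmkernel in place until management over the LAN-side one has been confirmed to work.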
                  • F
                    Fmslick

                    Good info @johnpoz, I would say before adding the vmkern to the LAN side maybe setup a VPN with OpenVPN in PfSense ? This way you can just VPN into the LAN side network to manage the server && just lock down the vmkern on the WAN side until needed…

                    ;) Oh and I found this when googling it may help a bit as reference material even though they are using two NICs in this HOWTO
                    https://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.