What am I doing wrong? install on ESXi 5.1 failing
-
Hi,
I have a frustrating problem with pfSense; it's probably something silly but it is driving me nuts.
I am trying to change my router/firewall from Sophos UTM to pfSense to enable full NAT on multiple Xboxes in the LAN.
The Sophos installation is working fine on an ESXi 5.1 VM running on an HP Microserver N54L. I have seen quite a few tutorials on how to install pfSense in this type of environment which seem to be straightforward enough. However, the basic install I have done does not allow anything through to the internet.
Here is a brief description of what I have done, hopefully something obvious will jump out!
ESXi networking was already set up from the Sophos install, so nothing to do there really.
1. Access ESXi via the vSphere client, shut down the Sophos box.
2. Create a new VM for pfSense, 2 NICs etc. (check the MAC address of the WAN and LAN NICs for reference).
3. Default install of pfSense onto the new VM.
4. Set the WAN and LAN interfaces, no gateway on LAN (using the same IP address as the Sophos box as I have a few things with static IPs), set up DHCP on the LAN.
5. Log onto the web configuration, go through the initial setup, taking defaults for the WAN, changed the hostname and domain only (home.com?).
6. Reboot and then nothing can access the internet! All interfaces are reported as up. The router is getting an IP from the cable modem and I can ping that address OK, however I cannot ping the cable modem. The DHCP server on pfSense is working OK.
I have tried changing various settings, mainly around DNS (currently using 8.8.8.8 and 8.8.8.4), but nothing seems to make a difference.
According to the logs only 5% of traffic is being passed through the firewall, 95% blocked. It appears that the 5% going through are the TCP SYN packets but the TCP ACK packets are being blocked. Is there something simple I have missed? All the tutorials I have read/seen seem to suggest installing as standard and it should work straight out of the box as far as general internet access goes.
Any help would be greatly appreciated.
Paul. -
Is your WAN getting a public IP or a private IP (RFC 1918, https://en.wikipedia.org/wiki/Private_network)?
In case of a private IP: Interfaces -> WAN -> uncheck "Block private networks".
Also, if you plan on using the vmx3 drivers: update to >= ESXi 5.5u2.
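The public-vs-private WAN check the reply above asks about, as an added example that is not part of any post in this thread: it classifies a WAN address as public, RFC 1918, CGNAT or bogon and flags the case where pfSense's "Block private networks" WAN setting would collide with a private upstream address. The sample addresses and the function names are constructed placeholders (the thread only gives 82.x.x.x).

```python
import ipaddress

# RFC 1918 ranges, which is what pfSense's "Block private networks" WAN
# option filters (bogons are a separate option).
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Carrier-grade NAT range (RFC 6598): handed out by some cable/LTE ISPs,
# not RFC 1918, but still not a routable public address.
CGNAT_NETWORK = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Return one of: public, rfc1918, cgnat, bogon (IPv4 only)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this helper classifies IPv4 WAN addresses only")
    if any(ip in net for net in RFC1918_NETWORKS):
        return "rfc1918"
    if ip in CGNAT_NETWORK:
        return "cgnat"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "bogon"
    return "public"


def wan_filter_advice(addr: str, block_private_networks: bool = True) -> dict:
    """Flag a WAN address that is itself RFC 1918 while the WAN rule
    blocking private source networks is still enabled (double-NAT case)."""
    kind = classify_wan_address(addr)
    conflict = block_private_networks and kind == "rfc1918"
    return {"address": addr, "kind": kind, "block_private_conflict": conflict}


if __name__ == "__main__":
    # Constructed sample values: a stand-in for the 82.x.x.x address in the
    # thread, and a typical modem-side private address for comparison.
    for sample in ("82.0.0.1", "192.168.100.10", "100.64.1.2"):
        print(wan_filter_advice(sample))
```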
-
Hi, thanks for the quick reply.
The IP on the WAN is a public one, 82.x.x.x; it's not the exact same address as on the Sophos box (in use now), but the modem was restarted to enable Sophos to get an IP.
I am using the E1000 NIC in ESXi. Thanks
Paul. -
You do understand that FreeBSD 10.1 (which current pfSense is based on) is not supported by VMware until 5.5u2?
While you may or may not get it to run.. it's not a supported combination. Also, are you trying to install the native VMware tools?
You mention home.com - so this doesn't seem like a production system. I have to wonder why you're on such an OLD version of ESXi?? 6u1 is current..
-
You do understand that FreeBSD 10.1 (which current pfSense is based on) is not supported by VMware until 5.5u2?
While you may or may not get it to run.. it's not a supported combination. Also, are you trying to install the native VMware tools?
You mention home.com - so this doesn't seem like a production system. I have to wonder why you're on such an OLD version of ESXi?? 6u1 is current..
Actually, no, I didn't realise FreeBSD 10.1 required ESXi 5.5, doh!
Thanks for the pointer, I'll need to update ESXi first I guess. Never updated it previously as it was a case of "it's working fine, so no need to change"; I need to log into VMware and download the zip file. Thanks, hopefully that'll solve it.
Paul. -
Keep in mind that on the newer versions of pfSense, if using the vmx3 drivers, this is now natively supported in FreeBSD 10.1 and there is no need to install the native VMware tools to get the driver. If you do install the native drivers it will break with the checksums enabled.
You can just install the vmtools package on pfSense for the ability to shut down gracefully, etc.
As to updating ESXi: while you can debate the "if it's not broken, don't fix it" methodology, updating ESXi versions adds bug fixes, security fixes and, best of all, features and support for newer versions of OSes.. Since it's FREE and non-critical production that is not limited by enterprise-level change control ;) I don't see any reason why anyone in a home/lab setup would not be running the current version.
It normally takes all of a few minutes to update.. While yes, there is a small downtime on reboot.. I just check https://my.vmware.com/group/vmware/patch#search every couple of months, or when I think of it, for new versions and update as they come out.. Patches normally come out every 1 or 2 months.
-
While technically FreeBSD 10 support was new to ESX 5.5, it works fine on all 5.x versions. Guessing an upgrade isn't going to change anything; it sounds more like a general network config issue somewhere. Though yes, it is best to keep up to date, and maybe there is some kind of issue in whichever version the OP's currently running that's causing the problem, that just seems unlikely.
-
While I agree people have stated they are running current pfSense on older versions of ESXi that don't officially support FreeBSD 10.1, what is the point of doing so in such a setup.. You could very well be chasing an issue that is related to the OS in question not being officially supported.
Once it's on a version that is supported, then you can look into what might be wrong otherwise.
I have been running pfSense on ESXi for quite some time; it's really a clickity-clickity sort of setup without any real issues and straightforward configuration.
-
Thanks for the pointers.
Had a bit of time this morning so upgraded ESXi to 6 and pfSense is now playing nice. Sorted the open NAT for both Xbox Ones so got a happy son too :). Looks like the issue was with the version of ESXi.
I will now go through the rest of the config changes I want to make but no doubt I'll have a few more questions.
Cheers
Paul. -
So you're on ESXi 6u1, which is build 3029758, then.. And all is smooth, great to hear!
So it seems, cmb, that it doesn't actually play all that nice with older versions of ESXi that do not officially support FreeBSD 10.1 ;)
You got the Xbox to show open NAT; you might want to share that in the gaming section.. That sure comes up quite a bit, and there is some really bad advice floating around in there about setting all ports 1-65k to strict NAT.. Which is just nonsense..