PfSense on ESXI - only one way traffic???
-
Hi
thank you for your reply.
i have already done the steps you have suggested.screenshots attached.
do you have any idea what else maybe missing?
-
If you want pfsense to firewall/route between 2 rfc1918 networks then there is NO reason to nat.. And to be honest to pfsense which one is the wan.. They are really both lan networks.. Does one of them have a gateway to get to Other networks or internet??
In your setup between 2 of your networks they would be seen as 2 lan segments.. And then you just firewall the rules you want between them, there is no NAT between lan networks by default in pfsense.
-
Also ensure that the windows 7 vm firewall doesn't block access. Shut it down or open the ports you want to access.
-
Why do you have 2 vmkerns setup?
So you have 2 internet connections? These 2 routers you mention the tp and the linksys?
I would setup pfsense with these 2 connections as wan if they have internet. I would then setup other vswitches to put your vms in that are connect to your pfsense vm. So pfsense would have 4 interfaces, 2 tied to the real world that connect to your 2 physical networks 192.168.1 and 10.0.0 and 2 tied to different networks on your esxi host so you could put vms in either network and firewall between them. And both of these networks (or more) could leverage your 2 internet connections that pfsense is tied too.
So in a nutshell you end up with something like this. See attached.
You have your 2 wan vswitches, connect a vmkern to wherever network you want. Not sure why you would need more than 1?
Then create as many lan vswitches as you want and connect to pfsense.. Pfsense then firewalls and routes between them without nat. And now you have multiple internet paths and paths into your 2 networks.
You could manage pfsense from its lan side from one of your VMs that you console into via your vmkern connection from whatever physical network you want to, or you could open up one or both of its wan for management to pfsense from either of your physical networks.
-
Hi
thank you so much for taking the time to right an answer and attach a visio…wow...thank you so much!
your point makes sense if it is implemented in 2 direct ISP connected networks.
in my case we have one network (192.168...) that is connected to the TPlink router that is connected to the internet.
the second network (10.0...)is connected to a linksys router but this router has no connection to the internet, it is actually only a switch.
thus, currently, my pfsense uses its 192.168 address as a wan connection and the vm's in the 10.0 network get internet connectivity actually through the 192.168 router \ gateway.i have two kernel ports because i wanted to create a seperation between the two networks and allow them to communicate with each other through pfsense.
what do you suggest in this case?
should i still not use NAT?any suggestion???
i am open for everything at this point -
if your linksys is only a switch why is it on a different network? Are you wanting to use this network for actual physical devices and or wifi devices with that routers wifi?
Are you using wifi off these routers?
If you just have the 1 network to the internet, you can let the tp nat if you want if you wanted to use its wifi, etc.
Then all depends on what you want this other network to be on your esxi other phy nic.. Could be another segment, could be be your vmkern in the same lan segment. There are mutliple ways to skin the cat, comes down to what you want to actually do.
So you could do this. What is it you want to do exactly?? If possible I would not do rfc1918 on pfsense wan, And connect that physical interface just to pfsense wan, with nothing else on it. If you can not, then using rfc1918 and nat is not big deal - just put pfsense wan into the dmz of your tplink.
-
Hi
i love your diagrams!!!
what want to achieve is to simulate the combining of two "separate" networks together.
one network is the 192.168 network and the other is the 10.0 network.
the current topology allows me create these networks with my two routers,
but the 192.168 will have to be "the top level" network since only this network is connected to the internet.
(by the way, wifi is off on both routers, i dont use wifi at all)this requirement "forces" me to enable all vm's in the 10.0 network to some how use 192.168 address as their default gateway.
when i install pfsense i have to chose which network is my wan and which lan. so naturally i am choosing 192.168 as wan and 10.0 as lan.my desired result:
two lan networks (192.168 + 10.0) that are allowing communication between networks.my current result:
two networks that only have a one way communication (10.0 vm's can connect to 192.168 but not the other way around)did i explain my use case better?
again, thank you so much for your time! -
John, what are you using to make your diagrams?
-
i'm guessing microsoft visio
i use it too
-
Sounds like then my 2nd lab1 drawing is what your after. You can have vms on your 10 network, and any other networks you want that are purely VMs.. If you want other networks in the physical world without more interfaces for esxi host you would need switch that does vlans.
You have Vms and physical hardware on your 10 network via vswitch connected to that phy nic. You can bring up as many other networks as you would want to put vms on and just create a new vswitch for that network and new nic for pfsense tied to that vswitch.
As to gateway with your 10 devices, this would be pfsense interface in the 10 network. Since all your networks both your 10 and anything else you would bring up on esxi host are all lan interfaces to pfsense then all you have to do is allow the traffic you want, there will be no natting between them.. Only nat will be when you go what amounts to a transit network (192.168) to get to the internet out the pfsense wan.
This is pretty close to my own setup, but I have more phy interfaces in my esxi host (4) so I have 2 physical lan with 1 having some vlans on it, and then 1 interface in the host just for vmkern (sharing this with a normal vswitch takes a performance hit on the vmkern moving files to and from the datastore) so since I had a port I broke it out on its own. And then 1 that is just wan and tied directly to my cable modem, so pfsense gets public on its wan interface.
Here is my esxi networking. See attached.
So you notice my pfsense (pf22 has interface in every vswitch. The wlan vswitch you will also see is set to 4095 which trunk so that is the pfsense interface that I have pfsense vlans on that correspond to the physical network through to my phy switch, etc..
Your setup since you only have 2 nics one is tied to your internet router that is doing nat, would be nice to just have pfsense do the nat vs double nat but can work with. Then your other phy nic would have your normal physical network and your vmkern, and then you can create as many other vswitches as you would want for other vms - see my dmz vswitch as example.
Yeah use visio for the drawings..
-
Hi
i will try to do it the way you suggested.
thank you so much for your effort! -
Yeah use visio for the drawings..
Hmm, was hoping it was FOSS and not Microsoft.
-
I wish it was foss as well, but have yet to find one that is good as visio. I have tried quite a few of them dia, yEd, pencil project, gliffy is free online one I point to use that post us something like crayons on a napkin ;)
When you use it pretty much everyday at work, its what you get use to.. And if I sent someone a drawing in a different format are they going to be able to read it? etc..
But always on the lookout for a good foss tool that can replace it.. So if you find one please post about it! ;)
-
Continuing to hijack the thread…
yED looks nice. What didn't you like about it? LibreOffice Draw with network shapes from VRT Systems looks promising as well.
I've used Visio in the past but found some of how it operated to be frustrating, especially when it came to aligning lines and connectors. Maybe it's improved since, but I don't want to spend the money to find out.
-
yEd is very nice - should prob spend some more time with it to be honest, but bad habits die hard so I find myself always going back to visio.
As to auto align and connectors there are some free stuff you can add to visio to help with that. The big one for me when doing actual work diagrams is labels on the connectors for the interfaces on each end.. Here is a great free addon
http://www.squaremilesystems.com/products/sms-visio-utils/
My fav part is the network connector
http://www.squaremilesystems.com/products/sms-visio-utils/network-connector/
If you just want the vss of the connector stencil, just send me a pm ;) That way you don't have to fill out their form, etc..
-
Thanks but I'll keep playing with the other two for now. LibreOffice Draw is already on my home box and it seems to do the job. Getting decent network image templates was the stickler, and the VRT stuff seems good enough to me.
-
@KOM:
Thanks but I'll keep playing with the other two for now. LibreOffice Draw is already on my home box and it seems to do the job. Getting decent network image templates was the stickler, and the VRT stuff seems good enough to me.
LibreOffice Draw + VRT is what I use for the diagrams in the pfSense book (now, as I'm updating it), and other places like the Hangouts. Not sure if I've moved any over on the Wiki yet. They are nice shapes with a permissive license so there are no concerns with using them in published diagrams, too.
LibreOffice Draw has lots of room for improvement but it's not too bad these days.
