HPE Proliant iLO network share, Dual-WAN PPPoE gateway issues, SNMP talk, etc!
-
Hi everyone,
I am a newbie to all this, so if you bore with me, I'd really appreciate it…
I have a HPE Proliant DL120 G9 server, that I want to use as a pfsense router. I have installed ESXi 6.0, and am using pfSense 2.2.6. I have a few questions and I'd be grateful if you helped me with them.
I have two NICs installed on this server. One is a 2-port embedded LOM, and the other is a 4-port add-on NIC (known to the server as Flexible LOM).
1. The server uses a management utility software called iLO that enables admins to access the server remotely (from POST to OS). This software shares the NIC and assigns an IP to one port via its own DHCP server. This always shows up on of the vmnics (ordinarily on vmnic1) in ESXi. Since the server physically sits in my home office, I generally (or am assuming that in general) don't need remote management. The downside here is that I want to use vmnic1 as my WAN2, and when I get to the pfSense webconfig, it appears that pfsense is acquiring an IP of 192.x.x.x, whereas I want it to PPPoE to my ISP and acquire an IP from my ISP. My fear is that if I completely disable the iLO network management, could my on-line UPS continue to talk to the server (via its SNMP card) as to tell it when to gracefully shutdown and when to wake-up, or pfSense will take care of that? Remeber that pfSense will be the router assigning IPs to all devices within my LAN.
2. Does it make any difference which NIC is used as em0 for WAN and which for em1 for LAN? I want to use the two ports on the embedded 2-port NICs for my two WANs (so em0 and em1 are WANs, and em2 is LAN). But when I do this, I cannot get em2 to act as DHCP server - or again I do not know how to.
3. When I get to set up my two WANs within pfSense (to do load-balancing, fail-over, and whatnot) the second WAN doesn't give me the option to configure a gateway for it - or I don't know how to. So, the second gateway always shows as "offline." In one video on Youtube, I saw a setup where the guy had set its DSL modem to assign an IP to WAN 2 in pfSense. So, basically, the modem establishes the PPPoE connection, and assigns a local IP address to WAN 2 configured in pfSense. Then, you can set WAN 2 as DHCP client, and assign the second gateway. But, what bothers me about this scenario is that now your connection to the outside world goes through two NATs. Once at the pfSense level, and the second at modem. For example, a 4.2.2.4 packet from outside gets to the modem, retagged to 192.x.x.x, subsequently is delivered to pfSesnse, and finally the packet is delivered from pfSense to my PC to IP of 10.x.x.x. This is not the proper setup, is it? What is the proper setup?
4. If and when the the load-balancing is setup, I am told that accessing banks and other sites that monitor IP connection (this is how it is where I live), midway if the connection switches IP from WAN1 to WAN2 then the bank drops the connection. How can I configure a firewall rule that all SSH or 443 connection to go through only one WAN?
5. I also I have a em3 port, that I want to set on a different subnet (or inside a VLAN) as to act as my hotspot for visitors. What is the best way to go about doing this?
6. Inside ESXi, I have vmnic5 set as a standalone vmkernel so that I can connect to ESXi via vSphere when things go wrong. I also have setup a second vmkernel inside vmnic2 switch (read as em2) on the same subnet as pfSense DHCP server, but I cannot access the ESXi through that route. Any ideas how this can be fixed?
7. One of my ISPs requires MAC address registration (so every time I connect a new router to modem --when in bridge mode-- I have to call them up to release the MAC address so that their system acquires the new MAC address - a true pain in the neck). Should I clone the MAC address at the ESXi level when I am building the pfSense VM, or should I spoof it inside pfSense? Would it make any difference at all?
I know these are too many questions in one place, and each belong to a different sub-forum, so I apologize for posting all in one place. Your help as I said above would be truly appreciated! Many thanks in advance.
-
:-\ 40+ views and not one reply! To say the least, interesting. I managed to solve Q2 and Q3. Most important to me right now is Q4 and Q5, someone please at least drop a line about either one.
-
As far as Q5 (if I understand your requirement correctly), that's specifically what Captive portal is for.
For WiFi hot spots, best suggestion is setup a dedicated subnet (on a separate NIC or VLAN, your choice) install a WAP and turn off it's DHCP.
Let pfSense provide IP's for that subnet and turn on the Captive Portal for that interface.Lots of info on Captive Portal in the Wiki and the Captive Portal board (https://forum.pfsense.org/index.php?board=2.0).
Welcome to pfSense
-
I have a HPE Proliant DL120 G9 server, that I want to use as a pfsense router. I have installed ESXi 6.0, and am using pfSense 2.2.6. I have a few questions and I'd be grateful if you helped me with them.
Is this the HP custom version of ESXi or the regular version?
I have two NICs installed on this server. One is a 2-port embedded LOM, and the other is a 4-port add-on NIC (known to the server as Flexible LOM).
Is there a real and hardware IPMI port? I mean a dedicated one, only for the ILO usage?
Or is this a shared port that can act as the IPMI (ILO) Port or for anything else also?
And what 4 Port NIC is this exactly please?40+ views and not one reply! To say the least, interesting. I managed to solve Q2 and Q3. Most important to me right now is Q4 and Q5, someone please at least drop a line about either one.
One tread with one big question or one thread with many smaller questions would be the best I think!
And like it looks here I am not alone, perhaps this is owed to that circumstance?So in my eyes you could use the quad port NIC for the following parts;
- LAN Port 1 > WAN 1
- LAN Port 2 > WAN 2
- LAN Port 3 > LAN
- LAN Port 4 > WLAN with CP
Then you can be easily use the both onBoard LAN Ports as your IPMI (ILO) Port and the other for the
APC USP to secure the entire server. This would be not harming anything or build a security hole in.2. Does it make any difference which NIC is used as em0 for WAN and which for em1 for LAN? I want to use the two ports on the embedded 2-port NICs for my two WANs (so em0 and em1 are WANs, and em2 is LAN). But when I do this, I cannot get em2 to act as DHCP server - or again I do not know how to.
In normal you would be able to use all kind of LAN Ports for all things you want, only if some problems
occurring and can´t solved out, only in this situations it can be wise to use the em driver as the WAN
interface instead of the igb(4) driver, but not at the start more if something goes wrong and can´t be
solved out. But why creating problems and then try out fiddling them out?3. When I get to set up my two WANs within pfSense (to do load-balancing, fail-over, and whatnot) the second WAN doesn't give me the option to configure a gateway for it - or I don't know how to. So, the second gateway always shows as "offline." In one video on Youtube, I saw a setup where the guy had set its DSL modem to assign an IP to WAN 2 in pfSense. So, basically, the modem establishes the PPPoE connection, and assigns a local IP address to WAN 2 configured in pfSense. Then, you can set WAN 2 as DHCP client, and assign the second gateway. But, what bothers me about this scenario is that now your connection to the outside world goes through two NATs. Once at the pfSense level, and the second at modem. For example, a 4.2.2.4 packet from outside gets to the modem, retagged to 192.x.x.x, subsequently is delivered to pfSesnse, and finally the packet is delivered from pfSense to my PC to IP of 10.x.x.x. This is not the proper setup, is it? What is the proper setup?
Hmm, how to start here right? If you want to do a load balancing you need a minimum of two WAN interfaces
and there fore you should create also two WAN groups each sorted right with a gateway, so called gateway groups. And in normal you will be connect one modem at each WAN port. A pure modem is not doing SPI &
NAT!!!!! It is a bride device and don´t do any routing, DHCP and SPI/NAT. Only a real router with an internal
modem will do SPI & NAT, but often this routers will be able to set up in the so called "bridge mode" and then
this routers are also acting as a pure modem without doing any kind of NAT or SPI in front the pfSense firewall.Only if you are placing a real router in front of the pfSense that will be not able to set up on the bridge mode
it will be a so called double NAT, but then you will loose only 3% - 5% of the full throughput and this would
be not really urgent in normal, if you don´t want to terminate VPN connections at the pfSense firewall.4. If and when the the load-balancing is setup, I am told that accessing banks and other sites that monitor IP connection (this is how it is where I live), midway if the connection switches IP from WAN1 to WAN2 then the bank drops the connection. How can I configure a firewall rule that all SSH or 443 connection to go through only one WAN?
You will be able to load balance the entire traffic by using more then one method.
- session based routing (this is more for server traffic balancing)
- policy based routing (this could be taken also to direct the SSH traffic through one WAN Port)
- service based routing (this would be right for the SSH traffice to go through one WAN port)
5. I also I have a em3 port, that I want to set on a different subnet (or inside a VLAN) as to act as my hotspot for visitors. What is the best way to go about doing this?
Routing is the goal and way to go with in my eyes. Please don´t bridge ports together and ask
then why the;- ports are flapping
- packet loss is growing
- latencies are even gain or high up
- packet drops and connectivity is lost
Or something else. I would suggest to go with routing instead of bridging ports together.
7. One of my ISPs requires MAC address registration (so every time I connect a new router to modem –when in bridge mode-- I have to call them up to release the MAC address so that their system acquires the new MAC address - a true pain in the neck). Should I clone the MAC address at the ESXi level when I am building the pfSense VM, or should I spoof it inside pfSense? Would it make any difference at all?
buy a real modem that fits your needs and Internet connection like the Draytek Vigor 130, as an example
this could be truly and real turned into the bridge mode and will be only one time registered with its MAC
address by your ISP. And then you could install behind of them all you need and want. Either pfSense or
any other kind of router or firewall. So why spoofing a MAC address?