Why WAN interface needed DHCP option enabled?
-
@marvosa yes, pfSense is virtualized.
I'm sorry, this is my first experience in drawing a network card. But I see it somehow.
LAN and WAN - its a virtual hyper-v adapters.
WAN - Exnternal virtual adapter - static ipv4. WAN - copy of physical adapter settings.
LAN - Internal virtual adapter, works in sub network 10.xx.xx.xx/24 and use DHCP.
Internet on virtual machines does not work if I prescribe static settings issued by my ISP. But I do not understand what's the matter, if the same settings are registered on the physical Ethernet adapter on the host - everything works fine.
I created another forum topic with a more detailed description of my problem (yes, I know that it is wrong to copy-paste, but initially I did not know what the specific reason was, i'm sorry).
Here more detail: https://forum.netgate.com/topic/142123/pfsense-on-vm-internet-not-working/7
Thank you for help! :) -
The fact you're seeing automatic rules for the 10.x.x.x, LAN, subnet there shows you have the gateway correct when you made that screenshot. But was that using DHCP?
Even if you have the gateway not on the actual interface that would break NAT for clients behind pfSense the gateway should still show as up as long as it responds to ping.
I see you have a gateway on LAN too which can confuse things but since that is not in the auto rules that too looks correct.
I'm not sure why you have obscured the subnet you're using on LAN. It's in the private 10/8 range. No body can do anything with that info and obscuring it just means we can't spot any possible mistakes.
Steve
-
@stephenw10 i'm sorry for incorrect information about my LAN network. My LAN subnet is 10.10.10.1/24. I use this guide for setup my virtual adapters: https://docs.netgate.com/pfsense/en/latest/virtualization/virtualizing-pfsense-with-hyper-v.html
In my case, LAN connection type is Internal, not a private network.
Its looks like:
Ethernet 2 - Network Bridge - vEthernet (Hyper-V Virtual Switch).
Yes, LAN using DHCP. -
Hmm, if you have only on static IP in the 192.x.x.x range when you set the pfSense WAN to use it are you removing it from the host? Only one of those things can use that IP at a time.
Steve
-
@stephenw10 Yes, I am trying to use the same IP address for the host and the pfSense virtual machine. I'm sorry for wasting your time. Tell me, please, in my network pfSense filters only traffic addressed to virtual machines, right? Host not protected by pfSense? And can I implement NAT for pfSense in order not to buy an additional public IP?
-
It is possible to do that, yes. However I'm not familiar with the exact terms used by Hyper-V to do it.
You could just set the host to DHCP since that seems to work. But you might lose connectivity to it. You need to have some out-of-band connection to it to be sure you can revert that change if necessary.
Steve
-
@stephenw10 I'm sorry for disturbing you, will it be possible to implement such a network scheme using virtualized pfSense: Global Nework -> pfSense Firewall (virtualized) -> Host (192.xxx.xxx.xxx) -> Other VMs
Is it realizable? Or required physical gateway on which pfSense installed? -
It is possible to do that.
Pass the physical NIC through to the pfSense WAN interface or a switch connected to it without the host using that NIC directly. Then give the host a virtual NIC in the LAN subnet so it only has connectivity through pfSense.
As I said though I'm not familiar with the exact way that might be done in Hyper-V.
You should probably ask in the Virtualisation sub-forum.
Steve
-
@stephenw10 Thank you very much for help and advice!
-
To keep things straight, and for performance reasons, I'd recommend adding a 3rd NIC at a minimum (if not a 4th) and dedicating 2 NIC's to your PFsense VM. The configuration would look like this:
4 NIC setup
NIC 1 = Assign to vSwitch0, create vMkernel port group used for management, connect to switch
NIC 2 = Assign to vSwitch1, create port group labeled "VM Network", connect to switch
NIC 3 = Assign to vSwitch2, create port group labeled "PFsense WAN", connect to ISP modem
NIC 4 = Assign to vSwitch3, create port group labeled "PFsense LAN", connect to switch3 NIC setup
NIC 1 = Assign to vSwitch0, shared vSwitch for VMkernel port group (Management) and VM Network port group, connect to switch
NIC 2 = Assign to vSwitch1, create port group labeled "PFsense WAN", connect to ISP modem
NIC 3 = Assign to vSwitch2, create port group labeled "PFsense LAN", connect to switchI use ESXi, so you may have to translate the terms into Hyper-V speak.
A 2 NIC setup will work as intended but has to be configured and addressed properly... much like stephenw10 mentioned.
-
This is going to be significantly more difficult because as understand it hyper-v is running on a hosted appliance. Access to it may be limited. Adding NICs is probably not an option.
Steve
-
Thank you all. I setup network, it turned out pretty simple. I thought External Virtual Switch - its a network bridge in Hyper-V, but its works differently. Probably, i dont uderstand how it works - I watched IP conflict, because my public IP (192.xxx.xxx.xxx) belonged to host, at the same time pfSense tried to use it (because of this there was no network on pfSense VM). I delete ipv4 parametr from External VS, create Microsoft Network Bridge for External VS and Ethernet 2 (my physical adapter with public IP). And its works for me! Now i have internet on all my virtual machines. Also, NAT is work. pfSense routes all packets. Tracert gives me the: 10.10.10.1 -> ISP gateway -> google.com (example). Thank you guys! Without your help, I would hardly have succeeded. :) Very friendly forum!
-
Glad it's working!
Just a note for down the road, eventually you will want to remediate your double NAT situation. In other words, have the ISP configure their modem in bridge mode, so PFsense gets a public IP.
