Pfsense with ESXi and VLANs



  • Hello,

    I have started playing with pfSense a few days back. I have installed it on my ESXi server and I have configured one VLAN (opt1) which is a parent of my LAN interface.



    pfSense runs a DHCP server on the VLAN OPT1. I noticed the following:

    I noticed that if I leave it as it is, the Windows machine (win10_1) does not get an IP address.
    From packet captures (btw, the packet captures are so easy to take and analyze!) I see that the DHCP broadcast arrives at the LAN interface. Hence I tried to bridge LAN and opt1. In this case it works fine.

    Am I missing something? I am not sure if the bridge is really necessary or if I have a fundamental error in my config.

    Thanks for the help!
    cgeo

    Edit: Actually I see the DHCP broadcast arriving also on the opt1 interface, but there is no reply if it is not in bridge mode.
    The firewall is disabled temporarily until I sort this out.


  • Rebel Alliance Global Moderator

    What are you trying to accomplish with this VLAN? Is it going to the physical world? If it's just in ESXi, why do you need a VLAN? Just create another NIC on another vSwitch and put those VMs on the same vSwitch. You only need a VLAN when you're working with those VLANs in the physical world.



  • For the time being I am playing with it. But in the future it will be connected to the physical world.
    I just wanted to know if the behavior I am seeing is normal or if there is something fundamentally wrong in my config.

    Regards,
    cgeo


  • Rebel Alliance Global Moderator

    Well, it depends on what you're trying to accomplish. You have a VLAN tag of 20 on your one port group, which I'm not sure why?? And then 4095 on your other port group, and then tied to a physical NIC that I have no idea what its port settings are.

    What are you bridging??

    If you want pfSense to tie 2 networks together on ESXi, then create another vSwitch and put a vNIC for pfSense in that vSwitch, while it has another vNIC in another vSwitch. You do not need to tag anything for that to work. As I stated already, you only need to tag that traffic as it enters the physical world. You can use different vSwitches just like they were real, physically different switches.

    Looking at your config I have no clue what you're trying to accomplish, but I don't see how those VMs on that port group would even talk to pfSense.



  • @cgeo:

    Hello,

    I have started playing with pfSense a few days back. I have installed it on my ESXi server and I have configured one VLAN (opt1) which is a parent of my LAN interface.

    Am I missing something? I am not sure if the bridge is really necessary or if I have a fundamental error in my config.

    Thanks for the help!
    cgeo

    Probably.

    If you intend to put the VMs behind the pfSense LAN, then add a virtual NIC to the pfSense VM and attach it to the vSwitch with the VLAN 20 tag. This will show up as a VMX interface in the pfSense VM, which you can then assign to 'LAN'.

    Your 1st VMX NIC would then be 'WAN' on pfSense.

    Note that when you do it this way, pfSense doesn't see the VLANs; these tags are automatically added/removed at the vSwitch level.



  • Hello,

    Thanks for the comments. What I am trying to do is to simulate a physical network. So typically you separate traffic using VLANs, and in order for the traffic from one VLAN to be routed to another it needs to go via a router (in this case pfSense). So ideally I wanted to have several VMs in different VLANs and have pfSense route traffic between them if needed. For educational purposes in the beginning. I did not add it in the screenshots, but I also have another vNIC of pfSense (WAN interface) connected to another vSwitch.

    I still do not know why this should not work. I have simulated a trunk port by using VLAN 4095 and I do see the broadcast packets coming to pfSense from a Windows machine requesting an IP address from the DHCP server attached on the opt1 interface tagged with VLAN 20. But pfSense does not reply to it unless I bridge the LAN and OPT1 interfaces, which does not seem right to me.

    I know that I have them attached to two vmnics, but it should not matter, right?
    Please let me know if you have any ideas as to why this does not work, or if you need any additional info to help me.

    Thanks!



  • I think I have found the issue. It was rather simple. I had mistakenly assigned VLAN 20 to the LAN interface and not to the opt1 interface.

    Once I assigned VLAN 20 to opt1, the Windows machine received its IP address from pfSense.
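An added illustration of why the fix above works (this is example code written for this page, not code from the thread or from pfSense): on a trunk port group (VLAN 4095) the 802.1Q tag reaches the firewall VM intact, and pfSense hands each frame to whichever interface is bound to that tag, so a DHCP Discover tagged 20 is only answered if the interface carrying tag 20 is the one running the DHCP server. The interface names (vmx1, LAN, OPT1) and the assignment tables are assumptions modelled on the thread.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def parse_frame(frame: bytes):
    """Parse an Ethernet II frame with at most one 802.1Q tag.
    Returns (dst, src, vlan_id, ethertype, payload); vlan_id is None when untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF            # VID is the low 12 bits; PCP/DEI ignored
        etype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return dst, src, vlan_id, etype, frame[offset:]

# Assumed assignment after the fix: untagged frames on vmx1 belong to LAN,
# frames tagged 20 (vmx1.20) belong to OPT1, which runs the DHCP server.
CORRECT = {None: "LAN", 20: "OPT1"}
# Assumed assignment from the original mistake: tag 20 bound to LAN instead.
MISTAKE = {20: "LAN", None: "OPT1"}
DHCP_SERVER_ON = {"OPT1"}

def receiving_interface(frame: bytes, assignments):
    """Which pfSense interface receives the frame after the trunk delivers it."""
    _, _, vid, _, _ = parse_frame(frame)
    return assignments.get(vid)           # None: no interface bound to that tag

def dhcp_answered(frame: bytes, assignments, dhcp_ifaces=DHCP_SERVER_ON):
    """True only if the frame lands on an interface that runs the DHCP server."""
    return receiving_interface(frame, assignments) in dhcp_ifaces

def build_broadcast(vlan_id, payload=b"\x00" * 46):
    """Constructed broadcast IPv4 frame (stand-in for a DHCP Discover)."""
    hdr = b"\xff" * 6 + bytes.fromhex("005056aabbcc")  # constructed source MAC
    if vlan_id is None:
        return hdr + struct.pack("!H", 0x0800) + payload
    return hdr + struct.pack("!HHH", TPID_8021Q, vlan_id, 0x0800) + payload

if __name__ == "__main__":
    discover = build_broadcast(20)
    print("mistake:", dhcp_answered(discover, MISTAKE))   # False: lands on LAN
    print("fixed:  ", dhcp_answered(discover, CORRECT))   # True: lands on OPT1
```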