Esxi Install - Do I make interfaces Trunk or Access ports?



  • I have installed pfsense successfully on a dual nic esxi setup. However I'm new to networking and unsure of how to continue. I have a few vlans in my network. Plan is anytime a PC tries to access the internet, the default route will have to go through pfsense. If pfsense is offline, no traffic will reach the internet because pfsense is not there to continue the traffic.

    My questions are do I make my pfsense part of my router management network, and make it a trunk port that includes all vlan subnets? Or do I make a new vlan just for pfsense, and just make it an access port? Will the above scenario work in either a trunk or access port configuration?

    ![Screen Shot 2018-02-10 at 11.59.17 AM.png](/public/imported_attachments/1/Screen Shot 2018-02-10 at 11.59.17 AM.png)
    ![Screen Shot 2018-02-10 at 11.59.17 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2018-02-10 at 11.59.17 AM.png_thumb)


  • LAYER 8 Global Moderator

    You can create a vswitch on esxi with 4095 set… This allows all tagged vlans to come in without being removed.  Then create vlan interfaces on pfsense VM connected to that vswitch.  Or you could create port groups on your vswitch set to the vlan ID and just add vm interfaces in pfsense (non vlan) connected to those port groups.

    its up to you how you want to do it.  But yes if you have vlans connected to your esxi host interface then that interface would be trunked and your vlans tagged.  Where you identify and handle the tagging is up to you - you can do it with port groups on esxi vswitch or you can do it on pfsense directly.

    So you can see in attached example..

    So the Domotz VM is set to understand vlans - so it has multiple vlan interfaces in the different vlans I carry over this connection.

    The UC is vlan stupid it only sees the untagged vlan on this connection.. In my case vlan id 2

    Mint is the same way it on the untagged vlan..  The pf21 was an old version of pf I fired up for another thread testing nessus.  The other pfsense vm as 1 vm nic em1 and has multiple vlan interfaces riding on that em1 interface in pfsense..

    If you only have 1 physical interface on esxi and it will carry multiple vlans then the switch port would have to be trunked with the specific vlans you want tagged and allowed.  You would only use access ports on your switch if you had multiple interfaces on your esxi host and your traffic into esxi would be untagged.




  • That last paragraph made a lot of sense! Thanks for clearing that up. I think I understand where I have to go in this case.

    Regarding a future project of mine. I spec'd my esxi host more than what I needed PFsense to require. Its a low power, 4 core i5 and has 16 Gb of ram. Its built to always stay on. Id like to take further advantage of the additional ram and 2 cores by adding a domain controller to vsphere. Likely FreeBSD/Linux based for the learning purposes.

    Do you know best practice for a DNS/Domain Controller server when it comes to network design? Id like to stick a domain controller in the same esxi host as PFsense. Its still admittedly a half-baked idea at the moment, but I'd like to setup PFSense today to handle all traffic bound for the internet, with the possibility I may host another server in the same esxi environment for more services like DNS/DHCP/Active Directory. I see Samba is able to active as an AD, so I may be playing around with that.
    https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

    Any reason I couldn't host an AD in the same esxi host? I suppose it all depends on what OS I choose and if it can also handle receiving trunk'd traffic, right?

    I appreciate you helping someone so vague! This is a really fun project and I'm enjoying learning more about network design/configuration.

    Thank you very much!


  • LAYER 8 Global Moderator

    You can host anything you want on your VM setup.. Sure if you want to run Acitive Directory or LDAP.. have at it..


Log in to reply