Struggling with front-ending my vSphere environment with pfSense...



  • Hi all,

    I'm struggling a bit with setting this up; I'm afraid this may be just as much a question about vSphere as it is about pfSense. Hoping someone can help.

    The diagram below shows my vSphere environment.
    [attached image: Slide1.JPG]

    I essentially have three communities of users I'd like to "segment" my environment with and at the same time offload the firewall and routing functionality from my consumer cable modem.

    I can understand from the diagram below how this could be done physically, but am struggling to overlay this thinking onto my virtualised environment...
    [attached image: Slide2.JPG]

    The desired functionality I would like to have is as follows:

    1. Cable Modem operates in DMZ mode forwarding all to pfSense WAN NIC
    2. pfSense manages 3 independent LAN networks to align with the three communities of users, installed as a VM on esxi-5.domain.com.au
      ..Media Network 192.168.241.x
      ..Hosting Network 192.168.242.x
      ..Other Network 192.168.243.x
    3. pfSense provides services to the LANs such as DHCP, DNS, routing and port-forwarding rules

    Questions...

    1. How do I have virtual machines on each ESXi server “map” to the appropriate network?
      VLANs from pfSense?
      .. Multiple distributed switches mapped to each user community?
      .. How does the above relate to physical NICs in each host?
    2. Can the NICs in the ESXi hosts still all plug into the same 24-port physical switch?
    3. How do you leverage the NICs for the distributed virtual switches?
    4. Would an additional standard switch be required for the WAN port on the pfSense VM? Would this have to be mapped separately to a physical NIC that the cable modem can physically connect to, rather than plugging into the same 24-port physical switch?

    Any help or pointers would be greatly appreciated

    David



  • I would do it with VLANs.

    I would use a direct cable from the modem to an ESX host, and use one NIC on that host for a vSwitch for internet. The rest I would build as VLANs distributed over all ESX servers.
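
A concrete version of the layout the reply describes, as an added example that is not part of either post: an ESXi host-shell script, run on each host, that creates a WAN vSwitch bound to the NIC cabled straight to the modem and a LAN vSwitch with one 802.1Q port group per community, tagged 241/242/243 to match the third octet of each subnet from the question, plus a VLAN 4095 trunk port group for the pfSense LAN vNIC. The NIC names (vmnic0/vmnic1), the vSwitch and port group names are assumptions made for this example; it uses per-host standard vSwitches rather than a distributed switch (a vDS carries the same port groups, defined once in vCenter), and it only prints the esxcli commands unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original thread: lay out one ESXi host's networking the way
# the reply describes, using esxcli from the ESXi host shell.
# Assumed names: vmnic1 is the NIC cabled directly to the cable modem, vmnic0 is the NIC that
# plugs into the 24-port switch; the vSwitch and port group names are made up for this example.
# Dry run by default: commands are printed, and only executed when APPLY=1.
set -eu

ESXCLI="${ESXCLI:-esxcli}"
WAN_NIC="${WAN_NIC:-vmnic1}"   # dedicated uplink to the modem (assumed name)
LAN_NIC="${LAN_NIC:-vmnic0}"   # 802.1Q trunk uplink to the physical switch (assumed name)
WAN_SW="vSwitchWAN"
LAN_SW="vSwitchLAN"

# Community name and its /24 from the question; the VLAN tag is derived from the subnet so
# the port group tag and the pfSense VLAN interface cannot drift apart.
COMMUNITIES="Media:192.168.241.0 Hosting:192.168.242.0 Other:192.168.243.0"

# vlan_tag: third octet of a 192.168.x.0 network, used as that community's 802.1Q tag
vlan_tag() {
    printf '%s' "$1" | cut -d. -f3
}

# run: print the command (dry run) or execute it (APPLY=1)
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# WAN side: its own vSwitch with its own physical uplink, so untagged traffic from the modem
# never shares a switch with tenant VMs.  Only the pfSense WAN vNIC goes on the WAN port group.
wan_switch() {
    run "$ESXCLI" network vswitch standard add --vswitch-name="$WAN_SW"
    run "$ESXCLI" network vswitch standard uplink add --vswitch-name="$WAN_SW" --uplink-name="$WAN_NIC"
    run "$ESXCLI" network vswitch standard portgroup add --vswitch-name="$WAN_SW" --portgroup-name=WAN
    # nothing on this switch needs promiscuous mode, MAC changes or forged transmits
    run "$ESXCLI" network vswitch standard policy security set --vswitch-name="$WAN_SW" \
        --allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false
}

# LAN side: one vSwitch whose uplink is the trunk to the physical switch.  The pfSense LAN
# vNIC sits on a VLAN 4095 (virtual guest tagging) port group and tags 241/242/243 itself;
# each VM sits on the access port group of its community and never sees the other VLANs.
lan_switch() {
    run "$ESXCLI" network vswitch standard add --vswitch-name="$LAN_SW"
    run "$ESXCLI" network vswitch standard uplink add --vswitch-name="$LAN_SW" --uplink-name="$LAN_NIC"
    run "$ESXCLI" network vswitch standard portgroup add --vswitch-name="$LAN_SW" --portgroup-name=pfSense-Trunk
    run "$ESXCLI" network vswitch standard portgroup set --portgroup-name=pfSense-Trunk --vlan-id=4095
    for entry in $COMMUNITIES; do
        name=${entry%%:*}
        net=${entry##*:}
        tag=$(vlan_tag "$net")
        run "$ESXCLI" network vswitch standard portgroup add --vswitch-name="$LAN_SW" --portgroup-name="$name"
        run "$ESXCLI" network vswitch standard portgroup set --portgroup-name="$name" --vlan-id="$tag"
    done
}

wan_switch
lan_switch
```

Two things to check before setting APPLY=1. The ports on the 24-port switch that the LAN uplinks plug into must be configured as 802.1Q trunks carrying VLANs 241 to 243, otherwise the tagged frames are dropped between hosts; with that done, every host's LAN NIC can share that switch, and only the modem-facing NIC on the host running pfSense bypasses it. Because the WAN vSwitch exists on that one host only, pfSense is pinned there unless the other hosts also get a modem-facing NIC. Inside pfSense, the LAN-side vNIC on the VLAN 4095 port group receives tagged frames, so the three networks are defined as VLAN interfaces (tags 241, 242, 243) on that parent interface, each with its own DHCP scope and firewall rules.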