Help with simple configuration



  • Hello,

    I need your help in implementing simple configuration.

    My home network is 192.168.1.0/24. My target is to provide two NAT networks and two isolated networks for ESXi virtual machines. What do I want to achieve? Exactly the same as what VMware Workstation provides: NAT or Host-only network settings.

    1. NAT network 1 - 192.168.10.0/24
    2. NAT network 2 - 192.168.20.0/24
    3. Isolated network 1 - 192.168.100.0/24
    4. Isolated network 2 - 192.168.200.0/24

    Traffic from NAT networks only to internet and back from internet (default gateway to internet 192.168.1.1, my home router)
    Traffic from isolated networks only inside themselves.

    NICs for all of the networks will be virtual ESXi NICs.

    Possibility to administer the pfSense from home network 192.168.1.0/24

    I tried to implement an example NAT network by myself but its settings overrode my home network settings and I temporarily lost connection to my gateway.



  • I wouldn't exactly call that a simple configuration. Are you trying to replace your existing home router with a virtualized pfSense? Or are you planning on running double-NAT config with two routers in series?

    What is your real goal here? Saying "I want it like VMware Workstation" isn't helpful unless someone knows all about VMw and knows how you are using it.



  • I don't want to replace my home router. I want pfSense to provide networking for different virtual machines set up on VMware ESXi. Let's say that pfSense will have one IP address from the home network (physical NIC of the VMware ESXi server) and a couple of virtual NICs connected to provide networking for virtual machines. Each NIC will have its own address scheme.

    VMware ESXi does not provide the possibility to set NAT networks. VMware Workstation provides that option. This is why I mentioned it previously. You are totally right, this is my fault, not everyone has to know it.

    I want to provide a possibility for different virtual machines to reach internet without hitting my home network or another networks with traffic.

    I have created one interface with 192.168.2.0/24 address scheme, added DHCP pool 192.168.2.2-254 to this interface. My laptop from home network acquired IP from this pool...



  • @zanahoria13 said in Help with simple configuration:

    VMware ESXi does not provide the possibility to set NAT networks. VMware Workstation provides that option.

    That was meant for single-user use where you might only have the one network connection to your workstation, so the VM network would be NATed through your workstation. ESXi runs in a different environment where it's expected that you have access to a router and more addresses.

    So, what are you REALLY trying to do? Describe it from a servers and network access perspective, not a pfSense perspective.

    Something like "I have two game servers that I want to NAT to the public Internet, and I have a test lab that I want to isolate from the Internet." Then we can advise you better once we know what your end goal is.


  • Netgate Administrator

    This should not be that difficult. You can define how and what access the 4 internal subnets have using firewall rules.

    You will want to create the pfSense VM with 5 NICs, 4 virtual for the internal subnets and one passed through for the WAN to connect to your home subnet. You should not have a DHCP server running on the WAN which it sounds like you must have done if your laptop pulled an IP from it. You probably want the WAN set static in the home subnet though.

    Steve



  • @stephenw10
    So WAN interface should have IP from my home network?

    I set physical NIC as a WAN with IP address from my home network. I added one virtual NIC. I lose connectivity to admin panel after adding new interface, even without setting IP address to new interface or enabling it. I still can ping any host in my home network from pfSense CLI. Why?


  • LAYER 8 Global Moderator

    @zanahoria13 said in Help with simple configuration:

    I still can ping any host in my home network from pfSense CLI. Why?

    There are no firewall rules that block the firewall from doing anything... So yeah, pfSense itself would be able to ping anything it's connected to, or can get to via route, etc.



  • Excellent. I have created the first NAT interface and set a DHCP pool on that interface. Hosts are acquiring IP addresses. I set the first FW rule on the WAN interface to accept all traffic from the home subnet for pfSense administering purposes (I will restrict it to 1 address). Hosts in the home subnet are not able to ping hosts from the NAT interface and vice versa, of course, no routing set yet. That's great!

    How can I set routing from NAT subnet to the internet without hitting home network with the outgoing and incoming traffic?

    https://i.imgur.com/iwNY6yx.png
    https://i.imgur.com/mkPObZn.png


  • LAYER 8 Global Moderator

    There is no need for routing to be added.. pfSense has a default route, right.. on its WAN... That is how the clients on the LAN side of pfSense would get to the internet.


  • Netgate Administrator

    @zanahoria13 said in Help with simple configuration:

    How can I set routing from NAT subnet to the internet without hitting home network with the outgoing and incoming traffic?

    You don't want to set a route for that. Instead set a block firewall rule on that interface in pfSense above any pass rules to deny access to the WAN subnet. That way clients will only be able to access either public IPs or other local subnets.

    You can also simply omit a pass rule for it.

    Steve
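A first-match model of the per-interface rule sets described in this thread, as an added example (not from the thread, and not pfSense's own code): it uses the subnets from the original post, and the pfSense WAN address 192.168.1.2 and the internet host 203.0.113.10 are assumed placeholders.

```python
# Added example, not from the thread or from pfSense: a first-match model of
# the per-interface rule sets discussed above, using the original post's
# subnets. The pfSense WAN address 192.168.1.2 is an assumed placeholder.
from ipaddress import ip_address, ip_network

HOME = ip_network("192.168.1.0/24")          # home subnet, pfSense WAN side
PFSENSE_WAN = ip_network("192.168.1.2/32")   # assumed static WAN address
NAT1, NAT2 = ip_network("192.168.10.0/24"), ip_network("192.168.20.0/24")
ISO1, ISO2 = ip_network("192.168.100.0/24"), ip_network("192.168.200.0/24")
ANY = ip_network("0.0.0.0/0")

# Per-interface rules as (action, source, destination). pfSense applies
# interface rules top-down and stops at the first match (GUI rules are
# "quick"), so the block for the home subnet must sit above the pass rule.
RULES = {
    NAT1: [("block", NAT1, HOME), ("pass", NAT1, ANY)],
    NAT2: [("block", NAT2, HOME), ("pass", NAT2, ANY)],
    # Isolated: only a pass rule to itself; the implicit default deny on
    # every interface drops anything else (no route or NAT needed).
    ISO1: [("pass", ISO1, ISO1)],
    ISO2: [("pass", ISO2, ISO2)],
    # WAN: admin access to the firewall itself from the home subnet only
    # (narrowing the source to a single admin host is the planned next step).
    HOME: [("pass", HOME, PFSENSE_WAN)],
}

def decide(src, dst, rules=RULES):
    """Return 'pass' or 'block' for a new connection src -> dst, evaluating
    the rules of the interface the packet arrives on."""
    src, dst = ip_address(src), ip_address(dst)
    iface = next((n for n in rules if src in n), None)
    if iface is None:
        return "block"               # not on any pfSense interface
    for action, s, d in rules[iface]:
        if src in s and dst in d:
            return action
    return "block"                   # default deny when nothing matches

if __name__ == "__main__":
    checks = [("192.168.10.5", "203.0.113.10"),    # NAT1 -> internet
              ("192.168.10.5", "192.168.1.20"),    # NAT1 -> home subnet
              ("192.168.100.5", "192.168.100.9"),  # ISO1 -> ISO1
              ("192.168.100.5", "203.0.113.10"),   # ISO1 -> internet
              ("192.168.1.50", "192.168.1.2"),     # home -> pfSense admin
              ("192.168.1.50", "192.168.10.5")]    # home -> NAT1 host
    for s, d in checks:
        print(f"{s:>14} -> {d:<14} {decide(s, d)}")
```

The model covers new connections only; replies to allowed traffic ride on pf's state table, which is why no inbound pass rule is needed on WAN for NAT clients reaching the internet.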

