PfSense on esxi 6.7, can get it to work propperly.

marcel1988

Hello everyone,
I have been working on my ESXI server for some time, and therefore decided to replace my router with PfSense.
Now I've followed the tutorial at: https://docs.netgate.com/pfsense/en/latest/virtualization/virtualizing-pfsense-with-vmware-vsphere-esxi.html But I can't get it to work.

This is current network setup:
T-mobile Fiber> Media converter> Ubiquiti USG> Network Switch for the rest of the house.
This is the setup I would like.
T-mobile Fiber> WAN port PFsense> LAN port PfSense> Network switch for the rest of the house.

Unfortunately, I run into the following problem, and I can't get it solved.
I followed exactly what the tutorial described:
1.Add two Virtual switches, one for WAN and another for LAN. For uplink select two separate available ports.
2. After creating Virtual switches, click on Port groups tab. On the Port groups tab click on “Add port group”. Add WAN and LAN port groups, each using WAN and LAN switches respectively.

After this I neatly installed PfSense and assigned the interfaces to the ports on the esxi server.
And here I get stuck.

All internet virtual machines are getting internet, but as soon as I connect a network cable to the port which is configured as LAN, no DHCP ip address comes out. Setting a static IP does not work either.

Also I tried the following setup to get it working:
T-Mobile fiber> Ubiquiti USG> WAN port Pfsense (192.168.1.200)
Lan Port PfSense (10.0.0.1)
Again all Virtual machines work perfectly and neatly get an ip range in the 10.0.0.x and can also access the PfSense admin GUI. but as soon as I connect a network cable to the NIC which is indicated as LAN in PfSense, a 169.254.10.189 address comes out.

I would like to hear the mistake I make :)

This is the setup of my ESXI server:
(Updated) ESXi-6.7.0-20191204001-standard (VMware, Inc.)
Dell Inc. PowerEdge T20
2 CPUs x Intel(R) Pentium(R) CPU G3220 @ 3.00GHz
RAM: 27.91 GB
Network nics; 2X RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller

three

Try setting VLAN-ID for LAN port group in ESXI to 4095.

marcel1988

@three
Can you explain why, and what this does?

three

Not really. I came across the same problem. Had VLAN ID set to nothing, except for my VLAN flagged interfaces. But that did not work. Have you tried it?

marcel1988

No, thats not working at all.

I have removed ESXI from the machine and installed Windows Server 2019 as a test.
Then i installed Virtualbox and made a virtualmachine with PfSense.

I attached 2 nic's ( WAN, LAN ) and changed the ip range for the LAN to 10.0.0.1 with DHCPrange 10.0.0.25/10.0.0.200.
It is working instantly.

So i know the the network nics will work in virtualisation.
So why is it not working within ESXI?

three

Is that your setup in esxi like this?

physical port LAN - > virtual switch LAN -> Port group LAN -> VLAN ID empty
physical port WAN -> virtual switch WAN -> Port group WAN -> T-mobile fiber

How are your other virtual machines connected?
And how do they get IPs?
And do they have internet access via pfsense -> WAN -> t-mobile?

marcel1988

@three said in PfSense on esxi 6.7, can get it to work propperly.:

Is that your setup in esxi like this?

physical port LAN - > virtual switch LAN -> Port group LAN -> VLAN ID empty
physical port WAN -> virtual switch WAN -> Port group WAN -> T-mobile fiber

Yes
physical port LAN - > virtual switch LAN -> Port group LAN -> VLAN ID empty
physical port WAN -> virtual switch WAN -> Port group WAN -> T-mobile fiber ( or on the LAN of the USG )

How are your other virtual machines connected?

network adapters on the LAN group

And how do they get IPs?

trough DHCP.

And do they have internet access via pfsense -> WAN -> t-mobile?

Correct.

three

So, all VMs are in LAN and do get IP addresses from pfsense and they are able to connect to internet. That's good but all virtual within ESXI.

Now, when you plug in a cable between your ESXI LAN port on your physical network switch, those devices do not get IP addresses.

Is this switch managed? Any VLAN settings on the particular physical switch port? Have you tried another physical switch port? Have you tried to directly connect a device via cable to your ESXI LAN port?

marcel1988

@three said in PfSense on esxi 6.7, can get it to work propperly.:

So, all VMs are in LAN and do get IP addresses from pfsense and they are able to connect to internet. That's good but all virtual within ESXI.

Now, when you plug in a cable between your ESXI LAN port on your physical network switch, those devices do not get IP addresses.

Is this switch managed? Any VLAN settings on the particular physical switch port? Have you tried another physical switch port? Have you tried to directly connect a device via cable to your ESXI LAN port?

That is correct, all the VM's are getting internet access. But when i put a network cable form the NIC port to a switch, or direct into a client. there is no internet access. The devices are getting a IP adress like: 169.254.10.189.

Same behavior when the cable is plugged into a normal switch.

kiokoman

something must be fucked up, vlan id 4095 means that you set the vswitch as trunk port like you would do in a real switch to let all vlan pass.
169.254 no dhcp lease is offered
if you can pls post some screenshot of your esxi configuration
i'm using VMXNET3 and don't forget to install open-vm-tools
be sure it's the correct physical NIC port

three

I agree, something seems wrong with ESXI setup. Some screenshots could indeed help.

Just to be on the safe side: Your test with Windows Server 2019 and Virtualbox involved the very same machine? On which you are now operating with ESXI? And you are using the very same physical ethernet port for LAN on this machine?

marcel1988

Yes this is the same machine with esxi 6.7 or with Windows server 2019.
First off all let me explain this first.

Since this CPU cant run vt-d i need to disable this at the start with: noiommu in the /bootbank/boot.cfg at the end of the line with kernelopt: http://www.digitalroadies.com/vmware-6-initializing-iov-issues/

By default the realtek nic card is not working within ESXI so i need to install a driver for it:
https://networkguy.de/installing-realtek-driver-on-esxi-6-7/

After that i followed the tutorial: https://docs.netgate.com/pfsense/en/latest/virtualization/virtualizing-pfsense-with-vmware-vsphere-esxi.html for creating the WAN and LAN ports.

i have made a couple of screenshots for you off the settings that i have made on the WAN - LAN and uploaded it here:
https://imgur.com/a/IgPD7DU

Dont mind the link down at the nics, that is correct becuase i have remove the cables.
When i insert the cables the nics are up.

I will make some more screenshot of the settings inside PfSense, and the Ubuntu vm.

marcel1988

Sorry,

The WAN is a wrong setting. this is the right setting for the WAN.
It's the WAN of the vmnetwork of the onboard NIC of the motherboard,

marcel1988

and here are some screenshots.

you can see that the ubuntu instalation on ESXI is working perfectly with internet access.
it running on the DHCP lease of 10.0.0.X.

You can also see that my Windows 10 laptop and my Synology NAS wich are connected trough LAN cable on the NIC are not getting the right IP address. so there is no DHCP.

https://imgur.com/a/ZDUSXnm

three

Are both, network adapter 1 and 2, realteks?

EDIT 1:
Just saw that wan and lan are Realtek, but VMNetwork is Intel.

Need to look again ...

EDIT 2:

At the time it works, does your WAN (Network Adapter 1) is set to VM Network or WAN?

marcel1988

@three

It only works when i set the WAN on VM Network.
When i set it on WAN it wont work.

three

Then it is related to the realteks. You somehow need to validate whether they operate properly in ESXI at all. Another option could be, as mentioned by @kiokoman, to change to vmxnet3 in pfsense-VM-settings of ESXI.

kiokoman

yeah in any case realtek card are never a good choice for this stuff

marcel1988

ok.

In the meantime i have tried to run PfSense directly installed on a SSD.
That is running fine, and working woth both the INTEL nic for the WAN and the realtek as the LAN.

The devices that are attached trough a LAN kabel are getting 10.0.0.X and internet access,
When i tried it with windows 2019 its working perfect without a problem. So i think i need to consider to leave ESXI for what it is. or try a different hyperviser OS.

i only want to use it for:

1x windows server machine
1x firewall machine
2-3 linux machines.

Any thought?

kiokoman

change that realtek card to some intel they are cheap on ebay / amazon after all

three

Exactly what I would recommend as well. It would cost only a few bucks and will work right out of the box with ESXI. Otherwise you need to spend countless hours or days to get into another hypervisor. Do the math to your liking :)

marcel1988

Thank you both for the help :) i will buy a Intel card ;)

I just found one of these: https://ark.intel.com/content/www/us/en/ark/products/184824/intel-ethernet-network-adapter-i350-t4-for-ocp-3-0.html for €20 euro.

Will this one work?

gcu_greyarea

With ESXi have you tried putting the LAN vSwitch and Port Group into promiscuous mode ?

marcel1988

ok so, i bought this https://ark.intel.com/content/www/us/en/ark/products/184824/intel-ethernet-network-adapter-i350-t4-for-ocp-3-0.html inserted it in the ESXI and booted up. It works perfectly.

So now it is running and working like this:

Fiber optic > Ubiquiti USG router WAN > Ubiquiti USG router LAN > network port NIC ESXI WAN > network port NIC ESXI LAN > Network switch and accespoint in the house. ( 10.0.0.X range. ) this is working perfect.

But i want to remove the Ubiquiti usg router so i can setup the fiber optic directly into the WAN port of the NIC of the ESXI.
so i'm working with T-Mobile here in here in the Netherlands. and i have added the VLAN 300 for internet into the PfSense on the interface of the WAN port of the NIC:

Under interfaces > assigment i have put the new VLAN300 into the WAN:

But i dont get a IP from the DHCP server of my ISP provider.

When i set it back on the normal settings, everything is working perfect and i get a 192.168.1.2 from the Ubiquiti USG.

kiokoman

under esxi did you set the vswitch to vlanid 4095 ?

marcel1988

So i need to edit this one:
This is the nic port that is comming from the fiber optic.

And can you tell me WHY i need to add VLAN 4095?

three

This is a specific of ESXI. If empty, VLAN are NOT supported. 4095 allows ALL VLAN numbers from the VM. I still get confused about VLAN, tagged, untagged, etc. But this should work,

kiokoman

indeed 4095 means that you set your vswitch as a trunk port letting any vlan pass through

marcel1988

Yes, this did the trick :)

marcel1988

so after a few day's working perfectly.
it now randomly stops working.

In the PfSense VM i see this:

When i reboot the VM everything works again.
What can this be?

kiokoman

try to reinstall open-vm-tools
maybe do a fsck also

marcel1988

@kiokoman

i have reinstalled the open-vm-tools and nothing changed
what you mean by fsck?

And what about the new update?
i'm now on:

2.4.4-RELEASE-p3 (amd64)
built on Wed May 15 18:53:44 EDT 2019
FreeBSD 11.2-RELEASE-p10

kiokoman

fsck: from console is option 5 and F key ( F: Reboot and run a filesystem check )
and yes, upgrade to 2.4.5

marcel1988

ok now i understand what you mean. i just did that a couple of hours ago and it seems to work again.
What about the update?

after the update i need to reinstall vm-tools again? and another fsck?

kiokoman

nope, no need, make a backup of your config just in case and do the upgrade