pfSense on OVH Dedicated with ESXi and one NIC
-
Hi all,
I've done a lot of searching but so far not understanding how to set this up correctly.
I have an OVH dedicated server with one NIC and ESXi 7 installed. I want to put pfSense in between the public IP and the VMs.
On installation ESXi grabbed the public IP address from DHCP. This means so far I would assume we have a public IP on ESXi vSwitch0. Correct me if that's wrong.
Many tutorials talk about needing a failover IP, but I'm not understanding why. I assume if ESXi vSwitch0 has grabbed the public IP, then I would only need to add one virtual switch to hang my VMs off?
Honestly, I'm sure I've got something confused, and it's probably my understanding of ESXi which I have never used with a public IP and one NIC. It's always been behind a physical firewall with physical NICs for each VM. A server with a public IP directly on it is really strange for me, it seems a bit like the old days with software firewalls installed on Windows NT 4.0 or something.
Probably obvious but any help appreciated!
Cheers,
Jay
-
It's not the public IP assigned to your ESXi interface right?
As long as it's not, you should be fine. Add another vSwitch and Port group in ESXi for your VMs, and do NOT assign an uplink NIC to that vSwitch. Connect the pfSense 2nd NIC to this vSwitch and set up the LAN.
This way pfSense will act as the firewall between your LAN and WAN, with the public IP being the one you picked up from DHCP.
If you have a range of IPs available, it's probably still best to set up a static if you want to host any services here. Any additional IPs can be added to pfSense by going to Firewall > Virtual IPs and assigning them here.
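The whole design above depends on the VM-side vSwitch having no physical uplink: if a vmnic ever gets attached to it, the VMs sit on the public network beside pfSense instead of behind it. The script below is an added example, not code from the thread or from Netgate/VMware; it parses the text shape of `esxcli network vswitch standard list` (the sample listing is constructed here, with the switch names `vSwitch0`/`vSwitch1` and the portgroup name `LAN` as assumptions) and reports whether a named vSwitch is isolated, so the check can be scripted on the host after the switch is created.

```shell
#!/bin/sh
# Added example (not from the forum thread): confirm that the vSwitch carrying
# the pfSense LAN has no physical uplink, so VMs cannot bypass pfSense.
# Assumes the output shape of `esxcli network vswitch standard list`.

# Constructed sample of the esxcli listing: vSwitch0 is the WAN/management
# switch with the single physical NIC, vSwitch1 is the LAN switch with none.
SAMPLE_VSWITCH_LIST='vSwitch0
   Name: vSwitch0
   Class: cswitch
   Uplinks: vmnic0
   Portgroups: VM Network, Management Network

vSwitch1
   Name: vSwitch1
   Class: cswitch
   Uplinks:
   Portgroups: LAN
'

# uplinks_of LISTING SWITCH -> prints the "Uplinks:" value for SWITCH
# (empty output when the switch has no uplinks).
uplinks_of() {
  printf '%s\n' "$1" | awk -v sw="$2" '
    /^[^ ]/ { cur = $1 }                  # unindented line starts a vSwitch block
    cur == sw && /^ *Uplinks:/ {
      sub(/^ *Uplinks: */, "")            # strip the key, keep the value
      print; exit
    }'
}

# vswitch_is_isolated LISTING SWITCH -> exit 0 if SWITCH has no uplinks, 1 otherwise
vswitch_is_isolated() {
  [ -z "$(uplinks_of "$1" "$2")" ]
}

# live_check SWITCH -> same test against the real host; only meaningful when
# run in the ESXi shell where esxcli exists (not invoked here).
live_check() {
  vswitch_is_isolated "$(esxcli network vswitch standard list)" "$1"
}

# Run the check over the constructed listing.
for sw in vSwitch0 vSwitch1; do
  if vswitch_is_isolated "$SAMPLE_VSWITCH_LIST" "$sw"; then
    echo "$sw: no uplink, VMs on it can only reach the outside via pfSense"
  else
    echo "$sw: uplink(s) '$(uplinks_of "$SAMPLE_VSWITCH_LIST" "$sw")' present"
  fi
done
```

On the host itself, `live_check vSwitch1` is the command to run after adding the switch; a non-zero exit means an uplink was attached and the LAN is not actually isolated.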
-
@Tactis said in pfSense on OVH Dedicated with ESXi and one NIC:
It's not the public IP assigned to your ESXi interface right?
Yeah I think it is. That's how I'm connecting to it (the public IP). Well at first I wasn't able to, but I enabled the basic firewall (not the Cisco ATA option) in the OVH control panel on that interface, and let port 443 through, then I was able to. This doesn't make a lot of sense either, I would have thought with the firewall off I could connect just as much as if it were on with one port open. I'm flying blind as to how their infrastructure works.
As long as it's not, you should be fine. Add another vSwitch and Port group in ESXi for your VMs, and do NOT assign an uplink NIC to that vSwitch. Connect the pfSense 2nd NIC to this vSwitch and setup the LAN.
This way pfSense will act as the firewall between your LAN and WAN, with the public IP being the one you picked up from DHCP.
I'll do that as I assume I'll need it anyway when I work through it.
If you have a range of IPs available, it's probably still best to setup a static if you want to host any services here. Any additional IPs can be added to pfSense by going to Firewall > Virtual IPs and assigning them here.
It is a static public IP, and I'm not sure why ESXi picked it up from DHCP. I'm also not sure how I could connect to ESXi to manage it in the first instance if it didn't pick it up from DHCP, because if I set ESXi as an internal static IP (like 192.168.0.X or whatever) their basic firewall doesn't seem to redirect ports to different IPs, so I'm pretty sure I wouldn't be able to get to the ESXi server. It's a weird and foreign setup to me.