Second LAN not working

the_only

I've got the following network diagram:

Network diagram showing an ESXi Server with four NICs: NIC0 and NIC1 are attached to one VM, pfSense, as "WAN" and "OPT1", respectively; NIC2 is attached to an internal "vSwitch0", which is attached to the pfSense VM as "LAN". Externally, NIC0 attaches to the WAN, NIC1 attaches to a cheap SOHO Wi-Fi Router, and NIC2 attaches to My PC.

To configure OPT1, I did the following:

Added a static address for pfSense on it, in a different subnet from LAN
(192.168.0.1/24 vs 10.172.16.1/24)
Enabled a DHCP server on it, for the appropriate subnet
Copied the Default allow LAN to any rule over to it
Saved, applied, rebooted

However, I cannot get connectivity on OPT1. When connecting my PC to it to test, I get a DHCP lease, but cannot even ping its given gateway.

How is one supposed to configure a second LAN?

(If I go into pfSense and I assign NIC1 to LAN and vSwitch0 to OPT1, then NIC1 has connectivity, and all the VMs lose it; that is why I suspect the problem lies in my configuration of pfSense and not with a hardware problem or problem within ESXi.)

KOM

@the_only Don't you have to create another vSwitch, map your NIC1 to it, then use that network for your VM's OPT1 NIC? And why are you using 192.160.0.0 subnet? That's not rfc1918 address space.

the_only

why are you using 192.160.0.0

Ah, that's a typo — I did not make this mistake in pfSense, and have updated the OP. Thanks!

Don't you have to create another vSwitch, map your NIC1…

Like NIC0/WAN, I did not bother creating a vSwitch for NIC1/OPT1 since it's only going to have one device attached to it.

(In any case, if I assign NIC1 to LAN and VMX0 to OPT1, then NIC1 has connectivity and the virtual interface doesn't. My issue is not a hardware one; it's in getting OPT1 per se to work.)

KOM

@the_only I've always used switches per port or port group and I've never had any problems with interfaces. How do you even map a specific NIC to a VM without using a switch?

the_only

@kom said in Second LAN not working:

How do you even map a specific NIC to a VM without using a switch?

The thick green lines in the diagram denote PCIe passthroughs.

The catch is, NIC1 works perfectly when I assign it to be the LAN, but when I do that, I then can't get connectivity for the VMs on vmx0/vSwitch0/OPT1.

KOM

@the_only I wondered if you were using NIC passthrough but I don't know much about that as I've never used it. It sounds from your description that you've done everything correctly. Next step is to post screenshots of your OPT1 config and rules to make sure you did what you think you did.

the_only

Next step is to post screenshots…to make sure you did what you think you did

Roger that:

(I have done this fresh from a factory-reset installation to ensure no config cruft could have gathered, a few times, and I could not figure out why it's not working.)

KOM

@the_only That all looks good to me. Do you actively use IPv6?

the_only

@kom Not particularly at this time, but…

I found the problem (leaving it unspoilered for quick notice of those skimming this thread):

Screenshot from 2021-05-15 08-48-26.png

Changing that to OPT1 net fixed it: the interface and network don't automatically get linked, you have to change them both when copying the rule.

KOM

@the_only I thought you still had NIC1 plugged into LAN, not OPT1. Glad it's working for you now.

the_only

Log in to view

Wow, apparently Netgate login-gates images.

For logged-out users, here's what firewall rule you've got to create (I recommend clicking the "Copy" icon on the existing rule on the LAN tab):

Action: Pass
Interface: OPT1
Address Family: Any (IPv4+IPv6)
Protocol: Any
Source: OPT1 net [this is what I'd forgotten to set]
Destination: any
Description: Default allow LAN to any rule