Setting up vSwitches for transparent bridging VM advice needed
Hello everybody,
I've posted an (overly) detailed explanation of my actual setup in another thread, but since I have not received any replies (truth is that the description is overly informative, but hard to decipher) I'm posting some different questions here.
In the past I've successfully used a pfSense VM as a filtering bridge (not firewall), utilizing the ESXi (5.5) host's two physical NICs. To accomplish that we used two vNICs for the VM and two corresponding vSwitches (LAN/WAN). Each vSwitch was obviously connected to a different port of a physical switch. The extra step needed was to allow promiscuous operation on the port group of each vSwitch.
On the same host a number of VMs were running alongside the pfSense VM, and all of them shared the same 2 NICs.
My question is: if I instead had a single physical NIC (and, thus, a single port on the physical switch) could I perform this filtering as well? My idea would be to:
- set the port on the physical switch to be trunked (LAN/WAN VLANs),
- have a single vSwitch utilizing the physical NIC,
- have all port groups on that vSwitch, albeit VLAN tagged (LAN or WAN)
- place the two vNICs of pfSense on the LAN and WAN port groups
Would this setup work? I believe a possible issue that could arise is that since a filtering bridge transmits data that it receives on all ports, it could receive data from its LAN vNIC and transmit it to its WAN vNIC. That would pass to the WAN port group and then to the (single) physical port of the physical switch. Could this generate a port loop (and hence RSTP would kick in, blocking traffic)?
Can you find a fault with this approach, or suggest something else to do entirely considering that a single physical NIC is available for all traffic?
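The single-trunk layout sketched in the bullets above, written out as a PowerCLI script so the individual settings (one vSwitch, VLAN-tagged port groups, promiscuous mode on each group, one vNIC per group) are explicit. This is an added example, not the poster's configuration; the host name, uplink `vmnic0`, VLAN IDs 10 (LAN) and 20 (WAN) and the VM name `pfsense` are assumptions.

```powershell
# Assumed values; replace with the real host, uplink, VLAN IDs and VM name.
$HostName = 'esxi-host.example.local'
$Uplink   = 'vmnic0'          # the single physical NIC, trunked on the switch side
$LanVlan  = 10                # constructed VLAN ID for the LAN side of the bridge
$WanVlan  = 20                # constructed VLAN ID for the WAN side of the bridge
$VmName   = 'pfsense'

$vmhost = Get-VMHost -Name $HostName

# One standard vSwitch carrying all traffic over the single uplink.
$vs = New-VirtualSwitch -VMHost $vmhost -Name 'vSwitchTrunk' -Nic $Uplink

# Two port groups on that vSwitch, each tagged with its own VLAN.
$lanPg = New-VirtualPortGroup -VirtualSwitch $vs -Name 'LAN' -VLanId $LanVlan
$wanPg = New-VirtualPortGroup -VirtualSwitch $vs -Name 'WAN' -VLanId $WanVlan

# A transparent bridge must see frames for other MACs (promiscuous) and send
# frames with source MACs that are not its own (forged transmits). Standard
# vSwitches accept forged transmits by default; set both explicitly anyway.
foreach ($pg in @($lanPg, $wanPg)) {
    $pg | Get-SecurityPolicy |
        Set-SecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true | Out-Null
}

# Put the bridge VM's two vNICs on the LAN and WAN port groups.
$vm = Get-VM -Name $VmName
New-NetworkAdapter -VM $vm -Portgroup $lanPg -Type Vmxnet3 -StartConnected | Out-Null
New-NetworkAdapter -VM $vm -Portgroup $wanPg -Type Vmxnet3 -StartConnected | Out-Null

# Review what was configured: VLAN per port group and the effective security policy.
Get-VirtualPortGroup -VirtualSwitch $vs |
    Select-Object Name, VLanId,
        @{N = 'Promiscuous'; E = { ($_ | Get-SecurityPolicy).AllowPromiscuous } },
        @{N = 'ForgedTx';    E = { ($_ | Get-SecurityPolicy).ForgedTransmits } } |
    Format-Table -AutoSize
```

Because both port groups share one uplink, every frame the bridge forwards from LAN to WAN leaves the host on the same physical port it arrived on, only re-tagged to the other VLAN, so the switch-side trunk configuration (which VLANs are allowed, and how spanning tree treats that port) is what decides whether the loop concern above materialises.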