Port forwarding to other virtual machines on same host.


  • LAYER 8 Global Moderator

    Ok running vmware server 2.02 on 2k8 windows box.

    Pfsense
    2.0-BETA4  (i386)
    built on Tue Aug 17 03:29:48 EDT 2010
    FreeBSD 8.1-RELEASE

    So install went fine - host box is on 192.168.1.4/24 vmnet0 (bridged) intel motherboard nic, wan of pfsense is on vmnet2 (bridged) realtek, lan of pfsense was also on vmnet0 192.168.1.250/24.

    Can not get any port forwards to work.. To a copy of vm ubuntu connected to vmnet0, ssh.  Can not forward to host box either, ssh or dns.  But can forward to another physical box 192.168.1.100/24 just fine through the virtual pfsense.

    Outbound internet works just fine from other physical boxes, the host and the virtuals.  Just can not get any forwards to work - unless send off the host machine to another physical box.

    So thinking it might have something to do with all the lan interfaces of the host, ubuntu and pfsense were on the same physical nic connected to vmnet0, I added another nic to the host on vmnet3.. But still can not forward to host machine, or ubuntu with this setup either.  But forwards to physical box works just fine.

    Any ideas??  I would really love to keep running pfsense virtual - but if I can not get forwards to work to other virtual machines on the same host will have to go back to running pfsense on its own hardware.


  • LAYER 8 Global Moderator

    Ok over 100 views and not one response?  Can someone at least verify that they have port forwards working or not working to virtual machines?  I can not believe that with all the people it seems are running pfsense on virtual platforms, and with the tutorial of how to do it based on vmware server that not one person is forwarding ports to either the host or other virtual machines running on the host?

    I have grabbed the 1.2.3 appliance and have it installed - but have not had time to test it yet.. But it seems odd that it is some weird bug in 2 beta, since it works to physical machines off the vm host.

    Just to draw it up so easier to see what I am talking about.

    So I created nat to 192.168.1.6 ssh (auto create firewall rule) - does not work, even though log says it passes.. I ran tcpdump on ubuntu and never sees the traffic.  But I can ping from pfsense to ubuntu, I can ssh to it, ubuntu uses pfsense as its gateway to public net.

    Also created nat to 192.168.1.4 dns – again nothing from outside, but can access hosts dns from ubuntu and pfsense, host is using pfsense as gateway.

    But if I create a nat on pfsense to other physical machine on 192.168.1.100 works just fine.

    So thinking it might be related to being on the same vmnet -- I set it up this way as well.

    But no change – still can access physical from outside using nat on the pfsense, but not the host services or other vm services.

    So can someone please verify if you have port forwards working to host services or other vms - if so how did you do it differently?  Did you have to do some config changes on vmware server?  Or are you like me where the port forwards are not working?


  • LAYER 8 Global Moderator

    164 views and NOTHING… WTF people??  Can you not even comment if you're not doing forwards to your other host or guests?  Something that shows that you at least understand what is happening?

    Is it happening to you?  Do you not forward to host or guests?

    I have tried 1.2.3 - same problem!!  For now I have moved back to physical router so that I can get to the services I need from the outside.. But would LOVE to go back to virtual if someone could tell me what is wrong.

    Thanks!



  • I don't have experience with pfsense in a VM but you sound really frustrated so I may be able to start the troubleshooting thought process with you.

    My question is if you switched to a dedicated Hypervisor like ESXi would you be able to eliminate the problem. The reason I ask is because you are running this VM in Server 2k8 which has a two way firewall, inspection, blah blah blah. My thought: is 2k8 limiting your capability? Sorry I don't have answers but at least it's not you replying to yourself.


  • LAYER 8 Global Moderator

    I would love to move to an esxi setup – I had it somewhat working, but could not access the console once it was.  It's desktop hardware, had to use IDE work around to even get esxi to install..  Does not seem to like the hardware.

    As to the firewall idea -- 2k8 firewall was disabled on all interfaces of the 2k8 box.  Why would it work from pfsense vm console to ubuntu vm on ssh if firewall was blocking it?

    I thought of the 2k8 firewall as well, which is why it was turned off and unchecked from all network interfaces.

    The tutorial is for running vmware server on windows host.. Both 2k3 and XP have software firewalls, etc.  I don't see why it would not work on 2k8 host, etc.  But if someone could verify that they have it working on 2k3 or XP, I would be happy to move the host to that.

    edit: BTW thanks for the post!  At least I know someone is out there and understands I'm frustrated ;)  But I would think there has to be lots of people running pfsense on vm – hard to believe that none of them are forwarding ports to either host or guest?



  • I am not familiar with VMware stuff but I mainly use XEN. But are you sure the nic for ubuntu is dedicated to it? If not it would still be in the virtual bridge which may cause problems. Best is to make it simple first and put it all on one bridge to make sure it's working. Then separate them onto different bridges with different subnets.


  • LAYER 8 Global Moderator

    I don't see how I could make it any clearer with the pictures drawn?

    Yes I am quite sure it is the only thing connected to the vmnet. I don't believe it's possible to give a vm direct access to the nic.. You have to assign it to a specific network.

    As to putting it in its own subnet?  Why would I want to do that – then what's going to route between the segments on the lan side?



  • I too am a Xen fan and all my VMs are run on XenServer.

    Take a look at http://benrobb.com/2007/01/20/howto-port-forward-to-your-virtual-machine/

    Is this in the direction that you were looking for?


  • LAYER 8 Global Moderator

    Thanks for the reply but that has nothing to do with port forwarding to host or other vms when running the router as a vm.

    Really is it that hard to understand?  I thought I was VERY VERY CLEAR to what the problem was, even drawing pictures, etc.

    So on your XEN, do you run pfsense as a VM as well?  And do you forward traffic through your vm router to other vms on the same host?



  • I do run pfsense in Xen, I have several pfsense VMs but I don't do any forwarding like what you are doing, but if I did I would have to create an internal interface on pfsense and the other VMs 'behind' pfsense. The internal network between the pfsense VM and any clients 'behind' pfsense would have to be exclusive. I'm sure there is a way to do it in VMware, I guess since you're not getting the answer you are looking for it might be time to just experiment and mess around until you get it.

    If you do figure it out please post back with your findings.



  • I am sorry for not being any help but I did run into a similar situation with vmware before and I just gave up. I then turned to XEN. Not trying to put vmware down in anyway just I had a hard time understanding it. One of those things that just didn't work with me like my first wife :p.


  • LAYER 8 Global Moderator

    "but if I did I would have to create an internal interface on pfsense and the other VMs 'behind' pfsense."

    Yeah that is a GIVEN… How would I forward to them, if they were not behind the pfsense??

    Again I thought I had made it crystal clear with a drawing -- but guess not?  But I am at a loss to how to draw it any clearer than already shown..

    pfsense vm, to vmnet2 bridged with physical nic connected to cable modem, this is the public interface in pfsense, then its lan side interface is tied to vmnet3, which is bridged with another physical interface on the host machine - this is tied to my local 192.168.1.0/24 network.. So pfsense has a publicIP on its WAN, and then its lan is 192.168.1.250.

    Then another vmnet0 is also tied to my local lan with a different physical nic in the host.  The host has a 192.168.1.4 address on this nic, the ubuntu vm also tied to vmnet0 has an IP address of 192.168.1.6

    So there are 3 physical nics in the host.. ONE is used for the wan interface of pfsense - this is the only thing connected to this virtual switch vmnet2 - connect to cable modem, pfsense gets a public IP (24.14.xxx.xxx).. Its lan interface is then tied to another physical nic which is bridged with vmnet3 -- pfsense is the only thing tied to this vmnet3, and has an IP address of 192.168.1.250

    Now the host is tied to 3rd nic, vmnet0 bridged as well, host has IP of 192.168.1.4, and virtual ubuntu has a 192.168.1.6 IP.

    From the console of pfsense, I can ping and ssh to ubuntu at 192.168.1.6, I can do dns queries to the host IP at 192.168.1.4

    Problem is I can not port forward to either of these IPs..  But I can port forward if to a different physical machine on my 192.168.1.0/24 network.

    This host is not 64bit, latest xen is only for 64bit hardware is it not? - so that's kind of not a possible sort of switch.

    So cougarmaster - you were seeing the same issue with vmware server, so it's not just me ;)  Thanks for that info..

    What I find frustrating is why would they put up a tutorial of running pfsense virtual -- if you can not access any other vms or the host from the internet???  It's an utterly pointless sort of setup if you ask me ;)



  • Not sure if this is any help but try to give a different subnet to each nic may help as I think you are putting all nics on the same subnet which might confuse others and pfsense as to where to route. As each nic to pfsense is a different subnet. Also double check your firewall rules usually it's those places that make life difficult. If not switch to XEN but be prepared for some late night studying :p


  • Banned

    I am running all of my machines in a virtualized environment…I use VmWare ESXi. The difference between ESX and i, is the lack of console.

    On 2008 you need to enable routing and remote access as a service to forward the traffic from the physical nic to the VM. Otherwise 2008 doesn't know where to send the traffic coming in from the interface....have you done that?



  • It's always nice when people reply back to the topic and tell you the fix action for searching purposes.


  • LAYER 8 Global Moderator

    "On 2008 you need to enable routing and remote access as a service to forward the traffic from the physical nic to the VM"

    How is that since 2k8 is not doing any routing nor would I want it to.  It's currently working for traffic going OUTBOUND from all the vms to the internet, and the host to the internet without it.

    Same goes for changing the subnets.. of the nics..  If I did that – then something would have to route!!

    I appreciate the attempted help - but unless you're specifically running vmware server on a windows host, with pfsense as a VM, and you're forwarding to other VMs on the same host as pfsense is running you might as well just not respond.. Or have run this setup in the past?

    It has to be something with the vmware bridging into the physical nic.

    Before I moved back to virtual -- I did this test.

    So on the host running windump I watched for traffic to ubuntu on port 22 on the motherboard nic that is bridged to vmnet0.
    At the same time I'm watching for traffic on the vm's nic inside ubuntu with tcpdump - tied to same physical nic through vmnet0

    So I generate a ssh connection from the outside (my webhost shell account) to my public IP.. The packet travels through pfsense - can see on the firewall log that it passed the traffic.. And changed to go to 192.168.1.6

    Now watching windump which is listening on the vmnet0 nic -- the HOST sees the packet.  But tcpdump running inside ubuntu does NOT.

    So something in the bridge protocol is not passing that packet to ubuntu.

    Now I can hook it back up virtual pretty quickly -- but until someone has some actual advice that makes any sense at all.. It's pointless for me to do so.

    As to 2k8 routing -- What should it route??  Why should I have to put another router behind pfsense to route traffic to another subnet for?  Like I said port forwarding is working through the VM pfsense - as long as it's to a different physical box.. Not the HOST or guests.

    To be honest I find it unlikely it has anything to do with pfsense - cuz I can see that it sent the traffic through.. It seems to be an issue with the vmware server bridging protocol.  Now I have the same question with same details on the vmware boards -- and have not heard squat from that post either.

    Is no one running vmware server with pfsense as virtual on it per the tutorial of how to run pfsense virtual on the pfsense site??
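The two-vantage-point capture test in the last post (windump on the host NIC bridged to vmnet0, tcpdump inside the ubuntu guest, then checking whether the forwarded SSH packet shows up in both) can be turned into a repeatable check that localizes where a forwarded packet is lost: before the host's bridged NIC (pfSense NAT/firewall), between the host NIC and the guest (the hypervisor bridge), or inside the guest (service or local firewall not answering). The script below is an added example, not code from this thread, pfSense or VMware. It parses tcpdump/windump default-format lines; all capture lines, addresses and the MAC are constructed samples, and the 203.0.113.10 source is a documentation address standing in for the remote shell account.

```python
import re
from dataclasses import dataclass

# Matches the default tcpdump/windump line for TCP over IPv4, e.g.
# "21:10:01.000100 IP 203.0.113.10.51234 > 192.168.1.6.22: Flags [S], seq 100, win 65535, length 0"
# Non-TCP lines (ARP, ICMP, DNS summaries) do not match and are skipped.
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Segment:
    """One TCP segment; frozen so retransmits collapse when put in a set."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_capture(text):
    """Return the TCP segments found in a block of tcpdump-style output."""
    segments = []
    for line in text.splitlines():
        m = TCPDUMP_LINE.match(line.strip())
        if m:
            segments.append(Segment(m["src"], int(m["sport"]),
                                    m["dst"], int(m["dport"]), m["flags"]))
    return segments


def diagnose_forward(host_capture, guest_capture, target_ip, target_port):
    """Compare the host-side bridge capture with the guest-side capture for one
    forwarded service and say where the forwarded traffic stops."""
    host_in = {s for s in parse_capture(host_capture)
               if s.dst == target_ip and s.dport == target_port}
    guest_segments = parse_capture(guest_capture)
    guest_in = {s for s in guest_segments
                if s.dst == target_ip and s.dport == target_port}
    # A SYN-ACK from the service ("S." in tcpdump flag notation) proves the guest answered.
    guest_replied = any(s.src == target_ip and s.sport == target_port and s.flags == "S."
                        for s in guest_segments)
    lost_in_bridge = host_in - guest_in

    if not host_in:
        verdict = "not_forwarded"      # nothing reached the host NIC: look at the NAT/firewall rule
    elif lost_in_bridge:
        verdict = "bridge_drop"        # host NIC saw it, guest NIC did not: the virtual bridge
    elif not guest_replied:
        verdict = "guest_no_reply"     # guest saw the SYN but no service/host firewall answered
    else:
        verdict = "ok"
    return {"verdict": verdict, "seen_on_host": host_in,
            "seen_in_guest": guest_in, "lost_in_bridge": lost_in_bridge}


# Constructed sample captures (not real traffic). The host NIC bridged to vmnet0
# sees the SSH SYN (plus one retransmit) that pfSense translated to the guest.
HOST_BRIDGE_CAPTURE = """\
21:10:01.000100 IP 203.0.113.10.51234 > 192.168.1.6.22: Flags [S], seq 100, win 65535, length 0
21:10:02.000200 IP 203.0.113.10.51234 > 192.168.1.6.22: Flags [S], seq 100, win 65535, length 0
21:10:02.500000 IP 192.168.1.4.33000 > 192.168.1.100.80: Flags [P.], seq 1:10, ack 1, win 512, length 9
"""

# Guest capture for the failure described in the thread: only ARP, no SSH SYN at all.
GUEST_CAPTURE_BROKEN = """\
21:10:00.900000 ARP, Request who-has 192.168.1.6 tell 192.168.1.250, length 28
21:10:00.900100 ARP, Reply 192.168.1.6 is-at 00:0c:29:aa:bb:cc, length 28
"""

# Guest capture for a working forward: SYN arrives and sshd answers with SYN-ACK.
GUEST_CAPTURE_WORKING = """\
21:10:01.000150 IP 203.0.113.10.51234 > 192.168.1.6.22: Flags [S], seq 100, win 65535, length 0
21:10:01.000300 IP 192.168.1.6.22 > 203.0.113.10.51234: Flags [S.], seq 500, ack 101, win 29200, length 0
"""

if __name__ == "__main__":
    for name, guest in (("broken", GUEST_CAPTURE_BROKEN), ("working", GUEST_CAPTURE_WORKING)):
        result = diagnose_forward(HOST_BRIDGE_CAPTURE, guest, "192.168.1.6", 22)
        print(name, result["verdict"], sorted(str(s) for s in result["lost_in_bridge"]))
```

Run both captures for the same short window (a single connection attempt from outside, as the post describes) and feed the two text outputs to diagnose_forward; a bridge_drop verdict means the packet was on the wire into the host but never delivered to the guest's virtual NIC, which points at the hypervisor bridge rather than at pfSense.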

