PfSense - ESXi 4.1 - 4 NICs?



  • Hello,

I've read a lot of the posts on here regarding how to get pfSense working as a VM with 2 NICs. However, I can't find anything about 4 NICs. I have the dual Intel NIC card I purchased for my hardware pfSense box - can I not install this in my ESXi host and dedicate the Intel dual NIC to pfSense - one for WAN, one for LAN - and then use the other two NICs in the host for LAN traffic? This would seem to me to be the most obvious and safe solution, but I am concerned I am missing something about the 2 NIC option. I do not need a DMZ.

    Thanks for any advice

    Jon



  • If VMware cannot see the NIC and the system does not support hardware pass-through it won't work. An alternative would be if you happen to have a managed switch handy, at which point you could tag your single network card and run multiple VLANs across it to your heart's content.



  • As long as ESXi recognises the card, and you see the ports in the management console, you can assign them to any machine you want, and wire them, physically, and logically, how you want them.

    Cheers.



  • Thank you. Is there any benefit (security- or performance-wise) to having 2 physical NICs dedicated to pfSense rather than a logical setup?

    Jon


  • Are you running on bare metal or in a VM on a Windows/Linux box?



  • Currently bare metal with 2 dedicated Intel NICs. Planning to go virtual with ESXi. Pondering if I should put the Intel NICs in the host or just make logical ones using the two that are there already.

    Jon


  • You can emulate E1000 NICs in a VM, so just use the ones there, and if you need more, then VLAN them. :)



  • Hello,

    Thanks for the help so far. Attached is a drawing taken from a screenshot in ESXi. Is this the correct vSwitch config for pfSense? Do I need to edit any of the settings inside the vSwitch?

    Jon



  • You need to attach the pfSense VM to the VMnic1 port group.



  • Supermule, thanks for bearing with me. Like this then?

    Do I need to allow 'Promiscuous' mode on either the LAN or WAN?

    Jon

    ![Screen shot 2010-10-26 at 1.47.04 PM.png](/public/imported_attachments/1/Screen shot 2010-10-26 at 1.47.04 PM.png)


  • Promiscuous mode is for changing the vSwitch into a hub, so it distributes the traffic to all ports. Not good in most setups.

    Not good in this one either, since you have your vmkernel network and management network on the same switch.

    It's not good network practice, and I would use VLAN tagging on the vSwitch to override the most obvious attacks that can occur. I know it's on your LAN side, but I hate it when the kernel network is on the same VLAN ID as the main FW.



  • Hi nojstevens,
    I run 2 ESXi 4.1 hosts with 4 NICs each (2 unsupported cards). The two machines are built with exactly the same specs:
    CPU - 2 quad-core Xeon (giving me 8 processors)
    MEM - 26 GB
    HDD - 3 x SAS 300 GB + 5 x SAS 1 TB, 2 x RAID 5
    MB - Intel Server
    NIC - 2 onboard + 2 x D-Link (unsupported according to VMware, but hand-built)
    I use the 2 onboard NICs for WAN traffic and the 2 PCI for LAN.
    The server has 4 VMs built:
    1. pfSense
    2. Zimbra mail server (Linux)
    3. AVG server (MS 2008 R2)
    4. Backup server (Linux - in-house written)

    Now regarding "Promiscuous mode": in your vSphere client console, click on CONFIGURATION/NETWORKING/PROPERTIES, choose your VM Network under PORTS and untick Promiscuous Mode.
    Kind regards,
    Aubrey Kloppers



  • Just a side note: if you use CARP (for HA) in the future with additional pfSense VMs, you will need to re-enable promiscuous mode on the vSwitch (as well as enabling MAC address changes and forged transmits).

    This helpful advice is in "the book" (pfSense:The Definitive Guide, Buechler and Pingle, 2009,  p. 405/20.10.5).
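Put into a script, as an added example that is not from this thread or from the pfSense project: a VMware PowerCLI pass that applies the reject-all default at the vSwitch level and scopes the three CARP exceptions (promiscuous mode, MAC address changes, forged transmits) to one port group only, then reports the effective policy per port group. The host, switch and port-group names are placeholders.

```powershell
# Added example (not from the thread). Assumed placeholders: ESXi host
# "esxi01.example.local", standard vSwitch "vSwitch0", CARP port group
# "pfSense-CARP". Requires the VMware PowerCLI module.
param(
    [string]$VMHostName    = 'esxi01.example.local',
    [string]$SwitchName    = 'vSwitch0',
    [string]$CarpPortGroup = 'pfSense-CARP'
)

Connect-VIServer -Server $VMHostName | Out-Null
$vmhost  = Get-VMHost -Name $VMHostName
$vswitch = Get-VirtualSwitch -VMHost $vmhost -Name $SwitchName

# 1. Switch-wide default: reject all three. With promiscuous mode accepted the
#    vSwitch behaves like a hub, so every VM sees every other VM's frames,
#    including vmkernel/management traffic that shares the switch.
Get-SecurityPolicy -VirtualSwitch $vswitch |
    Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
    Out-Null

# 2. Narrow exception for the CARP port group only. CARP needs the guest to
#    receive frames for the shared virtual MAC (promiscuous), to present a MAC
#    other than the vNIC's (MAC changes) and to transmit from it (forged
#    transmits). Setting these on the port group keeps the exception off every
#    other VM on the same switch.
$carpPg = Get-VirtualPortGroup -VirtualSwitch $vswitch -Name $CarpPortGroup
Get-SecurityPolicy -VirtualPortGroup $carpPg |
    Set-SecurityPolicy -AllowPromiscuous $true -MacChanges $true -ForgedTransmits $true |
    Out-Null

# 3. Report the effective policy of every port group. A port group that
#    inherits from the switch exposes *Inherited = $true and a $null value,
#    so resolve it against the switch-level policy for the reviewer.
$swPolicy = Get-SecurityPolicy -VirtualSwitch $vswitch
Get-VirtualPortGroup -VirtualSwitch $vswitch | ForEach-Object {
    $p = Get-SecurityPolicy -VirtualPortGroup $_
    [pscustomobject]@{
        PortGroup       = $_.Name
        Promiscuous     = if ($p.AllowPromiscuousInherited) { $swPolicy.AllowPromiscuous } else { $p.AllowPromiscuous }
        MacChanges      = if ($p.MacChangesInherited)       { $swPolicy.MacChanges }       else { $p.MacChanges }
        ForgedTransmits = if ($p.ForgedTransmitsInherited)  { $swPolicy.ForgedTransmits }  else { $p.ForgedTransmits }
    }
} | Format-Table -AutoSize
```

Only the CARP port group should show True in the three columns; any other port group showing True is a deviation from the reject-all default worth explaining.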



  • Thanks everyone for your input. I have it working, although the host crashes every now and then - it appears to be when I have a high load. Originally it was crashing every 5 mins and the CPU on the pfSense guest was showing 100%, so I reset my config to factory defaults (originally I had imported the config from my bare-metal pfSense). Once I did this, CPU calmed down to 0-1%, but it still crashes the host from time to time.

    Jon



  • I know that this may not be directly related, but I just had a high CPU usage problem (discussed on other threads as well).

    I'm running ESXi 3.5 U2 (due to my CPU having a bug that does not allow higher versions)
    HP DLD585, 4 x AMD Opteron quads 2.2
    2 onboard NICs and a dual Intel Pro1000 = 4 physical NICs

    So here are my 2 cents:
    Dedicate a NIC for the management network.
    When running pfSense as a VM, set up a separate resource pool and reserve CPU bandwidth (memory reservations do not impact much if you have sufficient RAM).
    In a very aggressive setup, you might want to set CPU affinity for the pfSense VM to cores that are unused by other VMs (which means changing them all = VMotion problems).
    And yeah - disable VMotion for pfSense.

    I had 75-80% interrupt usage. After just setting Shares = High and reserving 1 GHz, this dropped down to 20%.

    I am running 18 VMs, 2 Windows and 15 openSUSE + pfSense
    … + certain apps from my LAN that maintain ~3000 firewall states, and it is working great now.

    Cheers.
    H



  • Thanks Helix - I will try what you suggest. I managed to stop pfSense crashing the host - I'm rock solid now - a BIOS update to my mobo made all my issues go away, but I like what you are suggesting also.

    Jon

