Setting up pfSense under ESXi



  • Hi,

    I'm trying to set up a pfSense firewall with an Untangle machine behind it and am having some difficulties.

    This is all being done under ESXi if that makes any difference.

    I am using 3 virtual switches (called LAN, UntangleBridge and ADSL).

    Initially my configuration was:

    To LAN I have a single machine connected (XP VM for testing) and the LAN connection of Untangle (in bridged mode). No NICs associated with this switch under ESXi.
    To UntangleBridge I have the WAN connection of Untangle and the LAN connection of pfSense. There are no NICs associated with this under ESXi.
    To ADSL I have the WAN connection of pfSense and the NIC that is associated with this switch is connected directly to the ADSL modem. I also have another VM XP box connected to this for testing purposes.

    However, I couldn't get it to work at all in this configuration so have removed the Untangle box to see if I can get everything up and running just behind the pfSense so that I can diagnose what the problem is (well, I know the problem is me, but exactly what it is I am doing wrong :D)

    My current configuration is:

    A single XP VM (XP_LAN) and the LAN connection of pfSense on the LAN vSwitch and a single XP VM (XP_WAN) box and the WAN connection of pfSense on the ADSL vSwitch.

    So far I can get to the stage where:

    From XP_WAN (using the modem as a default gateway) I can ping external sites, surf, ping the WAN port of pfSense. Everything works fine behind the ADSL modem as far as I can see.
    From pfSense command line I can ping the ADSL modem, ping external sites, telnet to port 80 of external sites, ping XP_WAN and ping the LAN interface.
    From XP_LAN I can resolve hostnames, can ping both LAN and WAN interfaces on the pfSense VM but I cannot ping anything externally including other sites, XP_WAN or the ADSL modem.

    From my initial testing, it looks like everything is OK between the modem and the WAN interface of pfSense but there must be a configuration problem in pfSense that is preventing devices on the LAN reaching further than the WAN interface.

    Does anyone have any ideas on how to troubleshoot from here?

    Many thanks in advance.

    Further information

    XP_LAN : 192.168.5.169, g/w 192.168.5.1
    pfSense LAN : 192.168.5.1
    pfSense WAN : 192.168.10.10 g/w 192.168.10.1
    XP_WAN : 192.168.10.99 g/w 192.168.10.1
    ADSL modem : 192.168.10.1

    pfSense rules currently in place :

    WAN : Allow all (Proto : *, Source *, Port *, Dest *, Gateway *, Queue none, Schedule Blank). Block Private Networks unchecked, Block bogon networks checked.
    LAN: Allow all (Proto : *, Source *, Port *, Dest *, Gateway *, Queue none, Schedule Blank). Otherwise default Anti Lockout and allow LAN to any.

    Screenshots:

    TIA


  • Netgate Administrator

    Are you using DHCP on any part of this?

    Is there anything in the pfSense firewall log?

    I would try removing the bogons rule if only for a test. I'm not sure if private networks are in bogons or not, however if you still had 'block private networks' set on WAN I would not expect to be able to get out from the pfSense box itself. Have you unchecked that?
    Edit: I see you have.

    A netmask problem can show up like this.

    Steve
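Steve's netmask hint is easy to check mechanically. The following is an added example, not code from the thread or from pfSense: it takes the static addressing bb posted (with a /24 assumed on every interface, since only the XP_LAN mask was confirmed) and flags a gateway outside its own subnet, overlapping LAN/WAN subnets, and the case where the upstream modem has no route back to the LAN subnet, so pfSense must source-NAT LAN traffic to its WAN address for replies to return.

```python
# Added example (not from the thread): sanity-check static addressing for the
# mistakes that produce "LAN can reach the pfSense WAN interface but nothing
# past it": a gateway outside its subnet, overlapping subnets, or a missing
# return path that outbound NAT on pfSense has to cover.
import ipaddress

# Constructed from the addresses posted in the thread; /24 is assumed on
# every interface (the poster only confirmed 255.255.255.0 on XP_LAN).
HOSTS = {
    "XP_LAN":      {"addr": "192.168.5.169/24", "gw": "192.168.5.1"},
    "pfSense LAN": {"addr": "192.168.5.1/24",   "gw": None},
    "pfSense WAN": {"addr": "192.168.10.10/24", "gw": "192.168.10.1"},
    "XP_WAN":      {"addr": "192.168.10.99/24", "gw": "192.168.10.1"},
    "ADSL modem":  {"addr": "192.168.10.1/24",  "gw": None},
}


def check_gateways(hosts):
    """Names of hosts whose default gateway lies outside their own subnet
    (the classic wrong-netmask symptom: ARP for the gateway never answers)."""
    bad = []
    for name, h in hosts.items():
        if h["gw"] is None:
            continue
        iface = ipaddress.ip_interface(h["addr"])
        if ipaddress.ip_address(h["gw"]) not in iface.network:
            bad.append(name)
    return bad


def check_overlap(hosts, a="pfSense LAN", b="pfSense WAN"):
    """True if the two pfSense interface subnets overlap; pf cannot route
    between them cleanly and LAN hosts may pick the wrong interface."""
    na = ipaddress.ip_interface(hosts[a]["addr"]).network
    nb = ipaddress.ip_interface(hosts[b]["addr"]).network
    return na.overlaps(nb)


def needs_outbound_nat(hosts, client="XP_LAN", upstream="ADSL modem"):
    """True if the upstream router shares no subnet with the client, so it
    has no route back unless pfSense translates the source to its WAN IP."""
    client_net = ipaddress.ip_interface(hosts[client]["addr"]).network
    up_net = ipaddress.ip_interface(hosts[upstream]["addr"]).network
    return not up_net.overlaps(client_net)


def report(hosts):
    return {
        "gateway_outside_subnet": check_gateways(hosts),
        "lan_wan_overlap": check_overlap(hosts),
        "outbound_nat_required": needs_outbound_nat(hosts),
    }
```

For the posted addressing the report comes back clean except that outbound NAT is required, which pfSense's automatic outbound NAT provides by default; a LAN host with a /25 mask, by contrast, would show up under gateway_outside_subnet.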



  • Hi Stephen,

    Thank you for taking the time to try and help out.

    No DHCP server is enabled on the pfSense machine.

    Removing the bogon rule seems to have made no difference. I still can't reach from the LAN to the WAN side of things. I notice you suggest a netmask issue might be responsible. Does this help determine whether things are incorrectly configured:

    ifconfig output from pfSense console

    Thanks again. I am leaving work in about 20 mins so I will look again in the morning.

    EDIT - No DHCP server is running anywhere in the VM Network - everything is statically configured at this point. Netmask on XP_LAN is 255.255.255.0



  • bb,

    There doesn't seem to be anything inherently wrong with what you've posted so far.  What you have should just work out of the box but there are some things to try:

    • Take out your (not the default) Allow All rule on LAN  -  Assume you put it in to try to get past this problem but shouldn't be needed

    • Take out your Allow All rule on WAN  - assume this was for troubleshooting too but shouldn't be needed and exposes XP-WAN to the Internet  :o

    • Turn on Log packets blocked by the default rule under Status > System logs > Settings and see what gets logged for the pfSense WAN

    When you say you can resolve host names from XP-LAN, does that include www.google.com?

    Is that Untangle bridge really right out of the picture and you rebooted everything after taking it out?  Just thinking that something might have a latent memory of it.

    Biggsy


  • Banned

    Change to this

    XP_LAN : 192.168.5.169, g/w 192.168.5.1
    pfSense LAN : 192.168.5.1
    pfSense WAN : 192.168.10.10 g/w 192.168.10.1
    Delete XP_WAN : 192.168.10.99 g/w 192.168.10.1
    ADSL modem : 192.168.10.1



  • Hi biggsy,

    Thank you too for helping.

    @biggsy:

    bb,

    There doesn't seem to be anything inherently wrong with what you've posted so far.

    Good news - maybe I'm not such a complete idiot after all  ;D

    What you have should just work out of the box but there are some things to try:

    • Take out your (not the default) Allow All rule on LAN  -  Assume you put it in to try to get past this problem but shouldn't be needed

    • Take out your Allow All rule on WAN  - assume this was for troubleshooting too but shouldn't be needed and exposes XP-WAN to the Internet  :o

    • Turn on Log packets blocked by the default rule under Status > System logs > Settings and see what gets logged for the pfSense WAN

    I have done as you suggested and I still have the same issues. After attempting to ping bing.com, google.com, 192.168.10.1 and 192.168.5.1 the only entries appearing in the firewall logs are from XP_WAN to 192.168.10.255 on port 137 proto UDP (NetBIOS from memory?). Nothing from the LAN side.

    When you say you can resolve host names from XP-LAN, does that include www.google.com?

    Yes, I appear to be able to get DNS resolution for any FQDN I choose, just cannot reach it in any manner.

    Is that Untangle bridge really right out of the picture and you rebooted everything after taking it out?  Just thinking that something might have a latent memory of it.

    Biggsy

    Yes - but I will reboot the entire ESXi unit later to see if it makes a difference. Thank you for your suggestions. Maybe something went hinky on install - I will also fire up a second pfSense VM and see what happens - maybe I have an adaptor issue - any suggestions as to what adaptor I should choose for the pfSense VM under ESXi?

    bb



  • Good morning Supermule.

    @Supermule:

    Change to this

    XP_LAN : 192.168.5.169, g/w 192.168.5.1
    pfSense LAN : 192.168.5.1
    pfSense WAN : 192.168.10.10 g/w 192.168.10.1
    Delete XP_WAN : 192.168.10.99 g/w 192.168.10.1
    ADSL modem : 192.168.10.1

    I've powered down the XP_WAN for now to continue testing. XP_WAN was there just to make sure that the WAN side of the pfSense VM was in fact operational and it wasn't connectivity related.

    Thank you also for taking the time to offer assistance.

    bb



  • bb,

    any suggestions as to what adaptor I should choose for the pfSense VM under ESXi?

    Now there's a good point!  Why didn't I think of that?  I must have been distracted by all those beautiful girls who (amazingly) live in my area and, according to the ads, would just love to date me  :)

    Sorry, definitely use an E1000 adapter.

    Biggsy



  • @biggsy:

    Now there's a good point!  Why didn't I think of that?  I must have been distracted by all those beautiful girls who (amazingly) live in my area and, according to the ads, would just love to date me  :)

    You must live near me :) Amazing - I never knew there were so many single cute girls in the area :)

    Sorry, definitely use an E1000 adapter.

    Biggsy

    I just ran up a new pfSense VM and it works perfectly, so I guess something went hinky on the other install  :-\ Wouldn't even detect VMXNET2 Enhanced so had to go with E1000 and started working just fine.

    Thanks to everyone who took the time to help, now to try and plumb in the Untangle box for reporting purposes :)

    Kindest regards

    bb

