ESX + pfSense + Multi FailOver IP and MAC address associated



  • Hello,

    First, I have a problem with multiple failover IPs (or public IPs) on pfSense, and I only found docs about multi-WAN or multi-IP.
    I am not very familiar with networking, so please be patient.

    I want to have multiple "networks" connected to the internet with one public IP and only one gateway for all of them.
    When data comes in on one IP, the firewall has to know which LAN IP is the recipient of this data, and when data goes out from a defined LAN IP, the firewall has to assign it the right WAN IP and MAC address. (A public failover IP is associated with a specific MAC address.)
    My servers are only VMs (ESX) hosted by Online.net.

    This is an example:
    IP1 -- MAC1
    IP2 -- MAC2
    ...

    / IP1 < --- > LAN IP 1, LAN IP 3, LAN IP 4
    GATEWAY
               \ IP2 < --- > LAN IP 2, LAN IP 5

    If it is possible, I prefer to use only one pfSense server.

    Currently, I have succeeded in making LAN IP 2 go out with the right IP but the wrong MAC address, and my host does not accept it.

    Thank you in advance for your help.

    NB: Sorry for my English mistakes, I don't speak English very well.



  • Up!
    Do you need more information?


  • Netgate Administrator

    Hmm, I'm not sure I understand what you're trying to do.

    Do you have two WAN connections or two public IPs via one connection?

    Steve



  • I have two public IPs via one connection.


  • Netgate Administrator

    I don't think pfSense can attribute a different MAC address to a virtual IP, which is what would have to happen to allow outgoing packets tagged with different MACs.

    Perhaps someone else can enlighten me.

    You might be able to do this by adding an extra virtual interface and switch within ESXi, giving pfSense an extra WAN interface with a different MAC. However, this is outside my experience, I'm afraid.

    Steve



  • I tried it, setting one WAN with one public IP address; when packets go in, it's OK, but as you said, pfSense is unable "to allow outgoing packet tagged with different MACs".
    But we know from a specific LAN IP which WAN IP and MAC address we have to use, but we can't configure pfSense to use the right information.
    In fact, we are able to configure it to use the right WAN IP, but it does not tag the packets with the right MAC address.

    Thank you for your help.


  • Netgate Administrator

    I've never used ESXi. Can you configure virtual NICs with different MAC addresses?

    Steve



  • If NIC means Network Interface Card, yes.
    A VM can have one or more NICs.


  • Netgate Administrator

    If you can specify the MAC address when adding new virtual cards in ESXi then you could give pfSense two WAN interfaces, with different MACs, which should allow the tagging you need.

    Steve



  • I tried to do it, using several interfaces and multi-WAN, but when packets go out, it tags them with the wrong MAC address.

    I don't know how to configure pfSense to tell it:
    "Hey, you see this LAN address 10.0.1.1! When a packet is going out from this LAN address, I want you to use the public IP address 85.58.85.30 with MAC address 00:0a:a0:1b:b1:a1, but when a packet is going out from 10.0.2.1 or 10.0.2.2, you HAVE to use the public IP address 85.58.85.31 with MAC address 00:0a:a0:1b:b1:b2!"
    (All addresses are fake.)


  • Netgate Administrator

    This would be easy to accomplish if you had two physical WAN interfaces.
    Because you are using one NIC and virtual interfaces, either in pfSense or in ESXi, you are asking it to spoof the MAC on an individual packet basis. Neither ESXi nor pfSense appears to be able to do this.

    Steve
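As an added example (not code from this thread, from Netgate or from pfSense), a small consistency check that models the constraint the thread keeps running into: a failover IP is only accepted by the host when it leaves from the MAC registered for it, so two public IPs as virtual IPs on a single WAN vNIC can never both be right, while one WAN vNIC per failover IP (MAC set in ESXi) with per-source policy routing and outbound NAT passes. The addresses are the fake ones quoted above; the data model, function names and "plan" format are assumptions made for this check.

```python
# Added example, not code from this thread or from pfSense. It models the rule
# the host enforces (a failover IP must leave from the MAC registered for it);
# addresses are the thread's fake ones, the data model and names are assumed.
from dataclasses import dataclass

# Constructed provider table: failover IP -> MAC it must be sent from.
PROVIDER_MACS = {"85.58.85.30": "00:0a:a0:1b:b1:a1",
                 "85.58.85.31": "00:0a:a0:1b:b1:b2"}

@dataclass(frozen=True)
class Wan:
    name: str
    mac: str          # MAC of the vNIC ESXi presents to pfSense
    addresses: tuple  # public IPs on this interface (address + VIPs)

def check_plan(wans, plan):
    """plan maps LAN source -> (WAN chosen by policy routing, NAT source IP).
    Returns one problem per LAN source whose packets would reach the host
    with a MAC other than the one registered for their public IP."""
    by_name = {w.name: w for w in wans}
    problems = []
    for lan_ip, (wan_name, nat_ip) in sorted(plan.items()):
        wan = by_name[wan_name]
        if nat_ip not in wan.addresses:
            problems.append(f"{lan_ip}: NAT to {nat_ip}, but {wan_name} does not hold it")
            continue
        expected = PROVIDER_MACS[nat_ip]
        if wan.mac.lower() != expected.lower():
            problems.append(f"{lan_ip}: {nat_ip} leaves {wan_name} as {wan.mac}, "
                            f"host expects {expected}")
    return problems

def single_wan_with_vips():
    """The poster's first attempt: both public IPs as VIPs on one vNIC."""
    wans = [Wan("WAN", "00:0a:a0:1b:b1:a1", ("85.58.85.30", "85.58.85.31"))]
    plan = {"10.0.1.1": ("WAN", "85.58.85.30"), "10.0.2.1": ("WAN", "85.58.85.31"),
            "10.0.2.2": ("WAN", "85.58.85.31")}
    return check_plan(wans, plan)

def one_wan_per_failover_ip():
    """Steve's suggestion: a second vNIC whose MAC is set in ESXi."""
    wans = [Wan("WAN", "00:0a:a0:1b:b1:a1", ("85.58.85.30",)),
            Wan("WAN2", "00:0a:a0:1b:b1:b2", ("85.58.85.31",))]
    plan = {"10.0.1.1": ("WAN", "85.58.85.30"), "10.0.2.1": ("WAN2", "85.58.85.31"),
            "10.0.2.2": ("WAN2", "85.58.85.31")}
    return check_plan(wans, plan)
```

The single-WAN layout reports the two 10.0.2.x sources leaving with the MAC of 85.58.85.30, which is exactly the "right IP, wrong MAC" the poster observed; the two-WAN layout reports nothing.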

