Remote Install ESXi5.1 how to pfsense on 1Nic 1 Public IP

  • Hi all,

    Been reading posts and searching but not sure my problem has been covered yet. Here goes:

    I have a Dell server in remote datacenter, access via DRAC (remote access card with own public IP) as no physical access available.

    Now for the challenge: I have only 1 NIC and 1 Public IP for this server. So installed ESXi5.1 on the public IP so I can manage it from my location (I know this is not how you should do it but I just need to get it up & running and will then lock down) . I'm planning to have a web VM with seperate VM's for databases / mail, etc. Then I can lock it down with pfsense and configure remote acess to a private VM "behind" the public IP to manage ESXi or leave as is and only allow certain ports from my public IP.

    Now from other posts it's been suggested to disable IPv4 on physical nic and configure pfsense to use it on WAN. But the second I disable on host I will lose connectivity….. so not sure how to do that remotely..?
    Others say have WAN interface on with multiple LAN VLANs from same interface. But how do you configure the WAN interface with the public IP if it's already used by the physical NIC.

    And to make it worse I might need to host more sites on this system (so more public IP's to that nic....)

    Sorry for all my questions or if it sounds messed up. I'm new to Pfsense and have been trying to work this out myself for a couple of days now so might be going slightly looney!!
    Any help or guidance will be very much appreciated.


  • Ok, first things first, let's get some terminology and ESX(i) fundamentals out of the way.

    In ESX(i), the physical NIC doesn't have an IP directly associated with it, services or VM's running on it can (this is almost of a pet peeve type of thing, but it can also introduce support confusion when you say that the physical port has an IP associated with it.)  Your service console, of course, will have an IP associated with it, and if all you have is a single IP to use, and that's assigned to your service console, and that's connected to your single physical port, that will make it appear like what you're saying, but in reality it's more like I was saying.  And what you're trying to do is to get multiple services and/or VM's to be accessible over the single IP address.

    Anyway, trying to do this with what you've got will create some headaches.  Well, a lot of them.  And, in practice, it's not really supportable.  In theory, you could get your service console to sit behind your pfSense VM and map the port(s) so that you can get multiple services behind the single IP, including your Service Console, but you'd be in a lot of cart before the horse issues where you can't configure the pfSense machine without access to the service console.  So, maybe you could pre-configure pfSense, put the Service Console on an internal only vSwitch (I'd have to test that, btw, I'm not entirely sure if you can) that the LAN side of pfSense is connected to and then assign pfSense to the vSwitch connected to the physical port, but you'd have to do all the network assignments through the DRAC at the console.  Ouch.  And then you're also banking on pfSense never having a configuration issue, either self by induced error (which is rare) or user induced (that never happens, right? ;) )  Oh, and if the host is ever rebooted / power cycled / etc, hope that everything comes up happy (you remembered to make your pfSense VM auto-start, right?)

    Really, the only feasible way I can think of to do this would require multiple public IP's or another interface on a private network that you can get to in some datacenter/colo provided way, such as a VPN.  Really, I think the second port on a private network would be preferred anyway so that your Service Console isn't live on the internet.

  • Many Thanks for the info. Yes, you're right - I was confusing myself there for a bit….  :-[

    I managed to get it setup last night. Got pfsense up, installed vm behind it on private vlan. Then connected to vm via web (not vsphere client). Changed management port to internal, rebooted and its' all up. I now have a "secure" remote setup. So next plan is to punch enough holes, access methods into there so if (as you rightly said) anything goes wrong I still have access. Plan is to open port on pfsense for remote management via static public IP (mine). So in case anything goes wrong I still have some sort of access. In addition to that I will setup VPN to my site. That will give me 3 ways in (although all through Pfsense).

    So what do you think? I've got pfsense on autostart. Got access to console, got access to vm (via web). Will have VPN as well as remote management to pfsense (only my static IP at home).

    Any thoughts...? As I said this is not ideal but hey, sometimes you've got to make things work with what you have right....?  :-X

  • In theory, you may have gotten past the hard part, and, again, in theory, it should work… till it doesn't, then you're really stuck.  But, hey, you've gotten this far and assuming it's not anything you (or clients) are financially dependent on, run with it.

Log in to reply