pfSense Virtual Appliance / Multiple External IPs / Dedicated Box



  • I am renting a dedicated server with ESXi installed. The server has 1 NIC and I am using pfSense in a VM to handle the routing. The rental comes with one External IP address to access the server with and I have added two more in addition as I plan to run an Email Server and a Web Server virtually. The IPs are as follows: X.X.238.91, X.X.238.92 and X.X.238.93.

    The first attachment shows the configuration in VMware. The X.X.X.91 address routes directly to the hardware NIC on the server. This goes into a vSwitch (WAN) with the Management Network and my pfSense router. The other vSwitch (LAN) is where all of the host VMs connect.

    The next attachment shows the configuration of the WAN currently in pfSense. I currently have the X.X.X.92 address routed to the WAN. I am able to access the internet on the test machine HL-UB1 that is connected to the vSwitch (LAN).

    I feel, though, as if this is not set up correctly. I know that I want all of the IP addresses essentially routed to the one NIC. From there I need to use Virtual IPs and 1:1 NAT. However, I don't really know what I need to ask of my host so I can get all of the IPs routed to the one NIC.

    Should I keep the .91 address to access the ESXi host and try and see if I can have all other future IPs 'routed' to the .92 address?

    Any input on the situation would be greatly appreciated.





  • I am running a similar setup with a dedicated server.

    You can save one of the IP addresses if you assign a private address (e.g. 192.168.1.10) to the VMkernel - Management interface. It is also more secure; even if you can configure access lists and lock down the ESXi host, I reckon this is a better approach. Set up the pfSense WAN to X.X.X.91 and use Virtual IPs and 1:1 NAT for the rest.

    To manage the ESXi host I use an IPsec tunnel from a different DC, but you could probably change the vSphere Client port (see http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1021199) and then do some port-forwarding to 192.168.1.10?

    Hope this helps.
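Added example, not part of the thread: a small Python planner for the layout the reply recommends (private VMkernel management address, first public IP on the pfSense WAN, every spare public IP as a WAN virtual IP with a 1:1 NAT entry to one internal VM). The public addresses, host names and LAN subnet are constructed placeholders, and the `<virtualip>`/`<nat>` element layout it emits is this example's own approximation of pfSense's config.xml, not something taken from the thread.

```python
import ipaddress
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def plan_layout(public_ips, mgmt_ip, lan_subnet, hosts):
    """public_ips[0] becomes the pfSense WAN address; each further public IP
    becomes a WAN virtual IP with a 1:1 NAT entry to one host in `hosts`
    ({name: LAN address}, consumed in order). The ESXi management VMkernel
    address must be RFC 1918 so it does not burn a public address."""
    lan = ipaddress.ip_network(lan_subnet)
    if not is_rfc1918(ipaddress.ip_address(mgmt_ip)):
        raise ValueError(f"management IP {mgmt_ip} is not RFC 1918 private")
    pubs = [ipaddress.ip_address(p) for p in public_ips]
    if len(set(pubs)) != len(pubs) or any(is_rfc1918(p) for p in pubs):
        raise ValueError("public IP list has a duplicate or a private address")
    wan, vips = pubs[0], pubs[1:]
    if len(hosts) > len(vips):
        raise ValueError(f"{len(hosts)} hosts but only {len(vips)} spare IPs")
    mappings = []
    for (name, lan_ip), vip in zip(hosts.items(), vips):
        addr = ipaddress.ip_address(lan_ip)
        if addr not in lan:
            raise ValueError(f"{name}: {addr} is outside the LAN {lan}")
        mappings.append((name, str(vip), str(addr)))
    return str(wan), mappings   # (wan_ip, [(name, public_ip, lan_ip), ...])

def to_pfsense_xml(mappings):
    """Render the plan as <virtualip>/<nat> fragments shaped like config.xml
    (the element layout is this example's assumption, not from the thread)."""
    vips = "".join(
        f"  <vip><mode>ipalias</mode><interface>wan</interface>"
        f"<subnet>{vip}</subnet><subnet_bits>32</subnet_bits>"
        f"<type>single</type><descr>{name}</descr></vip>\n"
        for name, vip, _ in mappings)
    nats = "".join(
        f"  <onetoone><interface>wan</interface><external>{vip}</external>"
        f"<source><address>{lan_ip}</address></source>"
        f"<destination><any/></destination><descr>{name}</descr></onetoone>\n"
        for name, vip, lan_ip in mappings)
    return f"<virtualip>\n{vips}</virtualip>\n<nat>\n{nats}</nat>\n"

if __name__ == "__main__":  # constructed sample values (TEST-NET-3 range)
    wan, maps = plan_layout(["203.0.113.91", "203.0.113.92", "203.0.113.93"],
                            "192.168.1.10", "192.168.1.0/24",
                            {"mail": "192.168.1.20", "web": "192.168.1.30"})
    print("pfSense WAN:", wan)
    print(to_pfsense_xml(maps))
```

The planner refuses a public management address and a host outside the LAN subnet, which are the two mistakes the reply is steering the poster away from.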

