Help with my setup. Vmware

deaney · Apr 27, 2013, 8:26 PM

Hi All,

Tried to find the answer a few times but maybe this is abit more specific. I've been trying to solve this for about 4 hours now ???

This is the setup I have.

192.168.1.254 - Gateway (modem to the internet) DHCP enabled
192.168.1.199 - VMWARE ESXI Host

I have setup pfsense as a VM with 2 nics, one which goes out to the gateway, and gets its IP from the gateway (this is 192.168.1.81) and another NIC which sits on the internal VMware network I would like this to be 172.16.0.1 and if possible hand out DHCP?

All VMs will only have a link to the the internet by passing through the pfsesne box. But I dont want my vm's on the 192.168.1.. network.

I want pfsesne to act as a router/modem to my vms.

192.168.1.254/24 > Modem
|
Pfsense em0 - (ip 192.168.1.81)
|
|
–----------VM WARE---------------------------------
|
Pfsense em1 - (ip 172.16.0.1/24)
|
|------|
|
|-------------------|---------------------|
Server1(172.16.0.2) server2(172.16.0.2) server3(172.16.0.3)

Something like that.

I also want the computers on 192.168.1... to be able to manage pfsesne as well as the computers on 172.16.0...

Kind Regards and thanks in advance!
James

biggsy · Apr 27, 2013, 8:52 PM

Hi James and welcome.

Have you read this: http://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5 ?

deaney · Apr 27, 2013, 9:16 PM

Hi biggsy,

Thanks for that! I've got to grips with adding the network interfaces from VMware, they are all set.

I think its having the two lans and getting them to talk to each other.. some kind of routing? that im having trouble with.

e.g. the VM lan @ 172.16.0.1 needs to forward all traffic out to the internet @ 192.168.1.254 but wont.. anything on the 172.16.0.1/24 network cant get an internet connection :(

Regards

biggsy · Apr 27, 2013, 9:17 PM

Sorry, hit the wrong key there. At least it wasn't in mid-sentence. :)

You need to switch your modem/router into a modem only. That will allow pfSense to get your public IP on its WAN interface: modem -> ESXi host NIC -> vSwitch -> pfSense virtual WAN interface (em0).

Use your other ESXi NIC as the LAN interface and move the computers on the 192 network to that (may require a physical switch): 192 computers -> switch -> ESXi host NIC -> vSwitch -> pfSense virtual LAN interface (em1).

Your other VMs, on the 172 network, don't need a physical NIC, only virtual ones. Your pfSense VM will also have a virtual NIC connected to the 172 network.

You will be able to manage your ESXi host, pfSense and the other VMs through the LAN.

Hope that helps.

deaney · Apr 27, 2013, 10:46 PM

Thanks for that!

I'm so… soooo close!

I only have one network adapter on the esxi box, thats why I cant move the 192.... network off onto that lan.

See the attached image - all I need now is internet access on the 172 network and im all sorted.

biggsy · Apr 28, 2013, 12:41 AM

The problem with your current design is double-NAT - never a good idea. A second NIC in the ESXi host will save you from potential hassles related to that. Well worth the investment.

Unless you have told pfSense that the 172 network is its LAN, you probably just need some rules in pfSense to allow traffic in on that interface so they they can get access to the Internet. Only LAN has an "allow any" rule by default. All others are "deny all" by default.

If you've told pfSense that 172 is the LAN, you're going to have to allow traffic through its WAN interface in order to access your VMs from the PCs in the 192 network. You'll also have to allow traffic from private networks, specifically your 192 network, on its WAN interface.

There are almost certainly other things you'll need to do as well but I can't think of them just now.