[SOLVED] No internet under ESXi 5.1, pfSense 2.1
-
Been racking my brain over this for a couple days now and have read through the other posts, but nothing seems to work.
My setup:
ESXi 5.1 U1
pfSense as a VM - connected to vSwitch0 - connected to physical NIC
- connected to vSwitch1 - no physical NIC (virtual DMZ)
Physical NIC connected to Cisco E3000 Router running TomatoUSB 1.28 (DHCP Server)
WAN interface in pfSense gets 192.168.123.201 from DHCP (net mask 255.255.255.0, GW 192.168.123.1)
LAN interface is setup for static IP - 192.168.25.1
From VM on vSwitch1 - can ping 192.168.25.1 and can access webGui
Problems:
From VM on vSwitch0 - cannot connect to or ping 192.168.123.201 - I get no response and cannot access webGui
From Router on physical network - can see DHCP lease, but cannot ping address
From VM on vSwitch1 - cannot load packages or check for updates through webGui - error message says no internet connection.
From VM on vSwitch1 - no internet, cannot ping www.google.com from VM or webGui
Observances:
From Interfaces page, I noticed the ISP DNS has 127.0.0.1 listed and 192.168.123.1. This can't be correct but I don't know where the 127.0.0.1 address came from as I definitely don't have that set on the router. Is there a way to manually set the ISP DNS?
-
"From VM on vSwitch0 - cannot connect to or ping 192.168.123.201 - I get no response and cannot access webGui"
This is by design - pfsense does not answer ping or allow access to its web gui out of the box on its wan interface (internet to it normally) so you would have to create firewall rules to allow this - if so desired.
"From Interfaces page, I noticed the ISP DNS has 127.0.0.1 listed and 192.168.123.1"
Well 127.0.0.1 is loopback and every single device that runs tcp/ip has this address.. It means itself! So your wan connection to pfsense is set to use your cisco for dns..
can pfsense ping your e300 123.1 address? Can a VM? on vswitch1? Can pfsense resolve www.google.com? You need to setup pfsense to use something valid for dns - quite often this is your e300 IP - since it just looks up stuff via your ISP dns or whatever you have setup on it and hands that back to clients asking it. Be it pfsense, be it other clients on vswitch0
Pfsense out of the box should handle dns for anything on its lan, just like your cisco does.
-
"From VM on vSwitch0 - cannot connect to or ping 192.168.123.201 - I get no response and cannot access webGui"
This is by design - pfsense does not answer ping or allow access to its web gui out of the box on its wan interface (internet to it normally) so you would have to create firewall rules to allow this - if so desired.
OK, this makes sense.
"From Interfaces page, I noticed the ISP DNS has 127.0.0.1 listed and 192.168.123.1"
Well 127.0.0.1 is loopback and every single device that runs tcp/ip has this address.. It means itself! So your wan connection to pfsense is set to use your cisco for dns..
Right. I thought that by the loopback address it would look at the pfsense box, not the cisco.
can pfsense ping your e300 123.1 address?
Yes.
Can a VM? on vswitch1? Can pfsense resolve www.google.com?
No. this is what I'm trying to fix.
You need to setup pfsense to use something valid for dns - quite often this is your e300 IP - since it just looks up stuff via your ISP dns or whatever you have setup on it and hands that back to clients asking it. Be it pfsense, be it other clients on vswitch0
I understand that. DNS is set to the E3000, but doesn't seem to resolve anything or pass traffic from LAN to WAN.
-
Are you Natting in pfsense - this is default configuration.. But if you turned that off - your cisco would have no clue how to get to 192.168.25.0/24 network.
Go into pfsense.. Turn off using itself as dns and only point it to your e3000 IP.
What does the output of diag, dns lookup respond with when trying to look up www.google.com? See my screenshot
-
My DNS diag looks similar to yours, except I still don't have internet. Here's a screen shot of when I ping from a CMD prompt.
![ping results.png](/public/imported_attachments/1/ping results.png)
-
so pfsense which is 25.1 told you it expired in transit.. So where is pfsense routing it?
Do a traceroute to www.google.com. If you're on Windows it would be tracert; add the -d so you're not hung up on DNS queries for every hop.
so tracert -d www.google.com
What do you get for that - see my example below.. So from my client on the pfsense lan, it hits pfsense 192.168.1.253 in the 1st hop - then it hits my isp gateway the 24.x hop 2.. Then it goes through the internet.. What does your trace look like from connected to vswitch1 using pfsense as its gateway.
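The "TTL expired in transit" reply and the tracert check above boil down to three questions: is the first hop the pfSense LAN address, does any hop repeat (a routing loop, which is what exhausts the TTL), and does the trace ever leave the local networks? The script below is an added example, not something posted in this thread or shipped with pfSense: it parses Windows `tracert -d` output and answers those questions. The two traces embedded in it are constructed, not captured; the addresses 192.168.25.1, 192.168.123.1 and 192.168.123.201 come from the thread, while 198.51.100.1 and 203.0.113.10 are documentation-range placeholders standing in for the ISP gateway and the destination.

```python
"""Parse Windows ``tracert -d`` output and flag common routing faults.

Added example for the thread above, not code from the thread or from pfSense.
The sample traces are constructed; only the 192.168.25.x / 192.168.123.x
addresses are taken from the original posts.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# A hop line: hop number, three probe columns, then the last token, which is
# either an IP address or the tail of "Request timed out."
HOP_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\S+)\s*$")

# Networks the thread describes: pfSense LAN and the E3000 LAN (pfSense WAN).
LOCAL_NETS = ["192.168.25.0/24", "192.168.123.0/24"]
LAN_GATEWAY = "192.168.25.1"  # pfSense LAN address from the thread

# Constructed healthy trace: pfSense, then the upstream router, then the ISP.
GOOD_TRACE = """
Tracing route to www.google.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.25.1
  2     1 ms     1 ms     1 ms  192.168.123.1
  3    14 ms    13 ms    14 ms  198.51.100.1
  4    20 ms    19 ms    21 ms  203.0.113.10

Trace complete.
"""

# Constructed looping trace: the packet bounces between the upstream router
# and the pfSense WAN address and never leaves the local networks.
LOOP_TRACE = """
Tracing route to www.google.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.25.1
  2    <1 ms    <1 ms    <1 ms  192.168.123.1
  3    <1 ms    <1 ms    <1 ms  192.168.123.201
  4    <1 ms    <1 ms    <1 ms  192.168.123.1
  5    <1 ms    <1 ms    <1 ms  192.168.123.201
  6     *        *        *     Request timed out.
"""


@dataclass
class Hop:
    number: int
    address: Optional[str]  # None when all three probes timed out


def parse_tracert(text: str) -> List[Hop]:
    """Return one Hop per hop line; banner and trailer lines are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        last = m.group(3)
        try:
            ipaddress.ip_address(last)
            hops.append(Hop(int(m.group(1)), last))
        except ValueError:  # "Request timed out." ends in "out.", not an IP
            hops.append(Hop(int(m.group(1)), None))
    return hops


def diagnose(hops: List[Hop], lan_gateway: str, local_nets: List[str]) -> List[str]:
    """Explain what a trace says about the path; an empty list means it looks sane."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    findings: List[str] = []
    if not hops:
        return ["no hop lines found in the tracert output"]
    if hops[0].address != lan_gateway:
        findings.append(
            f"first hop is {hops[0].address or 'timeout'}, not {lan_gateway}: "
            "the client is not sending traffic through the pfSense LAN address")
    first_seen = {}
    for hop in hops:
        if hop.address is None:
            continue
        if hop.address in first_seen:
            findings.append(
                f"hop {hop.number} is {hop.address} again (first seen at hop "
                f"{first_seen[hop.address]}): routing loop, the usual cause of "
                "ping reporting 'TTL expired in transit'")
            break
        first_seen[hop.address] = hop.number
    answered = [ipaddress.ip_address(h.address) for h in hops if h.address]
    if answered and all(any(a in n for n in nets) for a in answered):
        findings.append("no hop outside the local networks: traffic never reached the ISP")
    return findings


if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("loop", LOOP_TRACE)):
        print(name, diagnose(parse_tracert(trace), LAN_GATEWAY, LOCAL_NETS) or "ok")
```

Paste your own `tracert -d www.google.com` output in place of the constructed traces, or pipe it in, and compare the findings with the healthy trace described in the post: pfSense first, the E3000 second, then public hops.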
-
Not sure what I did, but I noticed that IPV6 was not enabled. I changed it to DHCP6 and after that, internet seemed to work. I can resolve DNS names and browse to internet sites!
One last question - Devices (VMs) on my 25.1 network can see VMs on 123.1, but not the other way around. I tried adding a static route in tomato to point to the 123.201 (pfSense) but can't seem to ping anything on the 25.1 subnet. What am I missing?
-
So what part do you not understand about a firewall exactly?? I will ask again are you wanting to use pfsense as just a router, or as a NAT router/firewall?
No by default nothing on the WAN side of pfsense is going to be able to talk to stuff on the LAN side of pfsense in normal firewall/nat router mode.. Unless you create the rules and the forwards.. Routing has nothing to do with it if you're doing NATing - since everything behind pfsense would look like it came from whatever IP it has on its WAN interface - if you want to get to say http on a box behind pfsense from its wan side, then you would have to create a NAT (port forward) to whatever IP address on the 25.0/24 network this server is that is serving up http.. You would then access that via the wan IP of pfsense from anything on the wan side of pfsense.
IPv6 has NOTHING to do with how your ipv4 network should behave.. Nor is getting to a ipv4 address going to go over a ipv6 network.. So you want to show your ipv4 ping to www.google.com again, and a traceroute?
Are you actively wanting to use IPv6? Do you have native IPv6 working on your wan side network of pfsense – ie connected to your e3000 lan? Are you using native IPv6 from your isp, running a tunnel from say hurricane electric? If not then I would suggest you disable IPv6 and not configure or play with it until such time as you're ready.
-
So what part do you not understand about a firewall exactly?? I will ask again are you wanting to use pfsense as just a router, or as a NAT router/firewall?
Sorry. My mind doesn't want to think of it as a firewall as it's just a virtual appliance on my ESXi box. I guess I really only want to use it as a router. I don't see a way to turn off the firewall/NAT so do I just create a "pass all" rule?
IPv6 has NOTHING to do with how your ipv4 network should behave.. Nor is getting to a ipv4 address going to go over a ipv6 network.. So you want to show your ipv4 ping to www.google.com again, and a traceroute
I know IPv6 has nothing to do with IPv4, but when I enabled v6, internet traffic started flowing. Perhaps I also checked something else, but that's what happened. As this is a VM, I might just scrap the whole thing and start over to see if I can recreate the problem.
-
While it can be used as just a router – why would you need such a thing in your vm network, without wanting to firewall them off? Confused to be honest..
If you want your vms and your physical to talk to each other - why not just connect all your vms to vswitch0 and put them on your 192.168.123 network?
As to checked something else -- yeah that would be my guess.
If you want to just use it as a router.. Then yeah just turn off the features in, see attached screenie.
-
Thanks for your help. I'm mostly experimenting and learning, but for whatever reason, I couldn't get internet on my LAN interface. I'm not sure what else I would've checked, but it's working now.
-
Did you have a gateway setup on your 192.168.25.1?? Pointing to itself maybe?? Setting gateways when there should not be one seems to be a common area of problems with people with little or no network experience.