Point me in the right direction!!

  • Need a bit of advice.
    I was running pfSense on a PC and all was fine for my home network, then the box died.
    So now I want to use my desktop PC, which has 4 NICs, to replace the old one.
    So this PC needs to run pfSense as my router/firewall for the other network devices, and I also need to use it as my main computer running Ubuntu or Windows.
    I think I can do it if I run Windows/Ubuntu and then use VirtualBox with pfSense, but I'm not sure how to put Windows/Ubuntu behind the firewall.
    Is this something I can do with VMware ESXi maybe?
    Perhaps there is a guide or sticky?

  • Windows 8 Pro with the Hyper-V role enabled!

  • LAYER 8 Global Moderator

    ESXi would work if you wanted to dedicate the box to VMs – but you stated you want to also use the box as your main computer.  This throws ESXi out as an option.

  • I've got a small smattering of Ubuntu 12.04 machines hosting libvirt VMs.  Among those VMs are a bunch of virtual routers.  Since you have enough physical interfaces, I'll assume you don't have VLANs, so configuration would proceed as usual:

    brwan connects ONE physical NIC to one VIRTUAL nic on your router VM.  This interface should have NO configuration in the host.

    brlan connects ONE (or more) physical NICs to one VIRTUAL nic on your router VM.  This interface should receive configuration by DHCP or have a well defined static IP.

    The other two NICs are unused from the perspective of the Router configuration, and can be used however you see fit.

    This setup only works in Ubuntu.  If you want to use a similar configuration in Windows, you'll have to wait for another response.  I would HIGHLY advise against dual booting your virtual router host.

  • "windows 8 pro with hyper-v role enabled !"

    Will the machine running Windows 8 be behind the pfSense virtual machine?
    How would I set it up so that it is?

    From aarcane...
    I don't mind using Ubuntu, but do I need a managed switch?
    Does pfSense's LAN port, which is connected to a physical NIC, connect to the switch and then another switch port connects back to the PC so that Ubuntu gets an IP address that way?
    I'm a bit confused...

  • You do NOT need a managed switch.  I've written instructions assuming that you don't have a managed switch.  Your brlan interface becomes your LAN facing interface such that that's where you connect to the network.  The brwan bridge will only pass data directly between the physical interface and the logical WAN interface on the virtual router without interfering or inspecting it in any meaningful way.  It's basically the equivalent of a virtual switch.

  • OK, just a couple more questions...
    If I have Ubuntu using, say, nic1, and I have VirtualBox running with pfSense,
    do I use nic2 with VirtualBox/pfSense for the WAN and nic3 for the LAN?
    Does the cable out from nic3 go to a switch and then a cable from that switch goes back to nic1, or do I somehow bridge nic1 to nic3?
    If it makes a difference, I do have a managed switch if necessary.

  • The final and most concise answer I can give is that you ONLY NEED TWO INTERFACES AND NO SMARTSWITCH.  Once you understand the two interface setup, you can then, if you so desire, adapt it to use your smart switch.

    Turn off your existing networking: ifdown eth0; ifdown eth1; service network-manager stop;  Create a bridge brlan.  Configure the interface brlan the same as your eth0 device was previously configured.  Now add eth0 to brlan: brctl addif brlan eth0;
    Now create a new bridge, brwan.  Add eth1 to brwan: brctl addif brwan eth1;  DO NOT CONFIGURE brwan IN ANY FURTHER WAY.  Now plug in a cable between your modem and eth1.

    The only two devices used are eth0 and eth1.  THE OTHERS ARE INSIGNIFICANT.  You should have two cables plugged into your system.  One virtual device, brlan, should have a configuration.

    Okay, now you create your virtual router.  Add two interfaces.  Designate one to be the LAN interface.  Designate the other to be the WAN interface.  Bridge the LAN interface to brlan.  Bridge the WAN interface to brwan.

    In pfSense, configure the LAN interface as the LAN interface.  Configure the WAN interface as the WAN interface.

    Your host machine will access the LAN through the configured bridge, brlan.  This is how your machine accesses the internet.  The machine will place packets onto the bridge.  The bridge will forward to either the VM or the switch as needed.  The router will forward packets from its LAN interface to the WAN interface, which will send packets out along brwan.  The host machine MUST ignore packets on this bridge.  It must NOT interfere with traffic along this bridge in any way, and must forward all packets it receives between the virtual router and the physical Ethernet device that is connected to the modem.

    If you have any further questions, TRY IT AND SEE.  If you have problems, post a question with a diagram showing exactly what you've done, which ports are bridged to what, any relevant config snippets, and the outputs of any diagnostic commands.
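The two-bridge host setup described in the reply above, written out as a script (an added example, not aarcane's own code or anything from the pfSense project). It assumes eth0 faces the switch and eth1 the modem, that brlan takes its address by DHCP, and that brctl from bridge-utils is installed; DRY_RUN=1 prints the commands instead of running them, and brwan_is_clean checks the rule that the host must hold no address on the WAN-side bridge.

```shell
#!/bin/sh
# Added example (not from the thread): builds brlan and brwan on an Ubuntu
# host as the reply prescribes. Interface names and DHCP on brlan are
# assumptions; brctl comes from bridge-utils, as in the original commands.
LAN_IF="${LAN_IF:-eth0}"   # NIC going to your switch (host + pfSense LAN)
WAN_IF="${WAN_IF:-eth1}"   # NIC cabled to the modem (pfSense WAN only)
DRY_RUN="${DRY_RUN:-0}"    # 1 = print the commands instead of running them

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Take the host off the network first so the NICs can be moved into bridges.
stop_host_networking() {
  run ifdown "$LAN_IF" || true
  run ifdown "$WAN_IF" || true
  run service network-manager stop || true
}

# brlan carries the host's own address; the pfSense LAN vNIC attaches here.
make_brlan() {
  run brctl addbr brlan
  run brctl addif brlan "$LAN_IF"
  run ip link set "$LAN_IF" up
  run ip link set brlan up
  run dhclient brlan      # or the static address eth0 used to have
}

# brwan is a pure layer-2 pass-through between the modem NIC and the pfSense
# WAN vNIC: no address and no DHCP client, so the host never answers on it.
make_brwan() {
  run brctl addbr brwan
  run brctl addif brwan "$WAN_IF"
  run ip link set "$WAN_IF" up
  run ip link set brwan up
}

# Sanity check: the host must hold no IPv4/IPv6 address on brwan.
brwan_is_clean() {
  ! ip -o addr show dev brwan 2>/dev/null | grep -q ' inet'
}

if [ "${1:-}" = "--apply" ]; then
  stop_host_networking && make_brlan && make_brwan
  if brwan_is_clean; then echo "brwan has no host address: OK"
  else echo "WARNING: the host has an address on brwan"; fi
fi
```

Run it as root with `--apply` on the host (or with `DRY_RUN=1 --apply` first to preview); the same two bridges are what the VM's LAN and WAN vNICs get attached to.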

  • I think I have it solved...

    I installed pfSense and bridged both LAN and WAN ports to the respective NICs.

    I had an internet connection in the host machine and the other connected to the other NIC.

    To get the host behind the virtual machine, I added a host-only adapter.
    Then I had to disable IPv4 and IPv6 in the host machine by pointing them to link-only.

    Then after I released and renewed the host machine's IP address, all worked.

    Thanks for the help.

  • Well, after all that work, I had to disconnect the computer to put it closer to my modem.
    I thought I connected it in the same way and now it doesn't work at all!!

    I tried turning the PC on, then running pfSense and then connecting the WAN cable... no go.
    I tried just starting as normal with all cables connected and then running pfSense... again no internet.

    What is the correct way to start things up in the right order? Or did I do something wrong?  I was so close!

  • LAYER 8 Global Moderator

    Well, does pfSense get an IP on its WAN?  To be honest I don't see a point to what you're doing?  Is not your machine already behind a NAT router - running pfSense on the host you're actually on doesn't make sense since I am quite sure your machine has a software firewall built in already, etc.

  • Well, there is no router.
    I have a cable modem and two computers. I don't like commercial routers because they don't handle OpenVPN as well as pfSense.
    So I want to use my desktop as a main computer and router. I could just put pfSense on it, but then I couldn't use it for anything else. That's why I want to put pfSense in a virtual machine so I can still use the PC for work.

  • LAYER 8 Global Moderator

    Ah OK, that makes sense then. I run the same sort of setup, but I run my pfSense and other VMs on a dedicated box, an HP N40L running ESXi.  But doing a host network is not the way to go about it.

    On the box you're running pfSense on, the WAN interface connected to the cable modem should not have a host OS IP on it - in Windows just unbind IPv4/IPv6, uncheck all the Microsoft networking stuff, etc.  Then that interface should be bridged to the switch/interface that is the pfSense WAN.

    Then your other interface you can have a host OS IP on in your network, and then just bridge it to pfSense, and pfSense would have an IP on the same network that it is the gateway of.

    Or you could create 3 interfaces, where you do the same as WAN (uncheck everything for the host OS on that interface) and on the 3rd interface make it host-only and create another network on pfSense and connect your host machine to that.  That way pfSense has 3 segments - WAN, LAN and your host.

  • Thanks for the advice johnpoz.

    I actually do have 3 NICs, so I may try the latter idea.
    So just for clarification... (I do appreciate your patience)... with my host running normally with, say, eth0 connected to the modem, I modify IPv4 and IPv6 by eliminating all options for connectivity.
    Then I start up pfSense with interfaces em0 for WAN and em1 and em2 for LAN. I bridge em0 to eth0.
    For em1 I bridge that to eth1 so my other devices have access to the internet from pfSense.
    Then for em3 I make it host only and run a cable from it to a switch and then another cable from the switch back to eth2 so the host has internet access.
    Does that sound correct?

  • LAYER 8 Global Moderator

    "then for em3 i make it host only and run a cable from it to a switch and then another cable from the switch back to eth2 so the host has internet access."

    If it's host-only, how is there a cable??  Why would you ever need 2?

    Host-only networking is another networking mode that was added with version 2.2 of VirtualBox. It can be thought of as a hybrid between the bridged and internal networking modes: as with bridged networking, the virtual machines can talk to each other and the host as if they were connected through a physical Ethernet switch. Similarly, as with internal networking however, a physical networking interface need not be present, and the virtual machines cannot talk to the world outside the host since they are not connected to a physical networking interface.

    Instead, when host-only networking is used, VirtualBox creates a new software interface on the host which then appears next to your existing network interfaces. In other words, whereas with bridged networking an existing physical interface is used to attach virtual machines to, with host-only networking a new "loopback" interface is created on the host. And whereas with internal networking, the traffic between the virtual machines cannot be seen, the traffic on the "loopback" interface on the host can be intercepted.

    Here is how you could do it where you use a host-only network to connect pfSense and your host on their own segment - see first attachment.

    Where eth0 and em0 are bridged in VirtualBox - eth0 has no Windows network bindings.
    eth1 and em1 are bridged in VirtualBox - eth1 has no Windows network bindings.

    The other way to do it is similar: the host is on the same network as your physical one and you just don't remove the Windows network binding from eth1.

  • The Linux machine... I gave up. It started getting too complicated.

    I bought a cheap server and decided on the VMware ESXi route. I can practice fixing all my mistakes more easily this way.

    Anyway, the setup I now have is:
    modem --> wireless router --> switch --> pc1, printer etc.

    Branching from the switch is --> ESXi server --> pc2.

    The ESXi server has pfSense and Ubuntu VMs on it, and I set up the LAN side of pfSense to be different than the wireless router.
    So wireless is and pfSense is

    The problem is that I can't get internet access from Ubuntu or pc2.

    So just a few questions...
    1. Do I leave the wireless router as-is and let it hand out all DHCP addresses?
    2. In pfSense, what gateway and DNS do I use?
    3. Is one of the routers supposed to have a static IP?
    4. Maybe it's a double NAT thing?

    I think I'm missing something pretty simple here.

  • LAYER 8 Global Moderator

    Why is pc2 connected to ESXi?  Or is it also connected to your switch?

    What is your network setup of VMs on your ESXi?

    1. Sure, if you want to..
    2. Well, your WAN to pfSense would be your wireless router.  So I have to assume is your wireless router's IP?  So pfSense WAN could just be DHCP and get that from your wireless router.
    3. Why would you think you need a static?  But I have to assume your wireless router's LAN is static on - so what other router are you talking about?
    4. Is your "modem" as you call it just that, or is it a NAT device as well..  What IP does your wireless router get on its interface connected to the "modem"?

    Edit: here is my ESXi host network.  So pfSense WAN is connected to vswitch wan, which in turn is connected to my ESXi box physical nic vmnic1, while pfSense LAN is connected to vswitch lan and physical nic vmnic2.

    And so on..  So my pfSense in my setup gets a public IP on its WAN interface from my modem, which is connected to vmnic1; now my vmnic2 is connected to the real switch where my physical devices like my workstation are connected to (your pc2 maybe?)

    Can you post up your VM network like what I posted so we have a frame of reference to discuss your network.