PfSense + ESXI + DMZ



  • Hello and good day.

    I have been using pfSense for a few years and love it! Kudos.

I recently moved pfSense from a physical machine to an ESXi virtual machine.

    I configured pfSense, ESXi and a DMZ on my first ESXi box with no problem using the site instructions below:
    https://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5

    Works flawlessly!

    However, I have set up a second ESXi virtual machine and installed a Linux guest which I would like to place in the DMZ as well.

    The guest, on the second machine, is configured with an IP from the DMZ network, but I cannot ping WAN or LAN (however, I can ping localhost).

    Does this second ESXi machine need a second NIC card and pfSense installed also?
    If so, what is the proper configuration to get it working?

    If not, how do I get the host on the second ESXi virtual machine to work properly?

    Thank you.



  • You will need rules to allow traffic in on pfSense's DMZ interface.  Default is to block all, just like the WAN interface.


  • Rebel Alliance Global Moderator

Ok, your use of terms is a bit confusing - when talking about esxi, a HOST is normally the actual physical machine that virtual machines (VMs) are running on.. So I am a bit fuzzy on if you're talking about just another VM on the same physical esxi host, or a different physical host and a vm on it that you're trying to put in a dmz network via a physical connection to this other host?

    If the vm is on the same host, then all that is required is to give it an interface in the dmz vswitch, and then yes create any rules needed on the dmz firewall tab in pfsense to allow the traffic you want to where.



  • @biggsy:

    You will need rules to allow traffic in on pfSense's DMZ interface.  Default is to block all, just like the WAN interface.

I have the DMZ interface configured, set up and working on the first ESXi (ESXi-1) box. The ESXi guests on (ESXi-1) are communicating on the DMZ.

    However, on the second ESXi machine (ESXi-2), the Linux guest is not able to communicate.

    It only has 1 NIC and pfSense is not installed on the ESXi-2 virtual machine.



  • @johnpoz:

Ok, your use of terms is a bit confusing - when talking about esxi, a HOST is normally the actual physical machine that virtual machines (VMs) are running on.. So I am a bit fuzzy on if you're talking about just another VM on the same physical esxi host, or a different physical host and a vm on it that you're trying to put in a dmz network via a physical connection to this other host?

    If the vm is on the same host, then all that is required is to give it an interface in the dmz vswitch, and then yes create any rules needed on the dmz firewall tab in pfsense to allow the traffic you want to where.

    Sorry for the confusion. I have made the adjustment to my explanation.

I have a second physical ESXi (ESXi-2) host, set up with a newly created Linux guest. I want to place it into a DMZ but it will not communicate on the DMZ although the pfSense firewall rules have been created to allow DMZ traffic to flow.

    The guests on the original ESXi-1 host are communicating and working fine with the current firewall rules set up and configured.

    It's just the second ESXi-2 box that is not able to.


  • Rebel Alliance Global Moderator

    Well how do you have these esxi hosts connected?  The dmz network would have to be connected.

    host – dmz --- host

    so physical nic from host1 to the real world, and then physical nic to real world on host2 with its guest connected to that vswitch.



  • @johnpoz:

    Well how do you have these esxi hosts connected?  The dmz network would have to be connected.

    host – dmz --- host

    so physical nic from host1 to the real world, and then physical nic to real world on host2 with its guest connected to that vswitch.

ESXi-1 (host1)

    NIC1 -- WAN -- INTERNET
    NIC2 -- LAN -- SWITCH (Several guests running on LAN; one guest running on DMZ successfully)
    Used the following setup for ESXi-1 (http://www.digitalphotomac.com/PFsense/DMZ/)

    ESXi-2 (host2)

    NIC1 -- LAN -- SWITCH
    One guest configured for LAN and working, but I want this one guest to be on the DMZ, which is not working.
    The ESXi-2 host (host2) is not on the DMZ network.
    It is on the same LAN network as ESXi-1.
    The host2 guest VM will work on the LAN but cannot communicate when configured for the DMZ.

    With that said, how do I configure, "... physical nic to real world on host2 with its guest connected to that vswitch."? Do you mean configure host2 with WAN connection instead of LAN, run network cable from this nic to the modem, configure host2 vswitch, and make sure those hosts are using the WAN connected vswitch for network connectivity?


  • Rebel Alliance Global Moderator

    How do you think the vm on dmz would work if the esxi 2 host is only connected to your lan?  Do you have vlans running?

Those instructions are nothing more than how to set up another network and call it dmz ;)  How are those instructions any different than setting up a lan2 or wlan segment?  What does that have to do with an esxi environment, and it's from pfsense 1.2 ;)

    What physical nic do you have connected to this DMZ?  How do you think this dmz traffic is supposed to get to the esxi host 2 and then to the vswitch on esxi that your VM is connected to?

    What license of vsphere do you own?  Are you just running on free esxi?  Do you have your esxis in a DC under vcenter?  Just because you call a vswitch dmz on host 1 and create another vswitch on host 2 and call it dmz does not mean they can talk to each other ;)



  • @johnpoz:

    How do you think the vm on dmz would work if the esxi 2 host is only connected to your lan?  Do you have vlans running?

Those instructions are nothing more than how to set up another network and call it dmz ;)  How are those instructions any different than setting up a lan2 or wlan segment?  What does that have to do with an esxi environment, and it's from pfsense 1.2 ;)

    What physical nic do you have connected to this DMZ?  How do you think this dmz traffic is supposed to get to the esxi host 2 and then to the vswitch on esxi that your VM is connected to?

    What license of vsphere do you own?  Are you just running on free esxi?  Do you have your esxis in a DC under vcenter?  Just because you call a vswitch dmz on host 1 and create another vswitch on host 2 and call it dmz does not mean they can talk to each other ;)


    I don't know how to answer your questions when I have asked a question.

    I have one physical nic connected to host2.

    This is why I am asking how to set this up. I do not know how to get the dmz traffic to flow to/from host2.

I am using ESXi Free.

    So maybe it would be simpler to just instruct me on how to do it or pose a setup/configuration that I can follow.

    So to ask my question, again: Should I put the host2 on the DMZ network? What if I want to add a mixture of LAN and DMZ guests on host2? What would be my configuration?

    Thanks!


  • Rebel Alliance Global Moderator

    You CAN'T set it up – that is the point..  You don't have a physical DMZ network from your statements.. So how do you think the dmz from host 1 talks to dmz of host 2?

    You could run vlans over the physical network..  And create port groups over the one vswitch on each host putting them in the vlans that you have tied to the 1 physical nic.  Does your physical switch support vlans?  If your switch does not support vlans it pretty much comes down to you just run 2 ip address spaces over the same physical wire.

Do you have devices on the physical network that you're going to want to isolate in either the lan or dmz network?  What physical switch do you have?
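The VLAN approach described above (one physical NIC per host, a port group on each host's single vSwitch tagged with the DMZ VLAN, and a VLAN-capable physical switch trunking that tag between the hosts) can be applied with esxcli from the ESXi shell. The script below is an added example written for this thread; it is not from the original posts, from pfSense or from VMware documentation. The vSwitch name (vSwitch0), port group name (DMZ) and VLAN ID (30) are assumptions chosen for illustration, as is the requirement that the switch port facing each host carries VLAN 30 tagged. Run it with the argument `apply` on each host; without arguments it only defines the functions, and with `DRY_RUN=1` it prints the esxcli commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): give each ESXi host the same VLAN-tagged
# "DMZ" port group on its single standard vSwitch, so guests on host1 and host2
# sit in one layer-2 DMZ segment carried over the one physical NIC of each host.
# Assumptions (illustrative): vSwitch0 owns the host's only uplink, the DMZ is
# VLAN 30, and the physical switch trunks VLAN 30 tagged to both host ports.

VSWITCH="${VSWITCH:-vSwitch0}"
PORTGROUP="${PORTGROUP:-DMZ}"
VLAN_ID="${VLAN_ID:-30}"

# 802.1Q VLAN IDs for a tagged port group are 1..4094 (ESXi reserves 4095 as
# "pass all tags"). A mistyped ID silently puts the guest in the wrong segment,
# possibly the untagged LAN, so refuse anything outside the range.
validate_vlan() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 4094 ]; then
        return 0
    else
        return 1
    fi
}

# Print the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the port group on the vSwitch and tag it with the DMZ VLAN.
# (esxcli's "portgroup add" fails if the name already exists; that is intended,
# so an existing, possibly untagged, group is never silently reused.)
setup_dmz_portgroup() {
    vs="$1"; pg="$2"; vlan="$3"
    validate_vlan "$vlan" || { echo "invalid VLAN id: $vlan" >&2; return 1; }
    run esxcli network vswitch standard portgroup add --portgroup-name="$pg" --vswitch-name="$vs" || return 1
    run esxcli network vswitch standard portgroup set --portgroup-name="$pg" --vlan-id="$vlan"
}

# Only touch the host when explicitly asked to; sourcing or running the script
# without "apply" just defines the functions above.
if [ "${1:-}" = "apply" ]; then
    setup_dmz_portgroup "$VSWITCH" "$PORTGROUP" "$VLAN_ID"
fi
```

After the port group exists on both hosts, the DMZ guest on host2 is attached to it in the ESXi client. pfSense on host1 still needs a VLAN 30 interface on the NIC that shares this wire (Interfaces > Assignments > VLANs), assigned as the DMZ and given its own rules: as noted earlier in the thread, a new interface blocks everything by default, and the VLAN only extends the segment, it does not change what pfSense allows across it. On an unmanaged switch the tag gives no isolation, which is the "two IP address spaces over the same wire" situation described above.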



  • @johnpoz:

    You CAN'T set it up – that is the point..  You don't have a physical DMZ network from your statements.. So how do you think the dmz from host 1 talks to dmz of host 2?

That's what I wanted to hear!

    You could run vlans over the physical network..  And create port groups over the one vswitch on each host putting them in the vlans that you have tied to the 1 physical nic.  Does your physical switch support vlans?  If your switch does not support vlans it pretty much comes down to you just run 2 ip address spaces over the same physical wire.

    As for the switch, I have a Netgear GS108, which I do not believe supports VLAN. How do I run the 2 IP address spaces?

    Do you have devices on the physical network that your going to want to isolate either in the lan or dmz network?  What physical switch do you have?

Yes, I have LAN devices and 1 current DMZ device. Hoping this will be 2 and maybe 3 or 4 depending on how THIS configuration works.

    Not sure if I mentioned this but my pfSense box is a guest VM running on ESXi host1.


  • Rebel Alliance Global Moderator

    Well I run my pfsense host as vm on my esxi host as well - its a great way to run pfsense!

    If you need more dmz devices just run them on the one host..



  • @johnpoz:

    Well I run my pfsense host as vm on my esxi host as well - its a great way to run pfsense!

    If you need more dmz devices just run them on the one host..

    Yes it is a great way to run pfsense. Very minimum system requirements. I love it!

    And I was thinking of just using one host for dmz. That would be the Host1 which pfsense is running on.

Just out of curiosity, if I did purchase a switch with VLAN, how would I configure the host2 VM to run other DMZ guests? I may just purchase a new switch.

    Plus, I would like to know how to configure this on more than one Host :)