ESXI + pfsense + sg300 = no internet for VMs



  • Hello Everyone,

    I am new here and wanted to see if I could get some assistance. I do not have a lot of experience with networking in general which is why I am doing this. I am not able to ping pfsense LAN IP 192.168.20.1 from other VLANs which I believe is why my workstations are not able to get out on the internet. From the router I am able to ping all devices on all vlans. I have a SG300-20 in layer 3 mode with ip interfaces for each vlan.

    When I use my physical firewall all works fine, but in all honesty I couldn't ping my physical router from other vlans either, and things seemed to work and I was able to access the internet. I don’t quite understand why.

    Physical Configuration:
    Netgear FVX538 (192.168.20.1) -> SG300 (Multiple VLANs) Layer3 -> ESXI Host vSwitches

    SG300 (Layer3 mode) switch:
    A lot of VLANs trying to simulate real life environment
    VLAN1 = Router
    VLAN10 = Home (default vlan)
    VLAN30 = Servers
    VLAN50 = VM Management
    VLAN55 = Workstations
    VLAN56 = Development
    VLAN60 = Storage
    VLAN70 = vMotion
    VLAN71 = FT

    A default route has been added to SG300 to point to 192.168.20.1 for internet.

    GE1 port on SG300 is connected to my LAN vSwitch on the host. I tried changing the port from access mode (untagged VLAN1) to trunk mode (tagging VLAN1) both have the same result.

    pfsense:
    In pfsense I added static routes back to VLAN 10, 30, 50, 55, & 56 using gateway 192.168.20.2 (SG300 VLAN1 interface). I also made sure on the LAN that there is no gateway selected as this seems to trip up a few people.

    I have attached a few screenshots in order to assist.

    Any assistance would be appreciated. Also if you see anything that is not done correct with regards to networking best practice please let me know.

    Thanks
    ![ESXI vSwitch.png](/public/imported_attachments/1/ESXI vSwitch.png)
    ![SG300 Port Modes.png](/public/imported_attachments/1/SG300 Port Modes.png)
    ![pfsense Routes.png](/public/imported_attachments/1/pfsense Routes.png)



  • Here are some more screenshots.

    ![SG300 VLAN Interface Table.png](/public/imported_attachments/1/SG300 VLAN Interface Table.png)
    ![SG300 Ping Test.png](/public/imported_attachments/1/SG300 Ping Test.png)
    ![SG300 VLANs.png](/public/imported_attachments/1/SG300 VLANs.png)



  • Last set.

    Thank you in advance! :D

    ![pfsense No Gateway for LAN set.png](/public/imported_attachments/1/pfsense No Gateway for LAN set.png)
    ![pfsense ping Internal Network test.png](/public/imported_attachments/1/pfsense ping Internal Network test.png)
    ![pfsense DNS test.png](/public/imported_attachments/1/pfsense DNS test.png)



    I was able to successfully ping the gateway 192.168.20.1 (physical firewall) from all vlans by removing an incorrect route. I had a route on my firewall that said 192.168.20.0 traffic should go through 192.168.20.2, which explains why I could not ping the gateway from those vlans. I will continue to troubleshoot my virtual pfsense firewall tonight.



  • I figured it out! I created an Alias called InternetforVLANs for all VLAN traffic that requires internet. After that I created a rule to allow Any IPv4 traffic from InternetforVLANs to any destination. I have attached screenshots for those who may have a similar issue.
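    As an added illustration (not from the thread or from pfSense itself), here is a small Python model of the two things the posts ended up needing: static routes on pfSense back to the switch-routed VLAN subnets via 192.168.20.2, and a LAN rule whose source covers those subnets instead of only "LAN net". The per-VLAN subnet numbering (192.168.<vlan>.0/24) is an assumption; the thread only gives 192.168.20.1 and 192.168.20.2.

```python
import ipaddress

IPNet = ipaddress.ip_network
IPAddr = ipaddress.ip_address

# Constructed model of the lab in the thread. Subnet numbering per VLAN is an
# assumption; the thread only names pfSense LAN 192.168.20.1 and SG300 VLAN1 192.168.20.2.
LAN_NET = IPNet("192.168.20.0/24")
SG300_VLAN1 = IPAddr("192.168.20.2")
VLAN_NETS = [IPNet(f"192.168.{v}.0/24") for v in (10, 30, 50, 55, 56)]

# pfSense routing table entries: (prefix, next hop).
# None = directly connected, "WAN" = the default route toward the internet.
CONNECTED = [(LAN_NET, None)]
STATIC_BACK_ROUTES = [(net, SG300_VLAN1) for net in VLAN_NETS]   # the routes added in the thread
DEFAULT_ROUTE = [(IPNet("0.0.0.0/0"), "WAN")]

# LAN interface rules: (action, allowed source networks), first match wins, implicit deny.
# pfSense's default LAN rule only passes source "LAN net"; the alias rule adds the VLAN subnets.
DEFAULT_LAN_RULES = [("pass", [LAN_NET])]
ALIAS_LAN_RULES = [("pass", [LAN_NET]), ("pass", VLAN_NETS)]    # "InternetforVLANs" alias


def next_hop(routes, dst):
    """Longest-prefix match over the routing table, as a router resolves a destination."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def rule_action(rules, src):
    """First-match rule evaluation on the inbound interface; no match means block."""
    for action, sources in rules:
        if any(src in net for net in sources):
            return action
    return "block"


def internet_path(src, routes, rules):
    """Why a VLAN host's internet-bound packet succeeds or fails at the virtual firewall.

    Checks the forward direction (does a LAN rule pass this source?) and then the
    return path (does pfSense know to send replies back toward the SG300, or would
    it hand them to the WAN default route?).
    """
    if rule_action(rules, src) != "pass":
        return "blocked by LAN rules"
    if next_hop(routes, src) == "WAN":
        return "no return route (reply follows default route to WAN)"
    return "ok"
```

    A host on the native LAN subnet passes with the default rule alone, while a workstation on VLAN 55 needs both the back route and the alias rule.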




