Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    VMWare VM with 4 ethernet NICs, can it be done?

    Scheduled Pinned Locked Moved Virtualization
    20 Posts 3 Posters 15.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S Offline
      Seth
      last edited by

      generatedAddressOffset ensures that you have unique MAC addresses.

      At this point I would say that your FW Rules haven't been configured.

      or

      Your VM is also dual homed on the same subnet.
      eth2 and eth3 specify two different virtual networks, VMnet2 and VMnet3.  These are user specified.  VMnet0, VMnet1 and VMnet8 are created for you during install.  VMnet2 and VMnet3 cannot be on the same subnet in your case 192.168.4.0/24.  This may be the root of your problem.  Check the subnet in Virtual Network Editor.  Edit | Virtual Network Editor - Summary - Subnet.  You need to be a local admin to change setting here.

      1 Reply Last reply Reply Quote 0
      • M Offline
        MindTwist
        last edited by

        My 3 (or 4) virtual ethernet adapters are all bridged, connected to the physical network through the only physical NIC on that server that has a link to the rest of the network (switches), so they all belong to VMNet0. The other physical NIC is unused (integrated, Realtek 8129 I would say, I do not use it)

        I will get back when I have time to do the tests again and tell exactly what were the problems, and when I can report with some exact problem and screenshots. I think all my rules were ok, after all I only needed to set up a 3rd WAN connection, and route the traffic with destination port whatever to that connection to try. I usually just route web traffic to one or another connection, and visit some web page that will show me my IP and do a ctrl+F5 to see exactly what connection I am going out through, all 3 connections are on different ISPs, so I can tell instantly if I am going out on the connection I wanted to.

        Thank you, I'll try to go a couple hours earlier tomorrow to work and do the tests again with the 4th adapter.

        1 Reply Last reply Reply Quote 0
        • M Offline
          MindTwist
          last edited by

          Ok, so here is so far the outcome of my tests done this morning.

          Before:
          WAN* -> le0 -> 192.168.2.227
          LAN* -> le1 -> 192.168.1.112
          OPT1(Jazztel) -> le2 -> 192.168.3.226

          For adding the 4th NIC adapter, I edited freebsd.vmx and added just oneline at the end:
          ethernet3.present = "TRUE"

          After booting up the VM and shutting it down later, I noticed VMWare has also added the following lines:
          ethernet3.addressType = "generated"
          ethernet3.generatedAddress = "00:0c:29:25:96:da"
          ethernet3.generatedAddressOffset = "30"

          So the 4th NIC seems to be there and working correctly.

          After booting up and doing an "1) Assign Interfaces" from the console, I had the following:

          WAN* -> le0 -> 192.168.2.227
          LAN* -> le1 -> 192.168.1.112
          OPT1(OPT1) -> le2 -> NONE
          OPT2(OPT2) -> le3 -> NONE

          Then I went to the WebGUI and configured the OPT1 and OPT2 interfaces

          WAN* -> le0 -> 192.168.2.227
          LAN* -> le1 -> 192.168.1.112
          OPT1(Jazztel)* -> le2 -> 192.168.3.226
          OPT2(Telefonica)* -> le3 -> 192.168.4.228

          So I basically have:

          192.168.1.112 LAN
          192.168.2.227 WAN -> gateway 192.168.2.112
          192.168.3.226 OPT1 -> gateway 192.168.3.111
          192.168.4.228 OPT2 -> gateway 192.168.4.113

          192.168.2.112 , 192.168.3.111 and 192.168.4.113 are physical routers to 3 different internet connections

          Problem with this setup; it seems as if OPT2/le3 is not working correctly (even I would say it is configured 100% the same was as OPT1/le2). I have different rules for traffic, so I can basically choose what internet connection the traffic will go out through. In rules -> LAN I have the following 2 rules (and more that do not matter now):

          Proto Source Port Dest Port Gateway Desc

          ICMP LAN net * * * 192.168.3.111 ICMP
          TCP LAN net * * 80 (HTTP) 192.168.2.112 Web

          So, as it is configured now, HTTP traffic will go out on WAN interface (192.168.2.112) and ICMP traffic will go out on OPT1 interface (192.168.3.111)

          So far, so good, this is working since I am only using WAN and OPT1, this is how I had it working until now (and how it is working now).

          More on next post…

          1 Reply Last reply Reply Quote 0
          • M Offline
            MindTwist
            last edited by

            Ok, so with this setup I can basically change my rules (Firewall: Rules -> LAN) and choose what internet connection my web traffic or my ICMP traffic will go out. This way I can easilly just go to a web page like whatismyipaddress.com and see exactly what internet connection I am using, or I can open a CMD window and with a "tracert www.google.com" I can see what router I am going out through.

            So I can put 192.168.3.111 as gateway for the ICMP rule, and with a "tracert www.google.com" I will get:
            (this tests also apply to web traffic. On WAN and OPT1 I can do web browsing ok, on OPT2 web pages will not load)

            Traza a la dirección www.l.google.com [209.85.135.99]
            sobre un máximo de 30 saltos:
              1     2 ms     1 ms     2 ms  192.168.3.111
              2     6 ms     6 ms     6 ms  197.217.106.212.static.jazztel.es [212.106.217.197]
            

            And I can put 192.168.2.112 as gateway for the ICMP rule, and I will get:

            Traza a la dirección www.terra.es [213.4.130.210]
            sobre un máximo de 30 saltos:
              1     2 ms     2 ms     3 ms  192.168.2.112
              2    14 ms    18 ms    11 ms  static-10-0-235-87.ipcom.comunitel.net [87.235.0.10]
            

            But then, if I put 192.168.4.113 as gateway for the ICMP rule, I get:

            Traza a la dirección www.l.google.com [209.85.135.99]
            sobre un máximo de 30 saltos:
              1     *        *        *     Tiempo de espera agotado para esta solicitud.
            

            Doh, not working. But then, on the WebGUI if I go to Diagnostics -> Ping , and ping 192.168.4.113 (physical router), I do get an answer:

            PING 192.168.4.113 (192.168.4.113) from 192.168.4.228: 56 data bytes
            64 bytes from 192.168.4.113: icmp_seq=0 ttl=255 time=1.371 ms
            64 bytes from 192.168.4.113: icmp_seq=1 ttl=255 time=0.845 ms
            64 bytes from 192.168.4.113: icmp_seq=2 ttl=255 time=0.937 ms
            --- 192.168.4.113 ping statistics ---
            3 packets transmitted, 3 packets received, 0% packet loss
            round-trip min/avg/max/stddev = 0.845/1.051/1.371/0.229 ms
            

            If I switch around the interface IP/gateway for OPT1 and OPT2 (I put ISP Jazztel on OPT2, and ISP Telefonica on OPT1) results are the same, OPT1 works ok with Telefonica's router, and OPT2 still doesn't work, this time with Jazztel's router.

            Here I put Telefonica IP and gateway on OPT1, router ICMPs on 192.168.4.113, and it does work!

            Traza a la dirección www.l.google.com [64.233.183.99]
            sobre un máximo de 30 saltos:
              1     1 ms     1 ms     1 ms  192.168.4.113
              2    35 ms    35 ms    36 ms  192.168.153.1
              3    35 ms    36 ms    35 ms  145.Red-81-46-34.staticIP.rima-tde.net [81.46.34.145]
            

            NOTE. The 192.168.153.1 IP does not belong to my network

            So, from the first time I tried all this, it made me think that VMWare didn't get along with the 4th NIC card I had created, and that's why it was giving me problems. If it should be working ok with 4 virtual NICs, I guess then that my problem must be somewhere else. I was even about to just grab an old computer, plug 4 3com NICs on it, and try it out there…

            I'll try to post some screenshots on my current config right now, thanks for reading! :)

            1 Reply Last reply Reply Quote 0
            • GruensFroeschliG Offline
              GruensFroeschli
              last edited by

              Do your physical routers to which your OPT2 and 3 go know the route back to where the request comes from?

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              1 Reply Last reply Reply Quote 0
              • M Offline
                MindTwist
                last edited by

                Here is my LAN interface (sorry about the huge width of the images, I made them with a firefox extension and have no image editing program here):

                Here are my three WAN interfaces, WAN OPT1 and OPT2:


                Here are my main firewall rules. I basically choose what traffic to route on OPT1 by destination port, and the traffic that doesn't match any rule usually is routed on WAN.

                Rules that would route a given type of traffic to WAN I usually have them disabled, since traffic will go out on WAN anyway. I just leave the routes in there for testing purposes, like, web traffic will always be going out on WAN, but for testing the other connections I enable the rule and change the gateway, so I can see what connection my web traffic is going through.

                Thanks!
                Aitor

                1 Reply Last reply Reply Quote 0
                • M Offline
                  MindTwist
                  last edited by

                  @GruensFroeschli:

                  Do your physical routers to which your OPT2 and 3 go know the route back to where the request comes from?

                  Hello,

                  I guess so. They are just normal ADSL routers, one is a Comtrend, the other one is a Telsey. If I put on my notebook fixed IP 192.168.2.1 gateway 192.168.2.112 or IP 192.168.4.1 gateway 192.168.4.113 I can use those connections with no problem at all. If I configure OPT1 to use the 192.168.4.113 router it works ok, if I configure it on OPT2 it doesn't seem to work.

                  Note that I have the 3 internet connections as WAN OPT1 and OPT2. I do not have OPT3.

                  Thanks!
                  Aitor

                  1 Reply Last reply Reply Quote 0
                  • GruensFroeschliG Offline
                    GruensFroeschli
                    last edited by

                    I assume you didnt add a static route to your LAN on this router, did you?
                    In this case this router does not have a clue that your LAN-subnet even exists.
                    –> It can not answer to anything you send over it.

                    Add a static route on this router pointing to your OPT2 interface for your LAN-subnet.

                    We do what we must, because we can.

                    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                    1 Reply Last reply Reply Quote 0
                    • M Offline
                      MindTwist
                      last edited by

                      @GruensFroeschli:

                      I assume you didnt add a static route to your LAN on this router, did you?
                      In this case this router does not have a clue that your LAN-subnet even exists.
                      –> It can not answer to anything you send over it.

                      Add a static route on this router pointing to your OPT2 interface for your LAN-subnet.

                      Mmmh nope, I did not add anything, no static routes. I am not sure I understand though, I need to add a route on the 192.168.4.113 router? Or on pfSense? If I configure OPT1 interface to make use of the 192.168.4.113 router it does work ok, so I did not think I would have to modify anything on the router… I did not have to add anything on the other 2 routers for the other 2 connections when I originally setup pfSense, any hints on what exactly do I have to do will be appreciated.

                      Thanks Gruens!

                      1 Reply Last reply Reply Quote 0
                      • M Offline
                        MindTwist
                        last edited by

                        This is what I have on the 192.168.4.113 router (Comtrend) that relates to routing. Destination 192.168.4.0 traffic goes out on br0 interface, so I think that should be ok. Otherwise it would not be responding to pings from the pfSense router on 192.168.4.228?

                        On Advanced Setup -> Routing -> Static Route I have no info.

                        Thanks!

                        1 Reply Last reply Reply Quote 0
                        • GruensFroeschliG Offline
                          GruensFroeschli
                          last edited by

                          On your WAN you're NATing traffic from the LAN.
                          Meaning for the "real" router it seems as if the traffic comes from an IP in a known subnet.
                          On the OPT interface no traffic is NATed.
                          So for the "real" router the traffic seems to come from an unknown subnet.

                          You can either configure pfSense so it NATs traffic on the OPT interface,
                          or add a static route on the "real" router (192.168.4.113) with as destination 192.168.4.228 for the subnet 192.168.1.0/24

                          We do what we must, because we can.

                          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                          1 Reply Last reply Reply Quote 0
                          • M Offline
                            MindTwist
                            last edited by

                            @GruensFroeschli:

                            On your WAN you're NATing traffic from the LAN.
                            Meaning for the "real" router it seems as if the traffic comes from an IP in a known subnet.
                            On the OPT interface no traffic is NATed.
                            So for the "real" router the traffic seems to come from an unknown subnet.

                            You can either configure pfSense so it NATs traffic on the OPT interface,
                            or add a static route on the "real" router (192.168.4.113) with as destination 192.168.4.228 for the subnet 192.168.1.0/24

                            Now I feel so stupid…

                            You are completely right. I didn't have a clue that traffic on OPT interfaces was not NATed by default, and I was asuming that if it was working ok on OPT1, it would also work ok on OPT2 . What I was failing to remember was that I actually configured it that way when I set up pfSense multiwan months and months ago.

                            So traffic was coming out of 192.168.4.113, but incoming traffic didn't know where to go and was being dropped by the physical router. He was geting traffic for 192.168.1.x IPs, and it was just being discarded.

                            So I had to go to Firewall : NAT : Outbound, which I have configured for Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)), and there was my solution. I only had rules for WAN and OPT1, and I just copied the rule for OPT1 and created a new one for OPT2.

                            Changing the ICMP rule to go out on OPT2, tried a "tracert www.google.com", and there it is, working without problems now.

                            Traza a la dirección www.l.google.com [66.249.93.99]
                            sobre un máximo de 30 saltos:
                              1     1 ms     1 ms    <1 ms  192.168.4.113
                              2    45 ms    37 ms    37 ms  192.168.153.1
                              3    35 ms    35 ms    36 ms  145.Red-81-46-34.staticIP.rima-tde.net [81.46.34.145]
                            

                            I will do some more testing on monday but I am sure that this will be it. I can't do too much testing now since it is friday evening, or otherwise if I mess up and have to reboot the router I will have 3 dozens of crazy kids yelling at me because they have been kicked out from WOW or lost the DOTA match they were about to win.

                            Thanks!
                            Aitor

                            1 Reply Last reply Reply Quote 0
                            • GruensFroeschliG Offline
                              GruensFroeschli
                              last edited by

                              btw: why are you running this in a VM?
                              Wouldnt it be easier to just install pfSense on the hardware itself?

                              We do what we must, because we can.

                              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                              1 Reply Last reply Reply Quote 0
                              • M Offline
                                MindTwist
                                last edited by

                                Mainly because it is not a dedicated computer, it's a multi purpose WinXP computer that has right now 3 VMs:

                                • pfSense
                                • Win98 SE with out custom cybercafe management software
                                • Debian (file sharing, squid proxy)

                                I also use often the XP part by using MSTSC, VNC, some web browsing, a couple of programs for file sync, …

                                I actually gave it a thought on just building a dedicated machine for pfSense, but I am not sure if it would be worth it. It would mean one more computer on 24/7, and I doubt that the performance would be a lot better, ping times would go down but maybe 1ms..? I do not know if I would even notice the difference.

                                With several old computers laying around I might give it a try just to see if it would be worth it. Makes me wonder if I could run it from a bootable pendrive, so at least I could save myself the HD and its noise/heat.

                                I have also grown used to VMs over the years for many tasks. It makes it soooo much easy to just backup a full machine, move it to different hardware, and never bother installing too much crap on the main computer. I even have some VMs dedicated to things like Visual Basic 6, I still use it once in a while, and almost every time I needed it it meant reinstalling, so now I just have a VM with VB6 installed that I boot up when I need it, so I will never need to install VB6 on the main computer.

                                1 Reply Last reply Reply Quote 0
                                • GruensFroeschliG Offline
                                  GruensFroeschli
                                  last edited by

                                  From a security-point it's not such a good idea.
                                  Search the forum, since there are quite a few threads why running a firewall in a VM is insecure.

                                  I've been running for quite some time a windows xp "server" too.
                                  Ok it wasnt a server but just a computer that was running 24/7.
                                  I noticed that about every 20-30 days you HAVE to restart. (windows behaving really really strange)
                                  I dont know if you run into the same problem.

                                  If you're running pfSense on dedicated hardware you could take some lowpower embedded system since you dont seem to use packages.
                                  (Like http://pcengines.ch/alix2c3.htm )

                                  Ping wise…
                                  I dont know. You could run a longtime test through your VM-pfSense.
                                  I think i just saw in cT (german computermagazone) a free software which is capable of displaying ping tests over long periods of time.

                                  If your customers are playing FPSs it would make a difference if they have 100 or 50 ms latency.

                                  We do what we must, because we can.

                                  Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                                  1 Reply Last reply Reply Quote 0
                                  • M Offline
                                    MindTwist
                                    last edited by

                                    I am positive that everything would be a bit more secure on dedicated hardware than on virtual machines, but the data I might be keeping is not critical at all. My weakest security would probably be someone just walking to one of the servers since we open 7 days a week and I just won't always be there, the fact that pfSense or any other server/service is running on dedicated hardware or a VM won't make me lose my sleep :)

                                    There are several reasons that could make me switch to a dedicated hardware solution:

                                    • Ping times. I doubt the difference between VM or dedicated would be 100 or 50ms, but maybe more like 51/52 or 50ms. I haven't even checked the difference between direct connect to the DSL routers or through pfSense and from there to the routers, but if I had to guess I would say that pfSense in the middle doesn't add more than 1/2ms.
                                      If you know of any tool to do some tests on latency times I would love to know, since always I have done test on this they have been by hand (ping for x hours and make an avarage, use a gamer tool like HLSW to make me an avarage of ping times to a game server over a period of time, etc). If I had a scientific way to say "VM pfSense adds 5ms to my traffic, dedicated hardware pfSense adds only 1ms" that would be a good reason to make the switch.

                                    • Good hardware, I once looked into it but didn't find anything that seemed good for me. It is not easy to find this kind of hardware in Spain, I looked some ITX computers and things like that. The one you linked me too seems great, but they do not seem to have any with 4 lan ports which is what I think I would need (I could probably use just 3, yeah, or even one since that is what I am using now with pfSense on a VM). I see it at 98.20E + taxes here in Spain, another 12.20E + taxes for the box, it doesn't seem so bad. It would be about 128E and I would just need a CF card, and I think that the power suply, which doesn't seem to be included.

                                    • About two years ago I retired an old P2-266Mhz 128Mb 2Gb HD which was running 98SE with our own management software. I just moved it to a VM on this computer for several reasons; it was one more computer running 24/7, which added to more wasted electricity, more noise, more dust, more heat, … If I go the other way now with the pfSense router it would make me feel like going backwards. Yeah, I would do it if I had a good reason, better ping times, good hardware like the one above that has a low power usage/noise/heat disipation, etc.

                                    I would love to try more things with pfSense, but my time (and knowledge) is limited. I could try it on a physical computer to see if it improves, I would love to have failover so if one connection fails traffic would be router on another one, I would like to use it as a proxy with squidguard, or a file server... I just love breaking things that work ok just for the heck of fixing and improving them :)

                                    1 Reply Last reply Reply Quote 0
                                    • M Offline
                                      MindTwist
                                      last edited by

                                      Everything seems to be working just great over here!

                                      I have now the 3 internet connections working of a single pfSense router on a VM, and all with only one physical NIC on the computer. I have one connection for WOW, Warcraft3, Quake3, UT, Guild Wars, Warsow, and some more, another connection for BF2, Steam games, CS, TF2, and a third one with more bandwidth but worse latency for web, IM, and any kind of unknown traffic. I love it! :D

                                      When I have the time I will take a look if it is possible for me to implement failover, so if one connection is offline traffic can be redirected automatically to another one, and I would also like to try to use pfSense on a physical computer, to see if there are good improvements vs running it on VM.

                                      Many thanks!
                                      Aitor

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.