Netgate Discussion Forum

Is it possible to run pfSense behind router -> switch on VMware ESXI?

Virtualization
7 Posts 2 Posters 3.3k Views
Nicklas, Jun 28, 2015, 1:08 PM (edited Jun 28, 2015, 1:18 PM)

Hi guys, anyone an idea how to solve my problem?

I have successfully installed pfSense on my VMware ESXi box.
Sadly I think my set-up in the DC is wrecking my idea to have pfSense virtualized on each ESXi box.

Situation in DC: Cisco router [no control, DC assigned /24 subnet in a VLAN] -> Switch: HP ProCurve 1810G-24
The DC provided me with a network cable which I plugged into a port of my switch, and everything works perfectly fine so far.

What I would like to achieve is having pfSense on each ESXi box to block certain countries, use Snort and have VPN access.

This is a clean install with the latest version of pfSense, open-vm-tools and a clean install of VMware ESXi 5.5 patched to the latest level.
It all works fine except it only blocks traffic to the IP on which pfSense is installed; all other IPs on the WAN are not protected by pfSense. No traffic is blocked on WAN to any IP other than the pfSense appliance.

After installing pfSense and assigning the LAN IP with a DHCP range I was perfectly able to install a new Debian installation on the LAN.

The LAN works fine, the DHCP server works fine, I installed a VM with Debian with an IP assigned from the DHCP server and can browse and log in to the Dashboard. I noticed that the firewall logs only show blocks/rejects to the pfSense IP xxx.xxx.xxx.38.
I was able to install a CentOS VM on the WAN and install extra software with yum and ssh or ping to this other IP address xxx.xxx.xxx.35. I was of the understanding that with the current rules no traffic would be allowed on the WAN on this ESXi box?

I have attached screenshots of the current set-up, any help is much appreciated.

Edit: I have tried promiscuous mode as well, although it is not really recommended in the book! But no result either.
[Attached screenshots: VMWare-lan-rules.png, VMWare-float-rules.png, VMWare-wan-rules.png, VMWare-1.png, VMWare-2.png, VMWare-3.png, VMWare-ping.png, VMWare-promiscuous-mode.png]
KOM, Jun 28, 2015, 5:19 PM

pfSense can't help you if you're not routing through it. If you want to protect all those other servers, move them to LAN so they're "behind" pfSense and then port-forward their services.
Nicklas, Jun 28, 2015, 9:58 PM (edited Jun 29, 2015, 12:17 PM)

Thanks,
I would prefer to use the LAN for VPN and IPMI; perhaps moving the VMs to a DMZ and using Bridge/Transparent mode would work?
I have a full /24 subnet and would need to be able to move VMs between ESXi hosts and keep the IPs assigned to them.

Not sure if that would be the best way forward, as looking around on the forum, many have trouble with Bridge/Transparent mode.
I hope someone could give advice on what is good practice with many [public] IPs, as all my VMs have public IPs at the moment.
KOM, Jun 29, 2015, 1:38 PM

Best practice is DMZ with port-forwards. Create IP Aliases for each of your public IPs. Create NAT/firewall rules that map each IP alias to a LAN server.
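The design KOM describes, written out as an equivalent plain pf ruleset. This is an added illustration, not configuration from the thread or generated by pfSense; pfSense builds rules of this kind from its GUI, and the generated set can be reviewed in /tmp/rules.debug on the firewall. Interface names and all addresses below are placeholders (documentation and private ranges).

```pf
# Added illustration (not from the thread, not pfSense-generated): the
# DMZ-plus-port-forward design in pf syntax. Placeholders throughout.

wan = "vmx0"        # uplink port group carrying the DC-assigned /24
dmz = "vmx1"        # internal port group where the servers are moved to

# Public addresses that used to sit directly on the servers become IP
# aliases on the firewall's WAN interface; each maps to one DMZ host.
web_pub  = "203.0.113.35"
web_dmz  = "10.10.0.35"
mail_pub = "203.0.113.36"
mail_dmz = "10.10.0.36"

# Port forwards. Only the listed services are translated; anything else
# sent to a public alias has no rdr and is caught by the default block.
rdr on $wan proto tcp from any to $web_pub  port { 80, 443 } -> $web_dmz
rdr on $wan proto tcp from any to $mail_pub port { 25, 587 } -> $mail_dmz

# Outbound NAT so a server's own traffic leaves with the public address
# it previously owned rather than the firewall's WAN IP. Other DMZ hosts
# share the WAN interface address.
nat on $wan from $web_dmz    to any -> $web_pub
nat on $wan from $mail_dmz   to any -> $mail_pub
nat on $wan from $dmz:network to any -> ($wan)

# Default deny everywhere; rules below are evaluated after rdr, so they
# match the translated (DMZ) destination. This is why the original setup
# could not protect the other VMs: traffic never crossed the firewall.
block log all

pass in quick on $wan proto tcp from any to $web_dmz  port { 80, 443 } keep state
pass in quick on $wan proto tcp from any to $mail_dmz port { 25, 587 } keep state

# DMZ hosts may reach the Internet but not the firewall's own addresses
# (management stays reachable only from LAN/VPN, per the thread's plan).
pass in  quick on $dmz from $dmz:network to ! ($dmz) keep state
pass out quick on $wan from $dmz:network to any      keep state
```

To add a server, add one public alias, one rdr line and one pass line; the default block means a forgotten pass rule fails closed rather than open.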
Nicklas, Jun 29, 2015, 3:09 PM

Thanks, will give that a try.
KOM, Jun 29, 2015, 3:21 PM

Check these out if you haven't already:

https://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5

https://doc.pfsense.org/index.php/Aliases

https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
Nicklas, Jul 7, 2015, 6:30 PM

Just some feedback,
I had that working fine, but I really don't want to change all the servers' IPs, so I have decided to go for Transparent mode [Bridge]. That way I only have to move the servers from the DMZ back to the WAN port in case the firewall is down for whatever reason. Servers/services can keep their current IPs and the 'design' is much simpler. Thanks very much for putting me in the right direction. :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.