Issue with pfsense/vmware/vlans



  • Hi Everyone,

I'm trying to get pfSense running in transparent mode in a VMware ESXi 5.5 environment using VLANs, without much success.

I've created a port group in ESXi 5.5 passing all VLANs to the pfSense virtual machine (using VLAN ID 4095) and enabled promiscuous mode on that port group. I also set Net.ReversePathFwdCheckPromisc to 1.

I then installed pfSense and started assigning VLANs. However, I have found that with promiscuous mode enabled, I can't ping anything from the shell of pfSense (or allow inbound). If I disable it, I can do those functions, but I can't get traffic to pass over the bridge. (i.e. I can't ping devices on the internal VLAN, but the ARP table is showing their MAC addresses.)

    Thoughts?

    Ideally, I also want to put this in HA mode (yes, I know we should look at NAT)

    Thoughts? Recommendations are greatly appreciated.

    Thanks!

UPDATE: I lose connectivity as soon as the bridge is enabled. If I down the bridge, within a few seconds I can then ping (from the pfSense VM) the devices on both sides.

    Tom



I use VLANs for my net connections and I have them as physical interfaces on the VM. I mean, VMware tags and untags the traffic and pfSense doesn't know or care what VLAN it's talking to. Do you have many VLANs, where having so many network adapters would be cumbersome?



All, this was resolved by using two VMware interfaces to send the traffic in and out (i.e. one port group with all VLANs for "in" traffic and one port group with all VLANs for "out").

I guess trying to move everything over the one interface caused the VMware layer 2 protection to kick in.
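A worked version of the layout the thread settles on (one trunking port group per side of the bridge, a two-NIC pfSense VM bridging them), written as an added example and not the poster's own configuration. The vSwitch name `vSwitch1`, the port-group names `pfsense-bridge-in` / `pfsense-bridge-out` and the guest NIC names `vmx0` / `vmx1` (vmxnet3) are assumptions; the `esxcli` and FreeBSD `ifconfig`/`sysctl` commands are real. Promiscuous mode, forged transmits and MAC changes are exactly the vSwitch layer 2 protections the resolution refers to, and enabling them lets any VM on that port group see and spoof every trunked VLAN, so the bridge VM should be the only thing attached to those two port groups. With `DRY_RUN=1` (the default) the script only prints the commands; the ESXi part is meant for the host shell and the pfSense part for the pfSense shell.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (or runs) the ESXi and pfSense
# commands for a transparent pfSense bridge with one trunk port group per side.
# Assumed names: VSWITCH, PG_IN/PG_OUT (port groups), IF_IN/IF_OUT (guest NICs).
VSWITCH="${VSWITCH:-vSwitch1}"
PG_IN="${PG_IN:-pfsense-bridge-in}"
PG_OUT="${PG_OUT:-pfsense-bridge-out}"
IF_IN="${IF_IN:-vmx0}"
IF_OUT="${IF_OUT:-vmx1}"
DRY_RUN="${DRY_RUN:-1}"

# ESXi side. A trunking port group (VLAN 4095) needs promiscuous mode so the
# bridge sees frames for MACs other than its own, plus forged transmits and
# MAC changes so it may forward frames carrying other hosts' source MACs.
# All three switch off vSwitch layer 2 protections for this port group, so
# only the bridge VM should be connected to it.
esxi_portgroup_cmds() {
    pg="$1"
    printf '%s\n' \
      "esxcli network vswitch standard portgroup add --portgroup-name=$pg --vswitch-name=$VSWITCH" \
      "esxcli network vswitch standard portgroup set --portgroup-name=$pg --vlan-id=4095" \
      "esxcli network vswitch standard portgroup policy security set --portgroup-name=$pg --allow-promiscuous=true --allow-forged-transmits=true --allow-mac-change=true"
}

# Host-wide setting mentioned in the original post; it only matters when
# promiscuous ports exist on more than one vSwitch on the host.
esxi_host_cmds() {
    printf '%s\n' "esxcli system settings advanced set -o /Net/ReversePathFwdCheckPromisc -i 1"
}

# pfSense (FreeBSD) side: build the bridge from the two trunk NICs and filter
# on the bridge interface rather than on each member, the usual setting for
# a transparent firewall.
pfsense_bridge_cmds() {
    in_if="$1"
    out_if="$2"
    printf '%s\n' \
      "sysctl net.link.bridge.pfil_member=0" \
      "sysctl net.link.bridge.pfil_bridge=1" \
      "ifconfig bridge0 create" \
      "ifconfig bridge0 addm $in_if addm $out_if up"
}

# Every command in execution order, one per line.
all_cmds() {
    esxi_portgroup_cmds "$PG_IN"
    esxi_portgroup_cmds "$PG_OUT"
    esxi_host_cmds
    pfsense_bridge_cmds "$IF_IN" "$IF_OUT"
}

# Print each command (DRY_RUN=1) or execute it on the current host.
run_cmds() {
    all_cmds | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

run_cmds
```

On a normal install the pfSense GUI creates the bridge and writes the `net.link.bridge.pfil_*` tunables itself (Interfaces > Bridges and System > Advanced > System Tunables); the shell lines above show what that amounts to and are handy for checking the live state with `ifconfig bridge0` and `sysctl net.link.bridge` when traffic stops crossing the bridge, as in the original symptom.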



If you try without VLANs in your config, is bridge mode working?

Not sure why you would set Net.ReversePathFwdCheckPromisc to 1, as this is discussed in the VMware forum where vSwitches are somehow linked. http://www.chriscolotti.us/vmware/vsphere/interesting-vmware-vswitch-advanced-setting/