2x pfsense instances on ESXi 6

  • Hi,
    Hoping for some help.  I am stuck.

    Presently I have 2 pfSense boxes connected to my modem/router.  1 for connecting VPN to Canada and 1 for connecting VPN to USA.  Each pfSense box has a wireless router connected to it.  Dlink router connected to pfSense VPN Canada BOX and a DD-WRT router connected to pfSense USA BOX.  Almost all my devices are connected to the Dlink router and I have 1 device connected to the DD-WRT router.

    The new goal is to have both instances of pfSense on an ESXi 6 server; each pfSense VM will have its own LAN port but share 1 single WAN NIC to connect to the modem/router.  ESXi management port connected to the Dlink router, 1 NIC for future server labs also connected to the Dlink router.  This way I can manage ESXi from my primary PC, which is connected to the Dlink router, and also retain the Canada VPN connection.  Also future server lab VMs will have access to all the same devices and network resources that exist in the Dlink IP range.

    To help explain, I have created a network diagram here:

    On the left side is what I have working.
    On the right side is what I am trying to get to work.

    This is also what I have setup under ESXi configuration - networking:

    CANGW = pfSense VPN Canada LAN port/vmnic
    USGW = pfSense VPN USA LAN port/vmnic
    WAN = vmnic for both pfSense WAN ports/vmnics, which is connected to the modem/router

    I have set a manual MAC for both LAN NICs of both pfSense VMs.
    I have also tried a manual MAC for WAN but am not sure if that would cause an issue or not.  Not sure if that should be left as Automatic.

    End result: I can't get an IP from either LAN port from DHCP from either pfSense instance/NIC, even though the console config on the pfSense boxes looks perfect.  MACs link up and they both get an IP address from DHCP on the modem/router!!

    Anyone have any ideas?

  • Sorry, clarification:
    ESXi management NIC is connected to a switch port of the Dlink router.
    Dlink WAN port is connected to pfSense Canada LAN port.

  • Don't entirely understand your setup.
    Not that it matters much; there must be something essentially wrong (DHCP from pfSense works), and I would think in the ESX config.
    Why the manual MACs? Why 2 pfSenses? Why the 2 routers?
    In the new setup, you could let pfSense handle both tunnels, do DHCP for your network(s), and still separate those networks if you must. (Your ESX host seems well equipped with NICs.)

  • LAYER 8 Global Moderator

    Yeah, I don't get why you would run 2 pfSense. You could have multiple VPN connections and route your traffic to them however you wanted.

    What I see from that drawing is a MESS.. So it looks to me like you have your wifi routers NATting as well.

    Why is the CAN VPN pfSense 2.1 but the wifi router is 1.1, and the USA VPN is 3.1 and the wifi router is 4.1?  WTF  And then pfSense is behind a NAT as well..

    Connect your modem to your pfSense WAN; if it was really a "modem" you should have a public IP on the pfSense WAN. Then create however many segments you need on your local side, be it physical or VLAN, create as many VPN connections in pfSense as you want, and then route the traffic how you want.. If you want machine A to use the CAN VPN, sure; if you want machine B to use the USA VPN, then do that.  Machine A could either be in the same local segment or a different one..

    You're going down the rabbit hole here to totally unwarranted complication.

    If you were using an AP that supports VLAN tagging of your SSIDs you could even have different wireless clients on the same AP isolated and again use whatever VPN you want, etc..

    I run pfSense on ESXi 6 and have multiple LAN segments, both physical and VLAN, and multiple SSIDs on my UniFi AP with different wifi networks on their own segments.
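The single-pfSense layout the moderator describes above, as an added PowerCLI example (not from the thread, pfSense or VMware): one WAN vSwitch, one LAN vSwitch with a VLAN port group per segment, and one pfSense VM with a vNIC in each. The host name, vmnic numbers, VLAN IDs and the VM name are assumptions.

```powershell
# Added example, not from the thread. Assumes VMware PowerCLI is installed, the host is
# reachable as "esxi.lab.local" (placeholder), vmnic1/vmnic2 are free uplinks and
# vSwitch0/vmnic0 stays as the management network.
Connect-VIServer -Server 'esxi.lab.local' | Out-Null
$esx = Get-VMHost -Name 'esxi.lab.local'

# WAN side: one vSwitch with a single uplink to the modem/router.
$wanSw = New-VirtualSwitch -VMHost $esx -Name 'vSwitch-WAN' -Nic 'vmnic1'
New-VirtualPortGroup -VirtualSwitch $wanSw -Name 'WAN' | Out-Null

# LAN side: one vSwitch, one VLAN-tagged port group per local segment. A trunk-capable
# switch or AP behind vmnic2 carries the same VLAN IDs (10 = CAN tunnel, 20 = USA tunnel).
$lanSw = New-VirtualSwitch -VMHost $esx -Name 'vSwitch-LAN' -Nic 'vmnic2'
New-VirtualPortGroup -VirtualSwitch $lanSw -Name 'LAN-CAN' -VLanId 10 | Out-Null
New-VirtualPortGroup -VirtualSwitch $lanSw -Name 'LAN-USA' -VLanId 20 | Out-Null

# Keep the vSwitch security policy at its restrictive defaults on both switches so a
# guest that sniffs the segment, changes its MAC or forges source MACs is dropped.
foreach ($sw in @($wanSw, $lanSw)) {
    Get-SecurityPolicy -VirtualSwitch $sw |
        Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
        Out-Null
}

# One pfSense VM (name assumed) gets three vNICs: WAN plus one per local segment.
# Inside pfSense both VPN clients are configured, and firewall rules on LAN-CAN and
# LAN-USA select the tunnel gateway per segment (policy routing).
$fw = Get-VM -Name 'pfsense'
New-NetworkAdapter -VM $fw -NetworkName 'WAN'     -Type Vmxnet3 -StartConnected | Out-Null
New-NetworkAdapter -VM $fw -NetworkName 'LAN-CAN' -Type Vmxnet3 -StartConnected | Out-Null
New-NetworkAdapter -VM $fw -NetworkName 'LAN-USA' -Type Vmxnet3 -StartConnected | Out-Null
```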

  • or this

    add some Intel LAN cards (1x slot so it can take a dual gigabit NIC max)

  • pfSense sometimes has a hard time with dual HMA VPN, IME.

    I'm working on the same now.

    SHOULD be doable with one pfSense… I had it running but now get problems. Can swap between.

    I have tried even using a second WAN to no avail.

    I have not tried with multiple IPs from the same provider, just multiple providers = NICs.

    Always fully real and passed-through NICs, of course.
