Need help setting up pfSense as a router inside ESXi 6

  • Hi,

    I am using ESXi 6, but I only have 1 public IP. I am trying to implement NAT within the ESXi network. Is there any guide on how to do this with one public IP? The ESXi server management interface is using the only public IP.

    Any help is much appreciated.

  • LAYER 8 Global Moderator

    So this ESXi is in some colo somewhere? Or is it on your local network? I only have 1 public IP ;) Your issue is being able to manage it and access it via vmkern. So this ESXi 6 is on some server, be it hardware or VPS, not in your physical location?

  • @johnpoz:

    I only have 1 public IP ;)  Your issue is being able to manage it and access it via vmkern.

    VPN? 8) I have somewhat of the same setup at home, but all my servers have dual NICs, and my vmkern only runs on the LAN side of the network.

    (www)---[ESXi-eth/nic0]---{vm-pf}---(vswitch)---[ESXi-eth/nic1]---[other network stuff]


    OK so here is something you can do!

    In a nutshell:

    1. Create (at least) two vSwitches, one "public", connected to one of the server NICs, and one "private", which is not attached to any physical NIC.

    2. Pick an RFC1918 subnet to use on the private vSwitch, say

    3. Install pfSense in a VM, assign its WAN interface to the public vSwitch and its LAN interface to the private vSwitch. Additionally, assign the VMware vKernel management port to the private vSwitch.

    4. Set up a VPN in pfSense along with appropriate routing to get to the private network. OpenVPN is quite easy to set up, but IPsec would be fine as well.

    5. For any server VMs you have, assign their interface to the private network.

    6. Create Virtual IPs in pfSense for the rest of your public IP addresses, then set up port forwards for any services you need people to be able to access from outside the host.

    At this point, the pfSense VM will be the only way traffic can get from the outside to the rest of your servers and management interfaces. As such, you can specify very specific rules about which traffic is allowed and which is blocked. You will be able to use the vSphere Client after connecting to the VPN you configured in step 4.


    I don't think you can do this unless you have more than two NICs on the server, due to (I think) ESXi having to have a physical NIC for the management interface. However, if it does not, you could make a virtual switch and add management to it and keep management on the physical NIC as well, so after you install PF you will have some way to talk to the server!?!!?
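    The vSwitch layout from the "in a nutshell" steps above, as an added example that is not part of the thread: the esxcli sequence a host admin would type in the ESXi SSH shell to build a public vSwitch with an uplink, a private vSwitch with no uplink (so the pfSense VM is the only path between them), and a second management VMkernel port on the private side. The vSwitch and port group names, the vmnic numbers and the 10.10.10.0/24 subnet are constructed placeholders. It defaults to a dry run that only prints the plan, and it deliberately leaves the public vmk0 in place until the pfSense VPN has been tested, which addresses the lock-out concern raised in the last post.

```shell
#!/bin/sh
# Added example (not from the forum thread). Builds the two-vSwitch layout
# described in the thread with esxcli. Names, vmnic numbers and the subnet
# are constructed placeholders. DRY_RUN=1 (default) prints commands only;
# DRY_RUN=0 executes them on an ESXi host.

DRY_RUN="${DRY_RUN:-1}"
PUBLIC_VSWITCH="vSwitchPublic"      # assumed name
PRIVATE_VSWITCH="vSwitchPrivate"    # assumed name
PUBLIC_UPLINK="vmnic0"              # assumed: the NIC that carries the public IP
PRIVATE_SUBNET="10.10.10"           # constructed RFC1918 subnet
MGMT_VMK_IP="${PRIVATE_SUBNET}.2"   # management port, behind pfSense

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: two vSwitches. Only the public one gets a physical uplink; the
# private one has none, so nothing on it can reach the outside except
# through the pfSense VM that bridges the two.
create_vswitches() {
    run esxcli network vswitch standard add --vswitch-name="$PUBLIC_VSWITCH"
    run esxcli network vswitch standard uplink add --uplink-name="$PUBLIC_UPLINK" --vswitch-name="$PUBLIC_VSWITCH"
    run esxcli network vswitch standard add --vswitch-name="$PRIVATE_VSWITCH"
    # Port groups: pfSense WAN vNIC attaches to the first, pfSense LAN vNIC
    # and every server VM attach to the second.
    run esxcli network vswitch standard portgroup add --portgroup-name=pfSense-WAN --vswitch-name="$PUBLIC_VSWITCH"
    run esxcli network vswitch standard portgroup add --portgroup-name=Private-LAN --vswitch-name="$PRIVATE_VSWITCH"
}

# Step 3 (second half): a management VMkernel port on the private side.
# It is only reachable over the VPN terminated by pfSense (step 4).
add_private_mgmt_vmk() {
    run esxcli network ip interface add --interface-name=vmk1 --portgroup-name=Private-LAN
    run esxcli network ip interface ipv4 set --interface-name=vmk1 --ipv4="$MGMT_VMK_IP" --netmask=255.255.255.0 --type=static
    run esxcli network ip interface tag add --interface-name=vmk1 --tagname=Management
}

# Last, and only after the VPN has been tested from outside: stop managing
# the host over the public vmk0. Running this earlier locks you out, which
# is exactly the failure the last post worries about.
retire_public_mgmt() {
    run esxcli network ip interface tag remove --interface-name=vmk0 --tagname=Management
}

# Number of esxcli commands a full dry run would emit (self-check helper).
plan_command_count() {
    { create_vswitches; add_private_mgmt_vmk; retire_public_mgmt; } | wc -l | tr -d ' '
}

# Number of uplinks attached to the private vSwitch in the plan; must be 0.
private_uplink_count() {
    create_vswitches | grep -c "uplink add.*$PRIVATE_VSWITCH"
}

main() {
    create_vswitches
    add_private_mgmt_vmk
    # retire_public_mgmt is intentionally not part of the default run.
}

main "$@"
```

    Run it once as-is to review the plan, then with `DRY_RUN=0` to apply it; `retire_public_mgmt` is left for a separate, deliberate invocation after the VPN path to vmk1 has been confirmed.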