Trouble setting up transparent firewall in a vSphere environment - no traffic

  • Hello,
    I am trying to set up pfSense as a transparent firewall in front of our VMs in a vSphere 5.5 environment.

    My current situation in vSphere:

    Internet (public /25)
    +- pfSense box 1 (NAT 1:1 config) -- LAN 1 -- VMs
    +- pfSense box 2 (Bridge config)  -- LAN 2 -- VMs

    Both the uplink and the LAN 2 Distributed Port Group have promiscuous mode enabled.

    Box 1 (NAT 1:1 config) has been running for 2 years without a problem, but I really would like to use pfSense as a transparent firewall. So I set up a new backend LAN and installed pfSense 2.2.4 on a new VM.

    The problem is, as soon as I bridge the WAN and LAN interfaces on box 2, all network traffic on the distributed port group which the WAN interface is connected to is halted. Not only on the WAN interface of box 2, but on all VMs connected to this port group (tcpdump shows no traffic).

    When I do an "ifconfig bridge0 down", all traffic resumes.

    I tested this exact setup/config on a physical server, as well as on my workstation with VMware Workstation 10, with no problems.

    Has anyone ever seen this behavior before? Could there be a problem with MAC addressing (VMware expecting a MAC address on a different portgroup)?

    Any pointers would be greatly appreciated!

  • Hi,

    I have successfully set up a transparent firewall environment on ESXi 6.

    However, I set Promiscuous Mode to "Accept" at the vSwitch level, not at the port group level, both for the WAN-side vSwitch and the LAN-side vSwitch. Maybe you try that, not sure if it makes a difference?

    Best regards
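As an added example (not code from either poster), here is the check a practitioner would run on the vSwitch security policy this thread revolves around: it parses constructed esxcli-style output for a standard vSwitch and one of its port groups, computes the effective policy (a port-group override wins, otherwise the vSwitch value is inherited), and reports which of the three settings a bridging firewall VM still lacks. Assumptions: the esxcli output format shown below, and that the original poster's distributed port group exposes the same three settings in its own policy.

```python
import re

# Constructed sample output in the format printed by
#   esxcli network vswitch standard policy security get -v vSwitch0
#   esxcli network vswitch standard portgroup policy security get -p "LAN 2"
# Mirrors the thread: promiscuous mode was enabled on the port group only.
VSWITCH_OUT = """\
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
"""
LAN2_OUT = """\
   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: false
   Override Vswitch Allow Promiscuous: true
   Override Vswitch Allow MAC Address Change: true
   Override Vswitch Allow Forged Transmits: true
"""

# A bridging VM must receive frames not addressed to its own vNIC MAC
# (Promiscuous) and transmit frames carrying other VMs' source MACs
# (Forged Transmits); MAC Address Change covers the vNIC changing its own MAC.
REQUIRED = ("Promiscuous", "MAC Address Change", "Forged Transmits")
_LINE = re.compile(r"^\s*(Override Vswitch )?Allow (.+?): (true|false)\s*$")


def parse_policy(text):
    """Return ({setting: bool}, {setting: override flag}) from esxcli output."""
    values, overrides = {}, {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            target = overrides if m.group(1) else values
            target[m.group(2)] = (m.group(3) == "true")
    return values, overrides


def effective_policy(vswitch_text, portgroup_text):
    """Port-group value applies only where its override flag is set."""
    vs_values, _ = parse_policy(vswitch_text)
    pg_values, pg_overrides = parse_policy(portgroup_text)
    return {k: (pg_values[k] if pg_overrides.get(k) else vs_values.get(k, False))
            for k in REQUIRED}


def missing_for_bridge(vswitch_text, portgroup_text):
    """List the settings still blocking a transparent (bridging) firewall."""
    eff = effective_policy(vswitch_text, portgroup_text)
    return [k for k in REQUIRED if not eff[k]]
```

With the constructed data, `missing_for_bridge(VSWITCH_OUT, LAN2_OUT)` reports MAC Address Change and Forged Transmits: the port group overrides inherited the vSwitch's "true" values with "false", which is the kind of mismatch that setting the policy at the vSwitch level avoids.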
