Using pfsense in VMWare as a router/firewall
-
Hello,
I am new to pfsense and trying to understand how to get it set up correctly.
I am trying to do this:
http://serverfault.com/questions/353223/recommended-way-to-setup-a-secure-esxi-environment-with-a-publicly-accessible-ra/353242#353242
In a nutshell:
1. Create (at least) two vSwitches, one "public", connected to one of the server NICs and one "private", which is not attached to any physical NIC.
2. Pick an RFC1918 subnet to use on the private vSwitch, say 10.0.0.0/24.
3. Install pfSense in a VM, assign its WAN interface to the public vSwitch and its LAN interface to the private vSwitch. Additionally, assign the VMware vKernel management port to the private vSwitch.
4. Set up a VPN in pfSense along with appropriate routing to get to the private network. OpenVPN is quite easy to set up, but IPsec would be fine as well.
5. For any server VMs you have, assign their interface to the private network.
6. Create Virtual IPs in pfSense for the rest of your public IP addresses, then set up port forwards for any services you need people to be able to access from outside the host.
At this point, the pfSense VM will be the only way traffic can get from the outside to the rest of your servers and management interfaces. As such, you can specify very specific rules about which traffic is allowed and which is blocked. You will be able to use the vSphere Client after connecting to the VPN you configured in step 4.
However, I am stuck somewhere around step 4. I believe I have everything else working, including OpenVPN. The main problem is that I can't get to my server from the internet. The pfsense VM has internet access and can get out, but nothing can connect to pfsense. Can anyone point me in the right direction? I feel I am missing something small.
-
The main problem is that I can't get to my server from the internet.
Assuming you mean you can't get access when you connect to your OpenVPN instance? Are you running the client OpenVPN package as administrator? If you don't, it will appear to work but the routing table doesn't really get updated so the VPN doesn't route you properly. The pfSense OpenVPN wizard should have automatically created the proper Allow All rule, but you might want to check that under Firewall - Rules - OpenVPN tab.
-
Yup! I have used OpenVPN in the past, so I'm aware of those caveats.
The problem is I can't ping the public IP, or anything. It's basically set up like this:
INTERNET -> Firewall (DMZ public IP to 192.168.168.5) -> VMWare ESXi -> pfsense
pfsense WAN: 192.168.168.5
pfsense LAN: 10.0.10.X (DHCP is enabled for the other VMs)
pfsense can get to the internet, but I can't get to the pfsense box from the internet. I feel like the firewall rules are wrong, but I'm not sure what I am missing. I figure it has to be something simple. I am trying to use OpenVPN to get into the network and then I can get back into ESXi and the web admin for pfsense.
-
Are you saying you can not get to pfsense because you can not ping?
Out of the box pfSense WAN rules are block all. If you want to ping it, then you would have to allow that. If you want to do anything to pfSense from the WAN, you would have to allow it in the pfSense WAN rules. Out of the box all unsolicited traffic would be dropped.
-
Thanks for the help here. My mistake, wrong word, *ping. I am aware ICMP/ping is blocked.
I setup OpenVPN and it created the firewall rules automatically (used the wizard). I wasn't able to connect to it at all, or even detect that the port was open. I setup a few other firewall rules to open ports but I can't seem to get connected to anything. Would you be able to provide an example of how to get this working with my setup (previous post)?
-
what setup below?
-
what setup below?
Meant here, sorry: https://forum.pfsense.org/index.php?topic=110768.msg617019#msg617019
INTERNET -> Firewall (DMZ public IP to 192.168.168.5) -> VMWare ESXi -> pfsense
pfsense WAN: 192.168.168.5
pfsense LAN: 10.0.10.X (DHCP is enabled for the other VMs)
Basically, the 192.168.168.5 address is what the other firewall has set up for DMZ with a public IP. How can I configure pfsense to work with the public IP, do I need to do anything specific? How should any firewall rules be set up for OpenVPN to work with this setup? Any traffic coming into my public IP is being routed to 192.168.168.5, which (I thought) pfsense was set up to receive traffic from. For whatever reason, nothing can connect. I know it works because if I set up another machine and configure the IP to be 192.168.168.5, it works fine.
However, pfsense does have an internet connection, it can connect out.
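As an added illustration, not taken from this thread or from the pfSense project: the six-step layout quoted in the first post, together with the later reply that pfSense's WAN rules drop everything unsolicited by default, can be written as a small ruleset in pf syntax, which is what pfSense generates from its GUI rules. The interface names vmx0/vmx1, the server VM address 10.0.10.20, the OpenVPN port 1194, the HTTPS forward and the ovpns1 interface name are assumptions; 192.168.168.5 and 10.0.10.0/24 come from the thread. Two checks worth making against the setup described: the upstream firewall rewrites the public destination address to 192.168.168.5 before a packet reaches pfSense, so the WAN pass rule and any port forward have to match the WAN address rather than the public IP (a Virtual IP for the public address never sees traffic in this layout); and the OpenVPN pass rule must be present on the WAN tab explicitly, because the default policy drops the VPN handshake along with everything else.

```pf
# Constructed example ruleset in pf syntax, of the kind pfSense writes to
# /tmp/rules.debug from its GUI rules; not from the thread or pfSense itself.
# Assumed interface names: vmx0 = WAN (public vSwitch), vmx1 = LAN (private vSwitch).
ext_if   = "vmx0"
int_if   = "vmx1"
wan_addr = "192.168.168.5"   # WAN address from the thread; the upstream firewall NATs the public IP to it
lan_net  = "10.0.10.0/24"    # private vSwitch subnet from the thread
srv_vm   = "10.0.10.20"      # assumed server VM on the private vSwitch
vpn_port = "1194"            # assumed OpenVPN UDP port

set block-policy drop        # silently drop, as pfSense does by default
set skip on lo0

# Translation rules come before filter rules in pf.
# Outbound NAT so LAN VMs reach the internet through the WAN address.
nat on $ext_if from $lan_net to any -> ($ext_if)
# Step 6: port forward for one service on a server VM (HTTPS assumed).
# The match is on the WAN address, not the public IP, because the
# upstream firewall has already rewritten the destination.
rdr on $ext_if proto tcp from any to $wan_addr port 443 -> $srv_vm port 443

# Default policy: unsolicited traffic is dropped on every interface,
# which is why ICMP to the WAN address does not answer out of the box.
block in log all

# pfSense itself may initiate connections (why "pfsense can get out").
pass out quick keep state

# Step 4: the only thing the WAN accepts directly is the OpenVPN handshake.
pass in quick on $ext_if proto udp from any to $wan_addr port $vpn_port keep state

# Forwarded traffic is filtered after translation, so the rule names the VM.
pass in quick on $ext_if proto tcp from any to $srv_vm port 443 keep state

# LAN VMs and connected VPN clients may reach the private network and beyond.
pass in quick on $int_if from $lan_net to any keep state
pass in quick on ovpns1 keep state   # assumed OpenVPN server interface name
```

From the pfSense shell, `pfctl -sr` lists the loaded filter rules and `pfctl -sn` the NAT and rdr rules; comparing that output with the ruleset above is a direct way to confirm that the OpenVPN wizard actually produced a WAN pass rule for the VPN port and that any port forward points at the WAN address.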