PfSense 2.2 as firewall on VMware ESXi 5.5

I need someone to help me find a good URL and to decipher some of the missing information in almost every search result I can find on how to set up pfSense as the main firewall, for ESXi and the VMs behind it on one single server. I have found countless links, but all seem to be for their own unique uses or have missing details which never make sense.

I get how the idea works.
I get that you set up a pfsense firewall on the public side, then put your vms on the private side.

What I don't get which is never clear is how to set up the ESXi interfaces for this to work.
Some people talk about using no NICs, some say use a NIC, some say make a fake MAC, some say otherwise, it's just nonsense.

What I need to know are things such as:

The machine has two NICs and I could create VLANS but I want the simplest possible setup.
Obviously, one NIC is used for the public side.
But, the second NIC for LAN side, should it be in the main Networking configuration or adding a second one?
And should it use the real physical NIC of the server for the LAN side or should it have no NIC assigned and how?

Once this is set up, I need to change the admin interface of ESXi to be on the LAN side, preventing public access.
I fully understand that if I lose access to pfsense, I lose access to everything and other such issues. I do have IP KVM access in case anything goes really bad.

I'm sure this won't be that complicated once I can talk with someone who understands this so am hoping to find a solution on this site.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
I assume pfSense is a VM on the host?
projects (Author) commented:
Yes, it will be once the networking is set up.
Its WAN interface will be on the public side and a second interface will be on a private, LAN side.
Note that there is no actual LAN side, this is a single stand alone server.
Zephyr ICT, Cloud Architect, commented:
If I understand your question correctly, you could achieve what you're looking for by creating 2 vswitches, using 1 pNIC with each vswitch.

1 vswitch will be for internal only, and the pfSense vNIC for "LAN" will be connected to this vswitch (along with all other "LAN" connected devices and VMware management); the other vswitch will be connected with the pfSense vNIC for "PUBLIC" traffic. Connect nothing else to this vswitch ...

projects (Author) commented:
My current setup is two vswitches, one without nic.

One is the WAN side, where ESXi admin is at the moment but which I want to put the pfsense WAN side to.

One is the LAN side, which I want to put the pfsense LAN side to.

Do I really need to use a physical NIC on the LAN side? I've read that I don't.

If I have it set up right, how do I now switch ESXi admin over to the LAN side without losing access?

Attached is how things look at the moment.
Zephyr ICT, Cloud Architect, commented:
You don't have to add a pNIC to the LAN vswitch, no; it just means that all the VMs on that switch will only be able to talk with each other and nothing else (except for going out over the firewall/pfSense, naturally).

This setup works if you don't have other physical systems that should be able to talk directly with the virtual systems on the LAN vswitch.

But, leaving your management network on the outside facing pNIC is also not without risks of course.
nappy_d ("There are a 1000 ways to skin the technology cat.") commented:
Please see my attached screenshot.  I think this is what you are looking to do.

pfSense on VMWare
projects (Author) commented:
Thanks for the information, but there was much more to it than what is mentioned here. I don't really even know how to provide information, because it will be different in each case depending on how/where I am setting something up.

Basically, I got everything working now.

I kept the ESX admin on public port until I installed pfsense.

I then set up a temp public IP on pfsense so I could reach it and added a rule to allow myself admin access to ESX.

Once I was able to do that, I disabled management access on the public port of ESX, moving it to the LAN side. Now I connect through pfsense to get to the management interface on the LAN side.

I made sure that pfSense is set to auto start, but at worst, I have remote KVM access to the server.

It is very weird that pfSense now has the public IP of ESX so that I can reach ESX from remote.
Obviously, if I reboot pfSense, I will lose access to the server, so before rebooting or anything, all settings must be closely checked to make sure you have some means of accessing the machine again should it be lost.

Now, all traffic flows through pfsense first and the host is for all intents and purposes, on the private LAN only.

Odd but, it all seems to work.
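The vswitch layout Zephyr ICT describes and the cutover order the author followed, written out as an ESXi 5.5 shell script. This is an added example, not from the thread or from pfSense/VMware; the vswitch name, IP addresses and the uplink vmnic0 are assumptions, and with the default DRY_RUN=1 it only prints the esxcli commands so the plan can be reviewed before anything is run.

```shell
#!/bin/sh
# Layout: vSwitch0 keeps the single uplink vmnic0 and carries only the pfSense
# WAN vNIC; a second vSwitch with NO uplink carries the LAN side and the host's
# management vmkernel port, which is then only reachable through pfSense.
DRY_RUN=${DRY_RUN:-1}
LAN_VSWITCH=vSwitchLAN        # assumed name; no pNIC is ever attached to it
LAN_MGMT_IP=192.168.1.2       # assumed host management address on the LAN side
LAN_GATEWAY=192.168.1.1       # assumed pfSense LAN address
LAN_NETMASK=255.255.255.0

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: WAN side. vSwitch0 already has vmnic0 (the public NIC); add a port
# group that only the pfSense WAN vNIC will be connected to.
plan_wan() {
    run esxcli network vswitch standard portgroup add \
        --portgroup-name=WAN --vswitch-name=vSwitch0
}

# Step 2: LAN side. New vSwitch with no uplink (deliberately no 'uplink add'),
# one port group for the VMs and the pfSense LAN vNIC, plus a second management
# vmkernel port (vmk1) whose default gateway is pfSense's LAN address.
plan_lan() {
    run esxcli network vswitch standard add --vswitch-name="$LAN_VSWITCH"
    run esxcli network vswitch standard portgroup add \
        --portgroup-name=LAN --vswitch-name="$LAN_VSWITCH"
    run esxcli network ip interface add --interface-name=vmk1 --portgroup-name=LAN
    run esxcli network ip interface ipv4 set --interface-name=vmk1 \
        --ipv4="$LAN_MGMT_IP" --netmask="$LAN_NETMASK" --type=static
    run esxcli network ip interface tag add --interface-name=vmk1 --tagname=Management
    run esxcfg-route "$LAN_GATEWAY"
}

# Step 3: only after vmk1 is reachable through pfSense (the author's "temp
# public IP plus a rule" stage) remove the public-facing vmk0. This is the
# irreversible step, so it is kept last; KVM access is the fallback.
plan_cutover() {
    run esxcli network ip interface remove --interface-name=vmk0
}

plan_all() { plan_wan; plan_lan; plan_cutover; }

if [ "${1:-}" = "plan" ]; then plan_all; fi
```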

projects (Author) commented:
Each person will have to deal with their own unique setup. There is lots of very confusing information on the net, mainly because of exactly that, each case will be unique unless you find one that fits your needs specifically.

Good luck.