projects asked:
PfSense 2.2 as firewall on VMware ESXi 5.5

Need someone to help me find a good URL and to decipher some of the missing information in almost every search result I can find on how to set up pfSense as the main firewall, for ESXi and the VMs behind it on one single server. I have found countless links, but all seem to be for their own unique uses or have missing details that never make sense.

I get how the idea works.
I get that you set up a pfSense firewall on the public side, then put your VMs on the private side.

What I don't get which is never clear is how to set up the ESXi interfaces for this to work.
Some people talk about using no NICs, some say use a NIC, some say make a fake MAC, some say otherwise, it's just nonsense.

What I need to know are things such as:

The machine has two NICs and I could create VLANS but I want the simplest possible setup.
Obviously, one NIC is used for the public side.
But the second NIC, for the LAN side: should it be in the main Networking configuration, or should I add a second one?
And should it use the real physical NIC of the server for the LAN side, or should it have no NIC assigned, and how?

Once this is set up, I need to change the admin interface of ESXi to be on the LAN side, preventing public access.
I fully understand that if I lose access to pfSense, I lose access to everything, and other such issues. I do have IP KVM access in case anything goes really bad.

I'm sure this won't be that complicated once I can talk with someone who understands this so am hoping to find a solution on this site.
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper):

I assume pfSense is a VM on the host?
projects (ASKER):
Yes, it will be once the networking is set up.
Its WAN interface will be on the public side and a second interface will be on a private, LAN side.
Note that there is no actual LAN side, this is a single stand alone server.
If I understand your question correctly, you could achieve what you're looking for by creating 2 vSwitches, using 1 pNIC with each vSwitch.

1 vSwitch will be for internal only, and the pfSense vNIC for "LAN" will be connected to this vSwitch (along with all other "LAN"-connected devices and VMware management). The other vSwitch will be connected to the pfSense vNIC for "PUBLIC" traffic; connect nothing else to this vSwitch.
My current setup is two vSwitches, one without a NIC.

One is the WAN side, where ESXi admin is at the moment, and where I want to put the pfSense WAN side.

One is the LAN side, where I want to put the pfSense LAN side.

Do I really need to use a physical NIC on the LAN side? I've read that I don't.

If I have it set up right, how do I now switch ESXi admin over to the LAN side without losing access?

Attached is how things look at the moment.
pfsense.png
You don't have to add a pNIC to the LAN vSwitch, no; it just means that all the VMs on that switch will only be able to talk with each other and nothing else (except for going out over the firewall/pfSense, naturally).

This setup works if you don't have other physical systems that should be able to talk directly with the virtual systems on the LAN vSwitch.

But leaving your management network on the outside-facing pNIC is also not without risks, of course.
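The two-vSwitch layout described in the answers above (one vSwitch with the public pNIC carrying only the pfSense WAN port, one vSwitch with no uplink carrying pfSense LAN, the VMs and ESXi management), plus the cut-over of the management VMkernel interface that the asker is worried about, as an added example in ESXi shell commands. This is not code from the thread or from VMware; it assumes the names vmnic0, vSwitch0, vSwitchLAN, vmk0/vmk1, the port group names used below, and the addresses 192.168.1.1 for the pfSense LAN interface and 192.168.1.2 for the new ESXi management address. The order matters: the LAN-side management interface is added and tagged first, and the public one is removed only after the LAN path has been verified (through pfSense, or via IP KVM/DCUI), so there is never a moment without a working management path.

```shell
#!/bin/sh
# Added example (not from the thread or from VMware): esxcli commands for the
# two-vSwitch pfSense layout and for moving ESXi management behind pfSense.
# All names and addresses are assumptions for illustration:
#   vmnic0       physical NIC on the public network (pfSense WAN side)
#   vSwitch0     existing default vSwitch; uplink vmnic0; only the pfSense WAN vNIC
#   vSwitchLAN   new vSwitch with NO uplink; pfSense LAN vNIC, the VMs and vmk1
#   192.168.1.1  pfSense LAN address; 192.168.1.2 new ESXi management address
# Run from the ESXi shell. DRY_RUN=1 prints the commands instead of running them.

WAN_NIC="${WAN_NIC:-vmnic0}"
LAN_VSWITCH="${LAN_VSWITCH:-vSwitchLAN}"
MGMT_IP="${MGMT_IP:-192.168.1.2}"
MGMT_MASK="${MGMT_MASK:-255.255.255.0}"
PFSENSE_LAN_IP="${PFSENSE_LAN_IP:-192.168.1.1}"

# Execute a command, or print it when DRY_RUN=1 (one command per line).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: public-facing vSwitch. Keep its uplink, give pfSense a dedicated WAN
# port group, and reject promiscuous mode / MAC changes / forged transmits so a
# compromised VM placed here by mistake cannot sniff or spoof on the public side.
setup_wan_vswitch() {
    run esxcli network vswitch standard uplink add --vswitch-name=vSwitch0 --uplink-name="$WAN_NIC"
    run esxcli network vswitch standard portgroup add --vswitch-name=vSwitch0 --portgroup-name=pfSense-WAN
    run esxcli network vswitch standard policy security set --vswitch-name=vSwitch0 \
        --allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false
}

# Step 2: internal vSwitch. No uplink is added, so its VMs can only reach each
# other and whatever pfSense's LAN vNIC routes for them.
setup_lan_vswitch() {
    run esxcli network vswitch standard add --vswitch-name="$LAN_VSWITCH"
    run esxcli network vswitch standard portgroup add --vswitch-name="$LAN_VSWITCH" --portgroup-name=LAN
    run esxcli network vswitch standard portgroup add --vswitch-name="$LAN_VSWITCH" --portgroup-name=Management-LAN
}

# Step 3: second VMkernel interface on the LAN side, tagged for management
# BEFORE vmk0 is touched, so a management path always exists.
add_lan_management() {
    run esxcli network ip interface add --interface-name=vmk1 --portgroup-name=Management-LAN
    run esxcli network ip interface ipv4 set --interface-name=vmk1 --type=static \
        --ipv4="$MGMT_IP" --netmask="$MGMT_MASK"
    run esxcli network ip interface tag add --interface-name=vmk1 --tagname=Management
}

# Step 4: run only after confirming $MGMT_IP is reachable through pfSense (or
# from the IP KVM / DCUI). Untag and remove the public vmk0, then point the
# host's default gateway at pfSense's LAN address (esxcfg-route replaces the
# existing default route). An SSH session that came in over vmk0 will drop here.
drop_public_management() {
    run esxcli network ip interface tag remove --interface-name=vmk0 --tagname=Management
    run esxcli network ip interface remove --interface-name=vmk0
    run esxcfg-route "$PFSENSE_LAN_IP"
}

case "${1:-}" in
    build)   setup_wan_vswitch; setup_lan_vswitch; add_lan_management ;;
    cutover) drop_public_management ;;
    *)       echo "usage: [DRY_RUN=1] $0 build|cutover" >&2 ;;
esac
```

Run `DRY_RUN=1 sh script.sh build` first to review the exact commands, then `build`, verify that the host answers on 192.168.1.2 through pfSense, and only then run `cutover` from a session that does not depend on vmk0. Moving management does not by itself make the host reachable from the public side via pfSense; that requires a deliberate port forward or VPN on pfSense, which is the point of the exercise.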
Please see my attached screenshot. I think this is what you are looking to do.

ASKER CERTIFIED SOLUTION
projects
Each person will have to deal with their own unique setup. There is lots of very confusing information on the net, mainly because of exactly that: each case will be unique unless you find one that fits your needs specifically.

Good luck.