
Virtualized VMWare box with pfSense and linux dns/hosting box

Solved by leadeater (answer below).

Hello, I'm currently waiting for my motherboard and cpu to arrive so I can complete my box.

I want to use VMware vSphere Hypervisor for virtualizing my machine so I can run a pfSense VM and a Debian VM.
The Debian VM will just be hosting a simple low-usage local HTTP server (for page rejections etc.) and DNS for my network.

The question is: is it possible to locally redirect all traffic from the Debian VM to the LAN port of my pfSense VM without using an extra NIC and a switch?
 

-Tv


What do you mean by locally redirect the traffic? ESXi has virtual switches, so if you just need the Debian VM to be able to talk to pfSense, yes, you can do this without any extra NICs, cables or switches.


Thanks for the reply leadeater (like the name xD)

Well, I'm kinda new to virtualization.

I just want my Debian VM to connect to the pfSense box so it can both use pfSense as its path to the internet and bridge to the LAN network.

 

-Tv


Just now, AlexTheRose said:

Well, you can forward ports 80, 443, and any other ports you would need to forward, say FTP or SSH or something so you can remotely manage the box.

I know what you are trying to do, but I want to programmatically make a connection to the network and my pfSense box so I don't have to deal with forwarding every port I want to use.

Still thanks for helping.


So it's basically impossible to do what I'm trying to achieve.
There is no way I'll be able to use all ports per VM, which, reading back, is stupid of me.

I still have a dual-NIC Intel card lying around, I guess I'll be using it for this build then.
The plan was to use it in my server, which I recently upgraded with a quad-NIC motherboard, so I won't be using the dual-port card anymore.

Yes, I probably won't use all ports per VM, but that still gives the feeling I can.
And an Intel NIC is still better than a shitty PCI Realtek card.

So I'll solve my problem by adding that dual-NIC card to my machine and using one Intel NIC for WAN and the other one for LAN; the onboard NIC will be assigned to the Debian machine.

My ISP allows me to have 5x D-Link 5-port Gigabit switches as a business customer.

Would you please give me a little bit of code for other people who still want to use the 1-NIC method? Thanks.
 


@tv15dsi Bridging isn't required for what you want. You create two virtual switches in ESXi, one for internet and one for local LAN. On the pfSense VM add two virtual NICs, one on the internet virtual switch and one on the LAN switch. For the Debian VM add a single NIC on the LAN virtual switch and set the default gateway to the IP of the pfSense LAN NIC.

 

Physical cabling wise, the NIC assigned to the internet virtual switch goes to the router and the NIC assigned to the LAN virtual switch goes to your switch. If you only have a single all-in-one switch/router this is still fine; both server NICs can physically plug in to the router, just use a different IP subnet for the router/pfSense internet interface than the internal LAN subnet. Not a perfect setup but it will work.
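The two-vSwitch layout above has three things that must line up: the router-side and LAN-side subnets must not overlap, every address must sit in the subnet of the vSwitch its NIC is on, and the Debian VM's default gateway must be the pfSense LAN NIC. This added example (not code from the thread or from pfSense/ESXi) checks a plan of that shape before you build it; all addresses and subnets in it are constructed placeholders.

```python
# Added example: sanity-check a two-vSwitch ESXi/pfSense plan before building it.
# Every subnet and address below is a constructed placeholder, not from the thread.
import ipaddress

# Constructed sample plan: router/WAN side on one subnet, internal LAN on another.
PLAN = {
    "wan_subnet": "192.168.0.0/24",   # subnet of the physical router (assumed)
    "router_ip": "192.168.0.1",       # the all-in-one router's LAN address
    "pfsense_wan_ip": "192.168.0.2",  # pfSense NIC on the "internet" vSwitch
    "lan_subnet": "10.0.10.0/24",     # internal LAN behind pfSense (assumed)
    "pfsense_lan_ip": "10.0.10.1",    # pfSense NIC on the "LAN" vSwitch
    "debian_ip": "10.0.10.5",         # Debian VM's single NIC on the LAN vSwitch
    "debian_gateway": "10.0.10.1",    # must be the pfSense LAN NIC
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    wan = ipaddress.ip_network(plan["wan_subnet"], strict=True)
    lan = ipaddress.ip_network(plan["lan_subnet"], strict=True)

    # Router-side and LAN-side subnets must not overlap, otherwise pfSense has
    # no clean route between them (the "different subnets" caveat when both
    # server NICs are plugged into the same router).
    if wan.overlaps(lan):
        problems.append(f"WAN {wan} and LAN {lan} overlap")

    # Each address must live in the subnet of the vSwitch its NIC sits on.
    placement = (("router_ip", wan), ("pfsense_wan_ip", wan),
                 ("pfsense_lan_ip", lan), ("debian_ip", lan),
                 ("debian_gateway", lan))
    for name, net in placement:
        if ipaddress.ip_address(plan[name]) not in net:
            problems.append(f"{name} {plan[name]} is not inside {net}")

    # The Debian VM reaches the internet only via pfSense's LAN NIC.
    if plan["debian_gateway"] != plan["pfsense_lan_ip"]:
        problems.append("Debian default gateway must be the pfSense LAN IP")

    # No two hosts on the same vSwitch may share an address.
    if plan["pfsense_wan_ip"] == plan["router_ip"]:
        problems.append("pfSense WAN IP collides with the router")
    if plan["debian_ip"] == plan["pfsense_lan_ip"]:
        problems.append("Debian IP collides with the pfSense LAN NIC")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan OK"]:
        print(line)
```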


1 minute ago, leadeater said:

@tv15dsi Bridging isn't required for what you want. You create two virtual switches in ESXi, one for internet and one for local LAN. On the pfSense VM add two virtual NICs, one on the internet virtual switch and one on the LAN switch. For the Debian VM add a single NIC on the LAN virtual switch and set the default gateway to the IP of the pfSense LAN NIC.

 

Physical cabling wise, the NIC assigned to the internet virtual switch goes to the router and the NIC assigned to the LAN virtual switch goes to your switch. If you only have a single all-in-one switch/router this is still fine; both server NICs can physically plug in to the router, just use a different IP subnet for the router/pfSense internet interface than the internal LAN subnet. Not a perfect setup but it will work.

Thanks for the help, this could solve my problem, though I'm going to stick to the plan I posted above.

This gives me better performance, less CPU load (because the NIC I was planning to use is an old PCI Realtek card) and gives me the assurance that my NIC won't die at any given moment.

Though this could be useful information for the non-dumb people who did think about their setup first.

Still, thanks for all the information.


I would recommend passing a physical NIC directly to your pfSense VM to use as your WAN port. That way all network traffic goes through pfSense, guaranteed, and none of it is touched by the hypervisor.

 

This article lists a few reasons why it's not a great idea to virtualize pfSense. Personally I think it's OK in a home environment, but I would at the very least pass a physical NIC to your VM -- https://forum.pfsense.org/index.php?topic=1009.0.


5 hours ago, wpirobotbuilder said:

I would recommend passing a physical NIC directly to your Pfsense VM to use as your WAN port. That way all network traffic goes through Pfsense, guaranteed, and none of it is touched by the Hypervisor.

 

This article lists a few reasons why it's not a great idea to virtualize Pfsense, personally I think it's ok in a home environment but I would at the very least use a physical NIC to your VM -- https://forum.pfsense.org/index.php?topic=1009.0.

Yep, virtualizing a firewall in the long run just ends up being a pain if you need to do maintenance on the host that requires internet access, in a small single-host setup.
