VMware Communities
MrRango
Contributor

VMware Workstation won't bridge WAN IP address from NIC to pfSense host. How?

Hello guys. I have installed pfSense in a Workstation 12 instance, and no matter what configuration I try (bridged mainly), pfSense cannot get a Comcast IP address.

I cannot do NAT, as then my VPN interface won't receive its VPN address. I have an Intel Pro 1000 MT dual server adapter in my desktop PC; the physical card gets the Comcast IP address, but I need pfSense to receive the WAN address.

The desktop NIC always does. The desktop will also be used to browse the internet, and I need to be able to connect to the web interface from the desktop PC. I have an ASUS router/switch that is in AP mode and acting as LAN interface and AP.

How do I force the modem to hand out the WAN ISP IP address to pfSense hosted on VMware Workstation instead of the physical NIC?

I would greatly appreciate feedback on how to set this up. I'm sure I'm doing something incorrectly. Screenshots would be a great help too.

13 Replies
wila
Immortal

Hi,

Sounds like Comcast is binding to the NIC by MAC address and only allows the NIC from your desktop? (Haven't heard about that type of thing on home setups for more than a decade, though.)

I use pfSense down here in pretty much the same setup. That is... pfSense gives me my NAT in a separate virtual network.

All of my VMs are normally behind the pfSense appliance.

This is on VMware Fusion, but I'm pretty sure it works exactly the same on Workstation as I sometimes use the same setup on Workstation as well.

You could assign the MAC address of your host to the pfSense appliance, but then you can't use the host's NIC (NICs with the same MAC address in the same network are going to give problems).

Seems you have to reconfigure your ASUS router/switch to clone the host's MAC address and then forward the required ports for the VPN to your pfSense appliance.

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva

MrRango
Contributor

Thank you for the reply. I'm pretty sure there is no MAC binding, as I have an old Pentium 3 box (as a different PC and test) and installed pfSense on it, and Comcast will hand out an IP to it and will hand out to a laptop and anything else.

The issue I see is that on the physical layer the first point of contact with my modem is my physical NIC, which is installed in the desktop (AMD A10, not Pentium 3) that is hosting VMware Workstation, which is hosting pfSense on VM Workstation.

If I do NAT I will get a 192 IP, but that doesn't help me, as then the VPN won't hand out an IP to pfSense, so I'm pretty sure it's the setup. I just don't know how to set this up logistically to get this working. Bridging didn't work. NAT does, but then the VPN doesn't work, and the point is for pfSense to be the firewall, so NAT is not really an option, as it should be the first appliance after the modem. I would use that P3 box, but on VPN it does no more than 20 Mbps and it's noisy too, so I'm trying to get this up on Workstation.

wila
Immortal

Hi,

Well, your Comcast setup is likely only handing out one IP address, and so you can't bridge because that would mean needing to get two IP addresses with Comcast.

Your pfSense is trying to bridge via your physical adapter, and if the physical adapter is not allowed to get an IP then I have my doubts on how it could act for the physical layer.

Depending on the VPN software you use, it is possible to do that via port forwarding in a NAT setup. I've done it before using OpenVPN, but don't have the exact details handy.

Hmm... what if you hardwire the NIC on which you bridge on to your LAN? (e.g. set the IP address by hand to LAN instead of using Comcast DHCP for that one)

--

Wil

MrRango
Contributor

Wila, the physical NIC does get an IP from Comcast, but that IP is assigned to the NIC in the desktop Win7 PC. That Win7 PC has VMware Workstation installed, which has the pfSense host installed.

So what my modem sees first is my NIC on the desktop, and it assigns the WAN IP to the NIC on the desktop, but that's not the interface of pfSense, as pfSense is a host on VM Workstation.

NAT does work, but then I have a 192 IP and the VPN ISP won't assign an IP to a 192 IP... lol. So as you see, this is more of logistical (how to set up or separate) those virtual NICs in VMware with the physical NIC adapter and force my modem to only see the VMware virtual adapter, which will be the pfSense interface. I need to somehow make the modem hand out the WAN IP to VMware first.

dariusd
VMware Employee

Your modem will only hand out one IP address to one "client", which is identified by its MAC address.  By default, that will be the host's MAC address, because it will be the first to run DHCP and request the address.  Your pfsense VM will then run DHCP but the modem will not be able to assign an address for the VM.

Assuming you want all of your host's web browsing and internet access to pass through the pfsense firewall, you will need to do something like the following (and be careful along the way... maybe take screen snapshots so you know what settings to undo if things go wrong!):

  • Unbind IPv4 (and perhaps IPv6 too) from the physical NIC (In Windows, this involves unticking a few checkboxes in the network device's Properties page; Varies for different Linux distros).  Your PC will lose Internet connectivity at this point.
  • Configure your pfsense VM with two virtual NICs: The first will be bridged to your physical NIC going to the modem, and the second can be a custom "Host only" network (without DHCP and NAT service) if only this PC needs Internet access, or it can be bridged to your second physical NIC if you're going to provide Internet access to other physical machines via your Asus wireless AP, which should have its own routing/NAT functions disabled.
  • Power on your pfsense VM and check that it obtains the WAN address through DHCP.  (Double-check the ordering/labelling of interfaces in the VM against the ethernet0/ethernet1 virtual devices... the guest OS kernel might enumerate or label the devices in an unexpected order!)  It might take some time (or a reboot of the modem) if it doesn't immediately realize that the VM is now the client, not the PC.
  • Configure the NAT and DHCP services in your pfsense VM, and check that the host can obtain an IP address from the pfsense VM (If it's a "Host only" network, the address will be assigned to the VMware virtual network adapter on the host; If you've bridged the second virtual NIC to the second physical NIC, it'll be that second physical NIC on the host).
  • The host should now have a default route pointing to your pfsense VM, and your host should now have Internet access through your firewall VM.

Cheers,

--

Darius

[Edit: Fixed some minor and unimportant blunders.]

MrRango
Contributor

Darius, those are great instructions. I'm planning to use the ASUS router in AP (Wi-Fi, physical switch) mode, so no routing, no DHCP. I want pfSense to handle that, but it will act as a physical switch and Wi-Fi AP to my laptop. Essentially the ASUS will be the LAN interface in pfSense. So no IPv4 and 6 on the first NIC! Got that. Regarding the second physical NIC and setup in the VM:

So I will run a Cat5 cable from the second physical NIC to the ASUS AP switch, and both VMware virtual NICs will be set up as bridged in VMware, correct?

Last time I did that, with both NICs in bridged mode, one of the NICs was blank with no IP and the other gets a 192 IP address. Am I understanding your instructions correctly?

I assume a reboot of the physical desktop will not affect the DHCP handout of the modem to another host besides pfSense as long as IPv4 and 6 are disabled, correct? Meaning pfSense will get the IP again from the modem?

So my second physical NIC will be set up as in the screenshot below? Once I get the WAN Comcast IP in pfSense, do I keep IPv4 and 6 off, as it will route through VMware, correct?

vmware-setup-bridged.PNG

This is only if I don't want the ASUS AP in the mix, correct, as this would act as a virtual switch inside the VM, correct?

Can you give me just a little bit more insight on this setup, as I'm not getting this unless what I said in the sentence above is correct?

vmware-setup.PNG

dariusd
VMware Employee

Looks like you're understanding things correctly.  Your host will not need IPv4/IPv6 (or any protocols at all really) bound to the physical NIC connected to the modem because the host's IPv4/IPv6 traffic will all go out via pfsense, and pfsense (via VMware Workstation) will be the only thing "talking" to your modem, and it'll just be talking raw Ethernet.  Your host will need IPv4/IPv6 bound to whatever is connected to the other virtual NIC (either the host's bridged second physical NIC port or the host's virtual network adapter), and it should configure itself using DHCP – It'll obtain an address from the pfsense DHCP server.  (You might need to use the Repair function once the pfsense DHCP server is running... The host NIC will probably get an 169.254.xxx.xxx APIPA address at boot before DHCP is available.)

The most important part though is the protocol binding configuration, which is managed through Windows under the NICs' Properties pages... make sure you understand what you'll need to do there, because once you start unbinding protocols, things will quickly stop working, and it's difficult to post a "HELP I'M STUCK" message here if you end up without Internet access.

How is your vmnet1 configured?  The default vmnet1 will include its own DHCP service, which will interfere with pfsense's DHCP service.  If needed, go into Workstation's Virtual Network Editor and create your own custom network which has no DHCP service provided by Workstation.

Cheers,

--

Darius

MrRango
Contributor

Darius, big thanks. Two more questions so I'm clear before I start disconnecting things. BTW, I will use my phone to post if needed :)

You said:

Your host will need IPv4/IPv6 bound to whatever is connected to the other virtual NIC (either the host's bridged second physical NIC port or the host's virtual network adapter), and it should configure itself using DHCP – It'll obtain an address from the pfsense DHCP server.  (You might need to use the Repair function once the pfsense DHCP server is running... The host NIC will probably get an 169.254.xxx.xxx APIPA address at boot before DHCP is available.)

The host you're referring to, that's my physical desktop PC. OK, so that PC will NOT have IPv4/6 enabled. On physical NIC 1 I run the Comcast modem. On physical NIC 2 I run the ASUS switch.

So my desktop (host) will use what to talk to the internet, the virtual machine, correct? You lost me with this sentence: "Your host will need IPv4/IPv6 bound to whatever is connected to the other virtual NIC (either the host's bridged second physical NIC port or the host's virtual network adapter)"

What do you mean by IPv4 bound? I thought my desktop has IPv4 disabled? So what should I bind or do extra?

You said:

How is your vmnet1 configured?  The default vmnet1 will include its own DHCP service, which will interfere with pfsense's DHCP service.  If needed, go into Workstation's Virtual Network Editor and create your own custom network which has no DHCP service provided by Workstation.

I have no vmnet1 configured. In fact, nothing is configured as far as private or separate networks. You lost me here. Am I using screenshot 2 with vmnet1 custom, or do I bridge both virtual adapters as in screenshot 1?

Will I be able to get onto the pfSense web interface from the desktop (host)? From what I understand, it can't be accessed from WAN but from LAN only, so 192 IP only?

MrRango
Contributor

Hey guys, when I remove IPv4/6 the NIC is gone and VMware won't pick up an IP from Comcast. I think I'm not setting up the networking info right. Any ideas?

NICS-ALL.PNG

pfsense-status.PNG

NICS-VM.PNG

dariusd
VMware Employee

Sorry for the delay, I had to set up a quick test environment to obtain more precise steps and a screenshot.

Unbind everything from WAN Int, like this:

Unbind IPv4 and IPv6.png

(That's under Control Panel > Network and Internet > View network status and tasks, then choose Change adapter settings from the left bar, right-click on WAN Int, and choose Properties, and untick everything under "This connection uses the following items:".)

This way, Windows will not attempt to configure any address at all on WAN Int.  The WAN Int adapter should not show up at all in the output of the ipconfig /all command, because the adapter will no longer have anything to do with TCP/IP.

In the Virtual Network Editor, choose Add Network... and create a new virtual network "vmnet2", configured as Bridged, with LAN Int selected in the drop-down list (which will bridge your LAN side of pfsense to the physical LAN), and with Connect a host virtual adapter to this network enabled (which will provide Internet service via pfsense for your Windows host) and with Use local DHCP service disabled (because you'll presumably be configuring pfsense to act as a NAT router and DHCP server).

In the VM's settings in Workstation, set the first virtual Ethernet adapter to be bridged directly to WAN Int (so that pfsense can talk directly to your cable modem through its WAN interface, just like your Windows machine was doing before).  Set the second virtual Ethernet adapter to connect to vmnet2 (to connect pfsense's LAN interface through to your physical LAN and to the Windows host).

Now launch your pfsense VM and try to have it acquire your WAN IP address.

--

Darius
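
A host-side check for the end state described in the post above, as an added example that is not part of the original post: it parses `ipconfig /all` output and flags a WAN adapter that still has TCP/IP bound, an APIPA address on the LAN side, or a DHCP server or gateway other than pfSense. The sample output is constructed, and the adapter names and the pfSense LAN address 192.168.1.1 are assumptions to adjust.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpts (sample data, not from the thread).
GOOD = """\
Windows IP Configuration

Ethernet adapter LAN Int:

   Connection-specific DNS Suffix  . : localdomain
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
"""
BAD = """\
Ethernet adapter WAN Int:

   IPv4 Address. . . . . . . . . . . : 203.0.113.25(Preferred)
   Default Gateway . . . . . . . . . : 203.0.113.1

Ethernet adapter LAN Int:

   Autoconfiguration IPv4 Address. . : 169.254.17.44(Preferred)
"""

HEADER = re.compile(r"^\S.*? adapter (.+):\s*$")
FIELD = re.compile(r"^\s+([^:]+?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {adapter name: {field: value}}; single-line fields only."""
    adapters, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = adapters.setdefault(m.group(1), {})
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2).split("(")[0].strip()
    return adapters

def check_host(text, wan="WAN Int", lan="LAN Int", firewall="192.168.1.1"):
    """List deviations from the intended end state (names are assumptions)."""
    adapters, problems = parse_ipconfig(text), []
    if wan in adapters:  # an adapter with nothing bound is absent from ipconfig
        problems.append(f"{wan} still has TCP/IP bound on the modem side")
    cfg = adapters.get(lan, {})
    addr = cfg.get("IPv4 Address") or cfg.get("Autoconfiguration IPv4 Address")
    if addr is None:
        problems.append(f"{lan} has no IPv4 address")
    elif ipaddress.ip_address(addr).is_link_local:
        problems.append(f"{lan} has APIPA address {addr}: no DHCP lease")
    for field in ("DHCP Server", "Default Gateway"):
        if cfg.get(field) != firewall:
            problems.append(f"{lan} {field} is {cfg.get(field)}, not {firewall}")
    return problems

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        print(name, check_host(sample) or "OK")
```

If the host reaches pfSense through the VMware host virtual adapter instead of the second physical NIC, pass that adapter's name as `lan`.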

MrRango
Contributor

Darius, no problem, and thank you very much. OK, I did that, but I can't add vmnet2 as it gives me this error (see first screenshot).

So I used vmnet0, which is already configured as bridged. I just changed it from automatic to my LAN Int (Intel adapter #1, which is connected to the ASUS switch).

Would you be so kind as to actually post screenshots? I'm not sure what you meant here: [ "...and with Connect a host virtual adapter to this network enabled" ] ???

With this configuration as posted below using vmnet0, I still didn't get the WAN IP. I got a private IP instead. Not sure what issued it?


vmnet2 error

vmnet2 error.PNG


So I used vmnet0, which is already configured as bridged. I just changed it from automatic to my LAN Int (Intel adapter #1, which is connected to the ASUS switch).

vmnet0 is bridged to my LAN Int (adapter #1), which is my ASUS switch in AP mode.

The ASUS probably has a 192 IP assigned from when I used it previously. I didn't reset the ASUS switch to default. Not sure if this would cause any issue, but I thought I would mention that I may or may not have a 192 IP assigned.

It's definitely in AP mode, so no DHCP, no routing, no NAT in the ASUS.

virtual editor.PNG

Here is how the physical NICs are set up. I verified the physical WAN Int and physical LAN Int by unplugging the cable from the modem, so it showed as disconnected, but when connected it shows enabled for WAN Int.

Disregard the Realtek NIC, as this is what I'm using now to post this. It's disabled when I'm doing the cable modem reset. I only use the Intel Pro for both WAN and LAN.

Adapters.PNG

Physical WAN Int adapter #2: all protocols disabled with the exception of the VMware Bridge Protocol. I think this was checked automatically and should be there?

Wan Int Protocols disabled.PNG

Wan Int Protocols 2 disabled.PNG


VM net adapter #1 is the physical WAN Int (physical adapter #2) connected to the modem, checked by looking at the MAC in pfSense.

VM net adapter #2 is LAN Int (physical adapter #1) connected to the ASUS switch, checked by looking at the MAC in pfSense.

These were verified when I compared the virtual MACs and when I booted pfSense up, when it shows the virtual MACs.

wmware nic setup.PNG


How the NICs look. Only LAN Int (adapter #1) is listed here. WAN Int (adapter #2) is not, as all protocols have been unchecked as you said.

NICS.PNG


pfSense private IP only??? I got a private IP instead on the WAN Int. Not sure what issued it?


pfsense192.PNG

dariusd
VMware Employee

It looks like you have everything on the host configured correctly – as far as I understand, at least.  So, pfsense's LAN interface is configured with the static address 192.168.1.1, and is giving out addresses in the 192.168.1.100-ish range to the LAN, but somehow pfsense's WAN interface is obtaining an address in that range from somewhere...  Can you force pfsense to renew that DHCP lease?  It might just be a stale lease from an earlier configuration.

Cheers,

--

Darius

MrRango
Contributor

Thanks for helping me out with this. Well, I couldn't get to the web interface using this IP. I'm using my desktop PC, so not sure if I need to set up another virtual host on a different network?

I either end up with a 192 IP as WAN, or a blank field and 192 on LAN. Most of the time a blank field. I've been playing around with this this afternoon for a few hours with different configurations, but no luck.

One thing I noticed: if you see the DNS suffix, it says localdomain. That is the default domain in pfSense, so it looks like pfSense is talking to the NIC card, as it's filling the DNS suffix with localdomain. I don't have localdomain set up, so it's 100% pfSense.

This was a fresh install, meaning I deleted the entire instance of pfSense, then I installed it, and this was the first try. Also, as a test of pfSense only a few days ago, I installed it on the old physical Pentium 3 box and got a Comcast IP at the first try, so then I moved on to the virtualization setup. Thing is, I don't want to use a noisy box in the room where I sleep, and it's too old to do VPN speeds. Electricity usage comes into play too, and my main PC is 4.2 GHz with 16 GB RAM, so I wanted to utilize this a bit.
