VMware Cloud Community
mephistopoa
Enthusiast

using PVLAN with virtualised firewall and trunk ports

Hi guys,

I'm testing pfSense running as a VM in ESXi 6.7U2 and I'm having some difficulty with PVLAN on the ESXi side and regular VLAN on the firewall side. So far as I understand, for example, primary PVLAN 10 will be promiscuous and PVLAN 11 would be isolated, which means I need the firewall to have a vNIC connected to the port group that is promiscuous and the VM in the isolated PVLAN; that works fine. The problem is that for every PVLAN I will need to create a new vNIC connected to the virtual firewall.

I was hoping I could have some sort of trunk port at the PVLAN level so that VLAN 10 is tagged when it arrives on the virtual firewall. That way I can simply create additional VLANs on the firewall without needing to add more vNICs.

I can't find a way to make PVLAN 10 tagged when going to the firewall; it seems it only works as an untagged VLAN port.

Is there a way around this? I can't find anything in the documentation, so I would really appreciate it if I could get some directions :)

0 Kudos
3 Replies
mephistopoa
Enthusiast

By the way, I also tested a port group as a trunk port on the same dvSwitch in the hope that I would be able to use VLAN 10 tagged on my virtual firewall, but that was not the case. I can only make it work by assigning a vNIC to the virtual firewall; no setup I've tried so far has made it work with the firewall using VLAN 10.

0 Kudos
mephistopoa
Enthusiast

I was doing a bit more research; Juniper documentation talks about trunk ports on PVLANs (Private VLANs - TechLibrary - Juniper Networks), which I think is what I must be missing on vSphere.

I can't find a way to set up a trunk port on a dvSwitch with PVLAN, so am I missing something here?

0 Kudos
dygobel
Contributor

Encountered a similar issue: pfSense isn't PVLAN aware, or as some call it, Isolated VLAN. It's not the switch layer, when dealing with only one switch, although the community is just tagged with a VLAN number. Let's say VLAN 11 is a created community. On pfSense we are missing the option to create/add a community VLAN on the interface where the subnet is living.

0 Kudos
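To make the forwarding rules behind this thread concrete (the original poster's promiscuous primary 10 with isolated secondary 11, and the community VLAN dygobel mentions), here is an added example that is not part of the thread or of any VMware or pfSense code: a small Python model of private-VLAN reachability. Port names, the second primary PVLAN 20 and the community secondary 12 are constructed sample values; the vNIC count assumes, as the original poster observed, that a promiscuous port group delivers frames to the firewall untagged, so one firewall vNIC covers all secondaries of one primary but not a second primary.

```python
# Added example (not from the thread): a model of private-VLAN forwarding
# rules, used to check which ports may exchange frames on the ESXi side.
from dataclasses import dataclass
from enum import Enum


class PvlanType(Enum):
    PROMISCUOUS = "promiscuous"  # sees every secondary PVLAN of its primary
    ISOLATED = "isolated"        # reaches promiscuous ports only
    COMMUNITY = "community"      # reaches its own community and promiscuous ports


@dataclass(frozen=True)
class Port:
    name: str
    primary: int        # primary PVLAN id (10 in the thread)
    secondary: int      # secondary PVLAN id; equals the primary on a promiscuous port
    ptype: PvlanType


def can_talk(a: Port, b: Port) -> bool:
    """Return True if a frame from port a may be delivered to port b."""
    if a.primary != b.primary:
        return False                       # different primaries never mix
    if PvlanType.PROMISCUOUS in (a.ptype, b.ptype):
        return True                        # promiscuous talks to everyone in its primary
    if a.ptype is PvlanType.COMMUNITY and b.ptype is PvlanType.COMMUNITY:
        return a.secondary == b.secondary  # same community only
    return False                           # isolated<->isolated, isolated<->community


def reachable_from(src: Port, ports) -> list:
    """Names of the ports src can reach, in sorted order."""
    return sorted(p.name for p in ports if p is not src and can_talk(src, p))


def firewall_vnics_needed(ports) -> int:
    """One promiscuous port, hence one firewall vNIC, per primary PVLAN that has
    isolated or community members (assumption: the promiscuous port group hands
    frames to the firewall untagged, as observed in the thread)."""
    return len({p.primary for p in ports if p.ptype is not PvlanType.PROMISCUOUS})


# Constructed sample topology modelled on the thread (names are placeholders).
FW10 = Port("pfsense-vnic1", 10, 10, PvlanType.PROMISCUOUS)
VM_A = Port("vm-a", 10, 11, PvlanType.ISOLATED)
VM_B = Port("vm-b", 10, 11, PvlanType.ISOLATED)
VM_C = Port("vm-c", 10, 12, PvlanType.COMMUNITY)
VM_D = Port("vm-d", 10, 12, PvlanType.COMMUNITY)
VM_E = Port("vm-e", 20, 21, PvlanType.ISOLATED)   # second primary: needs its own vNIC
PORTS = [FW10, VM_A, VM_B, VM_C, VM_D, VM_E]

if __name__ == "__main__":
    for p in PORTS:
        print(f"{p.name:14} -> {reachable_from(p, PORTS)}")
    print("firewall vNICs needed:", firewall_vnics_needed(PORTS))
```

Running it shows why the two isolated VMs in secondary 11 only ever reach the firewall, why the two community members in 12 also see each other, and why vm-e on primary 20 is unreachable from the firewall's primary-10 vNIC, which is the "one vNIC per primary PVLAN" constraint the original poster ran into.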