VMware Cloud Community
FireFoxII
Contributor

Create WAN and LAN on ESXi 6.5 for pfSense installation

Hi all, and sorry for my English...

I have a dedicated server online with ESXi 6.5 installed, which I'm using for the first time...

The problem is the Internet connection of the VMs...

This is my situation:

  • WAN IP xxx.xxx.xxx.xxx, attached to NIC vmk0 -> port group Management Network
  • 2 physical NICs: 1 connected at 1000 full duplex, 1 down
  • a vSwitch0 with 2 port groups and 1 uplink
  • 2 port groups: VM Network and Management Network

It seems that I need a virtual router for the VMs to use the Internet, so I downloaded pfSense. I created a new vSwitch (twice, with and without an uplink) and a port group (NAT Network) on this vSwitch. In pfSense the 2 network adapters are VM Network and NAT Network, but I can't get the WAN working...

What am I doing wrong? I can use another NIC; is this the problem?

Thanks a lot

11 Replies
scott28tt
VMware Employee

It will be easier for others if you could post a screenshot of your vSwitch, port group and uplink topology.

---

Although I am a VMware employee, I contribute to VMware Communities voluntarily (i.e. not in any official capacity)
VMware Training & Certification blog
a_p_
Leadership

Welcome to the Community.

Do you have a second public (WAN) IP address for the virtual router? The first one cannot be used because it's already in use for the ESXi management.


André

FireFoxII
Contributor

These are all my network tabs:

tcp_ip.png

nics.png (here I can add other VMkernel NICs)

ph_nics.png

switches.png

port_group.png
FireFoxII
Contributor

Then I must ask for another IP address?
nachogonzalez
Commander

Hey, hope you are doing fine:

If you place the ESXi management network on the WAN, what you'll accomplish is exposing ESXi over the Internet, and that's not ideal.

What you need to do is add a port group named (for example) DMZ in which pfSense will reside. That port group needs to have the same VLAN ID as your WAN interface.

To your pfSense VM you will connect your DMZ port group on one NIC, and your additional networks on the other NICs.
Lalegre
Virtuoso

Hey FireFoxII,

As they say below, you should not expose the ESXi over the Internet, as it is a risk from a security perspective even if you are NATing it, as the ESXi does not need Internet access at all. Regarding your routing configuration, the pfSense should be configured like this:

  • One interface connected to the WAN Portgroup.
  • One interface connected to the LAN.

If you share the same vmnic, you will need VLAN tagging and the physical port of your ESXi in trunk mode.

On the pfSense you can do an SNAT rule to translate the whole VM Network into one WAN IP, and after that you can configure the needed routing to reach the next hop and finally the Internet. To which equipment will your pfSense be connected?

I made the following diagram, assuming a lot of things based on what you described:

VMTN - WAN Connectivity (NAT).jpg

NathanosBlightc
Commander

First, I suggest using a router that is easier to work with; for example, a MikroTik routing configuration is easier to set up in front of the pfSense that you chose.

Next, I think it's better to set up your networking from scratch. I mean, for a moment don't consider the current WAN connection (WAN IP on vmk0). Then create two separate standard vSwitches and for each of them add a single port group: PG-LAN in VSS1 and PG-WAN in VSS2.

Then add that down pNIC to the LAN vSwitch (you should actually connect it physically) and then configure IP addresses for your virtual router. Add an internal IP address from the LAN network and add your WAN connection (IP address, PPPoE, etc., based on your design).

As the last step, when you test the VM connection inside the internal network and it is actually OK, then you can add the current pNIC that handles the vmk0 traffic to the WAN vSwitch. Anyway, I know it's not a safe way because you may lose your connectivity temporarily, but it seems you don't have any additional WAN IP address and I think you have no choice... But I did it many times in similar situations.

Please mark my comment as the Correct Answer if this solution resolved your problem
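As an added example (not code from the thread or from any of its participants), here is a PowerCLI script that builds the two-sided layout suggested by Lalegre and NathanosBlightc: a PG-WAN port group sharing the cabled uplink on vSwitch0 (VLAN-tagged if the provider requires it) and an internal-only PG-LAN vSwitch for the VMs behind pfSense, with the pfSense VM attached to both. The host address, credentials, VM name and VLAN ID are placeholders; it assumes vmnic0 is the only cabled uplink and already belongs to vSwitch0, as in the original post.

```powershell
# Added example, not from the thread. Placeholders: host address, VM name, VLAN ID.
$EsxiHost  = "esxi.example.invalid"   # placeholder management address
$VmName    = "pfSense"                # placeholder VM name
$WanVlanId = 0                        # 0 = untagged; set the provider's VLAN ID if the WAN is tagged

Connect-VIServer -Server $EsxiHost -User root | Out-Null
$vmhost = Get-VMHost -Name $EsxiHost

# WAN side: a dedicated port group on the existing vSwitch0, sharing vmnic0 with
# the Management Network. Only the pfSense WAN adapter should live here.
$vsw0  = Get-VirtualSwitch -VMHost $vmhost -Name "vSwitch0"
$pgWan = New-VirtualPortGroup -VirtualSwitch $vsw0 -Name "PG-WAN" -VLanId $WanVlanId

# LAN side: an internal-only vSwitch with no uplink, because the second pNIC is
# not cabled in the datacenter. VMs on PG-LAN reach the outside only through pfSense.
$vsw1  = New-VirtualSwitch -VMHost $vmhost -Name "vSwitch1"
$pgLan = New-VirtualPortGroup -VirtualSwitch $vsw1 -Name "PG-LAN"

# Give the pfSense VM one adapter per side (WAN first: pfSense offers the first
# adapter as WAN by default during interface assignment).
$vm = Get-VM -Name $VmName
New-NetworkAdapter -VM $vm -NetworkName $pgWan.Name -Type Vmxnet3 -StartConnected | Out-Null
New-NetworkAdapter -VM $vm -NetworkName $pgLan.Name -Type Vmxnet3 -StartConnected | Out-Null

# Verify: every port group with its vSwitch, VLAN and the uplinks of that vSwitch.
# PG-LAN should show no uplinks; PG-WAN and Management Network should both show vmnic0.
Get-VirtualPortGroup -VMHost $vmhost |
  Select-Object Name, VirtualSwitchName, VLanId,
    @{N = "Uplinks"; E = { (Get-VirtualSwitch -VMHost $vmhost -Name $_.VirtualSwitchName).Nic -join "," }}
```

The pfSense side (WAN address or PPPoE, LAN subnet, and the outbound NAT rule for PG-LAN) is still configured inside pfSense as described in the replies above; this script only prepares the ESXi networking.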
NathanosBlightc
Commander

For the safety of the networking setup, and to ensure that you don't lose the connection, yes, if it's possible for you, request another WAN IP address from your ISP...

Please mark my comment as the Correct Answer if this solution resolved your problem
FireFoxII
Contributor

Sorry, I'm always stuck...

NathanosBlightcaller

I can't physically connect a LAN switch because it's a dedicated server; it's located in a datacenter.

Lalegre

Can you help me with this?

> If you share the same vmnic, you will need VLAN tagging and the physical port of your ESXi in trunk mode.

Lalegre
Virtuoso

What I am suggesting is to configure the physical switch port in trunk mode and tag the VLANs there. Could you please do a quick diagram of your network construction?
NathanosBlightc
Commander

When I mentioned LAN, I meant every internal network in your datacenter: for example, port groups with their corresponding VLAN IDs that are defined in the virtual switch, and, as you know, you should configure the physical ports (vmnics) as trunk ports in the physical switch.

Please mark my comment as the Correct Answer if this solution resolved your problem