We are completely stumped - VIPs just are not visible outside vsphere, and we dont know how to solve it.
In production we have many pfsense firewalls (pfsense is a free BSD open source based firewall and load balancer SW)
We want to create a copy of production in vspshere for staging and test.
However, this does not seem possible.
The vsphere 5 server has 2 physical NICs. One is configured only for vsphere management.
The other nic is connected to a 10.10.10.0/24 network, which we call the staging WAN.
We have a pfsense virtual appliance connected to its WAN interface to a virtual switch which also has the staging WAN nic connected. We gave it a WAN ip of 10.10.10.2
From any box on the staging WAN (e.g. 10.10.10.2 or 10.10.10.200), we can "see" the pfsense box. We can ping it, we can ssh to it from our VPN networks, we can even open the pfsense gui, as we have rules to allow 80/443, ICPM etc from any source, any dest. See below.
So far so good.
We need to create some VIPs to allow the load balancing part to work. in pfsense this is done thusly:
So here we have VIPs of 10.10.10.150.
These VIPs are allowed in via the "any" source and "any" destination for 80/443 and icmp.
From any virtual machine on the LAN (the network below pfsense), we can ping 10.10.10.150, and also we can wget it on port 80 to retrieve the haproxy stats page. (haproxy is sitting on tthe VIP supplying load balanced web pages).
However, from the WAN, the VIPs are invisible. If I put a physical server or notebook on say 10.10.10.200, it can ping the virtual pfsense box on 10.10.10.2, it can bing the physical router on 10.10.10.1, but it cant ping the VIPs of 10.10.10.150 etc. It also cant see the haproxy stats page on http:/10.10.10.150/haproxystas. So the vip is totally unavailable on the physical network outside of vmware.
The vsphere host staging wan NIC is connected to a dell manages switch to a prort with VLAN of 100. The router at 10.10.10.1 is also plugged into the same switch on teh same VLAN. A test machine is also plugged into the same switch, same VLAN 100.
In vsphere admin client, I have set the port group properties for the staging-wan switch to VLAN ID: None(0). If I set it to 100, nothing works (nothing on the 10.10.10.0 network can see the pfsense box. If I set it to all (4096), is the same as setting it to None(0).
if we run tcp dump on the pfsense box (i.e. 10.10.10.2), we dont see any packets for 10.10.10.150 if we ping it or try to access port 80 from a pysical server (e.g. at 10.10.10.200).
Teh VIPs have to be CARP for haproxy to work. We have set the CARP VIPs addresses to master, and told it not to sync
Maybe the default security policies (forged transmits, MAC address changes etc) defined on the vSwitch WAN portgroup have something to with it?
Just a thought... don't know pfsense very well..
Thats it! I set it to accept Permiscuous mode, and it works. I had set it previosly to promiscuous mode, but move the nic, so it must have reset it.
Perfect.. Happy to hear that it now works 🙂