pfSense VMware ESXi | Ip Address | Computer Network

November 12, 2017 | Author: Anonymous | Category: Virtualization

Part 1: Install pfSense on ESXi 5.5

AUGUST 23, 2014

pfSense is an open source firewall/router based on FreeBSD. It is more than just that, however, with the ability to be a DNS, VPN, IDS/IPS, DHCP, NTP and cache (using Squid) server. Why would you dedicate a full system to pfSense when it can easily run as a virtual machine to provide networking to your entire infrastructure? This guide will walk you through replacing your current router with pfSense and how to install pfSense on ESXi 5.5.

What you will need:

- A computer or laptop – to do the configuring
- ESXi – the hypervisor it will run on
- Modem – used to connect to the Internet, can be your current modem/router combo
- RJ45 cables
- At least two network cards in your server. Although you can use one, it is easier to spread your connections out as LAN and WAN.
- KVM or monitor to ESXi, required when changing its IP address.

Prerequisites:

Think of the private address range you want. Private addresses are:

- 10.0.0.0 to 10.255.255.255 (16777216 addresses)
- 172.16.0.0 to 172.31.255.255 (1048576 addresses)
- 192.168.0.0 to 192.168.255.255 (65536 addresses)

My current home network is on the 192.168.X.X network but I am hoping to change it to 10.X.X.X to save myself some typing. pfSense uses the 192.168.1.X network by default.

Have a video and keyboard connection to your ESXi box somehow. The best way would be a physical screen and monitor (what I will use), KVM or IPMI (set a static address, or else keep in mind that the IP address of IPMI may be out of range once you begin to work with the new address range). This is because you will need to access pfSense, change your ESXi IP to get an address etc.

Let’s Start! Currently your setup may look similar to something like this:

We want it to look something like this:


Our modem becomes independent of the router. pfSense becomes the router living as a VM on our ESXi host. A switch may not be needed, but they’re great to have.

pfSense as a virtual machine will sit between your modem and switch to act as a router. It will be able to provide IP addresses to both physical and virtual machines via its DHCP server (or you can set the IP manually). One network card on your ESXi host will connect to the modem (WAN) while the other connects to your switch (LAN). Without a switch, you will only be able to connect one host to your network as there is only one connection!

Installation

1. Set up a LAN and WAN switch in the vSphere client.

One NIC (network card) will be the LAN and one NIC will be the WAN. The LAN NIC will act as a router to your VMs as well as anything connected to the switch. The WAN will be connected to your modem to access and provide Internet connectivity to your LAN.

Two vSwitches using two different network cards. One network card is responsible for the local network and one is dedicated to the wide area network (Internet)

Give the names WAN and LAN corresponding to whichever NIC is connected to the Modem (WAN) and Switch (LAN).

2. Create a new Virtual machine with the following settings:

3. Load the pfSense ISO image into the VM and boot from it. Straightforward enough. Make sure to boot from the CD/DVD drive.


4. Go with the default boot (number 1) or let the timer run down.

5. Press ‘I’ when prompted again to start the installer. Otherwise you will be running a LiveCD. Restart if this happens.

6. Accept all the default settings and wait for it to finish installing.

7. Reboot when finished.

pfSense has now been installed. It isn’t doing anything yet so we will need to configure and transition our network over to it.

Continued in Part 2: Install pfSense on ESXI 5.5 where we will configure the new installation.

Part 2: Install pfSense on ESXi 5.5

AUGUST 23, 2014

In Part 2 of my virtualised pfSense installation on ESXi 5.5 we will be specifying the network interfaces for pfSense, configuring the LAN interface as well as connecting to the pfSense web interface. Part 1 can be found here.

Part 2: Configure the pfSense and LAN

After rebooting, let pfSense load to the point where the initial setup begins. This is when you must configure the WAN and LAN for pfSense to work with. If you only have two network cards, the LAN is most likely already plugged into the Router/Modem or switch (recommended) – your connection to the ESXi host. Leave this plugged in for now. I will go with the ESXi and switch configuration so please try and change the configuration steps where applicable. Rethink why you need pfSense if you are not going to use a switch… you’ll only have one LAN port. Having a switch gives you 4, 8, 16 or even 24 more LAN ports.

The goal of the setup is to not lose your connection to ESXi. The moment you do, you won’t be able to get back in and configure it. Either have a remote static connection, a direct connection to the ESXi host or monitor available.

1. Set up the LAN and WAN

Say no to setting up VLANs. This is for another day.

When prompted for a WAN connection, provide it with the NIC connected to the WAN. You can find the MAC address of the NIC and match it up with what pfSense sees (e.g. em1)


Provide the LAN interface similarly (e.g. em0)

Press Enter when prompted for the ‘Optional 1 Interface’

Confirm the interfaces (y) and wait for pfSense to finish its configuration and bring you to the main menu.

2. Connect to pfSense

At this point, you will not be able to access the pfSense web interface because you are still connected to your original router as your gateway/modem/router/access point and it is currently providing you with an IP address. We want pfSense to provide us with an IP address instead.

Unplug the WAN device (modem, router, access point) from your switch so you have a LAN without Internet connectivity. You may also lose connectivity to the vSphere Client – just reconnect or have it restart its networking to gain a new IP from DHCP.

Release/Renew IP addresses for your computers by unplugging and replugging their cables, and pfSense should provide you with an IP address! If it does not, make sure pfSense is operating on the correct network adapter (LAN) and there is no other device on the network that can provide you with an address (other routers, modems and access points).

After the changes, your network should look like this:

3. Connect to the pfSense web interface

Open your browser of choice (Chrome for me) and enter the IP address of the pfSense LAN connection (which is 192.168.1.1 by default). Log in with the default username ‘admin’ and password ‘pfsense’.

Run through the setup as you see fit. Generally the defaults will do for now. When you arrive at the ‘Configure LAN Interface’ do not provide your new private address (e.g. 10.0.0.1) as of yet. We will finish the wizard first. Click ‘Reload’ and pfSense will restart temporarily. If it does not redirect you after 5 minutes, just go to 192.168.1.1 in a new window.

At this point you may either change the LAN IP to your own private range or add the WAN interface (Part 3) if you are happy with the 192.168.1.1 range.

Click ‘Interfaces’ in the top menu bar then ‘LAN’. Provide the new Static IPv4 address you prefer e.g. 10.0.0.1/24 then click ‘Save’. DO NOT APPLY CHANGES. You will also need to set up your new DHCP range before continuing. DO NOT APPLY CHANGES.

Click ‘Services’ in the top menu bar then ‘DHCP Server’. Provide the new range for your DHCP Server. Remember to leave your last address as a Broadcast address (e.g. 10.0.0.255 for 10.0.0.1/24). I placed half of my addresses into DHCP. Hit ‘Save’ then return to the ‘Interfaces -> LAN’ page and Apply your changes.

You will lose access to pfSense after a little while. Unplug and replug your network cable to get a new address within your new DHCP range. Verify your new network details and access pfSense once again at its new IP (e.g. 10.0.0.1).

In Part 3: Install pfSense on ESXi 5.5 we will configure the WAN (Internet) connection for your LAN.

Part 3: Install pfSense on ESXi 5.5

AUGUST 24, 2014

In Part 3 of my virtualised pfSense installation on ESXi 5.5 we will be configuring the WAN (Internet) interface and finalise our transition from our transitional router to a virtualised pfSense router. Part 1 can be found here and Part 2 can be found here.

Part 3: Configure the WAN

1. Connect back to your original modem/router via a cable or WiFi

Connect your workstation (not the ESXi host with pfSense) back to your modem/router. You will need to change some settings on it to provide an Internet connection to pfSense without creating a ‘double NAT’ situation in your network.

2. Log into its web interface

Generally 192.168.0.1 or 192.168.1.1, depending on the model and brand. I have a Netgear CG3100D-2 from Telstra so it is 192.168.1.1. Check your network gateway, it is generally the address of the device (run ipconfig or ifconfig from command prompt/terminal).

3. Activate bridge mode or disable NAT (same effect)

Find and enable the option in the web interface to disable NAT (network address translation) to turn the device into a simple modem. This activates Bridge Mode. You may have to search your device’s manual to find this option and see if it supports it. Restart the device if prompted before continuing.

Disable NAT on your modem router to activate bridge mode

4. Log back into the device

It may have a new IP address. Disable everything you will never use again on it to save some energy. For me, WiFi was still enabled so I disabled it.

Turn off WiFi on your modem router. It is almost useless when in bridge mode.

5. Connect the WAN interface on your ESXi host

You are ready to connect the WAN port. Connect the NIC from your ESXi host into any port on the modem. Disconnect your computer from the modem and plug it back into the switch. Your network should look like this:

You can plug in your WAN connection now. Plug a cable from your bridged modem router to the ESXi host running pfSense. Make sure it is into the network card you have specified as your WAN.


Your network is ready. Having a switch allows you to have more LAN connections. pfSense has now become your router, firewall, DHCP and DNS server.

If successful, you should get an Internet connection! Log back into pfSense and verify your WAN connection has an IP address. If you do not for whatever reason, go into ‘Interfaces -> WAN’ and give pfSense a hostname under ‘DHCP client configuration’.

In Part 4, we will be wrapping up the installation with some necessities.

Part 4: Install pfSense on ESXi 5.5

AUGUST 24, 2014

Now that our pfSense installation is set up and working, we will have to wrap up our installation with a few necessities such as VMware Tools. You can follow along with our installation in Part 1, Part 2 and Part 3.

Part 4: Necessities and Wrap-up

Install Native VMWare Tools for pfSense.

VMware Tools are available for FreeBSD, if you selected it as the virtual machine’s operating system. VMware Tools are important for increasing performance by allowing it to interact better with its hypervisor. It is extremely important in pfSense because it offers 10Gbps network cards via the vmxnet3 driver. Ensure your pfSense can access the internet.

1. Access the pfSense shell

Either through the console (option number 8) or by enabling Secure Shell (SSH) within ‘System -> Advanced’. Connect to pfSense via any SSH utility you have if you prefer SSH (e.g. Putty).

Enable SSH within the pfSense web interface via ‘System -> Advanced’

2. Enable downloading of packages

pfSense by default prevents you from downloading packages for good reason: it could break your firewall! The safest thing to do would be to build the packages on a separate system and copy them over to pfSense. But if you insist on being able to install packages straight from the pfSense shell (like me) there is a simple workaround.

First you will need to change where pfSense gets its packages from. As of this post, pfSense 2.1.4 is based off FreeBSD 8.3-RELEASE-p16. Find the URL that fits your version. Run the following commands in the shell:

For 64 bit:

setenv PACKAGESITE "http://ftpmirror.your.org/pub/FreeBSD-Unofficial-Packages/83amd64default/Latest/"

For 32 bit:

setenv PACKAGESITE "http://ftpmirror.your.org/pub/FreeBSD-Unofficial-Packages/83i386default/Latest/"

Once the package site has been set, install ‘perl’:

pkg_add -rv perl

Finally install the compatibility library for your version of pfSense.

For 64 bit:

pkg_add -rv compat6x-amd64

For 32 bit:

pkg_add -rv compat6x-i386

Use Putty to SSH into pfSense. Putty makes it easier to copy and paste code instead of typing it which almost always leads to spelling mistakes…

3. Load VMware Tools into pfSense

Open the vSphere Client and connect to your ESXi host. Locate your pfSense VM and ensure the Guest OS matches FreeBSD (32 or 64 bit depending on your version). This lets ESXi know which VMware Tools package to provide it with.

I am running the 64 bit version of pfSense. This lets VMware know which version of VMware Tools to install.

Open a console to the pfSense virtual machine and click: ‘VM -> Guest -> Install/Upgrade VMware Tools’ or if you are in VMware workstation: ‘VM -> Install VMware Tools’

4. Mount and install VMware Tools

Run the following line by line to mount the VMware Tools disk, unpack its contents and install it:

mount -t cd9660 /dev/acd0 /mnt/
cd /tmp
tar xvzf /mnt/vmware-freebsd-tools.tar.gz
cd vmware-tools-distrib/
./vmware-install.pl -d

If it fails to install the first time, run the final line again for a reinstall. Remove the leftovers after the installation:

rm -f /etc/vmware-tools/not_configured

5. Set VMware Tools to start on boot

A script is required to add the compat6x library at boot time or VMware tools will not start properly. Enter these lines into the shell:

echo '#!/bin/sh' > /usr/local/etc/rc.d/000-ldconfig.sh
echo '/sbin/ldconfig -m /usr/local/lib/compat' >> /usr/local/etc/rc.d/000-ldconfig.sh
echo '/usr/local/etc/rc.d/vmware-tools.sh restart' >> /usr/local/etc/rc.d/000-ldconfig.sh
echo '/usr/local/bin/vmware-config-tools.pl -d' >> /usr/local/etc/rc.d/000-ldconfig.sh
chmod a+x /usr/local/etc/rc.d/000-ldconfig.sh

As bad as this script is, it seems to fix the problem where the vSphere Client says it is not running even though everything else says it is (terminal commands, guest VM options, VMXNET3 working). VMware Tools also does not start because it wants to run through setup again. Hopefully this fixes all of that.

6. Add the VMXNET3 network cards

Shut down the VM through the shell (type exit then choose option 6) and add the VMXNET3 NICs as desired to replace your WAN and LAN network cards.

You have to shutdown the virtual machine first before removing and adding network adapters. Make sure the adapter type is VMXNET3. Note the MAC addresses as well.

7. Configure the VMXNET3 network adapters

Power on the VM and pfSense will alert you to set the interfaces once again. If you did everything correctly, they should show up as ‘VMware Vmxnet3 Ethernet Controller’. NOTE THEM DOWN BEFORE PFSENSE SCROLLS!

pfSense will notify you there is a network interface mismatch by swapping the network cards.

You will have to enter vmx3f0 or vmx3f1 depending on the interface (not the entire name). Make sure you link the correct network adapter to the correct interface. Check the MAC addresses like we did in Part 2.
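The MAC matching described here and in Part 2, as an added example (not code from the original post): it pairs the MAC addresses noted from the VM's adapter settings with the interface names pfSense reports, so WAN and LAN are not swapped. The `ifconfig` text and MAC values are constructed samples, and it assumes you can copy `ifconfig` output from the pfSense shell.

```python
import re

# Constructed sample of FreeBSD `ifconfig` output from the pfSense shell
IFCONFIG = """\
vmx3f0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:0c:29:aa:bb:01
\tinet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
vmx3f1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:0c:29:aa:bb:0b
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""

# MACs as noted from the VM's network adapter settings (constructed values)
VSPHERE = {"WAN": "00:0C:29:AA:BB:0B", "LAN": "00-0c-29-aa-bb-01"}

def normalise(mac):
    """Lower-case, colon-separated form so both notations compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_ifconfig(text):
    """Return {mac: interface name} for every interface with an 'ether' line."""
    macs, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\S+): flags=", line)
        if header:
            current = header.group(1)
            continue
        ether = re.match(r"^\s+ether\s+(\S+)", line)
        if ether and current:
            macs[normalise(ether.group(1))] = current
    return macs

def assign(vsphere_macs, ifconfig_text):
    """Map each role (WAN/LAN) to the interface name to enter at the prompt."""
    by_mac = parse_ifconfig(ifconfig_text)
    result = {}
    for role, mac in vsphere_macs.items():
        nic = by_mac.get(normalise(mac))
        if nic is None:
            raise LookupError(f"{role}: no pfSense interface has MAC {normalise(mac)}")
        result[role] = nic
    if len(set(result.values())) != len(result):
        raise ValueError("two roles resolved to the same interface")
    return result

if __name__ == "__main__":
    print(assign(VSPHERE, IFCONFIG))
```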


Specify the network adapter which has been allocated for both your WAN and LAN. They will be either vmx3f0 or vmx3f1.

Link the MAC addresses to the VM’s settings if you are unsure which is the LAN and WAN.

8. Make sure everything is working!

VMware Tools should be successfully installed natively on pfSense

When finished, pfSense will return to its usual screen retaining all your previous changes and IP addresses.

10Gbps networking!

Credits:

https://doc.pfsense.org/index.php/VMware_Tools
http://www.v-front.de/2013/06/how-to-install-or-update-VMware-tools.html

Give ESXi a static IP

You won’t be able to access your ESXi box through the vSphere Client as ESXi would not have a working IP address at this moment. It is best to give it a STATIC address over a DYNAMIC (DHCP) address as pfSense is a VM which starts after ESXi boots up. Therefore ESXi would not be able to obtain an address from DHCP and you would not be able to connect to it.

1. Access your ESXi box however you can

Either by a physical monitor and keyboard, KVM or IPMI (which may not work as it also needs its own IP address. Simply unplug and replug it to refresh its IP and find it under DHCP Leases in pfSense.)

2. Hit F2 and log in

Provide your ESXi credentials, typically the username is ‘root’.

3. Configure the management network

Select ‘Configure Management Network’ then ‘IP Configuration’.

4. Enter your new details

Highlight the radio and press space to select static. Enter an IP address that is not within the DHCP range you have specified in pfSense.

Ensure all the details are correct.

5. Restart the network configuration

Return to the main screen and restart your management network when prompted. You should now be able to connect to it from the vSphere client through its new and static IP address.
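A way to check the address plan before applying it, as an added example (not code from the original post): it verifies that the LAN range is private, that the DHCP pool avoids the network and broadcast addresses, and that each static address (ESXi, IPMI) is inside the LAN but outside the pool. The function name and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the prerequisites
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(lan_cidr, dhcp_start, dhcp_end, statics):
    """Return a list of problems; an empty list means the plan is consistent.

    lan_cidr: pfSense LAN address with prefix, e.g. "10.0.0.1/24"
    dhcp_start, dhcp_end: first and last address of the DHCP pool
    statics: {device name: static IP} for ESXi, IPMI, switches and so on
    """
    lan = ipaddress.ip_interface(lan_cidr)
    net = lan.network
    start, end = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    reserved = {net.network_address, net.broadcast_address}
    problems = []

    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not inside a private (RFC 1918) range")
    if start > end:
        problems.append("DHCP range start is above its end")
    for label, ip in (("start", start), ("end", end)):
        if ip not in net or ip in reserved:
            problems.append(f"DHCP {label} {ip} is not a usable host address in {net}")
    if start <= lan.ip <= end:
        problems.append(f"pfSense LAN address {lan.ip} is inside the DHCP pool")

    seen = {lan.ip: "pfSense LAN"}
    for name, addr in statics.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name} ({ip}) is outside {net} and will be unreachable")
        elif ip in reserved:
            problems.append(f"{name} ({ip}) is the network or broadcast address")
        elif start <= ip <= end:
            problems.append(f"{name} ({ip}) is inside the DHCP pool {start}-{end}")
        if ip in seen:
            problems.append(f"{name} ({ip}) duplicates {seen[ip]}")
        seen.setdefault(ip, name)
    return problems

# Constructed sample plans (not from the original post)
GOOD = check_plan("10.0.0.1/24", "10.0.0.128", "10.0.0.254",
                  {"esxi": "10.0.0.2", "ipmi": "10.0.0.3"})
BAD = check_plan("10.0.0.1/24", "10.0.0.128", "10.0.0.254",
                 {"esxi": "10.0.0.130", "ipmi": "192.168.1.50"})

if __name__ == "__main__":
    print(GOOD or "plan is consistent")
    for p in BAD:
        print("problem:", p)
```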

Make pfSense auto-start with ESXi

If pfSense is now your router, it is very important to auto-start it with ESXi.

1. Open the vSphere Client and connect to ESXi
2. Select your host and click on the ‘Configuration’ tab
3. Select ‘Virtual Machine Startup/Shutdown’ and click on ‘Properties…’ in the top right corner.
4. Select the VM and click ‘Move Up’ until it reaches Automatic Startup. Adjust the delay if necessary. Click ‘OK’ when done.

Set pfSense to start up with ESXi

Ending thoughts:

Our installation may be finished but pfSense offers many more features than just a router, firewall, DNS and DHCP server. In the future I will cover a range of popular features, packages and guides for pfSense that I feel aren’t covered well enough.

- pfSense is now your router, it must be on and running to get a connection to the Internet.
- Don’t put your server into maintenance mode. ESXi will never start pfSense and you won’t be able to access it without plugging and unplugging a bunch of things to be able to access the vSphere client and exit maintenance mode.
- Make regular backups of the pfSense VM. One wrong move and your network will collapse.
- Always give static addresses to important infrastructure like ESXi, IPMI, IMM, Switches, Modems and of course, pfSense.
