next »

[louis-m]

just had a thought..... i have an alix board (for low power consumption) and i think it may get maxed out with the wan connection i'm about to get.
i have an esxi server running that has spare capacity. rather than buy a new router (unsure yet as the alix might do), would i be better using esxi 5 and a virtual pfsense? i'm thinking it would give me the grunt but with no additional power consumption as the hardware router would not be part of the equation.
the esxi has 4 intel nics (1 x free) with a 24 port managed switch.

[Xuridisa]

I've used pfSense (both for myself and customers) on VMware ESX for quite a few years now and it's always worked great.  Make sure you install the Open-VM-Tools package.

[louis-m]

thanks. have you tried it with one nic? ie seperate vlans for incoming and outgoing? i was thinking of putting the modem into the switch rather than the nic on the esxi server.

[Xuridisa]

In my case I have the WAN (router) going to a switch "access port" on a particular VLAN, and also a number of other VLANs for LAN, DMZ etc.  In ESX I have a number of VM Networks all with the various VLAN IDs configured.  Then I have a number of virtual NICs on the pfSense VM.

But you could also do it the way you propose, a single virtual NIC and then do the VLAN stuff inside pfSense.  You'd just need to set eh VLAN ID on the a VM Network in ESX to 4095 so that it will pass all VLANs as a trunk to be dealt with by ESX.

Cheers,
Andrew

[marcelloc]

thanks. have you tried it with one nic? ie seperate vlans for incoming and outgoing? i was thinking of putting the modem into the switch rather than the nic on the esxi server.

I have it running with no issues

[louis-m]

thanks guys.
could anybody comment on this setup and confirm it's ok?

modem > switch port 1 (untagged member of vlan30)

switch port 2 (tagged member of vlan30) to pfsense WAN (vlan30)

pfsense LANS (vlan40, vlan41, vlan42) connect back to switch port 2 which is tagged member of vlan40,41,42

so basically switch port 2 would be running the WAN (vlan30) down and LAN's (vlan40,41,42) up

is this safe?

[marcelloc]

In my oppinion, yes.

did you installed vm-tools do change network driver to vmx?

[louis-m]

not yet. i can't seem to get it going.
i create a pfsense vm and assign it 2 x virtual nic on vswitch2
vnic1 = em0_vlan30 = public IP
vnic2 = em1_vlan40 = 192.168.40.1/24

i can't seem to get my manangement network vswitch0 with vlan40 to speak to vswitch2 with vlan40

any ideas?

[marcelloc]

There is an option on esx to tag all vlans from switch to virtual switch. As I don't remember what is that option, try to search the forum or vmware site.

You can do this setup with only one interface too.
If your wan vlan is just for modem and esx, you can untag it for vmware port too.

Keep in mind that you can't use tag and untagged vlans  on the same port.

[louis-m]

DOH! finally got it going. i was setting a virtual switch vlan and then setting the vlans on a physical switch.
everytime i set the vlan in pfsense, it wouldn't communicate.

quick question. am i better setting the vlan's in:

1. physical switch & virtual switch (with pfsense just having normal interfaces eg wan, lan1, lan2)
2. physical switch & pfsense (with virtual switch just having a normal interface)

I certainly need the physical switch with vlans so the wan and lans can be on the same physical cable.

[wallabybob]

quick question. am i better setting the vlan's in:

1. physical switch & virtual switch (with pfsense just having normal interfaces eg wan, lan1, lan2)
2. physical switch & pfsense (with virtual switch just having a normal interface)

I expect it will depend on configuration information I don't think you have provided. Also I'm not familiar with the details of what is provided in esxi.

1. is probably required if other VMs need to share the physical interface used by the pfSense VLANs.

If not and it is possible in esxi for a VM to have exclusive control of a physical interface then I would grant exclusive access of one of the NICs to the pfSense VM and do all the VLAN work for pfSense in pfSense on the grounds that the next time you have to troubleshoot this it will almost certainly be easier if all the VLAN configuration is in pfSense rather than in pfSense and esxi.

[louis-m]

well, i definetely need the physical swithc to be vlan'd to get the wan and lans on the same physical cable.

i've played about with it a little and it doesn't make much difference to be fair.
you can either:
1. use multiple normal interfaces on pfsense eg WAN, LAN1, LAN2, LAN3 and then connect each one to a seperate virtual switch which does the vlans to the phyical switch
2. use vlans with pfsense and connect them to a seperate (non vlan'd virtual switch) and allow the traffic to be mananged from within pfsense.

i think it basically depends on where you want to manage your vlans. in my case, i've chosen to do it within pfsense (which would mirror the way you would do it in the physical world)

[bdwyer]

In ESXi, it is possible to leave dot1q tagging untouched on the vSwitch, allowing you to configure VLAN's on pfSense as you would running a trunk port to it.  VLAN 4095 is a special case VLAN on ESXi and lets you run trunk's directly into your virtual machines.  This is the feature marcelloc and Xuridisa were referring to.  This would allow you to do the tagging/untagging on pfsense rather than multiple vSwitches.  If you are moving a lot of traffic you should probably compare the performance hit of having pfsense doing the tagging/untagging vs. multiple vswitches and multiple virtual NIC's.  I have often wondered myself where that would best be done in this exact situation.

[louis-m]

i came from an alix and i have noticed a 1.5-2ms longer ping difference on the wan when it's a vm compared to the alix.
i might try and give it a shot to see if there is a difference between what you say.

[cmb]

all my ESX boxes and all the customer ones I've been on, which adds up to a ton, add a very tiny fraction of 1 ms latency. Shouldn't have 1.5-2 ms added by ESX. Especially comparing to an ALIX, generally you're running ESX on vastly faster hardware than a 500 MHz Geode and it actually has less latency through it (though we're still talking small fractions of 1 ms).