
Tutorial Using VMWare ESXi and PFsense As A Network Firewallrouter

The document provides a tutorial for using VMWare ESXi and PFsense to create a virtualized network firewall and router. It outlines setting up ESXi with two network interfaces, one for the WAN and one for the LAN. It then instructs how to install PFsense as a virtual machine, attaching its virtual NICs to the appropriate vSwitches. Finally, it discusses configuring PFsense with interfaces for the WAN and LAN, and some security and management considerations for this type of virtualized network setup.

Uploaded by

noahkrpg

Tutorial: Using VMWare ESXi and PFsense as a network firewall/router
obviate.io/2015/08/31/tutorial-using-vmware-esxi-and-pfsense-as-a-network-firewallrouter

Jon August 30, 2015

In most networks, you will have dedicated hardware to function as your “edge” (firewall/router). This is typically for the best, but there are always cases where you can’t put out that dedicated hardware. Sometimes it’s for cost reasons and sometimes it’s for complexity. In my particular case, I was installing an ESXi server in a datacenter and only had 2 amps of power to work with, of which my server took up ~1.8 amps at peak load. So cost came into play and we simply couldn’t afford to put in dedicated hardware that could push enough bits.

In such cases, it is possible to set up ESXi on the network edge, in a reasonably secure fashion, with PFSense acting as a firewall.

The most important requirement for this project is that your VMWare ESXi server has at least two network ports on it. One will be the WAN port, one will be the LAN port. Also, throughout this tutorial I will use PFSense as my firewall/router OS of choice; however, it is just an example that can be easily swapped out with any other virtualized firewall product. Some options include Palo Alto Networks, Fortinet, and even generic *NIX operating systems with the right forwarding/firewall setup.

Section 1 – VMWare Setup

Step 1 – Install & Connect to ESXi


You should already have ESXi set up and connected via the VSphere client on Windows.
It’s recommended that you set a static IP address on the VMWare Management interface, if you’ve not done so already.
Go to Configuration > Networking
Rename the vSwitch interface you’re using to “LAN”

Step 2 – Add new interface


You want “Virtual Machine” type

Step 3 – Select NIC
You want to select your unused NIC (assuming you only have two)

Step 4 – Name it
This is your “WAN” interface

Step 5 – Confirm you’ve got two networks


You’ll notice that we’ve got two vSwitches now. The “LAN” switch has the Management network and is connected currently. The “WAN” switch has nothing, and the adapter is disconnected.

Section 2 – Virtual Machine Setup

Step 1 – New VM

Step 2 – Typical Setup

Step 3 – Name your VM

Step 4 – Select Datastore

Step 5 – OS Type
If you’re using PFSense, select “Other” and “FreeBSD 64bit”

Step 6 – Two NICs


Unlike most VMs with 1 NIC, add 2 NICs to this VM.
Make sure one adapter is on “WAN” network and one adapter is on “LAN” network.

Step 7 – Allocated HD
PFSense doesn’t need much space, but swap should be allocated at 2:1 relative to RAM (e.g. a 4096 MB swap file for 2048 MB of RAM); some extra space for packages and logs may also be useful.

Step 8 – Edit before completion

Step 9 – Final settings


As this is my firewall, I want to make sure it is plenty fast. So I opted for 4 cores and 2 GB RAM. Also attach the CD drive to the PFSense installer (be it datastore ISO or real USB/Optical drive).

Step 10 – Verify Network


Hop back to Configuration > Networking and you should see something like this. Note: various VMs are all attached to the LAN vSwitch, however only the PFsense VM is attached to both WAN & LAN (just like a real firewall).

Step 11 – VM Startup
Go to Configuration > VM Startup/Shutdown
Click Properties

Step 12 – Set PFSense to first boot order


You may have other VMs that you want to auto-start, but as this is your firewall, it should be the first to start.

Section 3 – PFSense

Step 1 – Install PFSense


Once you’ve installed PFSense, it will automatically configure its local interface to 192.168.1.1

Step 2 (Optional) – Change local network


You can reconfigure the local network either via the web interface (at the aforementioned IP: http://192.168.1.1) or the command line

Step 3 – Configure WAN
Again, this can be configured either via the web, or command line.

Step 4 – Plug in WAN cable

Step 5 – Test
If you’ve got the ports configured properly (i.e. WAN hardware is WAN in VMWare and WAN in PFSense), you should be able to connect to the internet.

There are two big questions after building a setup like this. The first is security. Since PFSense is the only host with an interface on the WAN, it should be the only method of ingress into your network. With no VMware management interface on the WAN, there should be no way for an outside party to access ESXi directly. I’ve used this setup successfully (and safely) before, as have others. However, you always need to balance your particular security concerns with the cost of dedicated devices.
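
One way to check the “no VMware management interface on the WAN” condition from a shell, as an added example that is not part of the original tutorial. It assumes standard vSwitches, a port group named WAN as in Section 1, and the `Portgroups:` / `Portset:` field layout printed by the two esxcli commands named in the comments; the sample text is constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Input is the text printed by
#   esxcli network vswitch standard list   and   esxcli network ip interface list
# The sample text is constructed and trimmed to the fields that are parsed.
sample_vswitches() { cat <<'EOF'
vSwitch0
   Name: vSwitch0
   Uplinks: vmnic0
   Portgroups: LAN, Management Network

vSwitch1
   Name: vSwitch1
   Uplinks: vmnic1
   Portgroups: WAN
EOF
}
sample_vmk() { cat <<'EOF'
vmk0
   Name: vmk0
   Portset: vSwitch0
   Portgroup: Management Network
EOF
}
# Print the vSwitch whose "Portgroups:" line lists port group $1 (text on stdin).
vswitch_of_portgroup() {
    awk -v pg="$1" '
        { sub(/[ \t\r]+$/, "") }                 # drop trailing blanks and CR
        /^[^ \t]/ { sw = $0 }                    # unindented line starts a vSwitch
        /^[ \t]+Portgroups:/ {
            sub(/^[ \t]+Portgroups:[ \t]*/, "")
            n = split($0, g, /,[ \t]*/)
            for (i = 1; i <= n; i++) if (g[i] == pg) print sw
        }'
}
# Print each VMkernel interface whose "Portset:" is vSwitch $1 (text on stdin).
vmk_on_vswitch() {
    awk -v sw="$1" '
        { sub(/[ \t\r]+$/, "") }
        /^[^ \t]/ { vmk = $0 }                   # unindented line starts a vmk entry
        /^[ \t]+Portset:/ { sub(/^[ \t]+Portset:[ \t]*/, ""); if ($0 == sw) print vmk }'
}
# audit_wan PORTGROUP VSWITCH_TEXT VMK_TEXT
# Returns 0 = no VMkernel interface on the WAN vSwitch, 1 = exposed, 2 = port group not found.
audit_wan() {
    sw=$(printf '%s\n' "$2" | vswitch_of_portgroup "$1")
    [ -n "$sw" ] || return 2
    exposed=$(printf '%s\n' "$3" | vmk_on_vswitch "$sw")
    [ -z "$exposed" ] || { echo "VMkernel on $sw: $exposed" >&2; return 1; }
}
```

Against a real host, pass the live text instead of the samples: `audit_wan WAN "$(esxcli network vswitch standard list)" "$(esxcli network ip interface list)"`. A return value of 1 means a vmk interface shares the vSwitch that carries the WAN port group and should be moved or removed.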

The second question is remote management/maintenance/failure. Managing ESXi remotely is easy, if you set up a VPN on your PFSense VM. Without that (or similar) you will not be able to remotely manage the box (by design). But what happens if there is a failure either in the VMWare hardware or the PFSense virtual machine? That’s the big failing point of this setup – you’re down. If, for whatever reason, PFsense dies – your network is offline and you cannot remotely manage it. If this hardware is installed in a datacenter, you’d need to either get in there yourself or have remote hands reboot it. Something to keep in mind when balancing the cost issue. Of course, if it’s local (say you use this at home), then it’s not such a big deal.

I will note that this is the setup I use in my home network, which doubles as my homelab. Having a VM for a firewall gives me a lot of flexibility, like adding an entirely separate vSwitched network for experimental VMs. I can also swap out the firewall VM for another one with next to no downtime. It also allows me to skip one more piece of hardware at home which would add to my otherwise hefty power bill.
