
Part 1: Install pfSense on ESXi 5.5
AUGUST 23, 2014

pfSense is an open source firewall/router based on FreeBSD. It is more than
just that, however, with the ability to be a DNS, VPN, IDS/IPS, DHCP, NTP and
cache (using Squid) server. Why would you dedicate a full system to pfSense
when it can easily run as a virtual machine to provide networking to your
entire infrastructure? This guide will walk you through replacing your current
router with pfSense and how to install pfSense on ESXi 5.5.

What you will need:

A computer or laptop to do the configuring
ESXi, the hypervisor it will run on
Modem used to connect to the Internet, can be your current modem/router combo
RJ45 cables
At least two network cards in your server; although you can use one, it is easier to spread your connections out as LAN and WAN.
KVM or monitor connected to ESXi, required when changing its IP address.

Prerequisites:
Think of the private address range you want
Private addresses are:

10.0.0.0 to 10.255.255.255 (16777216 addresses)

172.16.0.0 to 172.31.255.255 (1048576 addresses)

192.168.0.0 to 192.168.255.255 (65536 addresses)


My current home network is on the 192.168.X.X network but I am hoping to
change it to 10.X.X.X to save myself some typing. pfSense uses the
192.168.1.X network by default.

Have a video and keyboard connection to your ESXi box somehow.
The best way would be a physical monitor and keyboard (what I will use), KVM or
IPMI (set a static address, or else keep in mind the IP address of IPMI may be
out of range once you begin to work with the new address range). This is
because you will need to access pfSense, change your ESXi IP to get an address
etc.

Let's Start!
Currently your setup may look similar to this:

We want it to look something like this:

Our modem becomes independent of the router. pfSense becomes the router living as a VM on our
ESXi host. A switch may not be needed, but they're great to have.

pfSense as a virtual machine will sit between your modem and switch to act as
a router. It will be able to provide IP addresses to both physical and virtual
machines via its DHCP server (or you can set the IP manually). One network
card on your ESXi host will connect to the modem (WAN) while the other
connects to your switch (LAN). Without a switch, you will only be able to
connect one host to your network as there is only one connection!

Installation
1. Set up a LAN and WAN switch in the vSphere client. One NIC (network
card) will be the LAN and one NIC will be the WAN. The LAN NIC will act as a
router to your VMs as well as anything connected to the switch. The WAN will
be connected to your modem to access and provide Internet connectivity to
your LAN.

Two vSwitches using two different network cards. One network card is responsible for the local
network and one is dedicated to the wide area network (Internet)

Give the names WAN and LAN corresponding to whichever NIC is
connected to the Modem (WAN) and Switch (LAN).
2. Create a new Virtual machine with the following settings:

3. Load the pfSense ISO image into the VM and boot from it.
Straightforward enough. Make sure to boot from the CD/DVD drive.

4. Go with the default boot (number 1) or let the timer run down.

5. Press I when prompted again to start the installer.
Otherwise you will be running a LiveCD. Restart if this happens.

6. Accept all the default settings and wait for it to finish installing.

7. Reboot when finished.


pfSense has now been installed. It isn't doing anything yet so we will need to
configure and transition our network over to it.

Continued in Part 2: Install pfSense on ESXI 5.5 where we will configure the
new installation.

Part 2: Install pfSense on ESXi 5.5
AUGUST 23, 2014

In Part 2 of my virtualised pfSense installation on ESXi 5.5 we will be specifying
the network interfaces for pfSense, configuring the LAN interface as well as
connecting to the pfSense web interface. Part 1 can be found here.

Part 2: Configure the pfSense and LAN


After rebooting, let pfSense load to the point where the initial setup begins. This
is when you must configure the WAN and LAN for pfSense to work with.
If you only have two network cards, the LAN is most likely already plugged into
the router/modem or switch (recommended) as your connection to the ESXi
host. Leave this plugged in for now. I will go with the ESXi and
switch configuration, so please adapt the configuration steps where
applicable. Rethink why you need pfSense if you are not going to use a switch:
you'll only have one LAN port. Having a switch gives you 4, 8, 16 or even 24 more
LAN ports.
The goal of the setup is to not lose your connection to ESXi. The moment you
do, you won't be able to get back in and configure it. Either have a remote static
connection, a direct connection to the ESXi host or a monitor available.
1. Set up the LAN and WAN
Say no to set up VLANs. This is for another day.

When prompted for a WAN connection, provide it with the NIC connected to the
WAN. You can find the MAC address of the NIC and match it up with what
pfSense sees (e.g. em1)

Provide the LAN interface similarly (e.g. em0)

Press Enter when prompted for the Optional 1 Interface

Confirm the interfaces (y) and wait for pfSense to finish its configuration and
bring you to the main menu.

2. Connect to pfSense
At this point, you will not be able to access the pfSense web interface because
you are still connected to your original router as your
gateway/modem/router/access point and it is currently providing you with an IP
address. We want pfSense to provide us with an IP address instead. Unplug the
WAN device (modem, router, access point) from your switch so you have a LAN
without Internet connectivity. You may also lose connectivity to the vSphere
Client; just reconnect or have it restart its networking to gain a new IP from
DHCP. Release/renew the IP addresses of your computers by unplugging and
replugging their cables, and pfSense should provide you with an IP address! If it
does not, make sure pfSense is operating on the correct network adapter (LAN)
and there is no other device on the network that can provide you with an
address (other routers, modems and access points).
After the changes, your network should look like this:


3. Connect to the pfSense web interface


Open your browser of choice (Chrome for me) and enter the IP address of the
pfSense LAN connection (by default, 192.168.1.1). Log in with the default
username admin and password pfsense.

Run through the setup as you see fit. Generally the defaults will do for now. When
you arrive at Configure LAN Interface, do not provide your new private
address (e.g. 10.0.0.1) yet. We will finish the wizard first. Click Reload
and pfSense will restart temporarily. If it does not redirect you after 5 minutes,
just go to 192.168.1.1 in a new window.
At this point you may either change the LAN IP to your own private range or add
the WAN interface (Part 3) if you are happy with the 192.168.1.1 range.
Click Interfaces in the top menu bar, then LAN. Provide the new Static IPv4
address you prefer, e.g. 10.0.0.1/24, then click Save. DO NOT APPLY
CHANGES. You will also need to set up your new DHCP range before
continuing.
DO NOT APPLY CHANGES

Click Services in the top menu bar, then DHCP Server. Provide the new range
for your DHCP Server. Remember to leave your last address as a Broadcast
address (e.g. 10.0.0.255 for 10.0.0.1/24). I placed half of my addresses into
DHCP. Hit Save, then return to the Interfaces -> LAN page and Apply your
changes.

You will lose access to pfSense after a little while. Unplug and replug your
network cable to get a new address within your new DHCP range.
Verify your new network details and access pfSense once again at its new IP
(e.g. 10.0.0.1).

In Part 3: Install pfSense on ESXi 5.5 we will configure the WAN (Internet)
connection for your LAN.


Part 3: Install pfSense on ESXi 5.5
AUGUST 24, 2014

In Part 3 of my virtualised pfSense installation on ESXi 5.5 we will be
configuring the WAN (Internet) interface and finalising our transition from our
traditional router to a virtualised pfSense router. Part 1 can be found
here and Part 2 can be found here.

Part 3: Configure the WAN


1. Connect back to your original modem/router via a cable or WiFi.
Connect your workstation (not the ESXi host with pfSense) back to your
modem/router. You will need to change some settings on it to provide an
Internet connection to pfSense without creating a double NAT situation in your
network.
2. Log into its web interface
Generally 192.168.0.1 or 192.168.1.1, depending on the model and brand. I
have a Netgear CG3100D-2 from Telstra so it is 192.168.1.1. Check your
network gateway; it is generally the address of the device (run ipconfig or
ifconfig from command prompt/terminal).
3. Activate bridge mode or disable NAT (same effect)
Find and enable the option in the web interface to disable NAT (network
address translation) to turn the device into a simple modem. This
activates Bridge Mode. You may have to search your device's manual to find
this option and see if it supports it. Restart the device if prompted before
continuing.

Disable NAT on your modem router to activate bridge mode

4. Log back into the device


It may have a new IP address. Disable everything you will never use again on it
to save some energy. For me, WiFi was still enabled so I disabled it.


Turn off WiFi on your modem router. It is almost useless when in bridge mode.

5. Connect the WAN interface on your ESXi host


You are ready to connect the WAN port. Connect the NIC from your ESXi host
into any port on the modem. Disconnect your computer from the modem
and plug it back into the switch. Your network should look like this:

You can plug in your WAN connection now. Plug a cable from your bridged modem router to the ESXi
host running pfSense. Make sure it goes into the network card you have specified as your WAN.

Your network is ready. Having a switch allows you to have more LAN connections. pfSense has now
become your router, firewall, DHCP and DNS server.

If successful, you should get an Internet connection! Log back into pfSense and
verify your WAN connection has an IP address. If you do not for whatever
reason, go into Interfaces -> WAN and give pfSense a hostname under DHCP
client configuration.
In Part 4, we will be wrapping up the installation with some necessities.

Part 4: Install pfSense on ESXi 5.5
AUGUST 24, 2014

Now that our pfSense installation is set up and working, we will have to wrap up
our installation with a few necessities such as VMware Tools. You can
follow along with our installation in Part 1, Part 2 and Part 3.

Part 4: Necessities and Wrap-up


Install Native VMware Tools for pfSense.
VMware Tools are available for FreeBSD, if you selected it as the virtual
machine's operating system. VMware Tools are important for increasing
performance by allowing it to interact better with its hypervisor. It is extremely
important in pfSense because it offers 10Gbps network cards via the vmxnet3
driver.
Ensure your pfSense can access the internet.
1. Access the pfSense shell
Either through the console (option number 8) or by enabling Secure Shell (SSH)
within System -> Advanced. Connect to pfSense via any SSH utility you have if
you prefer SSH (e.g. Putty).

Enable SSH within the pfSense web interface via System -> Advanced

2. Enable downloading of packages


pfSense by default prevents you from downloading packages for good reason: it
could break your firewall! The safest thing to do would be to build the packages
on a separate system and copy them over to pfSense. But if you insist on being
able to install packages straight from the pfSense shell (like me), there is a
simple workaround.
First you will need to change where pfSense gets its packages from. As of this
post, pfSense 2.1.4 is based off FreeBSD 8.3-RELEASE-p16. Find the URL that
fits your version. Run the following commands in the shell:
For 64 bit:

setenv PACKAGESITE "http://ftpmirror.your.org/pub/FreeBSD-Unofficial-Packages/83amd64default/Latest/"

For 32 bit:

setenv PACKAGESITE "http://ftpmirror.your.org/pub/FreeBSD-Unofficial-Packages/83i386default/Latest/"

Once the package site has been set, install perl:

pkg_add -rv perl

Finally, install the compatibility library for your version of pfSense.
For 64 bit:

pkg_add -rv compat6x-amd64

For 32 bit:

pkg_add -rv compat6x-i386

Use Putty to SSH into pfSense. Putty makes it easier to copy and paste code instead of typing it,
which almost always leads to spelling mistakes

3. Load VMware Tools into pfSense


Open the vSphere Client and connect to your ESXi host. Locate your pfSense
VM and ensure the Guest OS matches FreeBSD (32 or 64 bit depending on
your version). This lets ESXi know which VMware Tools package to provide it
with.


I am running the 64 bit version of pfSense. This lets VMware know which version of VMware Tools to
install.

Open a console to the pfSense virtual machine and click:


VM -> Guest -> Install/Upgrade VMware Tools
or if you are in VMware workstation:
VM -> Install VMware Tools
4. Mount and install VMware Tools
Run the following line by line to mount the VMware Tools disk, unpack its
contents and install it:

mount -t cd9660 /dev/acd0 /mnt/
cd /tmp
tar xvzf /mnt/vmware-freebsd-tools.tar.gz
cd vmware-tools-distrib/
./vmware-install.pl -d

If it fails to install the first time, run the final line again for a reinstall.
Remove the leftovers after the installation:

rm -f /etc/vmware-tools/not_configured

5. Set VMware Tools to start on boot


A script is required to add the compat6x library at boot time or VMware Tools will
not start properly. Enter these lines into the shell:

echo '#!/bin/sh' > /usr/local/etc/rc.d/000-ldconfig.sh
echo '/sbin/ldconfig -m /usr/local/lib/compat' >> /usr/local/etc/rc.d/000-ldconfig.sh
echo '/usr/local/etc/rc.d/vmware-tools.sh restart' >> /usr/local/etc/rc.d/000-ldconfig.sh
echo '/usr/local/bin/vmware-config-tools.pl -d' >> /usr/local/etc/rc.d/000-ldconfig.sh
chmod a+x /usr/local/etc/rc.d/000-ldconfig.sh

As bad as this script is, it seems to fix the problem where the vSphere Client
says it is not running even though everything else says it is (terminal commands,
guest VM options, VMXNET3 working). VMware Tools also does not start
because it wants to run through setup again. Hopefully this fixes all of that.
6. Add the VMXNET3 network cards
Shut down the VM through the shell (type exit then choose option 6) and
add the VMXNET3 NICs as desired to replace your WAN and LAN network
cards.

You have to shut down the virtual machine first before removing and adding network adapters. Make
sure the adapter type is VMXNET3. Note the MAC addresses as well.

7. Configure the VMXNET3 network adapters


Power on the VM and pfSense will alert you to set the interfaces once again. If
you did everything correctly, they should show up as VMware Vmxnet3
Ethernet Controller.
NOTE THEM DOWN BEFORE PFSENSE SCROLLS!

pfSense will notify you there is a network interface mismatch by swapping the network cards.

You will have to enter vmx3f0 or vmx3f1 depending on the interface (not the
entire name). Make sure you link the correct network adapter to the correct
interface. Check the MAC addresses like we did in Part 2.


Specify the network adapter which has been allocated for both your WAN and LAN. They will be
either vmx3f0 or vmx3f1.

Link the MAC addresses to the VM's settings if you are unsure which is the LAN
and WAN.
8. Make sure everything is working!
VMware Tools should be successfully installed natively on pfSense.

When finished, pfSense will return to its usual screen retaining all your previous changes and IP
addresses.

10Gbps networking!

Credits:
https://doc.pfsense.org/index.php/VMware_Tools
http://www.v-front.de/2013/06/how-to-install-or-update-VMware-tools.html

Give ESXi a static IP


You won't be able to access your ESXi box through the vSphere Client as ESXi
would not have a working IP address at this moment. It is best to give it a
STATIC address over a DYNAMIC (DHCP) address as pfSense is a VM which
starts after ESXi boots up. Therefore ESXi would not be able to obtain an
address from DHCP and you would not be able to connect to it.
1. Access your ESXi box however you can
Either by a physical monitor and keyboard, KVM or IPMI (which may not work
as it also needs its own IP address; simply unplug and replug it to refresh its IP
and find it under DHCP Leases in pfSense).
2. Hit F2 and log in.
Provide your ESXi credentials, typically the username is root
3. Configure the management network
Select Configure Management Network then IP Configuration.
4. Enter your new details
Highlight the radio button and press space to select static. Enter an IP address
that is not within the DHCP range you have specified in pfSense.

Ensure all the details are correct.

5. Restart the network configuration
Return to the main screen and restart your management network when
prompted. You should now be able to connect to it from the vSphere client
through its new static IP address.
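
The address planning from Part 2 (a DHCP range that leaves the broadcast address free) and from this section (a static ESXi address outside the DHCP range) can be checked before anything is applied. The Python script below is an added example, not part of the original guide; the pool bounds and the ESXi and IPMI addresses in the sample plans are constructed for illustration, and it handles IPv4 only.

```python
import ipaddress

# The three private ranges listed in Part 1.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(lan_interface, dhcp_start, dhcp_end, static_hosts):
    """Return a list of problems with an IPv4 LAN plan (empty list = OK)."""
    iface = ipaddress.ip_interface(lan_interface)   # e.g. "10.0.0.1/24"
    net, gateway = iface.network, iface.ip
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    reserved = (net.network_address, net.broadcast_address)
    problems = []

    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{net} is not inside a private range")
    if start > end:
        problems.append("DHCP pool start is after its end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"DHCP pool {label} {addr} is outside {net}")
        elif addr in reserved:
            problems.append(f"DHCP pool {label} {addr} is the network or broadcast address")
    if start <= gateway <= end:
        problems.append(f"pfSense LAN address {gateway} is inside the DHCP pool")

    # Static devices must sit in the subnet, outside the pool, and be unique.
    seen = {gateway: "pfSense LAN"}
    for name, text in static_hosts.items():
        addr = ipaddress.ip_address(text)
        if addr not in net or addr in reserved:
            problems.append(f"{name} {addr} is not a usable address in {net}")
        if start <= addr <= end:
            problems.append(f"{name} {addr} is inside the DHCP pool")
        if addr in seen:
            problems.append(f"{name} {addr} collides with {seen[addr]}")
        seen[addr] = name
    return problems


# Constructed sample plans (addresses are illustrative, not from the guide).
GOOD = check_plan("10.0.0.1/24", "10.0.0.128", "10.0.0.254",
                  {"ESXi": "10.0.0.2", "IPMI": "10.0.0.3"})
BAD = check_plan("10.0.0.1/24", "10.0.0.128", "10.0.0.255",
                 {"ESXi": "10.0.0.150", "IPMI": "10.0.1.3"})

if __name__ == "__main__":
    print("good plan:", GOOD or "no problems")
    for problem in BAD:
        print("bad plan:", problem)
```
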

Make pfSense auto-start with ESXi


If pfSense is now your router, it is very important to auto-start it with ESXi.

1. Open the vSphere Client and connect to ESXi
2. Select your host and click on the Configuration tab
3. Select Virtual Machine Startup/Shutdown and click on Properties in
the top right corner.
4. Select the VM and click Move Up until it reaches Automatic Startup.
Adjust the delay if necessary. Click OK when done.

Set pfSense to start up with ESXi

Ending thoughts:
Our installation may be finished but pfSense offers many more features than
just a router, firewall, DNS and DHCP server. In the future I will cover a range
of popular features, packages and guides for pfSense that I feel aren't covered
well enough.

pfSense is now your router; it must be on and running to get a connection to the Internet.
Don't put your server into maintenance mode: ESXi will never start pfSense and you won't be able to access it without plugging and unplugging a bunch of things to be able to access the vSphere client and exit maintenance mode.
Make regular backups of the pfSense VM. One wrong move and your network will collapse.
Always give static addresses to important infrastructure like ESXi, IPMI, IMM, Switches, Modems and of course, pfSense.