pfSense install on VMWare ESXi as a network firewall/router  – Section 3 – Install pfSense

Step 1 – Install pfSense
Once pfSense is installed from the ISO, it assigns its LAN interface 192.168.1.1/24 and starts a DHCP server on it, so a client attached to the LAN port group picks up an address and can reach the web GUI straight away.


Step 2 (Optional) – Change local network

You can reconfigure the LAN address either via the web interface (at the address above, http://192.168.1.1; pfSense redirects this to HTTPS with a self-signed certificate, so expect a browser warning) or from the console menu (option 2, "Set interface(s) IP address"). The default login is admin / pfsense; change that password before the WAN goes live.


Step 3 – Configure WAN
Again, this can be done either from the web interface (the setup wizard, or Interfaces > WAN) or from the console. Make sure the interface pfSense calls WAN is the vNIC attached to the WAN port group and not the LAN one: console option 1 ("Assign Interfaces") lists each vNIC with its MAC address, which you can match against the VM's network adapters in the ESXi client.


Step 4 – Plug in WAN cable
Connect the upstream (modem or ISP) link to the physical NIC that is the sole uplink of the WAN vSwitch.


Step 5 – Test
If the ports are mapped consistently (the physical WAN NIC is the uplink of the WAN vSwitch in VMware, and the WAN port group feeds the vNIC that pfSense calls WAN), a client on the LAN should get an address from pfSense, reach the GUI, and reach the internet through it. From the pfSense console, option 7 ("Ping host") is a quick check that the WAN side itself has connectivity.


There are two big questions after building a setup like this. The first is security. Since pfSense is the only host with an interface on the WAN, it should be the only way into your network. That holds as long as the ESXi management interface (and any other vmkernel port, such as vMotion or storage) lives only on the LAN-side vSwitch, and the WAN vSwitch has the physical WAN NIC as its sole uplink with nothing but the pfSense VM's WAN vNIC attached. With no VMware management interface on the WAN, there is no way for an outside party to reach ESXi directly. I've used this setup successfully (and safely) before, as have others. However, you always need to balance your particular security concerns against the cost of dedicated devices.
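The condition that makes this safe, that no vmkernel interface sits on the WAN vSwitch, is easy to audit from the ESXi shell. The script below is an added example and not part of the original post: it parses the text of `esxcli network ip interface list` and fails if any vmkernel port is attached to the vSwitch that carries the WAN uplink (assumed here to be called vSwitch1). The two samples are constructed, not captured from a real host, and the second one shows what a misconfiguration looks like.

```shell
#!/bin/sh
# Added example, not from the original post: audit an ESXi host so that no
# vmkernel interface (management, vMotion, storage) sits on the vSwitch that
# carries the WAN uplink. That is the condition the text relies on when it
# says only pfSense is reachable from the WAN.
#
# Input is the text of `esxcli network ip interface list` (ESXi shell or SSH).
# Assumptions: the WAN vSwitch is called "vSwitch1", and the samples below
# are constructed rather than captured from a real host.

# Read esxcli output on stdin; return 0 when no vmkernel interface is attached
# to the vSwitch named in $1, 1 otherwise (printing each offender).
check_no_vmk_on_wan() {
    awk -v wan="$1" '
        BEGIN { bad = 0 }
        /^[^ ]/          { vmk = $1 }        # record header line, e.g. "vmk0"
        /^ +Portset:/    { portset = $2 }    # standard vSwitch the vmk is on
        /^ +Portgroup:/ {                    # follows Portset in esxcli output
            sub(/^ +Portgroup: /, "")
            if (portset == wan) {
                printf "FAIL: %s is attached to %s (port group \"%s\")\n", vmk, portset, $0
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample: management on the LAN-side vSwitch0 only (intended layout).
sample_ok() {
    cat <<'EOF'
vmk0
   Name: vmk0
   MAC Address: 00:50:56:aa:bb:01
   Enabled: true
   Portset: vSwitch0
   Portgroup: Management Network
   Netstack Instance: defaultTcpipStack
EOF
}

# Constructed sample: a vmkernel port was added to the WAN vSwitch, which
# would expose ESXi management directly on the ISP link.
sample_bad() {
    sample_ok
    cat <<'EOF'
vmk1
   Name: vmk1
   MAC Address: 00:50:56:aa:bb:02
   Enabled: true
   Portset: vSwitch1
   Portgroup: WAN
   Netstack Instance: defaultTcpipStack
EOF
}

# Stand-alone demo over both samples. On a real host, pipe the live output
# into the check instead: esxcli network ip interface list | check_no_vmk_on_wan vSwitch1
for s in sample_ok sample_bad; do
    if "$s" | check_no_vmk_on_wan vSwitch1; then
        echo "$s: clean, no vmkernel interface on vSwitch1"
    else
        echo "$s: ESXi management would be reachable from the WAN"
    fi
done
```

Run it from the ESXi shell (or over SSH) after any change to the host's networking; the same check is worth pairing with `esxcli network vswitch standard list`, where the WAN vSwitch should show exactly one uplink (the physical WAN NIC) and only the WAN port group.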

The second question is remote management, maintenance and failure. Managing ESXi remotely is easy if you set up a VPN on your pfSense VM. Without that (or something similar) you will not be able to manage the box remotely, by design. But what happens if there is a failure, either in the VMware hardware or in the pfSense virtual machine? That is the big weak point of this setup: you are down. If, for whatever reason, pfSense dies, your network is offline and you cannot manage it remotely. If the hardware is installed in a datacenter, you would need to either go there yourself or have remote hands reboot it. Keep that in mind when weighing the cost. Of course, if it is local (say you use this at home), it is not such a big deal.

I will note that this is the setup I use in my home network, which doubles as my homelab. Having a VM for a firewall gives me a lot of flexibility, such as adding an entirely separate vSwitched network for experimental VMs. I can also swap the firewall VM for another one with next to no downtime. It also lets me skip one more piece of hardware at home that would add to my otherwise hefty power bill.
