PfSense 2 on VMware ESXi 5 - PFSenseDocs

Search

Personal tools

Log in

PfSense 2 on VMware ESXi 5

From PFSenseDocs

Installing pfSense 2.0 on VMware ESXi 5.0

PfSense 2 on VMware ESXi 5 - PFSenseDocs https://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5

1 de 33 17/06/2014 11:34

Contents

1 Introduction1.1 Assumptions

2 Basic ESXi Networking2.1 About vmnics, vSwitches, management and virtual machine networks2.2 Creating the LAN2.3 Creating the WAN

3 Configuring the Virtual Machine3.1 Configuration3.2 Name and Location3.3 Storage3.4 Virtual Machine Version3.5 Guest operating System3.6 CPUs3.7 Memory3.8 Network3.9 SCSI Controller3.10 Select a Disk3.11 Create a Disk3.12 Advanced Options3.13 Ready to Complete3.14 Editing the Virtual Machine's Properties

4 Installing pfSense4.1 Booting your VM from CD/DVD4.2 Installing pfSense4.3 Interface Assignment

5 Adding a DMZ5.1 Creating the DMZ network

6 Installing VMware Tools7 A note about time synchronization - NTP

Introduction

As the title says, this is about building a pfSense 2.0 virtual machine on ESXi 5.0. This is not about teachingyou how to install ESXi and it is not about how to configure pfSense to do any of the many amazing things itcan. However, you should have a basic, working pfSense virtual machine at the end of this.

Disclaimer/flame-retardant: If you’re going to be running pfSense as a perimeter firewall for anorganization and want to minimize the “attack surface”, many will say it is preferable to run it unvirtualizedon stand-alone hardware. I’ll leave that decision to you. Now back to the topic.

We’re going to start at the point where we have a virgin ESXi 5.0 install and have connected to it using thevSphere client. If you already have other VMs running on ESXi you probably don’t need to follow thenetworking steps too closely. However, I recommend skimming through it to see what is suggested beforebuilding the pfSense virtual machine part.

Assumptions


2 de 33 17/06/2014 11:34

You already have your ESXi host up and running.You have an understanding of network addressing.

Basic ESXi Networking

About vmnics, vSwitches, management and virtual machine networks

In the vSphere client you can see the network diagram for your ESXi host by clicking Networking on theConfiguration tab:

After you installed ESXi, before you could connect to it with the vSphere client, you had to nominate aphysical network adapter (a “vmnic” in the diagram) which would be the ESXi Management Network. Youalso had to assign an IP address to the ESXi host's Management Network interface, either through DHCP ormanually through the console.

The network diagram above shows that I've assigned the Management Network to vmnic0 and gave it an IPaddress of 192.168.111.30. (192.168.111.0/24 is my home LAN. Yours will probably be different.) Whateversubnet you've chosen, the VMkernel Port in the diagram is your Management Network and that’s what yourvSphere client is now talking to.

ESXi will name the first physical NIC it finds “vmnic0″. If vmnic0 is your management interface, ESXi willhave automatically attached a virtual switch, vSwitch0, to that interface.

In addition to the VMkernel port, ESXi will also attach a Virtual Machine Port Group to the vSwitch. In thediagram above it's labeled as "Virtual Machine Network". The VM Port group is where Virtual Machines canbe attached to this virtual network.

In summary, in the above diagram, vSwitch0 has both a VM Port Group (Virtual Machine Network) and aVMkernel Port (Management Network) attached.

Creating the LAN

In a small network it is quite common to use the Virtual Machine Port Group on vSwitch0 to provide theLAN interface for your pfSense. That allows you to access the LAN side of your pfSense virtual machineand manage your ESXi host, with the vSphere client, from a single PC. Of course, the virtual machine (e.g.,


3 de 33 17/06/2014 11:34

pfSense) and the ESXi management interface must have different IP addresses.

COMMENT: I must say here that I always separate the ESXi Management network from other networks. Iwon’t go into the detail but there are some very good reasons for doing this. Without using VLANs, though,separation would mean that you need an additional NIC on the ESXi host just for ESXi management. What’smore, you would also need another NIC in your vSphere client PC to connect to the management NIC inyour ESXi host. If you want to follow that path and you have enough NICs, simply delete the VirtualMachine Port Group by clicking the Properties link above vmnic0, highlight the VM Port Group and clickRemove.

Assuming you are just working with just two NICs in your ESXi host, rename the VM Port Group from"Virtual Machine Network" to something a bit more meaningful. Click the Properties… link for vmnic0:

Highlight the Virtual Machine Network and click the Edit button.


4 de 33 17/06/2014 11:34

Change the Network label to “LAN” and click OK then Close.

You’ll see how this makes life a little easier when we assign virtual network interfaces to pfSense.

Creating the WAN

As we’re not going to deal with VLANs here, you will need a second physical NIC in your ESXi host. Thiswill be your WAN interface.

HINT: If you have multiple physical interfaces in your ESXi host, it can be a bit of a struggle to work outwhich one has been identified as vmnic1, vmnic2 and so on. If you wrote down the MAC address of each NICand the slot it occupied when you put it in the machine, you’re in business – just look at the NetworkAdapters screen under the Configuration tab to match up the MAC addresses (new to ESXi 5). However, youprobably didn’t think do that so the easiest way match physical NICs to vmnics is to plug a PC or switch into


5 de 33 17/06/2014 11:34

them, one at a time. The speed and duplex on the Networking or Network Adapters screens should change asthe interface comes up. Because VMware didn’t provide a Refresh link on the Network Adapters screen, youmay have to refresh by navigating to somewhere else then going back.

Now we need to link the second physical NIC (vmnic1), to a new vSwitch. Click the Add Networking link atthe top right of the Networking screen and the following dialog will appear.

We are adding a Virtual Machine network so select that option and click Next.


6 de 33 17/06/2014 11:34

We want this NIC to be attached to a new vSwitch so select Create a virtual switch and check vmnic1. ClickNext.

As we did with the LAN, let’s give this VM Port Group a more meaningful name of “WAN”. Click Next.

The next dialog simply lets you check that everything looks OK. Click Finish.


7 de 33 17/06/2014 11:34

Your networking diagram should now look like this:

Now we can configure a new virtual machine on which pfSense will be installed.

Configuring the Virtual Machine

Right click your ESXi host in the left pane of the vSphere client and select New virtual machine…

Configuration


8 de 33 17/06/2014 11:34

In the Configuration window, I always like to take the Custom option. (I’ve never really trusted whatsomeone else thinks is “typical”). Click Next

Name and Location

In the Name and Location window, let’s give the virtual machine a meaningful name like “pfSense” andclick Next


9 de 33 17/06/2014 11:34

Storage

Now we need to decide where disk storage will be allocated to hold the virtual machine's configuration andoperating files. (This is not necessarily the same location as the file system for pfSense, as you'll see later. )There are two datastores on this server – a small 80GB drive on which ESXi is installed and a 500GB discwhich is just for virtual machine storage. Highlight a datastore from your list and click Next.

Virtual Machine Version


10 de 33 17/06/2014 11:34

WARNING

Note that for ESXi 5.5 the default virtual machine version is 10. However, if you select version 10 with theFREE version of ESXi 5.5, you will not be able to edit the virtual machine settings through the vSphere

client. Use virtual machine version 8.

Here is where you tell ESXi the virtual machine version you want to use for pfSense. Note the warningabove. Select version 8 and Click Next.

Guest operating System


11 de 33 17/06/2014 11:34

If you’re really new to pfSense you may not have noticed that it’s built on the FreeBSD operating system,not Linux. Select Other and chose FreeBSD (32-bit) or FreeBSD (64-bit).

Probably the most noticeable difference between the 32 and 64-bit versions is that counters on the 32-bitversion, such as the number of bytes sent and received, will go back to zero after about 4GB. On the 64-bitversion it will take a lot longer to reach the limit.

That said, the 32-bit version is by far the most widely deployed and tested. As you will see a few steps later,the amount of memory needed to run pfSense is unlikely to require a 64-bit operating system. I wouldrecommend that you take the FreeBSD (32-bit) option but, whatever you choose, it must match pfSense ISOimage you're going to install. Click Next.

CPUs


12 de 33 17/06/2014 11:34

To get started, a single-socket, single-core configuration will do for now. You can always change this andother virtual machine settings later if you want. Click Next

Memory

Depending on the number and type of packages you intend to install, a basic pfSense VM should run very,very comfortably in 512MB. A lot of simple, non-virtual installations run on old PCs with 256MB and less.


13 de 33 17/06/2014 11:34

If you’re really squeezed for physical RAM on your host - perhaps because you intend to run lots of othervirtual machines - you could cut back the allocation to the pfSense VM to, say, 384MB. If you intend to runlots of memory-hungry packages give it more.

To change the memory allocation to one of the sizes shown on the scale of the memory "thermometer", clickthat value on the scale. Click Next

Network

Remember that your two virtual networks were renamed to LAN and WAN. This is where we attach thosenetworks to our pfSense virtual machine.

Select the number of virtual NICs you want to assign to pfSense. In this case it will be 2. Now, using thedrop-down lists assign your virtual machine’s NIC 1 to the LAN network. Assign NIC 2 to WAN. (This iswhy we gave the virtual machine port groups these names – much easier to recognize.)

Note that for each NIC you can also select an Adapter type. Different adapter types may give better orworse performance (and some may not work at all) but you’ll have to study that elsewhere. To get started,choose the dependable E1000 type for each adapter. Make sure that Connect at Power On is checked andclick Next.

SCSI Controller


14 de 33 17/06/2014 11:34

An emulation of an LSI Logic SCSI controller is offered on this system and, as far as I know, therecommendation is based on the operating system of the virtual machine you intend to install. Accept thedefault and click Next.

Select a Disk

This is where the operating system will build its file system.


15 de 33 17/06/2014 11:34

Choose Create a new virtual disk and click Next.

Create a Disk

Here you can see that I’ve given pfSense's virtual disk a capacity of 8GB but I have quite a lot to spare and8GB isn’t really that much these days.

Under Location, keep the virtual machine’s hard disk with the virtual machine itself. If you want to learnmore about this set of options, read the help.

Click Next.

Advanced Options


16 de 33 17/06/2014 11:34

Like it says – these options do not normally need to be changed. Next.

Ready to Complete

Now you'll see a summary of what you've configured for this virtual machine.

Before you finish, check the box Edit virtual machine settings before completion. The label on the Finish


17 de 33 17/06/2014 11:34

button will change to Continue. This will allow you to set up the boot CD from which we’ll install pfSense. Click Continue.

Editing the Virtual Machine's Properties

In the Virtual Machine Properties dialog select the Hardware tab and then the line New CD/DVD (Adding)line. In the right-hand pane choose the location of the CD/DVD drive:

Host Device

If you have a CD/DVD in your ESXi host, select the CD/DVD drive and check Connect at power on. Thischange allows you to pop the pfSense CD/DVD into the host’s drive and start installing a soon as you poweron the virtual machine.

Client Device

If you want to install from the CD/DVD drive in your vSphere Client PC, select the Client Device option. Asthe contents of the CD will be read across your network, this will be a bit slower than using a drive in yourESXi host. In addition, Connect at power on is not available.

Datastore ISO

ISO If you want to install from an ISO image stored in an ESXi datastore, that is also an option but it won’tbe covered here.

Click Finish.

Installing pfSense

Booting your VM from CD/DVD


18 de 33 17/06/2014 11:34

Option 1: Installing from the ESXi host’s CD/DVD drive

If you chose the Host Device option in the Virtual Machine Properties above, slip the pfSenseCD into your ESXi host’s drive.

In the left-hand pane of the vSphere client window, right-click your new pfSense virtualmachine. You will see a number of things you can do with the VM, including Power > Poweron. Select that or highlight your virtual machine and click the green arrowhead in the toolbar.

Now click the Console tab and you should see the virtual machine booting from the CD.

Skip to Installing pfSense.

Option 2: Installing from your client’s CD/DVD driv e

If you chose to use the drive in your client PC, put the CD into its drive. Remember thatConnect at power on was not a choice if using the client’s CD/DVD drive, so you will need todo a little bit of extra work to connect it after you power on the virtual machine.

In the left-hand pane of the vSphere client window, right-click your new pfSense virtualmachine. Here you will see a number of things you can do. Select Power > Power on.Alternatively, just highlight your virtual machine and click the green arrowhead in the toolbar.

Now, with your virtual machine highlighted, click the Console tab.

Because the CD drive is not attached to the virtual machine yet, you may see it trying to bootfrom the network or it may be showing an Operating system not found or some other error.Don’t worry about this.

At this point (and only after you have powered up the virtual machine) you can attach yourvirtual machine to your client PC’s CD/DVD drive. Click on the toolbar icon that looks like aCD with a spanner. CD/DVD Drive 1 will be offered in the menu and you’ll see the choicesavailable. Select Connect to D: (or whatever drive letter represents your client PC's CD/DVDdrive).


19 de 33 17/06/2014 11:34

Right click your virtual machine in the left pane of the Sphere client and select Guest > SendCtl+Alt+Del. This will reboot your virtual machine without disconnecting the CD/DVD drive.

In the Console tab you should now see pfSense booting from the CD.

Installing pfSense

If everything has gone well you will soon see the pfSense boot menu.

What follows is very much a standard pfSense installation procedure. However, it's included here tosave you jumping around between documents.

NOTE that to enter information through the virtual machine's console you must click inside the consolewindow. To release the cursor, press Ctl+Alt.

You can allow the timer to expire and boot pfSense from the “Live CD”.

When you see the following console message:


20 de 33 17/06/2014 11:34

Type “i” to launch the pfSense installer.

The next few screens are the standard pfSense install screens and are fairly self explanatory. Take thehighlighted choice in each of the following screenshots:


21 de 33 17/06/2014 11:34


22 de 33 17/06/2014 11:34

At this point the pfSense virtual machine will reboot and you should remove the CD from the drive.

Interface Assignment

Next up, the pfSense boot menu returns.

As pfSense is already installed on the virtual disk, just allow the timer to expire.

Once pfSense has booted you will see the message: Network interface mismatch – Running interfaceassignment option. This just means that you haven’t yet told pfSense which virtual network interface isLAN and which is WAN.

First of all, though, as you don’t need to assign VLANs, type n and press return.


23 de 33 17/06/2014 11:34

The order that the virtual NICs were assigned to pfSense when you set up the virtual machine is importanthere. ESXi presents those network interfaces to pfSense in sequence. That is, your pfSense virtual machinesees NIC 1 (LAN) as em0, NIC 2 (WAN) as em1, etc.

Note that the MAC addresses assigned to the virtual NICs and seen by pfSense are also virtual. They are notthe MAC addresses of the physical NICs. If you've forgotten which network (LAN or WAN) was assigned towhich virtual NIC, right-click the virtual machine and choose Edit settings. You can see the NIC to Networkassociation in there.

So go ahead and enter the WAN interface name, "em1", and press return.

Now enter the LAN interface name, "em0", and press return.


24 de 33 17/06/2014 11:34

As we don’t have any OPT interfaces, yet, press return.

Lastly, check that you’ve got the interface assignments around the right way, enter "y" and press return.


25 de 33 17/06/2014 11:34

After a short interval pfSense will reconfigure itself, restart and you should be presented with the mainpfSense screen, above.

If you had your modem connected to the physical WAN port of your ESXi host, you'll see that the WANinterface has received an IP address, via DHCP, from your ISP or your modem. Other types of WANconnections and configurations are beyond the scope of this article. You'll need to go elsewhere to read up onthose.

The LAN interface has its installation default IP address of 192.168.1.1. If want to use another networkaddress and/or subnet you’ll need to start reading the pfSense documentation. Remember that my LAN, asshown at the beginning, was 192.168.111.0/24

Adding a DMZ

Having a WAN and a LAN is fine but perhaps you would like to add another virtual machine to your virtualnetwork – maybe a mail server or a web server. After all, that is likely to be one of the reasons you decidedto use ESXi in the first place – as an alternative to running multiple physical machines.

You probably want to make these servers accessible from the Internet but, at the same time, protect them byputting them behind your pfSense firewall. That way you can control all access to them from both the LANand the WAN.

Another interesting aspect of virtualization is that you don't have to stop at one DMZ. Because the DMZnetwork can be completely virtual, you don't need any additional physical NICs. You could, for example,attach a virtual mail server to one DMZ and a virtual web server to another. Then, by connecting themthrough pfSense with virtual NICs, you can fully control all access between the DMZs. In addition, if oneserver is compromised, access to any of the others will be just that little but harder.

That's not to say that a DMZ can't also be connected to a real physical network as well. You may want toconnect a game console or video/music server behind pfSense but not have it directly connected to yourLAN. All you need to do is connect a physical NIC to the DMZ.

Creating the DMZ network

Go to your vSphere client and highlight your ESXi host. Click the Configuration tab and the Networking


26 de 33 17/06/2014 11:34

link. You will see your ESXi network diagram.

Click the Add Networking link near the top right of the Network pane.

We want to add a new virtual machine network, so select that option and click Next.


27 de 33 17/06/2014 11:34

Chose the option to Create a vSphere standard switch. We aren’t going to need a physical NIC – it’s justgoing to be virtual - so just make sure that, if you have more physical NICs in your ESXi host, none of themare selected, then click Next

As with the LAN and WAN, give the new network a name. “DMZ” would be good. Click Next.


28 de 33 17/06/2014 11:34

Click Finish.

Now your Networking diagram will look like this - just a vSwitch and a Virtual Machine Port group called“DMZ” with no physical NICs attached.


29 de 33 17/06/2014 11:34

The next step is to connect the pfSense to this new DMZ network. Right-click your pfSense virtual machineand select Edit Settings. Click the Add button.


30 de 33 17/06/2014 11:34

Choose Ethernet adapter and click Next.

As you did for LAN and WAN, choose the E1000 type of virtual network adapter. Select DMZ from thedrop-down list of available networks and choose Connect at power on. Click Next.


31 de 33 17/06/2014 11:34

Now your network diagram should look like the above.

Note that you can do all of this while the pfSense virtual machine is still running. To make pfSense aware ofthe changes, though, you will need to restart it and go through assigning the interfaces again.

Now you can attach additional virtual machines to the DMZ network.

Installing VMware Tools

There are a number of benefits to installing the VMware tools, including better memory management, aswell as improved network and disk performance. I can't vouch for those benefits but I find the most usefulfeature is the ability to shutdown or reboot a virtual machine without needing to log in to it directly. I use thisto have all my VMs and the ESXi host gracefully shutdown in the event of a power outage that mightexhaust the UPS battery ... but that's another story.

The VMware Tools have been made available as a pfSense package, which makes the install very quick andeasy.

Log in to the pfSense Web GUI and click System > Packages.

From the Available Packages list, look for the Open-VM-Tools package and click the + button on the right toinstall the package. Confirm that you want to install the package.

There is really nothing to configure with this package, it should just work.

Alternately, the official VMware tools can be used, but it is a much more manual process. See here: VMwareTools

A note about time synchronization - NTP

Vmware Tools will allow you to have the clock of the pfSense virtual machine synchronized with the clock


32 de 33 17/06/2014 11:34

of the ESXi host. You would need to have the ESXi host use NTP to maintain its own clock for that to workbut you also need to disable NTP on the pfSense virtual machine.

Unfortunately, using the host to control the clock of the pfSense virtual machine has been known to cause aproblem with the time appearing, to pfSense, to run backwards.

My recommendation is to have pfSense and the ESXi host maintain their clocks independently.

You should never use a virtual machine as a time source for the ESXi host.

Some more information can be found in this VMware document: Timekeeping in Virtual Machines(http://www.vmware.com/files/pdf/Timekeeping-In-VirtualMachines.pdf)

Retrieved from "https://doc.pfsense.org/index.php?title=PfSense_2_on_VMware_ESXi_5&oldid=5875"Categories: Howto Virtualization VMware Installation

Privacy policy About PFSenseDocs Disclaimers

This page was last modified on 19 April 2014, at 17:31. This page has been accessed 161,180 times.


33 de 33 17/06/2014 11:34

Documents

PfSense 2 on VMware ESXi 5 - PFSenseDocs