Install and configure pfSense in vCloud Director
I have many customers, mainly small and medium businesses, who like to run custom-built firewalls based on open source solutions at their sites. Many of them use pfSense, since it's really a great piece of software.
Among its many features is the possibility to create a stretched LAN between two pfSense devices. This lets two sites share the same IP addressing, which can be a good solution when you need to move workloads and virtual servers without changing their network configuration.
One use for this configuration is a local vSphere environment at the customer site, with its own pfSense firewall connected to another pfSense deployed inside a vCloud tenant. In this way even small customers can have a sort of Disaster Recovery solution hosted inside a vCloud tenant. There are some cons in doing this instead of using the integrated vShield Edge, but at the moment pfSense is (in my really humble opinion) a better solution than Edge.
In this series of articles, I will show you how to deploy, configure and use pfSense in vCloud Director to create the stretched LAN.
Prepare your vCloud environment
First, you need to create the internal network. If all your remote VMs will be part of the same vApp, you can create a vApp network for the internal part rather than an Organization network. This network will have a gateway and a static IP pool compatible with the local LAN you already have. Choose whether you want a static IP pool or whether you are going to assign IPs manually (or run a DHCP server on the remote pfSense). Be careful: since this network will have the same subnet as the one at the existing customer's site, you need to avoid duplicated IPs.
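As an added example (not code from the original post), the following Python check validates a proposed vApp static IP pool against the addresses already in use at the customer site, so the stretched LAN never hands out a duplicate or the shared gateway address. All subnet, gateway and host values are constructed.

```python
"""Sanity check for the vApp network static IP pool in a stretched-LAN setup,
where the vCloud side shares the exact subnet of the customer's local LAN.
Added example, not from the original post; every address below is constructed."""
import ipaddress


def pool_conflicts(subnet, gateway, pool_start, pool_end, local_used):
    """Return a list of problems with the proposed remote static IP pool.

    subnet     -- LAN subnet shared by both sites, e.g. "192.168.10.0/24"
    gateway    -- pfSense LAN address (identical on both sites, the LAN is stretched)
    pool_start / pool_end -- first and last address of the vApp static IP pool
    local_used -- addresses already assigned at the customer site
    An empty list means the pool is safe to use.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(gateway)
    first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if first > last:
        problems.append(f"pool start {first} is after pool end {last}")
        return problems
    if first not in net or last not in net:
        problems.append(f"pool {first}-{last} is not fully inside {net}")
    pool = {ipaddress.ip_address(a) for a in range(int(first), int(last) + 1)}
    # The pool must never hand out the gateway, network or broadcast address.
    reserved = ((gw, "gateway"), (net.network_address, "network"),
                (net.broadcast_address, "broadcast"))
    for addr, name in reserved:
        if addr in pool:
            problems.append(f"pool contains the {name} address {addr}")
    # Any address already used locally would be duplicated across the stretched LAN.
    dup = sorted(pool & {ipaddress.ip_address(a) for a in local_used}, key=int)
    if dup:
        problems.append("pool overlaps addresses in use locally: "
                        + ", ".join(map(str, dup)))
    return problems


# Constructed sample: customer LAN 192.168.10.0/24, gateway .1, local hosts .10 to .50
LOCAL_SITE_HOSTS = [f"192.168.10.{i}" for i in range(10, 51)]

if __name__ == "__main__":
    for start, end in (("192.168.10.40", "192.168.10.60"),
                       ("192.168.10.100", "192.168.10.150")):
        issues = pool_conflicts("192.168.10.0/24", "192.168.10.1", start, end, LOCAL_SITE_HOSTS)
        print(f"{start}-{end}: " + ("OK" if not issues else "; ".join(issues)))
```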
Deploy and configure the remote pfSense
Then, you need to create the remote pfSense inside vCloud. After uploading the ISO image to a catalog, you create the VM. It will need two NICs: one for the outside connection, in direct mode, and the other on the inside (the network you created before), to become the gateway of the whole tenant (or of the vApp, if you chose that). It's outside the scope of this article to show you how to install and configure pfSense, but I'll give you some tips anyway.
After the initial configuration of the two networks, you will have to go to the webGUI to finish the configuration. Two problems may arise. First, if the external network of vCloud has no DHCP, the WAN link will get no IP address. You can configure it manually as I show in the next screenshot, but you will still lack the gateway to let pfSense reach the internet. If you open the VMRC, this is what you will see:
From here, choose 8 to open the local shell, and run:
route add default x.x.x.x
This will add the route for reaching the WAN gateway. In order to reach the WebGUI from the WAN you have two options: deploy a VM inside vCloud connected to the LAN segment and open the WebGUI from there, or enable WAN administration and save the cost of deploying a new VM. To do so, still in the shell, run:
This will temporarily disable the firewall, and you will be able to point a browser at the WAN IP address of pfSense to open the WebGUI and the setup wizard:
Among the several configuration options in the wizard, you will need to configure the gateway, since the route you added via the shell will not survive a reboot:
Last, assign a really strong password to the admin user (remember you are running the management interface on the public internet!!!) and reload the configuration. At every configuration change, PF will be re-enabled, so you will need to disable it several times to complete the configuration via the WAN, unless you choose to leave it open for remote administration. In that case, better switch to HTTPS and also add source rules so that it can be reached only from certain IP addresses.
Install and configure pfSense in vCloud Director by Luca Dell'Oca is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported
This entry was posted by Luca Dell'Oca on July 12, 2012 at 16:00, and is filed under Tutorial.