2020.04.1 – Building a VMware vSphere Virtual Lab with VMware Fusion – Part 2: Deploy and Configure a pfSense VM

Overview

I read a blog and I plan to apply all of its info and steps. I will publish everything I do!

Important Photos necessary for each step are here: https://photos.app.goo.gl/29QzKLFLvhpN6H7H7

My lab parts:

GraspingTech’s helpful guide:

This is the second part in a series of tutorials on how to build a VMware vSphere Virtual Lab on a Mac with VMware Fusion. In this tutorial, I’ll create a pfSense VM and I’ll use it as a DNS resolver and firewall for my lab.

Overview

The purpose of the pfSense firewall is to:

  • Act as a DNS resolver that lets the ESXi hosts and vCenter Server communicate with each other using their hostnames or FQDNs.
  • Allow hosts and VMs to access the internet.
  • Simulate a WAN connection coming into the lab, so I can add new IP addresses to the firewall and 1:1 NAT them to VMs in the DMZ.
  • Route traffic between VMs on different port groups.

In the Part 1 article I describe how to install ESXi_04_6.x, but in the next parts I will use ESXi_01_6.x, ESXi_02_6.x and ESXi_03_6.x. Maybe I will include ESXi_04_6.x and/or ESXi 6.x somewhere, but at this moment I do not know if I will do so or not.

Prerequisites

Since this is a series of tutorials, I’ve followed the steps in Part 0 and Part 1.  

Now I am at the point where I have:

  • Installed VMware Fusion
  • Created custom VMware Fusion networks
  • Created five ESXi VMs, each with three or more network adapters
  • The first two network adapters are connected to the vSphere network and the next one is connected to the WAN network.
  • ESXi is installed on each VM and the management network is configured with 10.1.1.10 to 10.1.1.14 as the IP addresses and 10.1.1.251 as the gateway and DNS resolver.

Software required for this tutorial:

  • For this tutorial I’ll need to download pfSense from the download page of the pfSense website. The steps in this tutorial have been tested with Version 2.4.5: pfSense-CE-2.4.5-RELEASE-amd64.iso

After downloading the pfSense ISO, I upload it to the ESXi host, I create the VM, then I install and configure pfSense on it.

Step 1: Configure the ESXi Network

The first thing I need to do before creating the pfSense VM, is to configure the ESXi network so that I have the required port groups for the VM to connect to.

I will need a new port group for the DMZ and a new switch and port group for the WAN. I also follow the suggestion to rename the default VM port group, because I’ll only be using it for the vCenter Server appliance to access the management network.

Summary of the steps involved:

  • Create a new vSwitch and Portgroup for the WAN
  • Create a DMZ port group on the main vSwitch with VLAN 100
  • Rename the VM Network port group to Management

OK, let’s begin by logging into the ESXi host.

  • I click on Networking, then Virtual switches, and then Add standard virtual switch. I give the vSwitch the name vSwitch1, I select vmnic2 (this is the third network adapter attached to the VMware Fusion VM) for the uplink, then I click Add.
  • I click on the Port groups tab and then Add port group, once for each port group below:
  1. The first time I give the new port group the name WAN, then I select the new vSwitch1 I just created and I click Add.
  2. The second time I give it the name DMZ, a VLAN ID of 100, I select the main vSwitch0 and then I click Add.

The last thing I need to do is rename the VM Network port group by clicking on its name, clicking Edit settings, giving it a name of Management and then clicking Save.

  • Now I have a list of port groups like the following image shows:

The network is now configured to a point where I can create the pfSense firewall VM.

Step 2: Upload the pfSense ISO to the ESXi host

  • I expand the Storage tree view on the left pane and then I click on the datastore I want to upload the ISO to. Then I click on Datastore browser.
  1. I click Upload.
  2. I select the pfSense-CE-2.4.5-RELEASE-amd64.iso on my local machine.
  3. I click Open.
  4. Then I wait for the ISO image to finish uploading then I click Close.

With the ISO now on the ESXi host, I am ready to create the pfSense virtual machine.

Step 3: Create the pfSense VM

Now that I’ve configured the network and uploaded the ISO, I am ready to create the pfSense VM.

  • I click on Virtual Machines then Create / Register VM. Then I select Create a new virtual machine then click Next.
  • I name the virtual machine fw01, I select ESXi 6.7 U2 virtual machine for the compatibility, Other for guest OS family, and FreeBSD 11 (64-bit) for the guest OS version, then I click Next.
  • I select the local datastore on the ESXi host, esxi01, and I click Next.
  • I add two extra network adapters by clicking Add network adapter twice. I change the memory to 512 MB and the Hard Disk to 4 GB. I select WAN for the first network adapter, Management for the second and DMZ for the last one.
  • I scroll down and change CD/DVD Drive 1 to Datastore ISO and I select the pfSense ISO that was uploaded to the datastore.
  • I click Next and then Finish to create the VM.
  • I wait for the VM to be created and then in the next step I’ll install pfSense.

Step 4: Install pfSense

  • I click on the fw01 VM, I click Power on and then I click on the image to open the console window.
  • I wait for the installer to load, then I accept the agreement (not to distribute commercially) by pressing Enter on Accept.
  • I select Install and click OK, or I press Enter.
  • I select the keyboard map for my location, then I press Enter.
  • I select Guided Disk Setup, then I click OK.
  • I wait for the installation to finish, then I press Enter on No.
  • I reboot the VM by pressing Enter on Reboot.
  • I wait for the OS to boot and the initial network configuration wizard to load. I choose no for “Should VLANs be set up now” by typing n and pressing Enter.
  • I assign vmx0 as the interface name for the WAN by typing vmx0 and pressing Enter.
  • I assign vmx1 as the interface name for the LAN by typing vmx1 and pressing Enter.
  • I assign vmx2 as the interface name for Optional 1 (DMZ) by typing vmx2 and pressing Enter.
  • I confirm the interface assignments by typing y and pressing Enter.
  • It might take a while to assign the interfaces, because pfSense will try to obtain IP addresses via DHCP and I don’t have DHCP set up on the VMware Fusion networks. I wait for the setup to time out and load the welcome screen.

As I can see, the WAN and OPT1 (DMZ) have no IP assigned. Also, the LAN does not have the IP address shown in the diagram. I’ll assign the correct IP addresses in the next step.

Step 5: Configure the pfSense IP addresses

In order to login to the pfSense firewall I first need to assign the correct IP addresses to the interfaces.

These are:

  • WAN 198.18.0.3/24
  • LAN 10.1.1.251/24
  • DMZ 10.1.2.1/24

  • I’ll configure the WAN IP address first by typing 2 and pressing Enter.
  • I press 1 and then Enter to select the WAN interface.
  • I say no to DHCP.
  • I type in the IP address of 198.18.0.3 for the WAN and I press Enter.
  • I type in 24 for the subnet mask of the WAN and I press Enter.
  • I type in 198.18.0.2 for the gateway and I press Enter. This is the address that lets the VM use the internet connection of the Mac using NAT.
  • I say yes to the rest of the options until I’m taken back to the welcome screen.
  • I do the same thing for the LAN and DMZ but I don’t assign a gateway for these interfaces. Also I choose no when asked to enable DHCP.
  • With the interfaces configured, the welcome screen should look like the one in the image below.
  • Since everything is configured correctly, I am able to ping the LAN address from the Mac host.

I’m now ready to login to the firewall and do the final configuration steps.

Step 6: Login and configure pfSense

  • I type the LAN address (10.1.1.251) into a web browser then enter the following login credentials:
Username: admin 
Password: pfsense
  • I click SIGN IN.
  • I click the Change the password in the User Manager link.
  • I provide a new strong password, I scroll to the bottom and I click Save. After this I click System and General Setup.
  • I enter fw01 for the hostname and silvique.ro for the Domain, I scroll to the bottom and I click Save.
  • I get a message and I read it.
  • I click the pfSense logo (top left) to go to the dashboard. I notice there’s no internet connection. I do not know why…
  • I should be able to ping an external website like Google from my ESXi hosts.
[root@esxi01:~] ping yahoo.com
PING yahoo.com (98.138.219.232): 56 data bytes
64 bytes from 98.138.219.232: icmp_seq=0 ttl=127 time=169.916 ms
64 bytes from 98.138.219.232: icmp_seq=1 ttl=127 time=172.067 ms
64 bytes from 98.138.219.232: icmp_seq=2 ttl=127 time=171.476 ms


--- yahoo.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 169.916/171.153/172.067 ms

I had the following problem but I solved it. Details are in 2020.04.11 – Virtual Network Customization in VMware Fusion.

  • TIP:
    • I can connect to the host via SSH after enabling the SSH service on the ESXi host. The first step in this tutorial shows how to enable it; then I connect by typing ssh root@esxi01 from the Mac terminal.
    • I deleted ESXi and installed it again with the same name. When I then tried to connect to it via Terminal I had a problem, but there is a solution: the reinstalled host has a new SSH host key, so the old entry in known_hosts must be removed with ssh-keygen -R before the new key can be accepted (comparing the fingerprint shown against the one on the host’s own console before answering yes):
Last login: Wed Apr  8 06:32:04 on ttys000


murgescusilvia@Murgescus-MacBook-Pro ~ % ssh root@esxi01   
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:74geKkAfEPTecPxAiziocUz9eM8xwaxaW131PoiTpx0.
Please contact your system administrator.
Add correct host key in /Users/murgescusilvia/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/murgescusilvia/.ssh/known_hosts:15
RSA host key for esxi01 has changed and you have requested strict checking.
Host key verification failed.


murgescusilvia@Murgescus-MacBook-Pro ~ % ssh-keygen -R esxi01
# Host esxi01 found: line 15
/Users/murgescusilvia/.ssh/known_hosts updated.
Original contents retained as /Users/murgescusilvia/.ssh/known_hosts.old


murgescusilvia@Murgescus-MacBook-Pro ~ % ssh root@esxi01     
The authenticity of host 'esxi01 (10.1.1.11)' can't be established.
RSA key fingerprint is SHA256:74geKkAfEPTecPxAiziocUz9eM8xwaxaW131PoiTpx0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'esxi01,10.1.1.11' (RSA) to the list of known hosts.
Password: 
The time and date of this login have been sent to the system logs.


WARNING:
   All commands run on the ESXi shell are logged and may be included in
   support bundles. Do not provide passwords directly on the command line.
   Most tools can prompt for secrets or accept them from standard input.


VMware offers supported, powerful system administration tools.  Please
see www.vmware.com/go/sysadmintools for details.


The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.


[root@esxi01:~]

Step 7: Add Hosts to DNS resolver

The last thing I need to do is add the lab hosts to the DNS resolver so that vCenter Server can resolve the FQDN of itself and of the ESXi hosts.

I notice that hostnames can’t be resolved when trying to ping other ESXi hosts or vCenter:

[root@esxi01:~] ping esxi02.silvique.ro
getaddrinfo() for "esxi02.silvique.ro" failed (-2: Name or service not known)

[root@esxi01:~] ping vc01
getaddrinfo() for "vc01" failed (-2: Name or service not known)

Adding the hosts to the DNS Resolver in pfSense will fix this.

  • I click on Services and then DNS Resolver.
  • I go to Edit Host Override and I type the name of the host, domain and IP address in the host, domain and IP address fields.
  • I scroll to the bottom and click Save
  • I do the same thing for each ESXi host and in the future I will do for the vCenter Server. I scroll to the bottom of the DNS Resolver page to see the list of hosts added. I will update after Part 3.
  • Now I scroll back up and I click Apply Changes.

Now I can test whether the hosts resolve to the IP addresses provided by trying to ping any of them from the esxi01 machine. I should see that the IP address is resolved, even if there is no reply from the hosts yet.

Pinging the plain IP addresses works:

murgescusilvia@Murgescus-MacBook-Pro ~ % ssh root@esxi01


[root@esxi01:~] ping 10.1.1.11
PING 10.1.1.11 (10.1.1.11): 56 data bytes
64 bytes from 10.1.1.11: icmp_seq=0 ttl=64 time=0.263 ms
64 bytes from 10.1.1.11: icmp_seq=1 ttl=64 time=0.230 ms
64 bytes from 10.1.1.11: icmp_seq=2 ttl=64 time=0.201 ms

--- 10.1.1.11 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.201/0.231/0.263 ms

[root@esxi01:~] ping 10.1.1.12
PING 10.1.1.12 (10.1.1.12): 56 data bytes
64 bytes from 10.1.1.12: icmp_seq=0 ttl=64 time=1.391 ms
64 bytes from 10.1.1.12: icmp_seq=1 ttl=64 time=1.152 ms
64 bytes from 10.1.1.12: icmp_seq=2 ttl=64 time=1.194 ms

--- 10.1.1.12 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.152/1.246/1.391 ms

[root@esxi01:~] ping 10.1.1.13
PING 10.1.1.13 (10.1.1.13): 56 data bytes
64 bytes from 10.1.1.13: icmp_seq=0 ttl=64 time=1.163 ms
64 bytes from 10.1.1.13: icmp_seq=1 ttl=64 time=1.294 ms
64 bytes from 10.1.1.13: icmp_seq=2 ttl=64 time=0.938 ms

--- 10.1.1.13 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.938/1.132/1.294 ms

It seems the short names of the ESXi hosts do not resolve from esxi01 (only its own name, esxi01, answers):

[root@esxi01:~] ping esxi01
PING esxi01 (10.1.1.11): 56 data bytes
64 bytes from 10.1.1.11: icmp_seq=0 ttl=64 time=0.128 ms
64 bytes from 10.1.1.11: icmp_seq=1 ttl=64 time=0.310 ms
64 bytes from 10.1.1.11: icmp_seq=2 ttl=64 time=0.310 ms


--- esxi01 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.128/0.249/0.310 ms



[root@esxi01:~] ping esxi02


[root@esxi01:~] ping esxi03


[root@esxi01:~]

But pinging with the full name (FQDN) of each ESXi host works:

[root@esxi01:~] ping esxi01.silvique.ro
PING esxi01.silvique.ro (10.1.1.11): 56 data bytes
64 bytes from 10.1.1.11: icmp_seq=0 ttl=64 time=0.160 ms
64 bytes from 10.1.1.11: icmp_seq=1 ttl=64 time=0.312 ms
64 bytes from 10.1.1.11: icmp_seq=2 ttl=64 time=0.332 ms


--- esxi01.silvique.ro ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.160/0.268/0.332 ms


[root@esxi01:~] ping esxi02.silvique.ro
PING esxi02.silvique.ro (10.1.1.12): 56 data bytes
64 bytes from 10.1.1.12: icmp_seq=0 ttl=64 time=0.633 ms
64 bytes from 10.1.1.12: icmp_seq=1 ttl=64 time=1.072 ms
64 bytes from 10.1.1.12: icmp_seq=2 ttl=64 time=1.172 ms


--- esxi02.silvique.ro ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.633/0.959/1.172 ms


[root@esxi01:~] ping esxi03.silvique.ro
PING esxi03.silvique.ro (10.1.1.13): 56 data bytes
64 bytes from 10.1.1.13: icmp_seq=0 ttl=64 time=0.480 ms
64 bytes from 10.1.1.13: icmp_seq=1 ttl=64 time=1.432 ms
64 bytes from 10.1.1.13: icmp_seq=2 ttl=64 time=1.026 ms


--- esxi03.silvique.ro ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.480/0.979/1.432 ms

Also, when pinging from the MacBook Pro with the short names, I get the correct responses:

murgescusilvia@Murgescus-MacBook-Pro ~ % ping esxi01   
PING esxi01.silvique.ro (10.1.1.11): 56 data bytes
64 bytes from 10.1.1.11: icmp_seq=0 ttl=64 time=0.365 ms
64 bytes from 10.1.1.11: icmp_seq=1 ttl=64 time=0.437 ms
^C
--- esxi01.silvique.ro ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.365/0.401/0.437/0.036 ms


murgescusilvia@Murgescus-MacBook-Pro ~ % ping esxi02
PING esxi02.silvique.ro (10.1.1.12): 56 data bytes
64 bytes from 10.1.1.12: icmp_seq=0 ttl=64 time=0.340 ms
64 bytes from 10.1.1.12: icmp_seq=1 ttl=64 time=0.601 ms
^C
--- esxi02.silvique.ro ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.340/0.471/0.601/0.130 ms


murgescusilvia@Murgescus-MacBook-Pro ~ % ping esxi03
PING esxi03.silvique.ro (10.1.1.13): 56 data bytes
64 bytes from 10.1.1.13: icmp_seq=0 ttl=64 time=0.523 ms
64 bytes from 10.1.1.13: icmp_seq=1 ttl=64 time=0.706 ms
64 bytes from 10.1.1.13: icmp_seq=2 ttl=64 time=0.575 ms
^C
--- esxi03.silvique.ro ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.523/0.601/0.706/0.077 ms


murgescusilvia@Murgescus-MacBook-Pro ~ % 
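As an added example (my own code, not from the original post or from GraspingTech’s guide), here is a small Python model of how a stub resolver qualifies a name, which reproduces the three results above under one assumption: the ESXi host has no DNS search domain configured, while the Mac has silvique.ro in its search list. The host overrides and /etc/hosts contents are constructed from the addresses in this post.

```python
"""Simplified stub-resolver model: /etc/hosts first, then DNS with a search list.

Assumption (not stated in the post): esxi01 has no search domain, the Mac
has search domain silvique.ro. Real resolvers differ in details (ndots,
nsswitch order), but the short-name behaviour shown here is the same.
"""
from typing import Dict, List, Optional, Tuple

# Constructed: the host overrides added in the pfSense DNS Resolver (Step 7).
DNS_RECORDS: Dict[str, str] = {
    "esxi01.silvique.ro": "10.1.1.11",
    "esxi02.silvique.ro": "10.1.1.12",
    "esxi03.silvique.ro": "10.1.1.13",
}

# Constructed: each machine's local hosts file. ESXi's installer writes the
# host's own name into /etc/hosts; the Mac has no lab entries.
ESXI_HOSTS_FILE: Dict[str, str] = {"esxi01": "10.1.1.11", "esxi01.silvique.ro": "10.1.1.11"}
MAC_HOSTS_FILE: Dict[str, str] = {}


def candidates(name: str, search_domains: List[str], ndots: int = 1) -> List[str]:
    """Names a resolver tries, in order, following the resolv.conf 'search' rule:
    a name with fewer than ndots dots is tried with each search domain appended
    first, then as-is; a trailing dot means 'absolute, do not search'."""
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixed = [f"{name}.{d}" for d in search_domains]
    if name.count(".") >= ndots:
        return [name] + suffixed
    return suffixed + [name]


def resolve(name: str, hosts_file: Dict[str, str], search_domains: List[str],
            dns: Dict[str, str] = DNS_RECORDS) -> Tuple[Optional[str], Optional[str]]:
    """Return (ip, name that actually matched), or (None, None) if nothing resolved."""
    if name in hosts_file:                    # literal lookup in /etc/hosts wins
        return hosts_file[name], name
    for cand in candidates(name, search_domains):
        if cand in dns:
            return dns[cand], cand
    return None, None


def resolve_on_esxi(name: str) -> Tuple[Optional[str], Optional[str]]:
    return resolve(name, ESXI_HOSTS_FILE, [])          # assumed: no search domain


def resolve_on_mac(name: str) -> Tuple[Optional[str], Optional[str]]:
    return resolve(name, MAC_HOSTS_FILE, ["silvique.ro"])


if __name__ == "__main__":
    for n in ("esxi01", "esxi02", "esxi02.silvique.ro"):
        print(f"esxi01 resolving {n!r}: {resolve_on_esxi(n)}")
        print(f"mac    resolving {n!r}: {resolve_on_mac(n)}")
```

On the ESXi host the search list can be inspected with esxcli network ip dns search list and a domain added with esxcli network ip dns search add --domain=silvique.ro, after which short names behave as they do on the Mac.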

Conclusion

That’s all I need to do with the firewall for now and I’m ready to deploy the vCenter Server appliance, which I’ll do in the next part of the series.

After performing the steps in Part 0, Part 1 and this tutorial, I now have three ESXi virtual machines and a virtual pfSense firewall that allows me to access the internet and resolve the names of all the hosts in my lab.