Building a VMware vSphere Virtual Lab with VMware Fusion - Part 2: Deploy and Configure a pfSense VM
This is the second part in a series of tutorials on how to build a VMware vSphere Virtual Lab on a Mac with VMware Fusion. In this tutorial, we'll create a pfSense VM and use it as a DNS resolver and firewall for our lab.
The purpose of the pfSense firewall is to be:
- Used as a DNS resolver that lets ESXi hosts and vCenter Server communicate with each other using their hostnames or FQDN.
- Allow hosts and VMs to access the internet.
- It simulates a WAN connection coming into the lab, so we can add new IP addresses to the firewall and 1:1 NAT them with VMs in our DMZ.
- It will allow us to route traffic between VMs on different port groups.
Since this is a series of tutorials, you should have read and followed the steps in Part 1 before continuing with this tutorial.
After completing the steps in Part 1, you will be at a point where you have:
- Installed VMware Fusion*.
- Created two custom VMware Fusion networks.
- Created at least one ESXi VM with 10 GB of RAM and three network adapters.
- The first two network adapters will be connected to the vSphere network and the last one connected to the WAN network.
- ESXi should be installed and the management network configured with
10.1.1.11as the IP address and
10.1.1.251as the gateway and DNS resolver.
Software required for this tutorial:
- For this tutorial you’ll need to download pfSense from the download page of the pfSense website. The steps in this tutorial have been tested with Version 2.4.4-p3.
Once you’ve downloaded the pfSense ISO, we will upload it to the ESXi host, create the VM, then install and configure pfSense on it.
Step 1: Configure the ESXi Network
The first thing we need to do before creating the pfSense VM, is to configure the ESXi network so that we have the required port groups for the VM to connect to.
We will need a new port group for the DMZ and a new switch and port group for the WAN. I also suggest renaming the default VM port group because we’ll only be using it for the vCenter Server appliance to access the management network.
Summary of the steps involved.
- Create a new vSwitch and Portgroup for the WAN
- Create a DMZ port group on the main vSwitch with VLAN 100
- Rename the VM Network port group to Management
OK, let’s begin by logging into the ESXi host.
Click on Networking, Virtual switches and then Add standard virtual switch.
Give the vSwitch a name, select vmnic2 (this is the third network adapter attached to the VMware Fusion VM) for the uplink, then click Add.
Click on the Port groups tab and then Add port group.
Give the new port group a name of WAN, then select the name of the new vSwitch we just created and click Add.
Click Add port group again, give it a name of DMZ, a VLAN ID of 100, select the main vSwitch (this is the vSwitch connected to the first two network adapters of the VMware Fusion VM) and then click Add.
The last thing we need to do is rename the VM Network port group by clicking on its name, clicking Edit settings, giving it a name of Management and then clicking Save.
You should now have a list of port groups like the following image shows:
The network is now configured to a point where we can create the pfSense firewall VM.
Step 2: Upload the pfSense ISO to the ESXi host
I’ve already written a tutorial which contains instructions on how to upload an ISO to an ESXi datastore. Here’s a link to the relevant section: How to upload an ISO to an ESXi datastore.
After following the instructions in the post above, the pfSense ISO should now be on your datastore.
With the ISO now on the ESXi host, we are ready to create the pfSense virtual machine.
Step 3: Create the pfSense VM
Now that we’ve configured the network and uploaded the ISO, we are ready to create the pfSense VM.
Clicn on Virtual Machines then Create / Register VM.
Select Create a new virtual machine then click Next.
Name the virtual machine fw01, select ESXi 6.7 U2 virtual machine for the compatibility, Other for guest OS family, and FreeBSD 11 (64-bit) for the guest OS version, then click Next.
Select the local datastore on the ESXi host and click Next.
Add two extra network adapters by clicking Add network adapter twice. Change the memory to 512 MB and the Hard Disk to 4 GB. Select WAN for the first network adapter, Management for the second and DMZ for the last one.
Scroll down and change CD/DVD Drive 1 to Datastore ISO and select the pfSense ISO that was uploaded to the datastore.
Click Next and then Finish to create the VM.
Wait for the VM to be created and then in the next step we’ll install pfSense.
Step 4: Install pfSense
Click on the fw01 VM, click Power on and then click on the image to open the console window.
Wait for the installer to load and then Accept the agreement to not distribute commercially.
Select Install and click OK.
Select the keyboard map for your location then press Enter.
Select Guided Disk Setup then click OK.
Wait for the installation to finish then click Enter on No.
Reboot the VM by pressing Enter on Reboot.
Wait for the OS to boot and the initial network configuration wizard to load. Choose no for Should VLANs be set up now by typing n and pressing Enter
Assign vmx0 as the interface name for the WAN by typing vmx0 and pressing Enter
Assign vmx1 as the interface name for the LAN by typing vmx1 and pressing Enter
Assign vmx2 as the interface name for Optional 1 (DMZ) by typing vmx2 and pressing Enter
Confirm the interface assignments by typing y and pressing Enter
It might take awhile to assign the interfaces because pfSense will try to assign IP addresses via DHCP and we don’t have DHCP setup on the VMware Fusion networks. Wait for the setup to timeout and load the welcome screen.
As you can see the WAN and OPT1 (DMZ) have no IP assigned. Also, the LAN isn’t the correct IP shown in the diagram (Figure 1 in the Part 1). We’ll assign the correct IP addresses in the next step.
Step 5: Configure the pfSense IP addresses
In order to login to the pfSense firewall we first need to assign the correct IP addresses to the interfaces.
WAN 198.18.0.3/24 LAN 10.1.1.251/24 DMZ 10.1.2.1/24
Let’s configure the WAN IP address first by typing 2 and pressing Enter
Press 1 and then Enter to select the WAN interface.
Say no to DHCP.
Type in the IP address of
198.18.0.3 for the WAN and press Enter.
24 for the subnet mask of the WAN and press Enter.
198.18.0.2 for the gateway and press Enter. This is the address that lets the VM use the internet connection of the Mac using NAT.
Say yes to the rest of the options until you’re taken back to the welcome screen.
Do the same thing for the LAN and DMZ but don’t assign a gateway for these interfaces. Also choose no when asked to enable DHCP.
With the interfaces configured, the welcome screen should look like the one in the image below.
If everything is configured correctly, you should be able to ping the LAN address from the Mac host.
ping 10.1.1.251 PING 10.1.1.251 (10.1.1.251): 56 data bytes 64 bytes from 10.1.1.251: icmp_seq=0 ttl=64 time=2.528 ms 64 bytes from 10.1.1.251: icmp_seq=1 ttl=64 time=0.862 ms --- 10.1.1.251 ping statistics --- 2 packets transmitted, 2 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.862/1.695/2.528/0.833 ms
We’re now ready to login to the firewall and do the final configuration steps.
Step 6: Login and configure pfSense
Type the LAN address (10.1.1.251) into a web browser then enter the following login credentials:
Username: admin Password: pfsense
Click SIGN IN.
Click the Change the password in the User Manager link.
Provide a new strong password (since its just a lab, I used
Pa$$w0rd), scroll to the bottom and click Save.
Now click System and General Setup.
Enter fw01 for the hostname and graspingtech.com (or whatever domain you’ve been using) for the Domain, scroll to the bottom and click Save.
Click the pfSense logo to go to the dashboard. You should notice there’s an internet connection (if your Mac has internet) because the version section displays the last time the version information was updated.
You should also be able to ping an external website like Google from your ESXi hosts.
[root@esxi01:~] ping google.com PING google.com (22.214.171.124): 56 data bytes 64 bytes from 126.96.36.199: icmp_seq=0 ttl=127 time=21.052 ms 64 bytes from 188.8.131.52: icmp_seq=1 ttl=127 time=19.023 ms 64 bytes from 184.108.40.206: icmp_seq=2 ttl=127 time=20.386 ms
Step 7: Add Hosts to DNS resolver
We’re almost done for this tutorial. The last thing we need to do is add our hosts to the DNS resolver so that vCenter Server can resolve the FQDN of itself and the ESXi hosts.
You’ll notice, we can’t resolve IP addresses when trying to ping other ESXi hosts or vCenter.
[root@esxi01:~] ping esxi02.graspingtech.com getaddrinfo() for "esxi02.graspingtech.com" failed (-2: Name or service not known) [root@esxi01:~] ping vc01 getaddrinfo() for "vc01" failed (-2: Name or service not known)
Adding the hosts to the DNS Resolver in pfSense will fix this.
Click on Services and then DNS Resolver.
Type the name of the host, domain and IP address in the host, domain and IP address fields.
Scroll to the bottom and click Save
Do the same thing for each ESXi host and the vCenter Server. Scroll to the bottom of the DNS Resolver page to see the list of hosts added.
Now scroll back up and click Apply Changes.
You can test to see if the hosts resolve to the IP addresses provided by trying to ping any of the hosts from the esxi01 machine. You should see that the IP address is resolved, even if there is no reply from the hosts yet.
[root@esxi01:~] ping vc01 PING vc01 (10.1.1.101): 56 data bytes --- vc01 ping statistics --- 3 packets transmitted, 0 packets received, 100% packet loss [root@esxi01:~] ping esxi02 PING esxi02 (10.1.1.12): 56 data bytes --- esxi02 ping statistics --- 3 packets transmitted, 0 packets received, 100% packet loss
That’s all we need to do with the firewall for now and we’re ready to deploy the vCenter Server appliance, which we’ll do in the next part of the series.
After performing the steps in Part 1 and this tutorial, we now have three ESXi virtual machines and a virtual pfSense firewall that allows us to access the internet, and resolve IP addresses of all the hosts in our lab.
The next tutorial in the series will explain how to deploy the vCenter Server Appliance onto the first ESXi host and run through the initial configuration.
Read Next - Part 3: Deploying vCenter Server Appliance to ESXi 6.7
As I’m sure you’re aware, there’s only so much information that can go into a blog post, which is why you might want to check out the book titled Mastering VMware vSphere 6.7* Mastering VMware vSphere 6.7* (Marshall, Brown, Fritz, Johnson) to get a more in depth understanding of vSphere.