Building a VMware vSphere Virtual Lab with VMware Fusion - Part 2: Deploy and Configure a pfSense VM

This is the second part in a series of tutorials on how to build a VMware vSphere Virtual Lab on a Mac with VMware Fusion. In this tutorial, we'll create a pfSense VM and use it as a DNS resolver and firewall for our lab.

Overview

The pfSense firewall will:

  • Act as the DNS resolver that lets the ESXi hosts and vCenter Server reach each other by hostname or FQDN.
  • Allow the hosts and VMs to reach the internet through the Mac's NAT connection.
  • Simulate a WAN connection coming into the lab, so we can add new IP addresses to the firewall and 1:1 NAT them to VMs in the DMZ.
  • Route (and filter) traffic between VMs on different port groups.

Prerequisites

Since this is a series of tutorials, you should have read and followed the steps in Part 1 before continuing with this tutorial.

After completing the steps in Part 1, you will be at a point where you have:

  1. Installed VMware Fusion*.
  2. Created two custom VMware Fusion networks.
  3. Created at least one ESXi VM with 10 GB of RAM and three network adapters.
  4. The first two network adapters will be connected to the vSphere network and the last one connected to the WAN network.
  5. ESXi should be installed and the management network configured with 10.1.1.11 as the IP address and 10.1.1.251 as the gateway and DNS resolver.

Software required for this tutorial:

  • For this tutorial you’ll need to download pfSense from the download page of the pfSense website. The steps in this tutorial have been tested with Version 2.4.4-p3. Check the ISO against the SHA-256 checksum published alongside the download before uploading it to the host.

Once you’ve downloaded the pfSense ISO, we will upload it to the ESXi host, create the VM, then install and configure pfSense on it.

Step 1: Configure the ESXi Network

The first thing we need to do before creating the pfSense VM, is to configure the ESXi network so that we have the required port groups for the VM to connect to.

We will need a new port group for the DMZ and a new switch and port group for the WAN. I also suggest renaming the default VM port group because we’ll only be using it for the vCenter Server appliance to access the management network.

Summary of the steps involved:

  • Create a new vSwitch and Portgroup for the WAN
  • Create a DMZ port group on the main vSwitch with VLAN 100
  • Rename the VM Network port group to Management

OK, let’s begin by logging into the ESXi host.

Click on Networking, Virtual switches and then Add standard virtual switch.

Screenshot Configure ESX Network Step 1

Give the vSwitch a name, select vmnic2 (this is the third network adapter attached to the VMware Fusion VM) for the uplink, then click Add.

Screenshot Configure ESX Network Step 2

Click on the Port groups tab and then Add port group.

Screenshot Configure ESX Network Step 3

Give the new port group a name of WAN, then select the name of the new vSwitch we just created and click Add.

Screenshot Configure ESX Network Step 4

Click Add port group again, give it a name of DMZ, a VLAN ID of 100, select the main vSwitch (this is the vSwitch connected to the first two network adapters of the VMware Fusion VM) and then click Add.

Screenshot Configure ESX Network Step 5

The last thing we need to do is rename the VM Network port group by clicking on its name, clicking Edit settings, giving it a name of Management and then clicking Save.

Screenshot Configure ESX Network Step 6

You should now have a list of port groups like the following image shows:

Screenshot Configure ESX Network Step 7

The network is now configured to a point where we can create the pfSense firewall VM.
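The same Step 1 configuration can be driven from the ESXi shell (with SSH enabled on the host), which is handy when the lab has to be rebuilt. The script below is an added example, not part of the original tutorial; the port group names and VLAN ID are the tutorial's, the name "vSwitch1" for the new WAN vSwitch is an assumption, and the listing it checks against is constructed here, not captured from a host. Besides creating the switch and port groups it verifies the result, because a DMZ port group created without its VLAN tag would put "DMZ" VMs untagged on the same segment as the management network.

```shell
#!/bin/sh
# Added example (not from the original tutorial): Step 1 from the ESXi shell,
# plus a check of the resulting port-group list.
# Run as: sh lab-network.sh apply    (create switch and port groups)
#         sh lab-network.sh check    (verify the live listing)

MAIN_VSWITCH=vSwitch0     # created by the ESXi installer, uplinks vmnic0/vmnic1
WAN_VSWITCH=vSwitch1      # assumed name for the new WAN vSwitch
WAN_UPLINK=vmnic2         # third Fusion adapter, attached to the WAN network
DMZ_VLAN=100

# Create the WAN vSwitch, attach its uplink and add the port groups.
lab_network_apply() {
    esxcli network vswitch standard add --vswitch-name="$WAN_VSWITCH"
    esxcli network vswitch standard uplink add --vswitch-name="$WAN_VSWITCH" --uplink-name="$WAN_UPLINK"
    esxcli network vswitch standard portgroup add --vswitch-name="$WAN_VSWITCH" --portgroup-name=WAN
    esxcli network vswitch standard portgroup add --vswitch-name="$MAIN_VSWITCH" --portgroup-name=DMZ
    esxcli network vswitch standard portgroup set --portgroup-name=DMZ --vlan-id="$DMZ_VLAN"
    # esxcli has no rename: add Management and drop the unused VM Network group.
    esxcli network vswitch standard portgroup add --vswitch-name="$MAIN_VSWITCH" --portgroup-name=Management
    esxcli network vswitch standard portgroup remove --vswitch-name="$MAIN_VSWITCH" --portgroup-name="VM Network"
}

# Verify the text of "esxcli network vswitch standard portgroup list":
# WAN must sit on the WAN vSwitch untagged, DMZ on the main vSwitch with
# VLAN 100, and no other port group may carry the DMZ VLAN.
# Columns are Name, Virtual Switch, Active Clients, VLAN ID; a name may
# contain spaces, so fields are taken from the right. Returns 0 when OK.
lab_check_portgroups() {
    printf '%s\n' "$1" | awk -v wan_vs="$WAN_VSWITCH" -v main_vs="$MAIN_VSWITCH" -v vlan="$DMZ_VLAN" '
        NR <= 2 { next }                      # header and dashed line
        NF < 4  { next }
        {
            vid = $NF; vs = $(NF-2)
            name = $1; for (i = 2; i <= NF-3; i++) name = name " " $i
            if (name == "WAN" && vs == wan_vs  && vid == 0)    wan_ok = 1
            if (name == "DMZ" && vs == main_vs && vid == vlan) dmz_ok = 1
            if (name != "DMZ" && vid == vlan) stray = 1      # DMZ VLAN on another group
        }
        END { if (wan_ok && dmz_ok && !stray) exit 0; exit 1 }'
}

# Constructed listing showing what the host should report after Step 1.
SAMPLE_GOOD='Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0                     1        0
Management          vSwitch0                     0        0
DMZ                 vSwitch0                     0      100
WAN                 vSwitch1                     0        0'

# Constructed listing with the VLAN tag forgotten on DMZ: the check must fail.
SAMPLE_BAD='Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0                     1        0
DMZ                 vSwitch0                     0        0
WAN                 vSwitch1                     0        0'

case "${1:-}" in
    apply) lab_network_apply ;;
    check) lab_check_portgroups "$(esxcli network vswitch standard portgroup list)" && echo "port groups OK" ;;
esac
```

The check parses the listing from the right-hand columns so that port-group names containing spaces (such as "Management Network") do not shift the fields.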

Step 2: Upload the pfSense ISO to the ESXi host

I’ve already written a tutorial which contains instructions on how to upload an ISO to an ESXi datastore. Here’s a link to the relevant section: How to upload an ISO to an ESXi datastore.

After following the instructions in the post above, the pfSense ISO should now be on your datastore.

Screenshot of pfSense ISO on ESXi 6.7 datastore

With the ISO now on the ESXi host, we are ready to create the pfSense virtual machine.

Step 3: Create the pfSense VM

Now that we’ve configured the network and uploaded the ISO, we are ready to create the pfSense VM.

Click on Virtual Machines then Create / Register VM.

Screenshot

Select Create a new virtual machine then click Next.

Screenshot

Name the virtual machine fw01, select ESXi 6.7 U2 virtual machine for the compatibility, Other for guest OS family, and FreeBSD 11 (64-bit) for the guest OS version, then click Next.

Screenshot

Select the local datastore on the ESXi host and click Next.

Screenshot

Add two extra network adapters by clicking Add network adapter twice. Change the memory to 512 MB and the Hard Disk to 4 GB. Select WAN for the first network adapter, Management for the second and DMZ for the last one. The order matters: pfSense will enumerate them as vmx0, vmx1 and vmx2 in Step 4.

Screenshot

Scroll down and change CD/DVD Drive 1 to Datastore ISO and select the pfSense ISO that was uploaded to the datastore.

Screenshot

Click Next and then Finish to create the VM.

Screenshot

Wait for the VM to be created and then in the next step we’ll install pfSense.

Step 4: Install pfSense

Click on the fw01 VM, click Power on and then click on the image to open the console window.

Screenshot

Wait for the installer to load and then accept the copyright and distribution notice.

Screenshot

Select Install and click OK.

Screenshot

Select the keyboard map for your location then press Enter.

Screenshot

Select Guided Disk Setup then click OK.

Screenshot

Wait for the installation to finish. When asked whether you want to open a shell to make manual changes, select No and press Enter.

Screenshot

Reboot the VM by pressing Enter on Reboot.

Screenshot

Wait for the OS to boot and the initial network configuration wizard to load. Choose no for "Should VLANs be set up now" by typing n and pressing Enter.

Screenshot

Assign vmx0 as the WAN interface by typing vmx0 and pressing Enter.

Screenshot

Assign vmx1 as the LAN interface by typing vmx1 and pressing Enter.

Screenshot

Assign vmx2 as the Optional 1 (DMZ) interface by typing vmx2 and pressing Enter.

Screenshot

Confirm the interface assignments by typing y and pressing Enter.

Screenshot

It might take a while to assign the interfaces because pfSense will try to obtain IP addresses via DHCP and we don’t have DHCP set up on the VMware Fusion networks. Wait for the attempts to time out and the welcome screen to load.

Screenshot

As you can see, the WAN and OPT1 (DMZ) have no IP assigned, and the LAN has pfSense's default address rather than the one shown in the diagram (Figure 1 in Part 1). We’ll assign the correct IP addresses in the next step.
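Before relying on the assignment above, it is worth confirming that vmx0 really is the adapter on the WAN port group, since the firewall rules we apply later are tied to interface names, and a swapped probe order would put the WAN ruleset on the management network. pfSense numbers vmxN in PCI probe order, which normally follows the ethernetN order in the VM's .vmx file, but the only key both sides show is the MAC address. The script below is an added example, not part of the original tutorial: it reads the NIC entries from the VM's .vmx file (the ethernetN.networkName and ethernetN.generatedAddress keys ESXi writes), matches them against the "Valid interfaces" lines pfSense prints during assignment, and reports which vmxN carries each port group. The sample .vmx and console text are constructed, and the MACs in them are made up.

```shell
#!/bin/sh
# Added example (not from the original tutorial): confirm that vmx0/vmx1/vmx2
# map to the WAN, Management and DMZ port groups by MAC address.
# Run as: sh check-nics.sh /vmfs/volumes/datastore1/fw01/fw01.vmx pfsense-interfaces.txt
# where the second file holds the "Valid interfaces" lines copied from the console.

# Print "ethernetN MAC network" for every NIC in the .vmx text passed as $1.
# Handles generated MACs (generatedAddress) and static ones (address).
vmx_nic_table() {
    printf '%s\n' "$1" | tr -d '"' | awk -F' *= *' '
        $1 ~ /^ethernet[0-9]+\.networkName$/                { split($1, a, "."); net[a[1]] = $2 }
        $1 ~ /^ethernet[0-9]+\.(generatedAddress|address)$/ { split($1, a, "."); mac[a[1]] = tolower($2) }
        END { for (n in net) print n, mac[n], net[n] }' | sort
}

# Given the .vmx text ($1) and the pfSense "Valid interfaces" text ($2,
# lines like "vmx0   00:0c:29:aa:bb:01   (up) VMware VMXNET3 Ethernet Adapter"),
# print "<network> <pfSense name>" per NIC. Port group names are expected to
# be single words, as in this tutorial.
pfsense_map() {
    vmx_text=$1
    pf_text=$2
    vmx_nic_table "$vmx_text" | while read -r _dev mac net; do
        pfname=$(printf '%s\n' "$pf_text" | awk -v m="$mac" 'tolower($2) == m { print $1 }')
        printf '%s %s\n' "$net" "${pfname:-MISSING}"
    done
}

# Return 0 when WAN=vmx0, Management=vmx1 and DMZ=vmx2 (the assignment used
# in this tutorial); otherwise print each mismatch and return 1.
check_assignment() {
    pfsense_map "$1" "$2" | awk '
        $1 == "WAN"        && $2 != "vmx0" { bad = 1; print "WAN is on " $2 ", not vmx0" }
        $1 == "Management" && $2 != "vmx1" { bad = 1; print "Management is on " $2 ", not vmx1" }
        $1 == "DMZ"        && $2 != "vmx2" { bad = 1; print "DMZ is on " $2 ", not vmx2" }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed .vmx excerpt for fw01 (MACs are made up).
SAMPLE_VMX='ethernet0.virtualDev = "vmxnet3"
ethernet0.networkName = "WAN"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:aa:bb:01"
ethernet1.virtualDev = "vmxnet3"
ethernet1.networkName = "Management"
ethernet1.generatedAddress = "00:0c:29:aa:bb:02"
ethernet2.virtualDev = "vmxnet3"
ethernet2.networkName = "DMZ"
ethernet2.generatedAddress = "00:0c:29:aa:bb:03"'

# Constructed console listing in the expected order.
SAMPLE_PF_OK='vmx0   00:0c:29:aa:bb:01   (up) VMware VMXNET3 Ethernet Adapter
vmx1   00:0c:29:aa:bb:02   (up) VMware VMXNET3 Ethernet Adapter
vmx2   00:0c:29:aa:bb:03   (up) VMware VMXNET3 Ethernet Adapter'

# Constructed listing where vmx0 is really the Management NIC: WAN rules
# would land on the management network, so the check must fail.
SAMPLE_PF_SWAPPED='vmx0   00:0c:29:aa:bb:02   (up) VMware VMXNET3 Ethernet Adapter
vmx1   00:0c:29:aa:bb:01   (up) VMware VMXNET3 Ethernet Adapter
vmx2   00:0c:29:aa:bb:03   (up) VMware VMXNET3 Ethernet Adapter'

if [ $# -eq 2 ]; then
    check_assignment "$(cat "$1")" "$(cat "$2")" && echo "interface assignment OK"
fi
```

If the check reports a mismatch, re-run the assignment (console option 1) using the vmxN that carries the WAN MAC, rather than trusting the adapter order.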

Step 5: Configure the pfSense IP addresses

In order to login to the pfSense firewall we first need to assign the correct IP addresses to the interfaces.

These are:

WAN 198.18.0.3/24
LAN 10.1.1.251/24
DMZ 10.1.2.1/24

Let’s configure the WAN IP address first by typing 2 (Set interface(s) IP address) and pressing Enter.

Screenshot

Press 1 and then Enter to select the WAN interface.

Screenshot

Answer n when asked whether to configure the WAN via DHCP.

Screenshot

Type in the IP address of 198.18.0.3 for the WAN and press Enter.

Screenshot

Type in 24 for the subnet mask of the WAN and press Enter.

Screenshot

Type in 198.18.0.2 for the gateway and press Enter. This is the NAT device on the Fusion WAN network, the address that lets the VM use the Mac's internet connection.

Press Enter to skip the IPv6 prompts. Do not enable the DHCP server on the WAN, and answer n if asked whether to revert the webConfigurator to HTTP, so that the GUI stays on HTTPS. Continue until you’re taken back to the welcome screen.

Screenshot

Do the same thing for the LAN and DMZ but don’t assign a gateway for these interfaces. Also choose no when asked to enable DHCP.

With the interfaces configured, the welcome screen should look like the one in the image below.

Screenshot

If everything is configured correctly, you should be able to ping the LAN address from the Mac host.

ping 10.1.1.251
PING 10.1.1.251 (10.1.1.251): 56 data bytes
64 bytes from 10.1.1.251: icmp_seq=0 ttl=64 time=2.528 ms
64 bytes from 10.1.1.251: icmp_seq=1 ttl=64 time=0.862 ms

--- 10.1.1.251 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.862/1.695/2.528/0.833 ms

We’re now ready to login to the firewall and do the final configuration steps.

Step 6: Login and configure pfSense

Browse to https://10.1.1.251 (the LAN address). The webConfigurator uses a self-signed certificate, so the browser will warn about it; that is expected in the lab. Enter the following default login credentials:

Username: admin
Password: pfsense

Click SIGN IN.

Screenshot

Click the Change the password in the User Manager link.

Screenshot

Provide a new strong password (since its just a lab, I used Pa$$w0rd), scroll to the bottom and click Save.

Screenshot

Now click System and General Setup.

Screenshot

Enter fw01 for the hostname and graspingtech.com (or whatever domain you’ve been using) for the Domain, scroll to the bottom and click Save.

Screenshot

Click the pfSense logo to go to the dashboard. If your Mac has internet access, the Version section of the System Information widget will show when it last checked for updates, which only succeeds if the firewall can reach the internet through the WAN gateway.

Screenshot

You should also be able to ping an external website like Google from your ESXi hosts.

[root@esxi01:~] ping google.com
PING google.com (216.58.213.14): 56 data bytes
64 bytes from 216.58.213.14: icmp_seq=0 ttl=127 time=21.052 ms
64 bytes from 216.58.213.14: icmp_seq=1 ttl=127 time=19.023 ms
64 bytes from 216.58.213.14: icmp_seq=2 ttl=127 time=20.386 ms

Step 7: Add Hosts to DNS resolver

We’re almost done for this tutorial. The last thing we need to do is add our hosts to the DNS resolver so that vCenter Server can resolve the FQDN of itself and the ESXi hosts.

You’ll notice that the ESXi hosts can’t resolve the names of the other ESXi hosts or of vCenter yet:

[root@esxi01:~] ping esxi02.graspingtech.com
getaddrinfo() for "esxi02.graspingtech.com" failed (-2: Name or service not known)
[root@esxi01:~] ping vc01
getaddrinfo() for "vc01" failed (-2: Name or service not known)

Adding the hosts to the DNS Resolver in pfSense will fix this.

Click on Services and then DNS Resolver.

Screenshot

Scroll down to Host Overrides and click Add. Type the hostname (for example esxi01), the domain (graspingtech.com) and the IP address (10.1.1.11) into the Host, Domain and IP fields.

Screenshot

Scroll to the bottom and click Save

Screenshot

Do the same thing for each ESXi host and the vCenter Server. Scroll to the bottom of the DNS Resolver page to see the list of hosts added.

Screenshot

Now scroll back up and click Apply Changes.

Screenshot

You can test whether the hosts resolve to the IP addresses provided by pinging any of them from the esxi01 machine. You should see the IP address being resolved, even though there is no reply from the hosts yet. Host overrides also create the matching PTR records, which the vCenter Server installer checks when it validates the appliance FQDN.

[root@esxi01:~] ping vc01
PING vc01 (10.1.1.101): 56 data bytes

--- vc01 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

[root@esxi01:~] ping esxi02
PING esxi02 (10.1.1.12): 56 data bytes

--- esxi02 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
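Pinging each host by hand checks the forward lookup only. The vCenter Server deployment in Part 3 also needs the reverse lookups to agree, so a quick pre-flight script is worth keeping around. The one below is an added example, not part of the original tutorial. It is meant to be run from the Mac (whose nslookup prints the BIND-style output it parses) against the pfSense LAN address; the hostnames and addresses are the ones used in this series, and the two nslookup transcripts embedded for the parser are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that every lab host
# resolves forwards (A) and backwards (PTR) through the pfSense resolver,
# and that both directions agree, before deploying the vCenter appliance.
# Run from the Mac as: sh lab-dns-check.sh check

RESOLVER=10.1.1.251          # pfSense LAN address
DOMAIN=graspingtech.com

# Expected records, taken from the lab plan in Part 1 and this part.
EXPECTED='fw01 10.1.1.251
esxi01 10.1.1.11
esxi02 10.1.1.12
vc01 10.1.1.101'

# Pull the answer address out of BIND-style nslookup output for a forward query.
parse_a_answer() {
    printf '%s\n' "$1" | awk '/^Name:/ { found = 1; next } found && /^Address/ { print $NF; exit }'
}

# Pull the name out of nslookup output for a reverse query (strip the trailing dot).
parse_ptr_answer() {
    printf '%s\n' "$1" | awk '/name = / { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Live lookups against the resolver; print nothing when there is no answer.
lookup_a()   { parse_a_answer   "$(nslookup "$1" "$RESOLVER" 2>/dev/null)"; }
lookup_ptr() { parse_ptr_answer "$(nslookup "$1" "$RESOLVER" 2>/dev/null)"; }

# Print one line per inconsistent record; print nothing when all is well.
lab_dns_problems() {
    printf '%s\n' "$EXPECTED" | while read -r host ip; do
        [ -n "$host" ] || continue
        fqdn="$host.$DOMAIN"
        got_a=$(lookup_a "$fqdn")
        if [ "$got_a" != "$ip" ]; then
            echo "FAIL A   $fqdn -> '${got_a:-no answer}' (expected $ip)"
        fi
        got_ptr=$(lookup_ptr "$ip")
        if [ "$got_ptr" != "$fqdn" ]; then
            echo "FAIL PTR $ip -> '${got_ptr:-no answer}' (expected $fqdn)"
        fi
    done
    return 0
}

# Return 0 only when every expected host resolves both ways.
check_lab_dns() {
    problems=$(lab_dns_problems)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "all lab DNS records consistent"
}

# Constructed nslookup transcripts used to exercise the parsers.
SAMPLE_A_ANSWER='Server:		10.1.1.251
Address:	10.1.1.251#53

Name:	esxi01.graspingtech.com
Address: 10.1.1.11'

SAMPLE_PTR_ANSWER='Server:		10.1.1.251
Address:	10.1.1.251#53

11.1.1.10.in-addr.arpa	name = esxi01.graspingtech.com.'

case "${1:-}" in
    check) check_lab_dns ;;
esac
```

A typical failure this catches is a host override whose IP was mistyped, or a second override for the same address: the forward lookup still succeeds, but the PTR answer points at the other name and the vCenter installer rejects the FQDN.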

Conclusion

That’s all we need to do with the firewall for now and we’re ready to deploy the vCenter Server appliance, which we’ll do in the next part of the series.

After performing the steps in Part 1 and this tutorial, we now have three ESXi virtual machines and a virtual pfSense firewall that allows us to access the internet, and resolve IP addresses of all the hosts in our lab.

Coming next

The next tutorial in the series will explain how to deploy the vCenter Server Appliance onto the first ESXi host and run through the initial configuration.

Read Next - Part 3: Deploying vCenter Server Appliance to ESXi 6.7

Further reading

As I’m sure you’re aware, there’s only so much information that can go into a blog post, which is why you might want to check out the book titled Mastering VMware vSphere 6.7* (Marshall, Brown, Fritz, Johnson) to get a more in depth understanding of vSphere.

Written by Tony

I'm a blogger, software developer and sysadmin, with a degree in applied computing and 16+ years experience managing IT systems. Get in touch: tony@graspingtech.com

Tags: ESXi Fusion pfSense