Pass through public IP addresses to pfSense

I have a server in my datacenter that has multiple publicly routed IP addresses, and I'm now running ESXi to manage it.

Before, I had some VMs running under the host that created a network:

   inet
[x.x.x.210] -- Host OS
  |-- .211  -- VM 1
  \-- .212  -- VM 2

Now, I'd like to do the following under pfSense and VMware:

   inet                      lan
[x.x.x.210] -- (NAT) -- [192.168.1.1]
  |-- .211  -- VM1        |--     .2 -- VM3
  \-- .212  -- VM2        \--     .3 -- VM4

Where VM3 and VM4 are getting private IPs NATted by pfSense, and where VM1 and VM2 are still passing through on the same adapter, but are now getting their own public IPs.

I'm having trouble navigating pfSense's interface to figure out how this should be done. Preferably I'd like the public IPs to still be handed out over DHCP so I can add in an IPv6 tunnel once pfSense supports it. Also, still being able to use pfSense as a firewall would be best, too (otherwise it kind of defeats the purpose).


Solution 1:

Sounds like you're looking to add a DMZ in bridged mode.

  1. Create a new virtual switch not connected to any physical interfaces.
  2. Edit properties for the new virtual switch and change the vswitch configuration to "ACCEPT" promiscuous mode <-- pfSense's bridge mode will not work without it.
  3. Add and enable an interface on pfSense; do not assign this interface an IP address.
  4. In pfSense, bridge this interface with the WAN interface.
  5. Within VMware, add the new pfSense interface to the virtual switch.
  6. Add all systems you would like to have a public IP to the virtual switch and assign public IPs.
  7. Create inbound rules for those systems on the WAN rules tab.
  8. Create outbound rules for DMZ systems on the DMZ tab <-- assuming you named your new pfSense interface DMZ ;)

Points to note:

  • All systems in the DMZ will need at least one rule to let traffic out.
  • Your vswitch MUST accept promiscuous mode.
  • Your DMZ interface must be bridged with the WAN interface.

Bonus: add the Snort package to your WAN interface and you have an awesome IDS/IPS firewall!

Solution 2:

Use a dedicated virtual-only vswitch for the public IPs, assign it to the firewall as an additional NIC and an assigned interface, and put your servers with public IPs on there. Bridge that interface to WAN, configure your firewall rules accordingly, and you're good to go.
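Both answers describe the same design: an uplink-less vSwitch for the public-IP VMs, a pfSense interface with no IP on that vSwitch bridged to WAN, and promiscuous mode accepted on the vSwitch. The ESXi shell script below is an added example and is not part of either answer. It prints the esxcli commands for that setup and then parses the output of `esxcli network vswitch standard portgroup policy security get` so you can confirm the policy actually took effect before enabling the bridge in pfSense (a silently rejected policy is the usual reason the bridge "does nothing"). The names vSwitch0, vSwitch1, DMZ, DMZ-pfSense and WAN-pfSense are assumptions, and the sample esxcli output is constructed. Two caveats the answers do not spell out: the relaxed policy is scoped to port groups holding only pfSense's own vNICs rather than the whole vSwitch, so VM1 and VM2 on the plain DMZ port group cannot sniff each other; and the WAN side needs the same relaxation, because pfSense's WAN vNIC must receive frames addressed to the MACs of VM1/VM2 and transmit frames that still carry their source MACs, which a forged-transmits Reject would drop.

```shell
#!/bin/sh
# Added example for the ESXi side of the bridged-DMZ setup described above.
# Not part of either answer. Assumed names: vSwitch0 carries the physical
# uplink (pfSense WAN), vSwitch1 is the new uplink-less DMZ switch, and the
# port groups DMZ (VM1/VM2), DMZ-pfSense and WAN-pfSense are invented here.

# Emit the esxcli commands to run in the ESXi shell. Promiscuous mode and
# forged transmits are enabled only on the port groups that hold pfSense's
# own vNICs, not on the whole vSwitch, so VM1/VM2 stay non-promiscuous.
print_esxcli_setup() {
    dmz_vswitch=${1:-vSwitch1}
    cat <<EOF
esxcli network vswitch standard add --vswitch-name=$dmz_vswitch
esxcli network vswitch standard portgroup add --vswitch-name=$dmz_vswitch --portgroup-name=DMZ
esxcli network vswitch standard portgroup add --vswitch-name=$dmz_vswitch --portgroup-name=DMZ-pfSense
esxcli network vswitch standard portgroup add --vswitch-name=vSwitch0 --portgroup-name=WAN-pfSense
esxcli network vswitch standard portgroup policy security set --portgroup-name=DMZ-pfSense --allow-promiscuous=true --allow-forged-transmits=true
esxcli network vswitch standard portgroup policy security set --portgroup-name=WAN-pfSense --allow-promiscuous=true --allow-forged-transmits=true
EOF
}

# Verify a port group's effective policy before enabling the bridge in pfSense.
# Usage: esxcli network vswitch standard portgroup policy security get \
#          --portgroup-name=WAN-pfSense | check_pg_security
# Returns 0 only if both Allow Promiscuous and Allow Forged Transmits are true.
# The "Override Vswitch ..." lines in that output deliberately do not match.
check_pg_security() {
    promisc=missing; forged=missing
    while IFS= read -r line; do
        line=${line#"${line%%[! ]*}"}          # trim leading spaces
        case "$line" in
            "Allow Promiscuous: "*)      promisc=${line#*: } ;;
            "Allow Forged Transmits: "*) forged=${line#*: } ;;
        esac
    done
    rc=0
    [ "$promisc" = true ] || { echo "FAIL: Allow Promiscuous=$promisc (pfSense bridge port will not see other VMs' frames)" >&2; rc=1; }
    [ "$forged" = true ]  || { echo "FAIL: Allow Forged Transmits=$forged (bridged frames keep their original source MAC)" >&2; rc=1; }
    return $rc
}

# Constructed sample output in the format of `portgroup policy security get`:
# a fresh port group (promiscuous still rejected) and one after the set command.
SAMPLE_DEFAULT='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: false
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: false'
SAMPLE_FIXED='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: true
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: true'

# Stand-alone run: print the setup commands, then show the check on both samples.
print_esxcli_setup
for sample in "$SAMPLE_DEFAULT" "$SAMPLE_FIXED"; do
    if printf '%s\n' "$sample" | check_pg_security; then
        echo "policy OK: safe to enable the WAN/DMZ bridge"
    else
        echo "policy not ready: do not enable the bridge yet"
    fi
done
```

On the host, run the printed commands, then pipe the real `policy security get` output for each pfSense port group through `check_pg_security`; only when both checks pass does enabling the bridge in pfSense and placing VM1/VM2 on the DMZ port group make sense. The MAC-address-change policy is left at its default because bridging does not change the vNIC's own MAC.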