Gendan Enginecheck. Contents • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • Introduction This article is about building a pfSense virtual machine on vSphere / ESXi. Article explains how to install any major pfSense version on VMware vSphere versions 5.x and 6.x.

Get a Virtual Smoothwall. Thanks for deciding to download and try the Smoothwall Express VMWare™ images! 'What's the difference between Smoothwall GPL. Get a Virtual Smoothwall. Thanks for deciding to download and try the Smoothwall Express VMWare™ images! 'What's the difference between Smoothwall GPL and Express?'

Article does not cover how to install vSphere or how to configure pfSense to do any of the many amazing things it can. A basic, working, pfSense virtual machine will exist by the end of this document. Disclaimer/flame-retardant: If pfSense will be running as a perimeter firewall for an organization and the 'attack surface' should be minimized, many will say it is preferable to run it unvirtualized on stand-alone hardware.

That is a decision for the user and/or organization to make, however. Now back to the topic. We're going to start at the point where we have a vanilla ESXi install and have connected to it using the vSphere client. If other VMs are already running on ESXi, then it is not likely necessary to follow the networking steps too closely. However, we recommend skimming through it to see what is suggested before building the pfSense virtual machine part. Please report any errors or typos you may find.

Assumptions • vSphere host is up and running • The reader has an understanding of network addressing • You have already uploaded pfSense installation.iso to the datastore. Installing pfSense on vSphere 6.x using vSphere web client The following steps include the necessary vSphere web client configuration required to get pfSense VM running.

After getting to the pfSense setup step, switch to the guide for vSphere client bellow. Basic vSphere web client networking setup Before creating a new VM in vSphere web client, you will need to create two virtual switches and two port groups. We will first create Virtual switches for WAN and LAN and after that two port groups for the WAN and LAN. From the vSphere web client navigator, click on Networking and then click on Virtual switches tab. From there, click on 'Add a new standard virtual switch'.

After ESXi was installed, before it was possible to connect to it with the vSphere client, a physical network adapter (a 'vmnic' in the diagram) had to be nominated to be the ESXi Management Network. An IP address also had to be assigned to Management Network interface on the the ESXi host, either through DHCP or manually through the console. The network diagram above shows that the Management Network was assigned to vmnic0 and it has an IP address of 192.168.111.30. (192.168.111.0/24 is my home LAN. Others will most likely be different.) Whatever subnet was chosen, the VMkernel Port in the diagram is the Management Network and that's what the vSphere client is now talking to. ESXi will name the first physical NIC it finds 'vmnic0″.

If vmnic0 is the management interface, ESXi will have automatically attached a virtual switch, vSwitch0, to that interface. In addition to the VMkernel port, ESXi will also attach a Virtual Machine Port Group to the vSwitch. In the diagram above it's labeled as 'Virtual Machine Network'. The VM Port group is where Virtual Machines can be attached to this virtual network. In summary, in the above diagram, vSwitch0 has both a VM Port Group (Virtual Machine Network) and a VMkernel Port (Management Network) attached. Creating the LAN In a small network it is quite common to use the Virtual Machine Port Group on vSwitch0 to provide the LAN interface for pfSense. That allows access to the LAN side of the pfSense virtual machine and to manage the ESXi host with the vSphere client from a single PC.

Of course, the virtual machine (e.g., pfSense) and the ESXi management interface must have different IP addresses. COMMENT: I must say here that I always separate the ESXi Management network from other networks. I won't go into the detail but there are some very good reasons for doing this. Without using VLANs, though, separation would mean that an additional NIC on the ESXi host would be dedicated only for ESXi management. What's more, another NIC would be required in the vSphere client PC to connect to the management NIC on the ESXi host. To follow that path and enough NICs are available, simply delete the Virtual Machine Port Group by clicking the Properties link above vmnic0, highlight the VM Port Group and click Remove. Assuming there are only two NICs in the ESXi host, rename the VM Port Group from 'Virtual Machine Network' to something a bit more meaningful.