VMware Workstation Home Lab Part 1 - PFSense Networking

In any VMware environment, you need several networks and DNS as a prerequisite. To replicate the network aspect in a nested situation, I decided to use a PFSense VM to function as a firewall, router, and DNS server for the other VMs. The WAN interface is connected to the VMware Workstation NAT network, and then other interfaces are connected to Host-Only networks. This way, we can create and fully control new networks like management, vMotion, and vSAN the way we would manage them in a physical environment.

This is a critical step in a lab environment, so it’s important to plan it out and execute it correctly to avoid problems later on.

Initial Setup

  1. In VMware Workstation, go to Edit > Virtual Network Editor and create new Host-Only networks. I used VMNet2-VMNet6. Give them subnet IPs that make sense; I chose 192.168.102.0 through 192.168.106.0. Disable DHCP on all of those, as we will manage that through PFSense.
  2. Download the PFSense AMD64 ISO from https://www.pfsense.org/download/
  3. Create the VM in VMware Workstation and point to the ISO. This is fairly straightforward. I chose all the defaults, but I set the hard drive to 4GB. Before you power the VM on, customize the hardware and add NICs for each of the Host-Only networks created earlier.
  4. Boot the VM and run through the installer wizard. One note is that the default storage configuration is to use ZFS. Select BIOS instead.
  5. From the console wizard, select em0 as the WAN interface.
  6. Once the installation is complete, log into the web interface. You can select all the defaults here as well and set up the admin password. The default login credential is admin with password pfsense.
  7. This is optional, but I always like to do this. Go to System > Package Manager > Available Packages and search for VMware Tools. Go ahead and install that package.
  8. Before you get too far, you want to create a firewall rule to allow yourself into the web interface from the WAN network. By default, it will block that access once a LAN network is created. So go to Firewall > Rules, select WAN, click Add (Up arrow). Select the defaults for everything, but set source match to “any” and destination match “WAN address” and destination port range HTTPS (443). Click Save and Apply Settings.
  9. If you miss this step or otherwise mess it up, open the console of the VM, press 8 to enter shell, and enter pfctl -d to disable the firewall.

Configure Interfaces

  1. Go to Interface > Assignments and we’ll assign all those Host-Only connections.
  2. Starting with em1, simply click “Add” for each interface. Click Save.
  3. For each interface, click the name to the left of it (i.e., LAN)
  4. Check the box “Enable this interface”
  5. Rename the networks to match their function (Management, vMotion, vSAN, Hyp TEP, Edge TEP)
  6. Set the static IP as the .254 of each network (i.e., 192.168.102.254) and set the prefix length (the “/” field) to 24
  7. Click Save, then Apply Settings

Configure Firewall Rules

  1. By default, PFSense blocks all traffic on all its networks. So the networks you just created can’t reach the internet or even each other. This is fine for the vMotion and vSAN networks, but the hyp and edge TEP networks will need to be able to route to each other.
    1. Go to Firewall > Rules
    2. Select HYPTEP, then Add.
    3. Create a rule to PASS Protocol any from source HYPTEP net to destination EDGETEP net.
    4. Create another rule to PASS from source EDGETEP net to destination HYPTEP net.
    5. Create the same rules on the EDGETEP network.
  2. The Management network will need to reach the internet, but that rule is created by default (you should see a “Default allow LAN to any” rule). So at this point we should be all set as far as firewalling goes.

Configure DHCP

  1. This is probably not how most places would do things, but for my homelab purposes I’m going to enable DHCP for everything so that I don’t need to manage IP addresses.
  2. Go to Services > DHCP Server
  3. For each network, check the box to enable DHCP on that interface
  4. Create the range as the .100-.200 addresses of that network (so we can still use static IPs if we want). So for management, the range is 192.168.102.100-192.168.102.200.
  5. Leave everything else as default.
  6. Click Save.
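As an added example (not code from the post), the Python model below encodes the subnet plan, DHCP pools and pass rules from the Configure Firewall Rules and Configure DHCP sections and checks the intended reachability: Management reaches anything, the two TEP networks reach each other, and vMotion and vSAN stay isolated under pfSense's default deny. It also flags a static address that falls inside a DHCP pool, a check worth running before handing out host-adapter or static addresses. Management is 192.168.102 as in the post; the order of the other four roles across 103-106 is an assumption.

```python
import ipaddress

INTERNET = object()  # sentinel for "any destination outside the lab networks"

# Host-only networks from the post: VMNet2-VMNet6 -> 192.168.102.0/24 .. 192.168.106.0/24.
# Management is 192.168.102 per the post; the order of the remaining roles is an assumption.
ROLES = ["Management", "vMotion", "vSAN", "HYPTEP", "EDGETEP"]
NETS = {r: ipaddress.ip_network(f"192.168.{102 + i}.0/24") for i, r in enumerate(ROLES)}

# Pass rules as the post creates them: (ingress interface, source net, destination net).
# Anything not matched here is dropped by pfSense's implicit default deny. Rules are
# checked on the interface traffic enters, so only rules whose source is that
# interface's own network can ever match.
RULES = [
    ("Management", "Management", "any"),  # the "Default allow LAN to any" rule
    ("HYPTEP", "HYPTEP", "EDGETEP"),
    ("HYPTEP", "EDGETEP", "HYPTEP"),
    ("EDGETEP", "HYPTEP", "EDGETEP"),
    ("EDGETEP", "EDGETEP", "HYPTEP"),
]

def interface_plan(role):
    """pfSense address (.254/24) and DHCP pool (.100-.200) for one network, as in the post."""
    base = NETS[role].network_address
    return {"gateway": base + 254, "dhcp_from": base + 100, "dhcp_to": base + 200}

def ingress(ip):
    """Interface a packet with this source address enters pfSense on (None if unknown)."""
    return next((r for r, net in NETS.items() if ip in net), None)

def allowed(src, dst):
    """First-match evaluation on the ingress interface. Filtering is stateful, so only the
    forward direction must pass. src is an IP string; dst is an IP string or INTERNET."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = None if dst is INTERNET else ipaddress.ip_address(dst)
    for iface, rsrc, rdst in RULES:
        if iface != ingress(src_ip) or src_ip not in NETS[rsrc]:
            continue
        if rdst == "any" or (dst_ip is not None and dst_ip in NETS[rdst]):
            return True
    return False

def dhcp_conflict(role, static_ip):
    """True if a statically assigned address sits inside the DHCP pool (a lease could collide)."""
    plan = interface_plan(role)
    return plan["dhcp_from"] <= ipaddress.ip_address(static_ip) <= plan["dhcp_to"]

def reachability():
    """Set of (source role, destination role) pairs that pass, probing each network's .10 host."""
    return {(a, b) for a in ROLES for b in ROLES
            if a != b and allowed(str(NETS[a][10]), str(NETS[b][10]))}
```

Running reachability() before adding hosts gives a quick regression check when rules are edited later; any pair that appears beyond Management-to-anything and HYPTEP/EDGETEP in both directions means a rule is wider than the post intends.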

Configure DNS

  1. Conveniently, PFSense comes with its own DNS service. Click on Services > DNS Resolver.
  2. Since we’re already being lazy with DHCP, we’re going to take advantage of DHCP registration so that we can kind of just fire up VMs and not worry about the rest.
  3. Change Network Interfaces and Outgoing Network Interfaces to Management and Localhost (ctrl click to select both).
  4. About halfway down the page, check the boxes for Register DHCP leases in the DNS Resolver and Register DHCP static mappings in the DNS Resolver.
  5. Click Save and Apply Settings.
  6. If you didn’t in the initial setup, go to System > General Setup and set the domain name (e.g., homelab.local or similar)

Conclusion

So at this point, we should be all set to start installing our virtual infrastructure. One note around accessing the management network: the VMware Workstation network should have given your desktop an interface on the host-only networks, but in my experience it doesn’t always work right off the bat. You may need to reset it a bit by editing the network and unchecking, then rechecking, “Connect a host adapter to this network.” Then you may also need to add a route to that network so your desktop knows how to send traffic there. In my case, my host adapter IP was 192.168.102.100. So to add the route I ran route add 192.168.102.0 mask 255.255.255.0 192.168.102.100. Now you’re kind of bypassing PFSense directly, but that’s something we need to do for this case; otherwise you’d need to create a VPN into it or otherwise advertise the routes on your local network, which most consumer routers don’t support.

Written on September 15, 2021