I have many customers, mainly small and medium businesses, who like to run custom-built firewalls at their sites using open source solutions. Many are using pfSense, since it's really a great piece of software.
Among its many features, there is also the possibility to create a stretched LAN between two pfSense devices. This lets you have two sites with the same IP addressing, and it can be a good solution when you have to move workloads and virtual servers without changing their network configuration.
One use of this configuration is having a local vSphere environment at the customer's site, with its own pfSense firewall connected to another pfSense deployed inside a vCloud tenant. In this way even small customers can have a sort of Disaster Recovery solution, hosted inside a vCloud tenant. There are some cons in doing this instead of using the integrated vShield Edge, but at the moment pfSense is (in my really humble opinion) a better solution than Edge.
In this series of articles, I will show you how to deploy, configure and use pfSense in vCloud Director to create the stretched LAN.
Prepare your vCloud environment
First, you need to create the internal network. If all your remote VMs will be part of the same vApp, you can create a vApp Network for the internal part rather than an Organization network. This network will have a gateway and a static IP pool compatible with the local LAN you already have. Choose whether you want a static IP pool or whether you are going to assign IPs manually (or run a DHCP server on the remote pfSense). Be careful, since this network will have the same subnet as the one at the existing customer's site, so you need to avoid duplicate IPs.
Deploy and configure the remote pfSense
Then, you need to create the remote pfSense inside vCloud. After uploading the ISO image to a catalog, you create the VM. It will need two NICs: one for the outside connection in direct mode, and the other on the inside (the network you created before) to become the gateway of the whole tenant (or of the vApp, if you chose that option). It's outside the scope of this article to show you how to install and configure pfSense, but I'm giving you some tips anyway.
After the initial configuration of the two interfaces, you will have to go to the WebGUI to finish the configuration. Two problems may arise. First, if the external network of vCloud has no DHCP, the WAN link will get no IP address. You can configure it manually as I'm showing you in the next screenshot, but you will still lack the gateway to let pfSense reach the internet. If you open VMRC, this is what you will see:
From here, choose 8 to open the local Shell, and run:
route add default x.x.x.x
This will add the route for reaching the WAN gateway. The second problem is reaching the WebGUI from the WAN side. You have two options: deploy a VM inside vCloud, connect it to the LAN segment and open the WebGUI from there; or enable WAN administration and save the money of deploying a new VM. To do so, still in the shell, run:
pfctl -d
This will temporarily disable the packet filter, and you will be able to point a browser at the WAN IP address of pfSense to open the WebGUI and the setup wizard:
Among the several configuration options you will find in the wizard, you will need to configure the gateway, since the route you added via the shell will not survive a reboot:
Last, assign a really strong password to the admin user (remember you are running the management interface on the public internet!!!) and reload the configuration. At every configuration change, pf will be re-enabled, so you will need to disable it several times to complete the configuration via WAN, unless you choose to leave it open for remote administration. In that case, better switch to HTTPS and also add source rules so the WebGUI can be reached only from certain IP addresses.
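As an added example (my own script, not from the post or from the pfSense project), here is a small /bin/sh script for the temporary shell steps above. It checks that the gateway actually lies inside the WAN subnet before adding the default route (otherwise the kernel refuses the route with "Network is unreachable"), runs route add and pfctl -d only when that check passes, and with DRY_RUN=1 just prints the commands. The function names, the file name and the 203.0.113.0/24 addresses are my own assumptions; as described above, both changes are lost on reboot and pf comes back on every configuration save.

```shell
#!/bin/sh
# Added example, not from the original post: the two temporary shell
# steps (default route + "pfctl -d") with a sanity check in front.
# Assumptions: runs in the pfSense shell (FreeBSD /bin/sh) as root, and
# "route" and "pfctl" are the stock FreeBSD/pfSense tools.
# Both changes are lost on reboot, and pf is re-enabled on every config save.

# Print an IPv4 dotted quad as a 32-bit integer; exit 1 on malformed input.
ip_to_int() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    _n=0; _count=0; _oldifs="$IFS"; IFS=.
    for _oct in $1; do
        _count=$((_count + 1))
        if [ "$_oct" -gt 255 ]; then IFS="$_oldifs"; return 1; fi
        _n=$(( (_n << 8) + _oct ))
    done
    IFS="$_oldifs"
    [ "$_count" -eq 4 ] || return 1
    echo "$_n"
}

# Netmask for a prefix length (0-32) as a 32-bit integer.
prefix_to_mask() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# Exit 0 when GW lies inside WANIP/PREFIX and is not the WAN address itself;
# otherwise "route add default GW" is rejected with "Network is unreachable".
same_subnet() {
    _wan=$(ip_to_int "$1") || return 2
    _mask=$(prefix_to_mask "$2") || return 2
    _gw=$(ip_to_int "$3") || return 2
    [ "$_wan" -ne "$_gw" ] && [ $(( _wan & _mask )) -eq $(( _gw & _mask )) ]
}

# Apply the bootstrap; with DRY_RUN=1 only print what would be run.
bootstrap_wan_admin() {
    if ! same_subnet "$1" "$2" "$3"; then
        echo "gateway $3 is not reachable from $1/$2" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "route add default $3"
        echo "pfctl -d"
        return 0
    fi
    route add default "$3" && pfctl -d
}

# Usage (addresses are made-up documentation values, not from the post):
#   DRY_RUN=1 sh bootstrap_wan.sh 203.0.113.10 24 203.0.113.1
if [ $# -eq 3 ]; then
    bootstrap_wan_admin "$@"
fi
```

Run it with DRY_RUN=1 first to see the two commands it would issue; without DRY_RUN it performs them, after which you still have to set the gateway in the wizard so it survives a reboot.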