Before moving to the main deployment you must know the basics of VLAN tagging on a virtual switch. If you already know EST, VST and VGT, feel free to jump to the main deployment.
VLAN Tagging and Use Cases of VLAN ID 4095
It was quite surprising for me to learn how useful VLAN 4095 can be, but let me start from the basics.
There are three main approaches to VLAN tagging: External Switch Tagging (EST), Virtual Switch Tagging (VST), and Virtual Guest Tagging (VGT).
External Switch Tagging
With this approach the ESXi host doesn't see any VLAN tags. All of them are stripped off by the external physical switch, and the untagged traffic is sent to the physical switch port that belongs to that VLAN. Therefore, from the ESXi perspective, you need one vmnic per VLAN.
I really don't know in which situations such a config might be useful.
Virtual Switch Tagging
This is the most popular way of connecting vSphere to the physical network. All traffic arriving at the vSwitch from the physical switch (whose port facing the vmnic is configured as a trunk) is tagged with a VLAN ID. It is now the responsibility of the vSwitch to strip off the VLAN tag and send the frame to the virtual machine in the corresponding port group. Thereby you can run all VLANs over one vmnic, though you would normally want a second vmnic for redundancy. The same logic applies to a frame travelling from a virtual machine to the physical infrastructure: the frame is delivered to the vSwitch and, before it is sent to the physical switch, it is tagged with the VLAN ID according to the port group membership of the originating virtual machine.
Virtual Guest Tagging
On some occasions you might need to deliver tagged traffic directly to a VM and let the VM decide what to do with it. To achieve this you assign the VM to a port group with VLAN ID 4095 and configure the guest OS NICs with the needed VLANs. Interestingly, as soon as you enter VLAN ID 4095 it is automatically changed to All (4095).
I didn't pay too much attention to reading about EST and VGT, for the simple reason that they are not used at all in our vSphere farms and I don't want to spend time on something I will never have hands-on experience with. However, when I asked myself how I can sniff traffic on a vSwitch, Google led me directly to VLAN 4095.
Here are the two popular use cases for VLAN 4095:
1. Traffic sniffing: from time to time you face networking problems and would like to use a sniffing tool (or a network protocol analyzer, in the case of Wireshark) to see what is going on behind the scenes. Usually you could enable promiscuous mode on a specific port group and use one of the VMs in that port group to listen to the traffic. However, this brings an additional security risk, as promiscuous mode lets every VM in that port group see all frames passing the vSwitch in the allowed VLAN. It also doesn't let you sniff traffic from different VLANs simultaneously. That's why you would rather use a dedicated port group with VLAN 4095 and promiscuous mode enabled, and connect only the virtual adapter of the VM you use for sniffing to it. Because such a port group exposes every VLAN on the vSwitch, treat membership of it as privileged: attach only the sniffer VM, and remove the port group (or set promiscuous mode back to Reject) when the capture is done.
2. IDS: another good use case of VLAN 4095 is to give a virtual IDS the ability to inspect all vSwitch traffic.
According to the book "VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment", this is quite a common scenario for virtual IDS placement.
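To make the VST and VGT delivery rules above concrete, and to show exactly what promiscuous mode on a VLAN 4095 port group exposes, here is a small Python model of what a standard vSwitch port group does with an 802.1Q tag. It is an added example written for this article, not VMware code: the frames and MAC addresses are constructed, the vSwitch logic is a simplification (one tag per frame, no MAC learning, EST omitted because the host never sees a tag in that mode), and it serves both the tagging section and the sniffing use case.

```python
"""Model of how an ESXi standard vSwitch port group treats 802.1Q tags.

Added example for this article (not VMware code). Frames and MACs are
constructed. Rules modelled, matching the tagging section above:
  VST  (VLAN ID 1..4094): deliver only frames with that VID, tag stripped.
  VGT  (VLAN ID 4095, "All"): deliver every tagged frame with its tag intact;
       the guest OS (e.g. pfSense VLAN interfaces) does the untagging.
  Promiscuous mode Accept: also deliver frames addressed to other MACs.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100
VLAN_ALL = 4095              # ESXi displays this as "All (4095)"


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]       # None = untagged
    ethertype: int
    payload: bytes

    def to_bytes(self) -> bytes:
        hdr = self.dst + self.src
        if self.vid is not None:                     # insert 802.1Q header
            tci = self.vid & 0x0FFF                  # PCP=0, DEI=0, 12-bit VID
            hdr += struct.pack("!HH", TPID_8021Q, tci)
        return hdr + struct.pack("!H", self.ethertype) + self.payload


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame carrying at most one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame too short")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, off = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid, off = tci & 0x0FFF, 18
    return Frame(dst, src, vid, ethertype, raw[off:])


@dataclass
class PortGroup:
    name: str
    vlan_id: int             # 0 = untagged, 1..4094 = VST, 4095 = VGT
    promiscuous: bool = False


def vswitch_deliver(raw: bytes, pg: PortGroup, vm_mac: bytes) -> Optional[bytes]:
    """Bytes the VM's vNIC receives for this frame, or None if the vSwitch drops it."""
    if not 0 <= pg.vlan_id <= VLAN_ALL:
        raise ValueError(f"invalid VLAN ID {pg.vlan_id}")
    f = parse_frame(raw)
    is_group = bool(f.dst[0] & 1)                    # broadcast/multicast bit
    if f.dst != vm_mac and not is_group and not pg.promiscuous:
        return None                                  # not ours and not sniffing
    if pg.vlan_id == VLAN_ALL:
        return raw                                   # VGT: tag passed through
    if pg.vlan_id == 0:
        return raw if f.vid is None else None        # untagged port group
    if f.vid != pg.vlan_id:
        return None                                  # VST: other VLAN, dropped
    return Frame(f.dst, f.src, None, f.ethertype, f.payload).to_bytes()  # VST: tag stripped


def demo() -> dict:
    """Constructed frames: two for pfSense (VLAN 27 and 28), one between other hosts."""
    pfsense = bytes.fromhex("005056aa2701")          # constructed MACs
    other = bytes.fromhex("005056bb2802")
    third = bytes.fromhex("005056cc2803")
    to_pfsense_v27 = Frame(pfsense, other, 27, 0x0800, b"ip").to_bytes()
    to_pfsense_v28 = Frame(pfsense, other, 28, 0x0800, b"ip").to_bytes()
    others_v28 = Frame(third, other, 28, 0x0800, b"ip").to_bytes()
    vst27 = PortGroup("vlan27", 27)
    trunk = PortGroup("TRUNK", VLAN_ALL)
    trunk_promisc = PortGroup("TRUNK", VLAN_ALL, promiscuous=True)
    return {
        "vst_strips_tag": parse_frame(vswitch_deliver(to_pfsense_v27, vst27, pfsense)).vid,
        "vst_drops_other_vlan": vswitch_deliver(to_pfsense_v28, vst27, pfsense),
        "vgt_keeps_tag": parse_frame(vswitch_deliver(to_pfsense_v27, trunk, pfsense)).vid,
        "trunk_no_promisc_sees_others": vswitch_deliver(others_v28, trunk, pfsense) is not None,
        "trunk_promisc_sees_others": vswitch_deliver(others_v28, trunk_promisc, pfsense) is not None,
    }
```

The last two entries of demo() are the security point: a VM on the VLAN 4095 port group with promiscuous mode at Reject still only receives frames addressed to it, while the same port group with promiscuous mode at Accept hands it unicast traffic between other hosts on every VLAN.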
If you know of more situations where VLAN 4095 can be useful, feel free to share them in the comments. I really like to learn vSphere features with real-life examples.
MAIN DEPLOYMENT
I assume you have already installed pfSense inside the ESXi host with all pre-configuration done, so my focus is only on the VLAN side of ESXi and pfSense.
Configurations as per my LAB
ESXI:
- 2 physical NICs online, connected to the physical switch
- VM Network is the default port group and vSwitch0 the default virtual switch, both created when ESXi is installed
- I configured another vSwitch named vSwitch-WAN on the second physical NIC of the ESXi server for WAN traffic.
- The pfSense VM has two virtual NICs: the first is attached to the vSwitch-WAN port group (pfSense WAN), the second to the VM Network port group (pfSense LAN).
- Our main focus is the pfSense LAN: the ESXi VM Network port group, which is the default port group on vSwitch0.
VLAN Scenarios
1- pfSense configured with ESXi VLAN port groups/vSwitch only
2- pfSense configured with VLANs inside pfSense plus ESXi VLAN port groups/vSwitch
Scenario 01: pfSense configured with ESXi VLAN port groups/vSwitch only
Configure the port groups in ESXi Networking and make sure you select vSwitch0 while adding them; a port group created on another vSwitch is not reachable from the pfSense LAN vNIC and none of this will work.
I added 5 new port groups named after their VLANs, e.g. vlan125 and vlan124, each with its respective VLAN ID (125, 124, and so on).
Note: remember the VLAN ID of each VLAN, this is important!
Then simply add 5 vNICs to the pfSense VM, one dedicated to each VLAN, each attached to the matching port group.
You must select the correct port group (created in the previous step) while adding each new network adapter to the pfSense VM.
pfSense VM vNICs added against each port group/VLAN already created
That's it. Now assign IPs inside pfSense for each interface; the other side, the LAB VM (the VM or physical server you want to communicate with on a specific port group/VLAN ID), must be attached to the same port group and addressed in the same subnet as configured in pfSense for that VLAN. In this scenario the vSwitch does the tagging (VST), so pfSense only ever sees untagged interfaces; the cost is one vNIC per VLAN, and since ESXi allows only ten virtual NICs per VM this approach does not scale beyond a handful of VLANs.
Scenario 02: pfSense configured with multiple VLANs inside pfSense plus ESXi VLAN port groups/vSwitch
In this case you configure the port groups in ESXi Networking the same way as in Scenario 01. In addition, you must create one more port group on the same vSwitch0 (the one selected for the other port groups) with VLAN ID 4095 (VGT); VLAN ID 4095 was explained at the start of this article.
The port group with VLAN ID 4095 acts as a trunk port, so I named it TRUNK.
You also need to set promiscuous mode to Accept in the security policy of the TRUNK port group, as shown below. Leave it at Reject on the per-VLAN port groups: with promiscuous mode accepted on an all-VLAN port group, any VM attached to it can see every frame on the vSwitch, so attach only the pfSense LAN vNIC to TRUNK and nothing else.
The rest is configuring the VLANs in pfSense (Interfaces > Assignments, VLANs tab); I created the same VLANs as the port groups on the ESXi host.
Remember: the VLAN ID of the port group in ESXi Networking and the VLAN tag in pfSense MUST be the same.
Also select the LAN interface (the vNIC attached to the TRUNK port group) as the Parent Interface of each VLAN.
Multiple VLANs will look like this in pfSense when all are created.
I have shown just the vlan27 interface here; you need to assign each VLAN interface and configure an IP for it inside pfSense.
Done! Now add a new interface to your LAB VM on the desired port group, give it an IP from the same subnet inside the VM OS, and try to ping the VLAN IP configured in pfSense.
For VLAN 27 I added 192.168.27.1/24 on pfSense and inside the LAB VM OS I gave it 192.168.27.10/24. Pinging 192.168.27.1 from the LAB VM was SUCCESSFUL.
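The three rules both scenarios depend on (all port groups on one vSwitch, the pfSense VLAN tag equal to the ESXi port group VLAN ID, and the LAB VM's port group matching the pfSense subnet its address sits in) are easy to get wrong in a GUI, and the promiscuous-mode setting is the one that silently widens exposure. The following Python check is an added example written for this article, not pfSense or VMware code; its inventory is constructed to mirror the lab (vSwitch0, vlan27 = 192.168.27.0/24, a TRUNK port group on VLAN 4095, pfSense parent interface named vmx1 as an assumption). It is laid out for Scenario 02's trunk design; the VLAN-ID and subnet checks apply equally to Scenario 01.

```python
"""Consistency and exposure check for the ESXi port group / pfSense VLAN mapping.

Added example for this article, not pfSense or VMware code. lab_inventory()
is constructed to match the lab; feed check() the real port group list,
pfSense VLAN table and VM adapters to get the same findings on a live setup.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

VLAN_ALL = 4095


@dataclass
class PortGroup:
    name: str
    vswitch: str
    vlan_id: int
    promiscuous: bool = False          # ESXi security policy "Promiscuous mode"


@dataclass
class PfsenseVlan:
    parent: str                        # pfSense parent interface, e.g. "vmx1" (assumed name)
    tag: int
    address: str                       # interface address, e.g. "192.168.27.1/24"


@dataclass
class VmNic:
    vm: str
    portgroup: str
    address: str                       # guest OS address, e.g. "192.168.27.10/24"


def check(portgroups: List[PortGroup], vlans: List[PfsenseVlan],
          lan_portgroup: str, nics: List[VmNic], trunk: str = "TRUNK") -> List[str]:
    """Return a list of findings; an empty list means the mapping is consistent."""
    findings = []
    by_name = {p.name: p for p in portgroups}
    by_vlan = {p.vlan_id: p for p in portgroups if p.vlan_id != VLAN_ALL}

    # Scenario 01 note: every port group must sit on the one vSwitch pfSense uses.
    switches = {p.vswitch for p in portgroups}
    if len(switches) > 1:
        findings.append(f"port groups span several vSwitches: {sorted(switches)}")

    # Scenario 02: the pfSense LAN vNIC must be on the VLAN 4095 (VGT) port group.
    lan = by_name.get(lan_portgroup)
    if lan is None or lan.vlan_id != VLAN_ALL:
        findings.append(f"pfSense LAN port group {lan_portgroup!r} is not VLAN 4095")

    for p in portgroups:
        if not 0 <= p.vlan_id <= VLAN_ALL:
            findings.append(f"port group {p.name}: invalid VLAN ID {p.vlan_id}")
        # Promiscuous mode shows a VM all vSwitch traffic; allow it on the trunk only.
        if p.promiscuous and p.name != trunk:
            findings.append(f"port group {p.name}: promiscuous mode accepted")

    # pfSense VLAN tag and ESXi port group VLAN ID must be identical.
    parents = {v.parent for v in vlans}
    if len(parents) > 1:
        findings.append(f"pfSense VLANs use several parent interfaces: {sorted(parents)}")
    for v in vlans:
        if not 1 <= v.tag <= 4094:
            findings.append(f"pfSense VLAN tag {v.tag} is outside 1..4094")
        elif v.tag not in by_vlan:
            findings.append(f"pfSense VLAN {v.tag} has no ESXi port group with that ID")

    # Lab VM: its port group VLAN must be the one whose pfSense subnet holds its IP.
    for nic in nics:
        pg = by_name.get(nic.portgroup)
        if pg is None:
            findings.append(f"{nic.vm}: unknown port group {nic.portgroup!r}")
            continue
        ip = ipaddress.ip_interface(nic.address).ip
        gw = next((v for v in vlans if ip in ipaddress.ip_interface(v.address).network), None)
        if gw is None:
            findings.append(f"{nic.vm}: {nic.address} is in no pfSense VLAN subnet")
        elif gw.tag != pg.vlan_id:
            findings.append(f"{nic.vm}: address is in VLAN {gw.tag} but port group "
                            f"{pg.name} is VLAN {pg.vlan_id}")
    return findings


def lab_inventory():
    """Constructed inventory mirroring the article's lab."""
    portgroups = [
        PortGroup("VM Network", "vSwitch0", 0),
        PortGroup("vlan27", "vSwitch0", 27),
        PortGroup("vlan28", "vSwitch0", 28),
        PortGroup("TRUNK", "vSwitch0", VLAN_ALL, promiscuous=True),
    ]
    vlans = [PfsenseVlan("vmx1", 27, "192.168.27.1/24"),
             PfsenseVlan("vmx1", 28, "192.168.28.1/24")]
    nics = [VmNic("LAB-VM", "vlan27", "192.168.27.10/24")]
    return portgroups, vlans, nics


def demo():
    """Clean lab, then the same lab with the VM on the wrong port group."""
    pgs, vlans, nics = lab_inventory()
    clean = check(pgs, vlans, "TRUNK", nics)
    slipped = check(pgs, vlans, "TRUNK", [VmNic("LAB-VM", "vlan28", "192.168.27.10/24")])
    return clean, slipped
```

The "slipped" case in demo() is the failure you would otherwise diagnose by a silent ping timeout: the VM is addressed in 192.168.27.0/24 but its adapter is on the vlan28 port group, so its frames never reach pfSense's vlan27 interface.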
Your questions are welcome. Also let me know if you have a better idea about my implementation.
Hi,
pfSense LAN NIC is on the trunk port group. Do you also have to create a port group for each VLAN you created (27, 28..), and in order for a VM to belong to that VLAN its NIC has to be connected to the corresponding VLAN port group, right?
Yes, I created port groups for the VLANs.