
Wanted to segment VM traffic with VLANs. I have the following set up:

ESXi Host -> Switch -> pfSense Router -> Internet

My ESXi Host is single NIC

I created a VLAN (VLAN 10) in pfSense using my LAN interface that goes back to the switch (a Cisco 3750). I enabled the VLAN interface in pfSense and gave it an IP address of 192.168.10.1/24.

I gave my ESXi Host an IP of 192.168.10.10/24 and made sure the Management Network Port Group was using VLAN 10 tagging.

On the Cisco switch, I made the switchport to the ESXi Host and to pfSense both trunks, and allowed VLAN 1 (Native) and VLAN 10. I made sure the trunks were state active.

I cannot get my ESXi host to ping the default gateway of 192.168.10.1, and I can't ping the ESX host from the default gateway. Oddly enough, setting up a DHCP server on the VLAN interface lets my ESXi host pull an IP.

I've done all sorts of troubleshooting, I don't have the ability to do a packet capture anywhere to see what the issue is, so I'm hoping this is some small oversight I forgot to check. What do I need to do to allow this router on a stick setup to work?

Things I've tried:

  • Setting up a new port group with a different VLAN, going through the same process as above.
  • Setting the vSwitch to Promiscuous Mode

  • A) I think pfSense blocks ICMP traffic. Please try to see if you can host a quick web server and connect to it from ESXi to firewall and back. B) pfSense treats VLAN interfaces as separate NICs from the switch I believe, so the best option is to set up a DHCP server on the main switch and bridge the VLANs over. C) After that, assign an IP to the VLAN like so (see first answer)
    – rassa45
    Commented Dec 17, 2017 at 20:20
  • Thanks for the help. I'm less concerned with DHCP, as my VMs will have static IPs. Does your solution still apply?
    – Patrick
    Commented Dec 17, 2017 at 20:21
  • Where is your gateway IP pointing to? pfSense? switch? router?
    – rassa45
    Commented Dec 17, 2017 at 20:23
  • Default Gateway on ESX is pointed to the VLAN interface IP on pfsense.
    – Patrick
    Commented Dec 17, 2017 at 20:24
  • Spun up a VM, created a new tagged port group, cannot hit default gateway or hit anything on the Internet. The only thing the VM can ping is the ESX host.
    – Patrick
    Commented Dec 17, 2017 at 21:50

1 Answer

Figured out it was a firewall issue with pfSense.

Previously, I had a rule that allowed any IPv4 TCP traffic from the VLAN network to any destination. This needed to be changed to allow IPv4 with the protocol set to any for ICMP to work.

Also my Native VLAN on my switch was configured, but the trunk port going to the ESXi host didn't allow the Native VLAN on the trunk port.
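The two fixes above, written out as an added example rather than the poster's actual configuration: a Catalyst 3750 trunk configuration for the port facing the single-NIC ESXi host and the port facing the pfSense LAN interface, with the native VLAN (1) and the tagged VLAN (10) both in the allowed list, followed by the IOS commands that verify what the trunk actually carries. Interface numbers and the VLAN name are assumptions. The pfSense side is a GUI change, not config text: on the VLAN 10 interface's firewall rule, the Protocol field must be "Any" (not "TCP") or ICMP is dropped before it reaches the gateway.

```cisco
! Added example (not the original poster's config). Interface numbers and the
! VLAN name are assumptions; adjust to the ports actually cabled.
vlan 10
 name VM-MGMT
!
! Port to the single-NIC ESXi host. The trunk must carry BOTH the native VLAN
! and VLAN 10. In the question the allowed list on this port was missing the
! native VLAN, so untagged frames from the host never crossed the switch.
interface GigabitEthernet1/0/1
 description ESXi-host
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10
 switchport mode trunk
 switchport nonegotiate
!
! Port to the pfSense LAN interface, which is the parent of the VLAN 10
! sub-interface (192.168.10.1/24) in pfSense.
interface GigabitEthernet1/0/2
 description pfSense-LAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10
 switchport mode trunk
 switchport nonegotiate
end
!
! Verification: both ports should show "1,10" under "Vlans allowed on trunk"
! and under "Vlans in spanning tree forwarding state and not pruned". A VLAN
! that is allowed but not forwarding is the symptom described in the question.
show interfaces trunk
show interfaces GigabitEthernet1/0/1 switchport
```

Two caveats a practitioner will want. First, `switchport nonegotiate` is not part of the fix; it just stops DTP from renegotiating the trunk state, which removes one way for a VM to talk the port into a different mode. Second, letting the native VLAN through a trunk means any untagged frame from the host lands in VLAN 1; if everything on the host (including the Management Network port group) is tagged, the more defensible setup is an unused native VLAN on the trunk so that untagged traffic goes nowhere, but that is a design choice beyond what this answer needed.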
