Part1 - pfSense OpenVPN Server on VMWare ESXi for Layer 2 Bridge Client from Site A to Site B

OK, so the goal of this howto is to provision a pfSense 2.0.3 virtual appliance at Site A and Site B (on existing VMWare ESXi infrastructure) behind 2 geographically different private networks and bring up a layer 2 bridge between sites. What this leaves us with is a stretched LAN on the same single subnet across two sites.

This HOWTO guide is separated into 4 parts:

Part 1 - This Page (OpenVPN Client & Server)
Part 2 - This Page (OpenVPN Client & Server)
Part 3 - This Page (OpenVPN Server Only)
Part 4 - This Page (OpenVPN Client Only)

Why would you want to stretch one subnet across two sites?
There are many reasons you might need this, for example:
- To connect into a client's network to start an in-place server upgrade (Active Directory).
- To provide your end users with easy/quick access to DR (Disaster Recovery) servers at an offsite location without having to change the IPs/gateways etc. of hosts.
- Site B was the result of an acquisition and they already use the same subnet as head office.
- Office moves, to allow a gradual physical move of office equipment (providing the WAN links are fast enough) with minimal downtime.

Environment Variables
In this guide I have used 2 x virtual pfSense appliances with 10GB vHDDs/1 vCPU/1GB RAM and a single E1000 NIC.

This HOWTO assumes the pfSense appliances will be on private networks at Site A and Site B using source NAT outbound to the internet, with destination NAT configured at Site A only for UDP 1194 back to the pfSense OpenVPN virtual appliance.

Site A
Internet Gateway: 192.168.2.254 /24
pfSense Virtual Appliance (OpenVPN Server) : 192.168.2.253 /24
DHCP Enabled (.100-.150)

Site B
Internet Gateway: 192.168.2.252 /24
pfSense Virtual Appliance (OpenVPN Server) : 192.168.2.251 /24
DHCP Enabled (.151-.200)
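Because the bridge turns the two sites into one broadcast domain, there are two DHCP servers on one subnet, and the only thing stopping them from leasing the same address is the pool split above (.100-.150 at Site A, .151-.200 at Site B). The following PowerShell is an added example, not part of the original post, that checks an address plan of this shape: both pools fall inside the subnet, the pools do not overlap, and the static addresses (gateways and the pfSense appliances) sit outside every pool. The function name and the hashtable layout are my own; the values in the usage block are the ones listed above.

```powershell
# Added example (not from the original post): sanity-check a stretched-subnet
# address plan before bridging two sites that each run their own DHCP server.

function ConvertTo-UInt32IP {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # address bytes are big-endian; BitConverter is little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-AddressPlan {
    param(
        [string]$Subnet,          # e.g. '192.168.2.0/24'
        [hashtable]$Pools,        # site name -> @{ Start = '...'; End = '...' }
        [hashtable]$StaticHosts   # description -> address
    )
    $problems = @()
    $netAddr, $prefix = $Subnet -split '/'
    $mask  = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    $netId = (ConvertTo-UInt32IP $netAddr) -band $mask

    # Resolve each pool to a numeric range and make sure it lives in the subnet.
    $ranges = @{}
    foreach ($site in $Pools.Keys) {
        $s = ConvertTo-UInt32IP $Pools[$site].Start
        $e = ConvertTo-UInt32IP $Pools[$site].End
        if ($s -gt $e) { $problems += "$site pool start is after its end" }
        if ((($s -band $mask) -ne $netId) -or (($e -band $mask) -ne $netId)) {
            $problems += "$site pool is not inside $Subnet"
        }
        $ranges[$site] = @($s, $e)
    }

    # Every pair of pools must be disjoint, or both DHCP servers can lease the same IP.
    $names = @($ranges.Keys)
    for ($i = 0; $i -lt $names.Count; $i++) {
        for ($j = $i + 1; $j -lt $names.Count; $j++) {
            $a = $ranges[$names[$i]]; $b = $ranges[$names[$j]]
            if (($a[0] -le $b[1]) -and ($b[0] -le $a[1])) {
                $problems += "DHCP pools for $($names[$i]) and $($names[$j]) overlap"
            }
        }
    }

    # Static addresses (gateways, the pfSense appliances) must sit outside every pool.
    foreach ($name in $StaticHosts.Keys) {
        $ip = ConvertTo-UInt32IP $StaticHosts[$name]
        if (($ip -band $mask) -ne $netId) {
            $problems += "$name ($($StaticHosts[$name])) is outside $Subnet"
        }
        foreach ($site in $ranges.Keys) {
            if (($ip -ge $ranges[$site][0]) -and ($ip -le $ranges[$site][1])) {
                $problems += "$name ($($StaticHosts[$name])) falls inside the $site DHCP pool"
            }
        }
    }
    return $problems
}

# Usage with the plan from this post (constructed from the values above).
$plan = @{
    Subnet = '192.168.2.0/24'
    Pools  = @{
        SiteA = @{ Start = '192.168.2.100'; End = '192.168.2.150' }
        SiteB = @{ Start = '192.168.2.151'; End = '192.168.2.200' }
    }
    StaticHosts = @{
        'Site A gateway' = '192.168.2.254'; 'Site A pfSense' = '192.168.2.253'
        'Site B gateway' = '192.168.2.252'; 'Site B pfSense' = '192.168.2.251'
    }
}
$issues = @(Test-AddressPlan @plan)
if ($issues.Count -eq 0) { 'Address plan OK: pools are disjoint and static hosts sit outside them' }
else { $issues }
```

Run it again whenever a pool boundary or a static address changes at either site; an overlap only shows up in production as intermittent duplicate-IP complaints once the bridge is up.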

Step 1 - Set up your Virtual Switch to Accept Promiscuous Mode

a. Log in to your VMWare environment - vCenter or directly to the ESXi host(s)

b. Click the Configuration tab and click Networking

c. Edit the Properties of your LAN virtual switch. This is the virtual switch you plan to terminate the single E1000 NIC on. Select the vSwitch and click Edit. Click the Security tab and set Promiscuous Mode to Accept. Click OK, and OK again.
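Accepting promiscuous mode on the whole vSwitch lets every VM attached to it see all traffic on that switch, not only the pfSense appliance. The PowerCLI snippet below is an added example (not from the original post, and not pfSense or VMware documentation) that first audits the current security policy of each vSwitch and port group on the host, then enables promiscuous mode only on the port group the pfSense NIC is attached to, leaving the vSwitch itself at Reject. It assumes an existing PowerCLI session (Connect-VIServer has already been run); the host name is an assumption and the port group name is the "VM Network" example from Step 2c.

```powershell
# Added example (not from the original post). Requires VMware PowerCLI and an
# active Connect-VIServer session. $esxHost is an assumed name; change both
# values to match your environment.
$esxHost   = 'esxi-sitea.example.local'   # assumption: your ESXi host or vCenter-managed host
$portGroup = 'VM Network'                 # port group the pfSense E1000 NIC lands on (Step 2c)

# 1. Audit: list the security policy of every vSwitch and port group on the host.
$vmHost = Get-VMHost -Name $esxHost
$audit = foreach ($sw in ($vmHost | Get-VirtualSwitch)) {
    $sw | Get-SecurityPolicy |
        Select-Object @{ n = 'Object'; e = { "vSwitch $($sw.Name)" } },
                      AllowPromiscuous, ForgedTransmits, MacChanges
    foreach ($pg in ($sw | Get-VirtualPortGroup)) {
        $pg | Get-SecurityPolicy |
            Select-Object @{ n = 'Object'; e = { "portgroup $($pg.Name)" } },
                          AllowPromiscuous, ForgedTransmits, MacChanges
    }
}
$audit | Format-Table -AutoSize

# 2. Enable promiscuous mode only on the bridge port group. Setting
#    AllowPromiscuousInherited to $false stops the port group from following the
#    vSwitch value, so the vSwitch can stay at Reject for every other port group.
$vmHost | Get-VirtualPortGroup -Name $portGroup |
    Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -AllowPromiscuousInherited $false

# 3. Re-check just the port group we touched.
$vmHost | Get-VirtualPortGroup -Name $portGroup | Get-SecurityPolicy |
    Select-Object AllowPromiscuous, AllowPromiscuousInherited, ForgedTransmits, MacChanges
```

If you do this, put the pfSense NIC on a port group of its own rather than the shared "VM Network" so that no other VM gains the ability to sniff the segment. The audit also prints ForgedTransmits: a VM that bridges frames on behalf of other hosts sends frames whose source MAC is not its own vNIC's, so that setting usually has to be Accept as well; the original post does not cover it, so confirm it against your own testing of the bridge.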


Step 2 - Deploy your virtual appliances at each site

a. Log in to your VMWare environment at each site and click File > Deploy OVF Template

b. Enter the URL of a pfSense OVA appliance - pfSense Download mirrors http://www.pfsense.org/mirror.php?section=downloads
As I am in Australia, I have used http://mirror.optus.net/pub/pfSense/downloads/pfSense-2.0.3-RELEASE-amd64.ova

c. Click Next, Accept / Next, give the pfSense appliance a name / Next, select a Datastore for the appliance / Next, select Thick Provision / Next, select the Network of your LAN, which should match the network name from Step 1c (e.g. VM Network) that has Promiscuous Mode set to Accept / Next, Review and click Finish.




d. Edit the virtual machine and remove a NIC so that the config looks like the one below


Step 3 - Power on pfSense and set up the basic configuration
a. Connect to the VM console of the new pfSense VM appliance in vSphere by right-clicking the VM and clicking Open Console. You should see a prompt asking if you would like to set up VLANs; type n, unless you have other plans outside the scope of this document.


b. Enter the name of your WAN NIC, which should be visible at the top of the screen (it is the only adapter), e.g. em0

c. When prompted for the LAN adapter, leave it blank and press Enter

d. Review config and enter 'y' to accept


e. When prompted, type 2 to set an IP on the Site A pfSense appliance WAN interface.

f. Say no to WAN via DHCP, enter the Site A pfSense IP and subnet, and say no to a DHCP server on WAN. Select y to revert to HTTP.

g. You will now see the following screen, which confirms you will be able to access the pfSense web interface on the assigned IP address (of the WAN interface).
Part 2 - HOW TO pfSense 2.0.3 on VMWare ESXi acting as an OpenVPN Layer 2 Bridge from Site A to Site B
