For my requirements, pfSense is going to be the router for the second network, which will be the workload network. This translates to pfSense having two NICs: one on my main home network and the second on the workload network.

The two IP addresses for pfSense will be:

  • Management IP: 192.168.2.199
  • Workload IP: 192.168.1.253

This workload IP will also be the default gateway for the workload subnet.

VM Deployment

After downloading the pfSense ISO from the download site and uploading it to a datastore, it is time to deploy a new VM.

Most of this is a straightforward VM deployment:

Select the compute resource.

Select storage.

For the guest OS, choose FreeBSD 14 or later (64-bit).

For hardware customization there are a few items to change. First, set the SCSI controller to LSI Logic SAS instead of VMware Paravirtual. Second, add a second NIC and connect it to the workload port group. Last, attach the ISO we uploaded earlier to the CD/DVD drive.

After those changes, the hardware should look like this.

Great. Now we finish the deployment and power on the VM. Once the VM is running, connect to it through the vSphere console.

pfSense Installation

The first screen we see is a copyright notice.

Followed by the installer.

And a question about the keymap.

When asked how to partition the disk, choose the BIOS option. The partition scheme has to match the firmware type the VM was created with, which is BIOS here.

The install kicks off and we wait. My installation took quite a while, which is likely due to my slow storage. Yours may be quicker.

When the installer asks about Manual Configuration (opening a shell in the new system to make final changes), answer No.

Next we reboot, making sure to disconnect the attached ISO first, or the VM will boot straight back into the installer.

Once rebooted, open the console again.

IP Configuration

The first question asks whether to configure VLANs, which I decided against in my environment. The second question is which NIC will be the WAN interface. Because my first NIC is the one attached to the main subnet, the WAN is vmx0.

As one might guess, the next question is which NIC is the LAN interface. My workload subnet is on the second NIC, which is vmx1. Then answer "y" to proceed with assigning the interfaces.

On completion, we can configure the NICs by selecting "Set interface(s) IP address", which is option 2 in the console menu.

Select the WAN interface and configure the IP address and subnet mask to match your environment. The WAN in this instance is my normal home subnet.

Enter the upstream gateway IP, answer the DHCP6 question, and answer the prompt asking whether to revert the webConfigurator protocol to HTTP. Keep HTTPS (answer n): there is no reason to expose the admin interface over plaintext, even in a lab.

Now that the WAN is configured we need to do the same for the LAN. Choose the option to set the IP addresses again, and this time pick the LAN interface.

Set the IP address and the subnet mask.

Now that the IP addresses are configured, there is one last thing to do in the console. By default pfSense has no pass rules on the WAN, so everything arriving from the WAN is blocked, including connections to the pfSense web interface, which the default rules only allow from the LAN side. The two options are a jumpbox on the LAN from which to reach the web interface, or a firewall rule that allows the traffic in from the WAN.

In this instance I created a firewall rule and then temporarily disabled the firewall. This is not recommended in any kind of production environment, but I am fine with it here.

Select option "8" for Shell and enter the command:

easyrule pass wan any any any

This creates a pass rule on the WAN interface for any protocol, from any source, to any destination: an any/any rule from the WAN into pfSense and the LAN. There is one other command we need to run:

pfctl -d

This command disables the packet filter (pf) entirely. It should be noted that this is very temporary: a reboot, or any change in pfSense that triggers a filter reload, re-enables the firewall, and you may need to run this command again. Re-enable the packet filter yourself as soon as the web interface is reachable.

You may wonder why we create a firewall rule just to disable the firewall, which is a great question. Despite the any/any rule, the WAN interface still has the "Block private networks" and "Block bogon networks" options enabled, and the block rules they generate are evaluated before user rules, so traffic from our RFC1918 WAN is still dropped until we turn those options off in the web interface. Turning them off reloads the filter, which re-enables it, and at that point the any/any rule is what keeps the web interface reachable from the WAN, saving us a step or two later on.

Now that the firewall rule is in place, open the IP address of the WAN interface in a browser.

Web Interface Configuration

The default credentials for pfSense are admin / pfsense.

Next is a wizard for the initial configuration. A number of fields are already populated from how we configured the interfaces at the console.

First is general info about the appliance: hostname, domain and DNS servers. Enter what makes sense for your environment.

Followed by NTP info. I left the defaults here.

Next up is the WAN info, which should be mostly completed already. Here we also want to uncheck "Block RFC1918 Private Networks" and "Block bogon networks".

Because our "WAN" is a private IP range, those two options generate block rules that would still stop us from reaching pfSense and other resources on the workload network, despite our any/any rule.

Next is the LAN info, which should already match what we set at the console.

Change the default admin password.

Reload the configuration.

Now the initial configuration is complete. Click Finish.

Once on the dashboard there is full access to the different configuration sections. For our purposes, though, we are done.

If for some reason your dashboard doesn't load, you may have missed the easyrule added earlier, or forgotten to uncheck the RFC1918 and bogon options. If that is the case, disable the firewall again from the console shell, then navigate to the WAN interface settings and correct those options.
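As an added example, not part of the original post, here is a small POSIX sh helper that ties together the console shell steps above and this troubleshooting paragraph. It prints a scoped easyrule (only the admin workstation, only TCP 443, only to the WAN address) as a tighter alternative to the any/any rule, classifies the first line of pfctl -s info so you can confirm whether pfctl -d is still in effect, and inspects the WAN section of config.xml for the "Block private networks" / "Block bogon networks" flags the wizard step turns off. The script name, the admin address 192.168.2.10, the /24 masks and the sample config.xml and pfctl output are assumptions or constructed data; the config element names blockpriv and blockbogons, the /cf/conf/config.xml path and the easyrule argument order are pfSense's own.

```shell
#!/bin/sh
# pfsense_wan_access_check.sh (hypothetical name; added example, not from the
# original post). Helper for the temporary WAN-side admin access used in this
# walkthrough. Run it from the pfSense shell (console option 8). Where pfctl
# is not on the PATH it falls back to constructed sample data, so the logic
# can be exercised on any POSIX sh.

# Accept only a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    n=0
    old_ifs=$IFS; IFS=.
    for o in $1; do
        n=$((n + 1))
        [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Print a scoped alternative to "easyrule pass wan any any any": only the
# admin workstation, only TCP 443, only to the WAN address.
# Usage: scoped_easyrule <admin-ip> <wan-ip>
scoped_easyrule() {
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    printf 'easyrule pass wan tcp %s %s 443\n' "$1" "$2"
}

# Classify the first line of "pfctl -s info".
# Returns 0 = enabled, 1 = disabled (e.g. after pfctl -d), 2 = unrecognised.
pf_status() {
    case $1 in
        "Status: Enabled"*)  return 0 ;;
        "Status: Disabled"*) return 1 ;;
        *)                   return 2 ;;
    esac
}

# Print which of the WAN "Block private networks" (<blockpriv>) and
# "Block bogon networks" (<blockbogons>) flags are still set in config.xml.
# pfSense turns these into block rules ahead of any user pass rule, so on an
# RFC1918 WAN they override the easyrule above. Returns 1 if any is set.
# Assumes one element per line, as pfSense writes the file.
# Usage: wan_block_flags <config-xml-text>
wan_block_flags() {
    wan=$(printf '%s\n' "$1" | sed -n '/<wan>/,/<\/wan>/p')
    found=""
    case $wan in *"<blockpriv"*)   found="$found blockpriv" ;; esac
    case $wan in *"<blockbogons"*) found="$found blockbogons" ;; esac
    printf '%s\n' "${found# }"
    [ -z "$found" ]
}

# Constructed sample data (not captured from a real appliance), used only when
# pfctl is unavailable. The /24 masks are an assumption; the post omits them.
SAMPLE_PFCTL_INFO='Status: Disabled for 0 days 00:02:13           Debug: Urgent'
SAMPLE_CONFIG='<pfsense>
  <interfaces>
    <wan>
      <if>vmx0</if>
      <ipaddr>192.168.2.199</ipaddr>
      <subnet>24</subnet>
      <blockpriv></blockpriv>
      <blockbogons></blockbogons>
    </wan>
    <lan>
      <if>vmx1</if>
      <ipaddr>192.168.1.253</ipaddr>
      <subnet>24</subnet>
    </lan>
  </interfaces>
</pfsense>'

main() {
    admin_ip=${1:-192.168.2.10}   # assumed admin workstation on the home LAN
    wan_ip=${2:-192.168.2.199}    # the post's management (WAN) address

    if command -v pfctl >/dev/null 2>&1; then
        info=$(pfctl -s info 2>/dev/null | head -n 1)
        cfg=$(cat /cf/conf/config.xml)
    else
        echo "pfctl not found: dry run on constructed sample data"
        info=$SAMPLE_PFCTL_INFO
        cfg=$SAMPLE_CONFIG
    fi

    echo "Scoped rule instead of any/any:"
    echo "  $(scoped_easyrule "$admin_ip" "$wan_ip")"

    pf_status "$info" && rc=0 || rc=$?
    case $rc in
        0) echo "pf: enabled  (WAN access relies on pass rules; pfctl -d disables pf until the next filter reload)" ;;
        1) echo "pf: DISABLED (pfctl -e, a reboot or any filter reload turns it back on)" ;;
        *) echo "pf: unrecognised status line: $info" ;;
    esac

    flags=$(wan_block_flags "$cfg" || true)
    if [ -n "$flags" ]; then
        echo "WAN still blocks: $flags -> uncheck these on the WAN interface or in the wizard"
    else
        echo "WAN private/bogon blocking is off"
    fi
}

main "$@"
```

On a real pfSense box the script reads the live pfctl status and config.xml; anywhere else it reports against the embedded sample, which is why it is safe to run on a workstation first. The scoped rule deliberately still needs the block-private/bogon options cleared, since those rules sit in front of it.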

If everything is working you should get this page.

Next up will be our HAProxy configuration.