IPv6 on pfSense VM on ESXi

#1

Hello,

I have a VM on ESXi with pfSense installed and IPv6 settings, but it's not working: can't ping, can't route …

I want to use pfSense as a router for my IPv6 LAN using the ESXi port, but IPv6 is not working.

My settings on the WAN port of the pfSense VM are:

IPv6: DHCP6
Prefix length: 64
The DUID inserted as described in another post in the community, as well as the settings, but no luck.

What's wrong? Is this allowed by Online, to use IPv6 without IP failover with ESXi as the hypervisor?

Thanks in advance, help appreciated!!

#2

It seems you don't need IPv6 or two public IP addresses to install a VM as a FW and keep access to the vSphere web interface; just follow these steps (tested with ESXi 6.5):

  • Create another vSwitch without a physical NIC
  • Create 2 port groups associated with the new vSwitch, with the same VLAN ID, for example:
    • “Mgt network”
    • “LAN”
  • Create another vmkernel NIC in the “Mgt network” port group, for example:
    • IP: 10.0.0.1
    • Mask: 255.255.255.0
  • Configure a VM with two NICs:
    • NIC 1:
      • Associated with the default port group in the original vSwitch
      • MAC address: clone the physical NIC MAC address of the server (it doesn't interrupt vSphere access; you can access the Internet but, at this step, you can't access this VM)
      • IP: public IP of your server
      • Mask: mask of your server
      • Gateway: gateway of your server
    • NIC 2:
      • Associated with the new port group “LAN”
      • IP: 10.0.0.254
      • Mask: 255.255.255.0
    • I don't use pfSense, so I just explain for a Debian Linux install:
      • Install the package iptables-persistent
      • Enable IPv4 forwarding
        • Edit /etc/sysctl.conf:
          net.ipv4.ip_forward = 1

        • Apply it:
          sysctl -p /etc/sysctl.conf

        • Create a file, for example “firewall.sh”, to hold your iptables rules, for example:

#!/bin/bash
# Rebuilds the whole rule set from scratch; run as root.
set -e
# variables (the script refuses to run until both interface names are set)
LAN=10.0.0.0/24
ExtNIC="${ExtNIC:?set ExtNIC to the FW external nic name}"
LANNIC="${LANNIC:?set LANNIC to the FW nic name in the LAN}"
# Loopback address
LOOP=127.0.0.1
# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -t nat -F
# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Prevent external packets from using loopback addr
iptables -A INPUT -i "$ExtNIC" -s $LOOP -j DROP
iptables -A FORWARD -i "$ExtNIC" -s $LOOP -j DROP
iptables -A INPUT -i "$ExtNIC" -d $LOOP -j DROP
iptables -A FORWARD -i "$ExtNIC" -d $LOOP -j DROP
# Anything coming from the Internet should have a real Internet address
# (anti-spoofing: private ranges are never valid sources on the external nic)
iptables -A FORWARD -i "$ExtNIC" -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i "$ExtNIC" -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i "$ExtNIC" -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i "$ExtNIC" -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i "$ExtNIC" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$ExtNIC" -s 10.0.0.0/8 -j DROP
# Allow local loopback (match on the lo interface, not on the address,
# so a spoofed 127.0.0.1 arriving on the LAN nic is not accepted)
iptables -A INPUT -i lo -j ACCEPT
# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow services such as ssh
## ssh (no -i or -s here, so ssh is also reachable from the Internet; add -s <admin IP> to restrict it)
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# forward and nat: LAN hosts go out through the FW's public IP
iptables -A FORWARD -s $LAN -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN -o "$ExtNIC" -j MASQUERADE
iptables -A FORWARD -i "$LANNIC" -o "$ExtNIC" -s $LAN -j ACCEPT
## port forwarding vsphere: public tcp/443 -> the 10.0.0.1 vmkernel nic
## (the FORWARD rule is required because the FORWARD policy is DROP)
iptables -t nat -A PREROUTING -i "$ExtNIC" -p tcp --dport 443 -j DNAT --to-destination 10.0.0.1:443
iptables -A FORWARD -i "$ExtNIC" -p tcp --dport 443 -d 10.0.0.1 -j ACCEPT
# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o "$ExtNIC" -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o "$ExtNIC" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Save the iptables config so iptables-persistent restores it at boot
iptables-save > /etc/iptables/rules.v4

  • Perform a chmod 0700 on this file and execute it
  • You can install OpenVPN or another VPN; just don't forget to open the ports used in the firewall.sh file and reload it.
  • In the ESXi TCP/IP stack, add an IPv4 gateway: 10.0.0.254 (FW IP)
  • Activate the ESXi autostart (/ui/#/host/manage/system/autostart)
  • Increase the autostart priority of the FW VM
  • Remove the original vmkernel NIC

Your FW is now accessible over SSH and you can reach your vSphere web interface through the port-forwarding rule.
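Added example (mine, not the poster's script and not an Online or VMware tool): once a firewall.sh like the one above has been applied, the thing to check is what the box now answers on from the Internet, which is easy to miss when reading the rules (the ssh rule has no interface or source match, and the 443 DNAT publishes the vmkernel management IP to everyone). The script below parses `iptables-save` output and reports INPUT ACCEPTs reachable on the external NIC, DNATs with no source restriction, and DNATs with no matching FORWARD ACCEPT (with a FORWARD policy of DROP the forward is silently dropped). It runs without root on a constructed dump; `eth0` as the external NIC name and 203.0.113.10 as the admin address are assumptions made for the example, and the hardened variant shows the two `-s` restrictions that close the exposure.

```python
"""Audit an iptables-save dump from a NAT firewall VM: what does the rule set expose
on the external NIC, and does each DNAT have the FORWARD rule it needs?"""
from __future__ import annotations
import shlex

# Constructed sample: roughly what `iptables-save` prints after a firewall.sh like the
# one above, with eth0 as the external NIC (an assumed name).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.1:443
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# Same rules with SSH and the vSphere forward pinned to one admin address
# (203.0.113.10, a documentation-range address chosen for this example).
ADMIN = "203.0.113.10/32"
HARDENED_RULES = SAMPLE_RULES.replace(
    "-A PREROUTING -i eth0 -p tcp", f"-A PREROUTING -i eth0 -s {ADMIN} -p tcp"
).replace("-A INPUT -p tcp -m tcp --dport 22", f"-A INPUT -s {ADMIN} -p tcp -m tcp --dport 22")

OPTS = {"-i": "in_if", "-s": "src", "-d": "dst", "-p": "proto",          # iptables option ->
        "--dport": "dport", "-j": "target", "--to-destination": "to_dest"}  # key in rule dict


def parse_iptables_save(text: str) -> tuple[dict, list[dict]]:
    """Return ({(table, chain): default policy}, [rule dict]) from iptables-save output."""
    table, policies, rules = None, {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"table": table, "chain": toks[1], "stateful": False}
            i = 2
            while i < len(toks):
                if toks[i] == "!":      # negated match ("! -i lo") is not modelled; skipping it
                    i += 3              # errs toward reporting the rule as unrestricted
                elif toks[i] in OPTS:
                    rule[OPTS[toks[i]]] = toks[i + 1]
                    i += 2
                elif toks[i] in ("--ctstate", "--state"):
                    rule["stateful"] = True
                    i += 2
                elif toks[i] == "-m":   # match extension name, e.g. "-m tcp"
                    i += 2
                else:
                    i += 1
            rules.append(rule)
    return policies, rules


def audit(text: str, ext_if: str) -> list[str]:
    """Findings: services the FW itself exposes on ext_if, and DNATs with no FORWARD rule."""
    policies, rules = parse_iptables_save(text)
    findings = [f"policy: {c} default is not DROP"
                for c in ("INPUT", "FORWARD") if policies.get(("filter", c)) != "DROP"]
    # 1. ACCEPT in INPUT with no -s, bound to the external NIC or to no NIC at all, is a
    #    service the firewall answers on from the whole Internet (conntrack rules excluded).
    for r in rules:
        if ((r["table"], r["chain"], r.get("target")) == ("filter", "INPUT", "ACCEPT")
                and not r["stateful"] and r.get("in_if") in (None, ext_if) and r.get("src") is None):
            findings.append(f"exposed: INPUT accepts {r.get('proto') or 'any'}/{r.get('dport') or 'any'} "
                            f"from any source on {ext_if}")
    # 2. With FORWARD policy DROP, a DNAT only works if a FORWARD ACCEPT admits the translated
    #    destination; and a DNAT with no -s publishes that destination to the whole Internet.
    forwards = [f for f in rules if (f["table"], f["chain"], f.get("target"))
                == ("filter", "FORWARD", "ACCEPT") and not f["stateful"]]
    for r in rules:
        if (r["table"], r["chain"], r.get("target")) != ("nat", "PREROUTING", "DNAT"):
            continue
        ip, _, port = r["to_dest"].partition(":")
        port = port or r.get("dport")
        covered = any(f.get("src") is None and f.get("in_if") in (None, ext_if)
                      and (f.get("dst") or ip).split("/")[0] == ip
                      and f.get("dport") in (None, port) for f in forwards)
        if not covered:
            findings.append(f"broken: DNAT to {ip}:{port} has no FORWARD ACCEPT rule, so it is dropped")
        if r.get("src") is None:
            findings.append(f"exposed: DNAT {r.get('proto') or 'any'}/{r.get('dport') or 'any'} "
                            f"-> {ip}:{port} reachable from any source")
    return findings
```

On a real box, feed it the saved rules, e.g. `audit(open("/etc/iptables/rules.v4").read(), "eth0")`. Against the sample it reports ping, ssh and the 443 forward as reachable from any source; against the hardened variant only ping remains. The "broken" finding is the one to look for when a port forward "does nothing": the DNAT is in place but the FORWARD chain never admits the translated packet.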