Building a VCF lab with pfSense (Part 2)

Part 2: Configuring pfSense

In the last article, I explained the environment that we would work towards building out. Now that we have the plan down, let’s get started by getting pfSense configured.

I won’t cover how to deploy the pfSense VM, as it’s a fairly simple process. Just make sure you add two NICs to the VM and connect one to your home network via the appropriate portgroup and the other to the trunked portgroup.

The first thing you will want to do is define all the VLAN interfaces. Add all the VLANs we need so that the configuration page resembles this:

After you get the VLANs configured, you can move to the Interface Assignments page and assign the VLANs to a network port. If you look at the following picture, you will see we have two ‘physical’ network ports, em0 and em1. Each of the VLANs we configured earlier is assigned to one network port (em1), while the other is connected to the home network (aka WAN).

Now as you go through and enable each of the interfaces, you will want to check a few things. Of course, make sure each interface is enabled. Also set the MTU for each of the VLAN interfaces to 8940. This allows for the overhead that we have with the nested environment. Note that you will not be able to set the MTU on a VLAN interface unless the parent interface supports it, so make sure you set the parent interface to an MTU of 8940 or higher first. Lastly, make sure each interface has a static IP assigned to it. Remember, in our configuration the pfSense router will use the first IP in each network (i.e., the .1 address).

Next, we’re going to effectively disable the firewall operation. Technically, we don’t have to do this on every network. However, this is a lab, and doing so reduces the number of things that could possibly cause us issues.

To do this, we will go into Firewall/Rules and add a rule on each of the VLANs to pass any IPv4 protocol from any source to any destination. When you do this, you will see a line listed in the list of rules for the interface like this:

Ensure you see a line like this for each VLAN interface before continuing.

Next, we need to configure all the services that the pfSense router will provide. This includes NTP, DHCP, and BGP.

Starting with NTP, we will just configure pfSense to use the pool of time servers to sync to and listen on the management network (VLAN 10).

Next, let’s configure DHCP. We only need the DHCP server on VLAN 14, our host TEP network (172.16.0.0/24). Each ESXi host in the VCF environment will have two NIC interfaces, and each NIC is given an IP address on the host TEP network. This means we need (2 * number_of_hosts) IPs available in the DHCP scope. In a production environment, we might add more to account for growth. In this lab environment, we can go a bit overboard and make the DHCP scope run from 172.16.0.100 to 172.16.0.199.

Below the range, you’ll see an option to specify a DNS server. In this environment, I will set this to the IP for the AD server which will be providing the DNS services.

Most importantly, you will see an option a bit further down to specify a gateway address. Set this to the IP of the pfSense router on this network. In this case, you would set this to 172.16.0.1.

Lastly, let’s set up BGP. There are a few different ways to do this with pfSense. In our case, we’re going to use the FRR routing daemon. However, this is not installed by default with pfSense. Never fear though, the installation is as simple as going to System/Package Manager/Available Packages, finding the FRR package and adding it. Once this completes, you should see it listed in the Installed Packages tab like this:

After you install FRR, you will see some new menu items under the Services tab. Select the FRR BGP menu item to go to the BGP configuration page.

Before we can start to work on configuring BGP, we need to first go to the Global Settings tab. Here, you will enable FRR and set the master password and router ID. The screen should look something like this:

Once FRR is enabled, click on the BGP tab. Here, we will enable BGP routing and set the local AS number to 65001. In my case, I’ve also specified to redistribute the 10.0.0.0 network and the 0.0.0.0 network. I’ve also set it to redistribute IPv4 routes, including any static routes. When done, the configuration screen should look like this:

Next, click on the Neighbors tab. Here, we want to add an entry for each BGP neighbor we will have. You’ll remember from the first part in this series, I mentioned that we will be deploying VCF with AVNs. This means that we will have two edges deployed. Each edge has two uplinks that would be cross-connected to a pair of Top-of-rack switches in a real environment. In our case, these uplinks are just on different VLANs and they will all talk to the pfSense router. As a result, we will want four total entries here, as shown below:

As you are adding the neighbor entries, it’s important to use the remote AS number of 65003 for the neighbors. You also need to set the password that will be used to establish this connection. Remember this, as you will need it later when you are editing the JSON file used for the bringup process.
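For readers who prefer to see the BGP settings from the last two steps in one place, here is what the same configuration looks like in FRR’s own bgpd syntax (as shown by `show running-config` in vtysh). This is an added example, not output from the author’s lab or from the FRR package itself. The local AS (65001), remote AS (65003), and the redistribution of the 10.0.0.0 and 0.0.0.0 networks plus connected and static routes come from the text; the router ID, the four neighbor addresses (one per edge uplink VLAN), the prefix lengths on the two networks, and the password string are placeholders I have assumed, since the article does not give them.

```text
! Added example: FRR bgpd configuration matching the pfSense GUI settings above.
! Router ID, neighbor addresses, prefix lengths and password are assumed placeholders.
frr defaults traditional
hostname pfsense
!
router bgp 65001
 bgp router-id 10.0.0.1
 ! One peer-group for all four edge uplinks so the remote AS and
 ! TCP MD5 password are defined once and applied consistently.
 neighbor EDGE-UPLINKS peer-group
 neighbor EDGE-UPLINKS remote-as 65003
 neighbor EDGE-UPLINKS password CHANGE-ME-bgp-shared-secret
 ! Edge 1, uplink 1 and 2 (each on its own uplink VLAN; addresses assumed)
 neighbor 192.0.2.2 peer-group EDGE-UPLINKS
 neighbor 192.0.2.18 peer-group EDGE-UPLINKS
 ! Edge 2, uplink 1 and 2 (addresses assumed)
 neighbor 192.0.2.3 peer-group EDGE-UPLINKS
 neighbor 192.0.2.19 peer-group EDGE-UPLINKS
 !
 address-family ipv4 unicast
  ! The two networks the GUI was told to advertise (masks assumed)
  network 10.0.0.0/8
  network 0.0.0.0/0
  ! "Redistribute IPv4 routes, including static routes" in the GUI
  redistribute connected
  redistribute static
  neighbor EDGE-UPLINKS activate
 exit-address-family
!
```

Two things are worth checking against this once the edges come up. First, the `neighbor ... password` line is the TCP MD5 session key: it must match, byte for byte, the password you enter for the edge uplinks in the bringup JSON, otherwise the session stays in Active/Connect and FRR logs an MD5 mismatch rather than a clear error. Second, `show ip bgp summary` in vtysh should list all four neighbors in the Established state with a non-zero prefix count; if one uplink VLAN is missing the pass-any rule from the firewall step, that single neighbor will be the one stuck in Active.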

Here is an example of adding in a neighbor entry and all the fields that need to be changed:

This completes the configuration needed for pfSense. Join me in Part 3 where we will kick off the deployment of VCF using VLC!