Setting up pfSense in ESXi on a server without KVM/IPMI

So you’ve ordered a dedicated server and have installed ESXi on it. It only has one IPv4 address, so you want to set up some sort of NAT to divvy up connectivity to multiple guests… but still want to be able to access the ESXi management interface.

Here’s a rough outline of how to achieve that, starting from scratch, tested on ESXi 6.0.

The easy bits:

  • enable ESXi SSH access
  • download your pfSense + guest OS installation media to your datastore
  • create another vSwitch for “LAN” and use the existing one for “WAN”
  • install pfSense
  • connect a VMkernel port to your “LAN” vSwitch and enable management traffic on it; this is the path you’ll use to reach the ESXi management interface once the public address belongs to pfSense
  • install your guest OS
  • confirm your guest OS can access the management interface
  • set up an avenue for remote access to your guest OS (e.g. SSH, RDP)
  • configure automatic startup for pfSense and your guest OS, making sure that pfSense is set to start up first, with enough of a delay that its LAN and DHCP are up before the guest boots

At this point, you should have:

  • a working pfSense installation, configured the way you want it (DHCP, etc.), but with no WAN connectivity
  • a working guest OS installation, configured the way you want it, with the ability to access the pfSense webUI and the ESXi management interface, but with no WAN connectivity

Now the sketchy bits:

  • set up port forwarding in pfSense to SSH/whatever on your guest OS; this forward is the only thing exposed to the internet once the host’s own address is gone, so keep it to key-based SSH
  • disconnect pfSense’s virtual NIC on “WAN” (untick Connected), but make sure it’s set to [re]connect at power-on; while both the host and pfSense claim the same MAC on the same uplink, neither will work reliably
  • in pfSense, clone the MAC address of the host’s physical NIC, i.e. the MAC your provider hands the public IPv4 to, onto pfSense’s WAN interface (the WAN vSwitch’s security policy must allow MAC address changes and forged transmits, which is the standard vSwitch default)
  • power off your pfSense/guest OS
  • back in the ESXi management console, remove the IPv4 configuration from the management VMkernel port on “WAN” (vmk0), so the host no longer answers on the public address
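The ESXi-side commands for both lists above, as an added example that is not from the original post, typed over the SSH access enabled in the first step. Everything named here is an assumption: vSwitch0 and vmk0 as the existing “WAN” vSwitch and management port, vSwitchLAN, a “LAN” port group, vmk1 and 192.168.1.2 for the pfSense side, and VM IDs taken from `vim-cmd vmsvc/getallvms`. The port forward and the MAC clone are pfSense webUI settings and are not scripted here.

```shell
#!/bin/sh
# Added example, not from the original post: the ESXi-side steps of the
# procedure above as esxcli/vim-cmd commands run over SSH on the host.
# All names are assumptions: vSwitch0 is the existing "WAN" vSwitch whose
# vmk0 carries the public IPv4; vSwitchLAN, the "LAN" port group, vmk1 and
# 192.168.1.0/24 are invented for the pfSense side; VM IDs come from
# `vim-cmd vmsvc/getallvms`. pfSense's own settings stay in its webUI.
set -eu

ESXCLI="${ESXCLI:-esxcli}"   # set to "echo" to print commands instead of running them
VIMCMD="${VIMCMD:-vim-cmd}"

WAN_VSWITCH="${WAN_VSWITCH:-vSwitch0}"
WAN_VMK="${WAN_VMK:-vmk0}"
LAN_VSWITCH="${LAN_VSWITCH:-vSwitchLAN}"
LAN_PG="${LAN_PG:-LAN}"
LAN_VMK="${LAN_VMK:-vmk1}"
LAN_IP="${LAN_IP:-192.168.1.2}"        # ESXi's address on the pfSense LAN
LAN_MASK="${LAN_MASK:-255.255.255.0}"

# Easy bits: a second vSwitch with no physical uplink (so LAN traffic can only
# leave the host through pfSense), a port group on it, and a VMkernel port
# tagged Management so the host stays reachable after the public IP moves.
setup_lan_management() {
    "$ESXCLI" network vswitch standard add --vswitch-name="$LAN_VSWITCH"
    "$ESXCLI" network vswitch standard portgroup add --portgroup-name="$LAN_PG" --vswitch-name="$LAN_VSWITCH"
    "$ESXCLI" network ip interface add --interface-name="$LAN_VMK" --portgroup-name="$LAN_PG"
    "$ESXCLI" network ip interface ipv4 set --interface-name="$LAN_VMK" --type=static --ipv4="$LAN_IP" --netmask="$LAN_MASK"
    "$ESXCLI" network ip interface tag add --interface-name="$LAN_VMK" --tagname=Management
}

# Autostart: pfSense (order 1) before the guest (order 2), with a delay so the
# firewall's LAN/DHCP is up before the guest boots. Argument order follows
# vim-cmd's update_autostartentry help; confirm with get_autostartseq.
configure_autostart() {
    pf_vmid="$1"; guest_vmid="$2"
    "$VIMCMD" hostsvc/autostartmanager/enable_autostart true
    "$VIMCMD" hostsvc/autostartmanager/update_autostartentry "$pf_vmid" PowerOn 120 1 guestShutdown 120 systemDefault
    "$VIMCMD" hostsvc/autostartmanager/update_autostartentry "$guest_vmid" PowerOn 120 2 guestShutdown 120 systemDefault
}

# Sketchy bits, host side. The WAN vSwitch must accept the MAC pfSense clones
# (standard vSwitch defaults are already Accept; this makes it explicit),
# then vmk0 gives up its IPv4 so only pfSense answers on the public address.
allow_cloned_mac_on_wan() {
    "$ESXCLI" network vswitch standard policy security set --vswitch-name="$WAN_VSWITCH" --allow-mac-change=true --allow-forged-transmits=true
}

drop_wan_management() {
    "$ESXCLI" network ip interface ipv4 set --interface-name="$WAN_VMK" --type=none
}

# Guard against a permanent lockout: the LAN VMkernel port must carry the
# Management tag before the WAN one is cut.
lan_management_ready() {
    "$ESXCLI" network ip interface tag get --interface-name="$LAN_VMK" | grep -q Management
}

# Print the full command sequence for review without touching the host.
render_plan() {
    ( ESXCLI=echo; VIMCMD=echo
      setup_lan_management; configure_autostart "$1" "$2"
      allow_cloned_mac_on_wan; drop_wan_management )
}

# Run for real; the last step is the one that locks you out until the reboot.
apply_layout() {
    setup_lan_management
    configure_autostart "$1" "$2"
    allow_cloned_mac_on_wan
    lan_management_ready || { echo "refusing: $LAN_VMK is not tagged Management" >&2; return 1; }
    drop_wan_management
}

case "${1:-plan}" in
    plan)  render_plan "${2:-<pfsense-vmid>}" "${3:-<guest-vmid>}" ;;
    apply) apply_layout "$2" "$3" ;;
esac
```

Run it as `sh esxi-nat-layout.sh plan 10 11` to see the exact sequence, then `apply 10 11` on the host. Even if you do the rest by hand, keep the refusal check before `drop_wan_management`: once vmk0 loses its IPv4 there is no way back except the provider’s reboot, and if vmk1 is not really tagged Management you will be locked out for good rather than until the reboot.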

At this point, you’ll be locked out. Request a remote reboot of your server.

If things were set up correctly, you should be able to SSH into your guest OS afterwards. Phew.

There’s probably a better way to do this, but this layout worked for me.