Performance Cloud VMware – Deploy a NVA (Network Virtual Appliance)

Introduction

This guide describes how to set up your own firewall appliance in Performance Cloud VMware instead of relying on the default Edge gateway firewall. For this example we use a pfSense firewall appliance, but the same steps apply to other firewall appliances.

Notes

Some steps assume that you are already familiar with creating virtual machines and virtual networks. Please refer to the first-steps guide or to online articles for more details.

Schema of the setup (Scenario example)

  • The routed LAN network 10.0.0.0/24 was chosen as an example but can differ per your requirements.
  • The isolated LAN network 192.168.0.0/24 was chosen as an example but can differ per your requirements.
  • The pfSense LAN gateway IP 192.168.0.1 was chosen as an example but can also differ.


Configure required virtual networks

The first step is to create the required networks in the Performance Cloud portal.

Create the routed network (10.0.0.0/24 in this example)

  1. Log in to the Performance Cloud VMware portal

  2. Click on your virtual datacenter

  3. Go to Networking -> Networks

  4. Click NEW

  5. Configure the network as follows (routed network, 10.0.0.0/24 in this example):

Create the isolated network (192.168.0.0/24 in this example)

  1. Go to Networking -> Networks

  2. Click NEW

  3. Configure the network as follows (isolated network, 192.168.0.0/24 in this example):

    Note: we set the gateway CIDR to 192.168.0.254 because, had we entered 192.168.0.1, that address could no longer have been used by our pfSense appliance. Alternatively, we could have entered 192.168.0.1 here and configured the pfSense LAN with another IP, which the VMs behind the appliance would then use as their gateway.

Deploy the appliance

Here you have a few options to deploy your firewall appliance.

For this example, we created a catalog, uploaded the ISO and created a blank VM on which to mount the ISO and install pfSense:

  1. Create the blank VM

    Notes:
    • Make sure to select the proper network (VNET-Edge-LAN in this example). It will be the WAN interface of your pfSense. Also configure the desired IP on it.
    • I used an E1000E network adapter type because a fresh pfSense install does not support the VMXNet3 adapter until the open-vm-tools package is installed. Once pfSense is deployed, install the package, delete the E1000E adapter, create a VMXNet3 adapter and reconfigure the pfSense WAN on this new network adapter.

  2. Once the VM is created, power it on, boot from the ISO file and follow the vendor's instructions to install the operating system.

  3. Configure the WAN NIC with the IP 10.0.0.2

Configure the Edge gateway

  1. Go to Networking -> Edges and select your Edge gateway

  2. Click on SERVICES

  3. Go to Firewall and create a new rule allowing Any-Any (the firewall rules will be managed by the pfSense appliance). You can still restrict some traffic at the Edge gateway level if you prefer, instead of opening Any-Any.

  4. Go to NAT and create the following NAT rules:
    • New DNAT rule pointing the external IP to the WAN IP of the pfSense (10.0.0.2)
    • New SNAT rule for the VNET-Edge-LAN (10.0.0.0/24)
    • New SNAT rule for the VNET-PFSense-LAN (192.168.0.0/24)

  5. Go to Routing, then Static Routes.

  6. Create a new static route for the isolated network (192.168.0.0/24) pointing at the pfSense WAN IP, and click KEEP.

  7. At this point, you should be able to reach your firewall appliance using the external IP address.

    Note: you can also attach another virtual machine to VNET-Edge-LAN and reach the firewall appliance on its internal IP. For example, I added a NIC on VNET-Edge-LAN to my Windows VM:

Configure PFSense

  1. Now that you have access to the pfSense, install the open-vm-tools package.

  2. Once installed, you can delete the E1000E NIC while the pfSense VM is running; it takes about 10 seconds for the NIC to be unconfigured inside the server.

  3. After waiting those 10 seconds so the old NIC is unconfigured in pfSense, shut down and then completely power off the virtual machine.

  4. Now reconfigure your WAN on a VMXNet3 NIC from the console, as done during the initial setup.

  5. You now need to configure the firewall rules on your pfSense WAN. For this example I allowed Any-Any, but you should restrict the traffic arriving on the WAN interface (the web configurator port, for instance).

  6. Once you have switched to VMXNet3 and everything works, add the VNET-PFSense-LAN NIC (note: make sure the pfSense is completely powered off, or you will have issues with the NIC).

  7. You can now assign the LAN interface.

  8. Configure the LAN interface (192.168.0.1 in this example).

  9. Disable outbound NAT in pfSense to avoid double NAT (Edge + pfSense). It would still work with outbound NAT enabled, but in that case the static route on the Edge gateway and the SNAT rule for 192.168.0.0/24 would not be needed.

Configure your Virtual Machine behind PFSense

  1. Attach the network adapter of your virtual machine to the VNET-PFSense-LAN

  2. Configure the network adapter inside your VM (an IP in 192.168.0.0/24 with the pfSense LAN IP as gateway)

  3. You should now be able to access the Internet from the virtual machine behind your pfSense

Create your NAT rules on PFSense (Example – RDP to a Windows VM behind PFSense)

  1. On your pfSense, create your NAT rule. In this example, I open the RDP port to my Windows VM

  2. Test RDP to your external IP
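The Edge gateway NAT and static-route steps above, the outbound NAT choice in step 9 of the pfSense configuration, and the RDP port forward all depend on each other: traffic from a VM behind the pfSense has to be translated exactly once on the way out, and the Edge must know how to send replies back. The following Python script is an added example, not part of this guide or of pfSense, that models the two hops (pfSense then Edge) and checks whether a given plan has a working return path. The addresses 10.0.0.2, 10.0.0.0/24, 192.168.0.0/24 and the 192.168.0.10 Windows VM come from this scenario; the public IP 203.0.113.10 and the plan dictionaries are constructed placeholders.

```python
"""Added example (not from the guide): model of the Edge gateway + pfSense NAT/route
plan, used to check that outbound and inbound traffic has a working return path in
both the single-NAT layout (pfSense outbound NAT off) and the double-NAT layout."""
from ipaddress import ip_address, ip_network

# Scenario addresses from the guide. EXTERNAL_IP is a constructed placeholder:
# the guide never states the Edge gateway's public IP.
EXTERNAL_IP = "203.0.113.10"
PFSENSE_WAN = "10.0.0.2"          # pfSense WAN interface on VNET-Edge-LAN
ROUTED_NET = "10.0.0.0/24"        # VNET-Edge-LAN, directly connected to the Edge
ISOLATED_NET = "192.168.0.0/24"   # VNET-PFSense-LAN, reachable only through pfSense

# The plan described in the guide: Edge SNAT for both networks, a static route for the
# isolated network via the pfSense WAN, and pfSense outbound NAT disabled.
GUIDE_PLAN = {
    "snat_nets": [ROUTED_NET, ISOLATED_NET],
    "routes": {ISOLATED_NET: PFSENSE_WAN},
    "pfsense_outbound_nat": False,
}
# The double-NAT alternative mentioned in step 9: pfSense hides the LAN behind 10.0.0.2,
# so the Edge needs neither the 192.168.0.0/24 SNAT rule nor the static route.
DOUBLE_NAT_PLAN = {
    "snat_nets": [ROUTED_NET],
    "routes": {},
    "pfsense_outbound_nat": True,
}


def edge_snat(src, snat_nets):
    """Edge SNAT: return the public source if a rule covers src, else None."""
    src = ip_address(src)
    return EXTERNAL_IP if any(src in ip_network(n) for n in snat_nets) else None


def edge_next_hop(dst, routes):
    """How the Edge reaches dst: 'connected', a static-route next hop, or None."""
    dst = ip_address(dst)
    if dst in ip_network(ROUTED_NET):
        return "connected"
    for net, via in routes.items():
        if dst in ip_network(net):
            return via
    return None


def outbound_path(vm_ip, plan):
    """Trace VM -> pfSense -> Edge -> Internet and check that replies can come back."""
    # Hop 1, pfSense: with outbound NAT on, the VM is hidden behind the pfSense WAN IP.
    after_pfsense = PFSENSE_WAN if plan["pfsense_outbound_nat"] else vm_ip
    # Hop 2, Edge SNAT: without a matching rule the private source would leave untranslated.
    public_src = edge_snat(after_pfsense, plan["snat_nets"])
    if public_src is None:
        return {"ok": False, "reason": "no Edge SNAT rule covers %s" % after_pfsense}
    # Return traffic: the Edge reverses its SNAT and must then route to after_pfsense.
    hop = edge_next_hop(after_pfsense, plan["routes"])
    if hop is None:
        return {"ok": False, "reason": "Edge has no route back to %s" % after_pfsense}
    return {"ok": True, "public_src": public_src, "edge_next_hop": hop,
            "double_nat": plan["pfsense_outbound_nat"]}


def inbound_port_forward(dst_port, pf_forwards, edge_dnat=None):
    """External packet to EXTERNAL_IP:dst_port: Edge DNAT first, then the pfSense port forward.
    pf_forwards maps (pfSense WAN IP, port) -> (internal IP, port), like a pfSense NAT rule."""
    edge_dnat = edge_dnat if edge_dnat is not None else {EXTERNAL_IP: PFSENSE_WAN}
    inner = edge_dnat.get(EXTERNAL_IP)
    if inner is None:
        return None
    return pf_forwards.get((inner, dst_port))   # None: no forward, dropped at pfSense


if __name__ == "__main__":
    # Constructed sample: a Windows VM behind pfSense and an RDP forward to it.
    rdp = {(PFSENSE_WAN, 3389): ("192.168.0.10", 3389)}
    print("guide plan:    ", outbound_path("192.168.0.10", GUIDE_PLAN))
    print("double NAT:    ", outbound_path("192.168.0.10", DOUBLE_NAT_PLAN))
    broken = dict(GUIDE_PLAN, routes={})   # outbound NAT off but static route forgotten
    print("missing route: ", outbound_path("192.168.0.10", broken))
    print("RDP forward:   ", inbound_port_forward(3389, rdp))
    print("unforwarded 22:", inbound_port_forward(22, rdp))
```

The "missing route" case is the one to watch when following the guide: with pfSense outbound NAT disabled, replies for 192.168.0.0/24 reach the Edge with a destination it has no connected interface for, so without the static route they are dropped even though the outbound direction looks fine. The inbound check also shows why only the ports you forward on pfSense are reachable, even though the Edge DNAT hands the whole external IP to the appliance.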

Example - Configure site to site VPN from External PFSense to PFSense in Performance Cloud VMware behind the Edge Gateway

Here is an example of a VPN configuration between an external pfSense and the pfSense in Performance Cloud VMware.

External PFsense configuration

Phase 1 Configuration


Phase 2 Configuration

Firewall rules:

Status:

Firewall rule to allow traffic in VPN

PFSense configuration in Performance Cloud VMWare

Phase 1 Configuration

Note: make sure to configure the external IP of the Edge gateway as your identifier; if you use your WAN address instead, it will send 10.0.0.2 rather than the external IP.

Phase 2 Configuration


Firewall rule to allow traffic in VPN

Ping test in VPN

From the external pfSense to a VM behind the pfSense in Performance Cloud VMware:

From a VM behind the Performance Cloud VMware pfSense to the external pfSense: