Performance Cloud VMware – Deploy a NVA (Network Virtual Appliance)

TABLE OF CONTENT

• Introduction
• Notes
• Schema of the setup (Scenario example)
• Configure required virtual networks
  • Create a routed network
  • Create an isolated network
• Deploy the appliance
• Configure the Edge gateway
• Configure PFSense
• Configure your Virtual Machine behind PFSense
• Create your NAT rules on PFSense (Example – RDP to a Windows VM behind PFSense)
• Example - Configure site to site VPN from External PFSense to PFSense in Performance Cloud VMware behind the Edge Gateway
  • External PFsense configuration
  • PFSense configuration in Performance Cloud VMWare
    • Phase 1 Configuration
    • Firewall rule to allow traffic in VPN
  • Ping test in VPN

Introduction

This guide describes how to setup your own firewall appliance in Performance Cloud VMware instead of using the default Edge gateway firewall. For this example, we will use a PFSense firewall appliance, but the same steps would be required on other firewall appliance devices.

Notes

- Some steps assume that you have a foundation for creating virtual machines and for creating virtual networks. Please refer to main articles in the Getting Started Guide if needed.

- Please note that Sherweb's support for a NVA (Network Virtual Appliance) is very limited.

Schema of the setup (Scenario example)

• The routed LAN network 10.0.0.0/24 was chosen as example but could be different per your requirements.
• The isolated LAN network 192.168.0.0/24 was chosen as example but could be different per your requirements.
• The gateway IP 192.168.0.1 of the PFSense was chosen as example but could be different.

Configure required virtual networks

Create a routed network

Use this article to create a routed network. (10.0.0.0/24 named CIS-Network in this example)

Create an isolated network

Use this article to create an isolated network. (192.168.0.0/24 named VNet-PFSense-Lan in this example)

(same steps but choosing Isolated instead of Routed)

Note: we configure gateway CIDR by using 192.168.0.254/24 because if we would have entered 192.168.0.1, we would not be able to use it for our PFsense appliance. However, we could have entered 192.168.0.1 and configured the LAN on the PFSense appliance to use another IP, which would be used by the VMs behind the appliance.

Deploy the appliance

Here you have few options to deploy your firewall appliance.

• Import the appliance from OVF Template (see existing guide)
• Import the appliance into a Catalog and deploy it from catalog (see existing guide)
• Import ISO in a Catalog and create a new VM. Map the Uploaded iso to the VM and proceed with your install. (see existing guide)

For this example, we created a catalog, uploaded an .ISO file and created a blank VM to map the .ISO file and install PFSense on it:

1. Create the blank VM
   
   
   
   
   
   Notes:
   • Make sure to select the proper network (VNET-Edge-LAN in this example). This will represent the WAN interface of your pfsense. Make sure to configure the proper desired IP as well
   • I used an E1000E Network adapter type since the default install of PFSense does not support VMXNet3 network adapter until we install open-vm-tools package in the pfsense. Once you deployed the PFSense, you can install the package then delete the E1000E adapter type and recreate a VMXNet 3 adapter type and reconfigure the PFSense WAN on this new Network adapter.
     
     
2. Once the VM is created, power on the virtual machine, boot with the ISO file and follow the provider instructions to deploy the operating system.
   
    
3. Configure your WAN NIC for 10.0.0.2
   
   
   
   
   
   
   
   
   

Configure the Edge gateway

1. Go to Networking -> Edges- Select your Edge GW
   
   
    
2. Click on SERVICES
   
    
3. Go to Firewall and create a new rule to allow Any-Any (since the firewall rules will be managed by the PFsense appliance). You could still restrict some traffic at the edge gateway level if you desire instead of opening Any-Any.
   
   
    
4. Go to NAT and create the following NAT rules:
   • New DNAT Rule (to point to the WAN IP of the PFSense)
     
     
     
     
     
     
   • New SNAT Rule (for the VNET-Edge-LAN)
     
     
     
     
   • New SNAT Rule (for the VNet-PFSense-Lan)
     
     
     
     
      
5. Go to Routing, then Static Routes.
   
    
     
6. Create a new route and click on KEEP.
   
    
   
   
7. At this point, you should now be able to access your firewall appliance by using the external IP address.
   
   
   
   Note: you can also configure the VNET-Edge-LAN on a different virtual machine and access the firewall appliance with its internal IP to access it. For example, I added a NIC in the VNET-Edge-LAN on my Windows VM:
   
   
   
   

Configure PFSense

1. Now that you have access to the PFSense, you can install the open-vm-tools package
   
   
   
   
2. Once installed, you can delete the E1000E NIC while the PFSense VM is running, it will take 10 seconds to un-configure the NIC inside the server.
    
3. Once you waited 10 seconds to let the old NIC to be unconfigured in the PFSense, you can now shutdown then completely poweroff the virtual machine.
   
   
   
   
4. Now you can reconfigure your WAN on a VMXNet3 NIC from the console like we did previously from the console during the initial setup.
   
   
   
   
5. You now need to configure the firewall rules on your PFSense (For WAN). For this example, I allowed Any-Any but you should restrict the traffic coming from the WAN interface (such as web configurator port, etc)
   
   
   
   
6. Once you have changed for VMXNet3 and everything is working, you can now add the VNET-PFSense-LAN (Note: make sure the PFSense is completely powered off or you will have issues with the NIC)
   
   
   
   
7. You can now assign the LAN interface
   
   
   
   
8. Configure the LAN
   
   
   
   
9. Disable outbound NAT in PFSense to prevent double natting (Edge + PFsense). It would also work if it is enabled. But you would not required the static route in EdgeGW and the SNAT rule for 192.168.0.0/24 for double NAT.
   
   

Configure your Virtual Machine behind PFSense

1. Configure the network adapter of your virtual machine on the VNET-PFSense-LAN
   
   
   
   
2. Configure the network adapter of your VM
   
   
   
   
3. You should be able to access internet from the Virtual machine behind your PFSense
   
   

Create your NAT rules on PFSense (Example – RDP to a Windows VM behind PFSense)

1. On your PFSense, you create your NAT Rule. In this example, I will open RDP Port to my Windows VM
   
   
2. Test RDP to your external IP
   
   

Example - Configure site to site VPN from External PFSense to PFSense in Performance Cloud VMware behind the Edge Gateway

 Here is an example of a VPN Configuration between an external PFSense and the PFSense in Performance Cloud VMware.

External PFsense configuration

Phase 1 Configuration

Phase2 Configuration

Firewall rules:

Status:

Firewall rule to allow traffic in VPN

PFSense configuration in Performance Cloud VMWare

Phase 1 Configuration

Note: make sure to configure the External IP of the Edge Gateway as your identifier because if you put your WAN Address, it will use 10.0.0.2 instead of the external IP.

Phase2 Configuration

Firewall rule to allow traffic in VPN

Ping test in VPN

From PFsense external to a VM behind PFsense in Performance Cloud VMware:

From VM behind Performance Cloud VMware PFsense to PFsense external: