I have an existing lab network into which I'm attempting to "simply" insert the UTM transparently, using it in bridged mode. To complicate matters, I have multiple VLANs on a managed switch and a dual-NIC ESXi box where the router/firewall (pfSense) and the Sophos UTM, running the latest release, are virtualized.
Network info
WAN vlan101: 192.168.1.0/24
LAN vlan10: 10.0.1.0/24
USER vlan11: 10.0.11.0/24
GUEST vlan12: 10.0.12.0/24
SAN vlan13: 10.0.13.0/24
MGMT vlan20: 10.0.20.0/24
ESXi
The ESXi box has two NICs; both connect to the 2816. vmnic1 connects to an untagged port on vlan101. vmnic0 connects to a tagged port assigned vlan10,11,12,13,20. I have two vSwitches defined, one for each hardware NIC:
vswitch1 connects vmnic1. This has one port group for the WAN.
vswitch0 connects vmnic0. This has port groups for each VLAN (to allow access for VMs), plus a trunk group set for VLAN 4095. The ESXi management IP is 10.0.1.10 on vlan10.
pfSense fw/rtr
This is performing the firewall, routing, DNS and DHCP for each VLAN.
I have nic1 (vmswitch1 vlan0) on the WAN at 192.168.1.60, nic2 (vmswitch0 vlan4095) on the VLAN trunk at 10.0.XX.1, and nic3 (vmswitch0 vlan20) at 10.0.20.3.
I have the VLANs defined to perform the VLAN routing.
Each interface has a firewall rule allowing from the VLAN net to any, other than the mgmt VLAN, which is limited to keep traffic inside its subnet.
In this configuration my network works beautifully. Physical machines connected to various untagged/access switch ports work as expected, and VMs connected to ESXi tagged ports work as expected.
I attempted to add the UTM "inline" but in bridge mode, to keep my pfSense VM performing the routing and providing network services like DNS and DHCP, and to keep it transparent to clients on the VLANs. To accomplish this I added a new vmswitch2 with one port group set to vlan4095 to act as a trunk like before. I moved the pfSense nic2 from vmswitch0 to vmswitch2. The UTM will bridge vmswitch2 to vmswitch0. So the new topology should be:
WAN -> vmswitch1 -> pfSense -> vmswitch2 -> UTM -> vmswitch0
UTM
This has three NICs assigned as well. nic1 (vmswitch2 trunk) and nic2 (vmswitch0 trunk) are bridged as br0, without an IP. nic3 (vmswitch0 vlan20) is 10.0.20.2. I have vlan10,11,12,13 on br0, each defined as an Ethernet VLAN with IPs matching 10.0.XX.2/24, with vlan10 additionally having the default GW set to 10.0.1.1.
I have one firewall rule set to allow any,any,any with logging on.
In this configuration I can ping from/to all pfSense and Sophos IPs from those VMs themselves. The UTM can route out to the internet. HOWEVER, I cannot ping from the UTM or pfSense to my ESXi IP, nor can a workstation on vlan10 ping its default GW 10.0.1.1 or 10.0.1.2. The UTM firewall log shows nothing of value.
What am I missing or doing wrong? Is passing the VLAN routing up through the bridge even possible? My Google searches haven't turned up anything of value.
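One check worth running on a setup like this, added here as an example and not part of the original post: the ESXi vSwitch security policy on the port groups the bridging VM sits on. A VM that bridges two port groups transmits frames carrying other hosts' source MAC addresses and must receive frames addressed to MACs other than its own; a standard vSwitch drops both unless Promiscuous Mode, MAC Address Changes and Forged Transmits are set to Accept on those port groups. The script below parses the text that `esxcli network vswitch standard portgroup policy security get -p <portgroup>` prints and flags any of the three settings that is not accepted. The two policy listings embedded in it are constructed samples laid out like esxcli's key: value output, and the port group names are hypothetical stand-ins for the two VLAN 4095 trunk groups described above.

```shell
#!/bin/sh
# Added example, not code from the forum post. Verifies that a port group
# allows what a transparent bridge VM needs: promiscuous mode (receive
# frames for other MACs), MAC address changes and forged transmits (send
# frames with foreign source MACs). Input is the text of
#   esxcli network vswitch standard portgroup policy security get -p <pg>

# check_policy NAME TEXT: prints one line per setting that is not "true";
# returns 0 when all three are accepted, 1 otherwise.
check_policy() {
    name="$1"
    text="$2"
    rc=0
    for key in "Allow Promiscuous" "Allow MAC Address Change" "Allow Forged Transmits"; do
        # Anchored at line start so the "Override Vswitch Allow ..." lines
        # (which only say whether the port group overrides the vSwitch)
        # are not mistaken for the effective value.
        val=$(printf '%s\n' "$text" | sed -n "s/^[[:space:]]*$key: *//p" | head -n 1)
        if [ "$val" != "true" ]; then
            printf '%s: %s is %s (needs true)\n' "$name" "$key" "${val:-missing}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listings in esxcli's layout (not captured from a host).
# This one would silently break a bridge: promiscuous mode is refused, so the
# bridge VM never sees frames destined for the hosts behind it.
BAD_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: false
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: false'

# This one is what a trunk port group feeding a bridge VM should look like.
GOOD_POLICY='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: true
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: false'

# On a real host, feed esxcli output for each trunk port group instead, e.g.
#   check_policy "$pg" "$(esxcli network vswitch standard portgroup policy security get -p "$pg")"
# The port group names below are hypothetical.
demo() {
    check_policy "vswitch0-trunk4095" "$BAD_POLICY" || echo "vswitch0-trunk4095: fix before bridging"
    check_policy "vswitch2-trunk4095" "$GOOD_POLICY" && echo "vswitch2-trunk4095: OK"
}
demo
```

Run it against the real esxcli output for every port group the UTM's bridged NICs are attached to; a single refused setting on either side is enough to make pings across the bridge disappear without any firewall log entry, which matches the symptom described above.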