Introduction
In the previous post, I showed how to deploy VMware Cloud Foundation 9 in a home lab. This time we move down to the network layer: step by step, how I set up pfSense 2.7.2-RELEASE to serve the whole VCF environment with VLANs, NAT, DHCP, NTP, and BGP peerings to the NSX-T Edge (configured now, idle until the Edge exists).
Table of contents
- Hardware requirements & topology
- Installation & first login
- General settings
- Secure administrative access
- Interface assignment
- VLANs on the trunk port
- DHCP servers
- Outbound NAT
- Firewall rules
- FRR + BGP
- NTP server
- System tunables
- Backup & versioning
- Final tests
- Summary
1 Hardware requirements & topology
Virtual machine (e.g., running on ESXi/HomeLab):
| Virtual NIC | Role | vSwitch / PortGroup | MTU |
|---|---|---|---|
| vmx0 | WAN | WAN (192.168.100.0/24) | 9000 |
| vmx1 | trunk (802.1Q) | Lab‑TRUNK | 9000 |
| vmx2 | access network | VCF_LOCAL (172.16.10.0/24) | 9000 |
💡 Jumbo frames (MTU 9000) reduce CPU usage and packet count for vMotion/vSAN. The MTU has to match end to end (VM vNIC, port group, vSwitch and any physical switch in the path); a mismatch produces no error, large frames are simply dropped.
Diagram:
Internet / Upstream
│
┌─────┴─────┐
│ pfSense │
┌──── 192.168.100.0/24 ────┤ vmx0 (WAN)
│ │
└──── 172.16.10.0/24 ──────┤ vmx2 (VCF_LOCAL)
│
vmx1 trunk (VLAN 20–81)
2 Installation & first login
- Import the pfSense 2.7.2‑RELEASE ISO and create a new VM (FreeBSD 64‑bit).
- Allocate 2 vCPU / 4 GB RAM / 20 GB disk (add more if you plan IDS/IPS).
- After installation, browse to https://192.168.1.1 and log in with admin / pfsense.
- Skip the wizard (Click here to bypass) and change the admin password immediately.
3 General settings (System ► General Setup)
| Field | Value | Comment |
|---|---|---|
| Hostname | vcf-rtr | consistent naming for automation |
| Domain | vcf.vworld.lab | private lab domain |
| Primary DNS | 8.8.8.8 | fallback—VCSA/AD will become primary later |
| Time zone | Europe/Warsaw | aligns with ESXi hosts |
| NTP servers | 0.pl.pool.ntp.org 1.pl.pool.ntp.org 2.pl.pool.ntp.org | three sources for redundancy |
Click Save ► Apply.
4 Secure administrative access
- Navigate to System ► Advanced ► Admin Access.
- Under WebGUI, select HTTPS and click Add ► Create internal to generate a self‑signed certificate. A self-signed certificate means a browser warning on every login; if you would rather not get used to clicking through warnings, create an internal CA in the certificate manager, issue the GUI certificate from it, and import the CA on your workstation.
- Enable Secure Shell (Secure Shell tab); handy for backups and troubleshooting. Set SSHd Key Only to Public Key Only and add your key under the admin user's Authorized SSH Keys, so the shell cannot be attacked by password guessing.
🛡️ The GUI will only be reachable from WAN after you add the rule in step 9.
5 Interface assignment
- Open Interfaces ► Assignments.
- Keep the WAN mapped to vmx0.
- Click Add twice to add vmx1 and vmx2.
- Configure as follows:
| Interface | Description | IPv4 Type | Address / Prefix | MTU |
|---|---|---|---|---|
| vmx0 | WAN | Static | 192.168.100.145/24 (Gateway 192.168.100.4) | 9000 |
| vmx1 | LAN‑TRUNK | None | – | 9000 |
| vmx2 | VCF_LOCAL | Static | 172.16.10.1/24 | 9000 |
Click Save ► Apply. Two WAN-side details matter here. On Interfaces ► WAN, uncheck Block private networks and loopback addresses: the upstream segment is RFC 1918 space, and with that option on, every packet from 192.168.100.0/24 is dropped before the rules from step 9 are evaluated. And keep MTU 9000 on WAN only if the 192.168.100.0/24 segment (port group and the router at 192.168.100.4) actually carries jumbo frames; otherwise use 1500 there, because an MTU mismatch on one segment silently drops large packets.
6 VLANs on the trunk port (vmx1)
Create the following VLANs under Interfaces ► Assignments ► VLANs ► Add (parent interface vmx1), then assign each vmx1.<tag> as an interface, enable it with the gateway address below as a static IPv4 address, and set MTU 9000:
| Tag | Description | Gateway IP / Prefix |
|---|---|---|
| 20 | vMotion | 172.16.20.1/24 |
| 30 | vSAN | 172.16.30.1/24 |
| 40 | Overlay | 172.16.40.1/24 |
| 50 | Supervisor | 172.16.50.1/24 |
| 60 | ESX_MGMT | 172.16.60.1/24 |
| 70 | VCF_MGMT | 172.16.70.1/24 |
| 80 | T0UPLINK01 | 172.16.80.1/24 |
| 81 | T0UPLINK02 | 172.16.81.1/24 |
7 DHCP servers (Services ► DHCP Server)
| Network | Range | Gateway | DNS |
|---|---|---|---|
| VCF_LOCAL 172.16.10.0/24 | 172.16.10.100‑200 | 172.16.10.1 | 172.16.10.10 |
| Overlay 172.16.40.0/24 | 172.16.40.10‑200 | 172.16.40.1 | 172.16.10.10 |
| Supervisor 172.16.50.0/24 | 172.16.50.10‑200 | 172.16.50.1 | 172.16.10.10 |
| ESX_MGMT 172.16.60.0/24 | 172.16.60.100‑200 | 172.16.60.1 | 172.16.10.10 |
❌ No DHCP on VCF_MGMT—management components will get static addresses.
8 Outbound NAT
- Firewall ► NAT ► Outbound → set mode to Hybrid (the automatic rules stay, yours are added on top).
- Add a rule: Interface WAN, Source 172.16.0.0/12, Translation: Interface address.
The /12 source covers 172.16.0.0 to 172.31.255.255, so every lab subnet, including the T0 uplink VLANs and anything NSX later advertises in that range, leaves the WAN as 192.168.100.145.
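As an added check (my own script, not part of the original post and not a pfSense tool), the plan from steps 6 to 8 can be validated offline before clicking through the GUI: every gateway is a host address, no two subnets overlap or collide with the WAN segment, each DHCP pool sits inside its subnet without swallowing the gateway or the DNS server, and the outbound NAT source really covers every lab subnet. The dictionaries hold the values from the tables above; the function is generic, so it works for a different plan as well.

```python
"""Offline consistency check for a pfSense VLAN / DHCP / NAT plan (added example)."""
import ipaddress

# Gateway addresses from steps 5 and 6 (VCF_LOCAL plus the VLAN sub-interfaces).
INTERFACES = {
    "VCF_LOCAL": "172.16.10.1/24",
    "vMotion": "172.16.20.1/24",
    "vSAN": "172.16.30.1/24",
    "Overlay": "172.16.40.1/24",
    "Supervisor": "172.16.50.1/24",
    "ESX_MGMT": "172.16.60.1/24",
    "VCF_MGMT": "172.16.70.1/24",
    "T0UPLINK01": "172.16.80.1/24",
    "T0UPLINK02": "172.16.81.1/24",
}

# DHCP scopes from step 7: first lease, last lease, gateway handed out, DNS handed out.
DHCP = {
    "VCF_LOCAL": ("172.16.10.100", "172.16.10.200", "172.16.10.1", "172.16.10.10"),
    "Overlay": ("172.16.40.10", "172.16.40.200", "172.16.40.1", "172.16.10.10"),
    "Supervisor": ("172.16.50.10", "172.16.50.200", "172.16.50.1", "172.16.10.10"),
    "ESX_MGMT": ("172.16.60.100", "172.16.60.200", "172.16.60.1", "172.16.10.10"),
}

NAT_SOURCE = "172.16.0.0/12"   # step 8 outbound NAT source
WAN_NET = "192.168.100.0/24"   # upstream segment on vmx0


def check_plan(interfaces=INTERFACES, dhcp=DHCP, nat_source=NAT_SOURCE, wan_net=WAN_NET):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    nets = {}
    wan = ipaddress.ip_network(wan_net)
    nat = ipaddress.ip_network(nat_source)

    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: gateway {iface.ip} is not a host address in {net}")
        for other, other_net in nets.items():
            if net.overlaps(other_net):
                problems.append(f"{name} {net} overlaps {other} {other_net}")
        if net.overlaps(wan):
            problems.append(f"{name} {net} collides with the WAN segment {wan}")
        if not net.subnet_of(nat):
            problems.append(f"{name} {net} is not covered by the outbound NAT source {nat}")
        nets[name] = net

    for name, (first, last, gateway, dns) in dhcp.items():
        net = nets.get(name)
        if net is None:
            problems.append(f"DHCP scope {name} has no matching interface")
            continue
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        gw, dns_ip = ipaddress.ip_address(gateway), ipaddress.ip_address(dns)
        if lo > hi:
            problems.append(f"{name}: DHCP range {first}-{last} is reversed")
        if lo not in net or hi not in net:
            problems.append(f"{name}: DHCP range {first}-{last} is outside {net}")
        if gw != ipaddress.ip_interface(interfaces[name]).ip:
            problems.append(f"{name}: DHCP gateway {gw} is not the interface address")
        if lo <= gw <= hi:
            problems.append(f"{name}: gateway {gw} lies inside the DHCP pool")
        if lo <= dns_ip <= hi:
            problems.append(f"{name}: DNS server {dns_ip} lies inside the DHCP pool; reserve it")
        if not any(dns_ip in n for n in nets.values()):
            problems.append(f"{name}: DNS server {dns_ip} is not on any lab subnet")
    return problems


if __name__ == "__main__":
    for line in check_plan() or ["plan is consistent"]:
        print(line)
```

Run it again whenever a VLAN or scope is added; the same checks catch the classic mistakes (a pool that starts at .1, a /23 typed instead of /24, a new VLAN outside the NAT source) before they show up as an unreachable host.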
9 Firewall rules
9.1 WAN
| Action | Source | Destination | Proto | Description |
|---|---|---|---|---|
| Pass | 192.168.100.0/24 | 172.16.10.0/24 | any | VCF_LOCAL |
| Pass | 192.168.100.0/24 | 172.16.40.0/24 | any | Overlay |
| Pass | 192.168.100.0/24 | 172.16.50.0/24 | any | Supervisor |
| Pass | 192.168.100.0/24 | 172.16.60.0/24 | any | ESX_MGMT |
| Pass | 192.168.100.0/24 | 172.16.70.0/24 | any | VCF_MGMT |
| Pass | any | (self) 123 | UDP | NTP to pfSense |
| Pass | any | (self) | ICMP | Ping |
| Pass | 192.168.100.0/24 | 192.168.100.145 443 | TCP | GUI HTTPS |
Source any on the NTP and ICMP rules means any host that can reach the WAN address. On a private 192.168.100.0/24 segment that is acceptable, but using 192.168.100.0/24 as the source there too costs nothing and is the tighter choice. These rules assume Block private networks and loopback addresses is off on the WAN interface; with it on, RFC 1918 sources are dropped before the rule set is reached. Hosts on the WAN side also need a route for 172.16.0.0/12 via 192.168.100.145 (on the host itself or on the router at 192.168.100.4), otherwise their packets for the lab subnets go to the default gateway and never reach pfSense.
9.2 Internal networks
Add a single “Allow all” rule (source any, destination any) on each internal interface. This is a lab shortcut: every VLAN can reach every other VLAN and the Internet through NAT. Storage and vMotion traffic (VLANs 20 and 30) never needs to leave its own segment, so those interfaces are the first candidates for tightening later.
10 FRR + BGP
- Install FRR 2.0.x from the Package Manager.
- FRR Global: enable, set Router ID 192.0.2.2.
- BGP: enable, Local ASN 65000, redistribute connected / static / kernel.
- Add neighbors:
| Neighbor | Remote ASN | Description |
|---|---|---|
| 172.16.80.2 | 65001 | Edge‑Uplink‑01 |
| 172.16.81.2 | 65001 | Edge‑Uplink‑02 |
| 172.16.80.3 | 65001 | Edge‑Uplink‑01‑b |
| 172.16.81.3 | 65001 | Edge‑Uplink‑02‑b |
🔄 Sessions will remain Idle/Connect until NSX‑T Edge is configured. Set a Password (BGP MD5) on each neighbor now and use the same one on the T0 BGP neighbor later, so only the Edge can bring up a session on the uplink VLANs; a session with a wrong or missing password never leaves Idle/Connect, which looks exactly like the expected state until the Edge is up, so note the password where you will find it again.
11 NTP server
Enable Services ► NTP, select WAN and all internal interfaces to listen on, and set 0.pl.pool.ntp.org as the preferred server. Listening on WAN is what the UDP/123 rule in step 9 exposes, so keep the source restriction on that rule in mind.
12 System tunables
| Tunable | Value | Note |
|---|---|---|
| net.link.ether.inet.garp_accept | 0 | ignore gratuitous ARP |
| kern.ipc.maxsockbuf | 16777216 | larger buffers for FRR |
13 Backup & versioning
Go to Diagnostics ► Backup & Restore ► Download Configuration and grab the XML file. It carries the admin password hash and the private keys of every certificate pfSense holds (the GUI certificate included), plus whatever secrets packages such as FRR store in it, so tick Encryption and set a passphrase before downloading, and keep the file somewhere protected (an encrypted Git repository or an offline disk). Repeat after every change; the XML diffs cleanly, which makes versioning easy.
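Added example (my own script, not from the original post and not a pfSense tool): before a config.xml backup goes into a repository, parse it and see what it carries and what it says about the WAN side. The embedded XML is a constructed, heavily trimmed stand-in for a real backup; the element names (system/user/bcrypt-hash, cert/prv, interfaces/wan/blockpriv, filter/rule with source/any and destination/port) follow the pfSense config.xml layout as I know it and should be treated as assumptions to check against your own download.

```python
"""Audit a pfSense config.xml backup for embedded secrets and WAN exposure (added example)."""
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for a real backup; not a file from the lab.
SAMPLE_CONFIG = """
<pfsense>
  <system>
    <hostname>vcf-rtr</hostname>
    <domain>vcf.vworld.lab</domain>
    <user>
      <name>admin</name>
      <bcrypt-hash>$2y$10$constructedhashconstructedhashconstructedhashconst</bcrypt-hash>
      <scope>system</scope>
    </user>
  </system>
  <interfaces>
    <wan>
      <if>vmx0</if>
      <ipaddr>192.168.100.145</ipaddr>
      <subnet>24</subnet>
      <blockpriv></blockpriv>
    </wan>
  </interfaces>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol>
      <source><any></any></source>
      <destination><network>(self)</network><port>123</port></destination>
      <descr><![CDATA[NTP to pfSense]]></descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><address>192.168.100.0/24</address></source>
      <destination><address>192.168.100.145</address><port>443</port></destination>
      <descr><![CDATA[GUI HTTPS]]></descr>
    </rule>
  </filter>
  <cert>
    <refid>constructed</refid>
    <descr><![CDATA[GUI]]></descr>
    <crt>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t</crt>
    <prv>LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0t</prv>
  </cert>
</pfsense>
"""


def audit_config(xml_text):
    """Return findings (strings) about secrets in the backup and WAN rule exposure."""
    root = ET.fromstring(xml_text.strip())
    findings = []

    # A plain-text backup carries credentials: password hashes and certificate private keys.
    users = [u.findtext("name") for u in root.findall("./system/user") if u.find("bcrypt-hash") is not None]
    if users:
        findings.append(f"password hash present for user(s): {', '.join(users)}")
    for cert in root.findall("./cert"):
        if cert.findtext("prv"):
            findings.append(f"private key present for certificate '{cert.findtext('descr')}'")

    # With 'Block private networks' on, RFC 1918 sources on WAN never reach the rules.
    wan = root.find("./interfaces/wan")
    if wan is not None and wan.find("blockpriv") is not None:
        findings.append("WAN blocks private networks; rules for 192.168.100.0/24 sources are dead")

    # WAN pass rules whose source is 'any' expose the service to the whole upstream segment.
    for rule in root.findall("./filter/rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        src = rule.find("source")
        if src is not None and src.find("any") is not None:
            dst = rule.find("destination")
            port = (dst.findtext("port") if dst is not None else None) or "any"
            proto = rule.findtext("protocol") or "any"
            findings.append(f"WAN rule '{rule.findtext('descr')}' passes any source ({proto}/{port})")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On a real download the first two findings are expected and are the reason to use the Encryption option on the backup page; the last two are configuration errors to fix before the file is committed.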
14 Final tests
- From a host on the WAN network ping 172.16.10.1; it should reply (the host, or the router at 192.168.100.4, needs a route for 172.16.0.0/12 via 192.168.100.145).
- DHCP: attach a VM to the VCF_LOCAL PortGroup; verify it receives an address in 172.16.10.100‑200.
- FRR: run vtysh -c "show ip bgp summary"; sessions should show Idle/Connect.
- iperf3 between vMotion (VLAN 20) and ESX_MGMT (VLAN 60) ➔ >9 Gb/s thanks to jumbo frames.
15 Summary
With pfSense 2.7.2‑RELEASE in place, your VCF 9 Home Lab is ready: VLAN segmentation, NAT, DHCP, NTP, and a prepared BGP edge.
👉 In the next article, I’ll configure NSX‑T Edge.
Questions or feedback? Leave a comment—I’ll be happy to help!
