Deploy a NVA (Network Virtual Appliance) with Performance Cloud VMware (NSX-T)



Introduction

This guide describes how to set up an NVA (Network Virtual Appliance) in Performance Cloud VMware instead of relying on the default Edge Gateway firewall. You may want to deploy your own NVA instead of the included Edge Gateway for standardization purposes or because specific features are required. Once the NVA is properly configured behind your Edge Gateway, NAT, firewall and VPN configuration is controlled through the NVA.


In this guide, a pfSense firewall appliance is deployed behind the Edge Gateway, but the same steps would be required to deploy another network virtual appliance (or NVA).

Important Notes

- Some steps assume that you are already familiar with creating virtual machines, virtual networks and network virtual appliances. Please refer to the main articles in the Getting Started Guide if needed.

- Please note that Sherweb's support for an NVA (Network Virtual Appliance) is very limited.

- By default, the platform security policy blocks DHCP servers other than the DHCP service of the Edge Gateway or of the virtual network. If you plan to use the DHCP service of the NVA (Network Virtual Appliance), please contact us so we can allow that service on your networks.

Schema of the setup (Scenario example)

  • The routed WAN network 10.0.0.0/24 was chosen as an example; it may differ per your requirements.
  • The isolated LAN network 192.168.0.0/24 was chosen as an example; it may differ per your requirements.
  • The gateway IP 192.168.0.1 of the pfSense was chosen as an example and may differ.

 


Configure required virtual networks

 

Create a routed network


Use this article to create a routed network (10.0.0.0/24, named WAN in this example).


Create an isolated network


Use this article to create an isolated network (192.168.0.0/24, named LAN in this example).

(Same steps, but choose Isolated instead of Routed.)


Notes: In this example, the edge gateway IP address is configured as 192.168.0.254/24 to keep 192.168.0.1 available as the internal gateway on the virtual firewall's LAN interface. However, we could have used 192.168.0.1 on the edge gateway and configured the LAN interface of the pfSense firewall with a different IP address, which the virtual machines behind the pfSense firewall would then use as their gateway.



Deploy the NVA

You have a few options to deploy your network virtual appliance:

  • Import the appliance from an OVF template (see existing guide)
  • Import the appliance into a catalog and deploy it from the catalog (see existing guide)
  • Upload an ISO to a catalog and create a new VM, map the uploaded .ISO file to the VM and proceed with the setup (see existing guide)

 

In this example, we created a catalog, uploaded the pfSense .ISO file, created a blank VM, mapped the .ISO file to it and installed pfSense.

 

  1. Create a catalog and upload the pfSense .ISO file



  2. Create a blank VM and enter all required information.



    Notes:

    In this example, the E1000E network adapter type is used because a default pfSense install does not support the VMXNET3 network adapter until the open-vm-tools package is installed in the appliance. Once the tools are installed inside the pfSense appliance, the E1000E adapters can be deleted and created again with the VMXNET3 adapter type, and the pfSense interfaces can then be reconfigured on the new network adapters.

    With a pfSense network device, problems accessing the configuration page can occur when both NICs are configured during the setup. We suggest starting the installation with only the WAN adapter.
     
  3. Once the VM is created, power on the virtual machine, boot from the ISO file and follow the vendor's instructions to deploy the operating system. (The bus type of the virtual disk may need to be changed for compatibility.)



  4. Configure the WAN interface.
    When asked, configure the upstream gateway of the WAN interface with the Edge Gateway IP address (10.0.0.1 in this case)

Configure the Edge Gateway

  1. Go to the Networking section, then Edges, and click on your Edge Gateway.

  2. Go to the Firewall section and click on EDIT RULES.

  3. Create a new rule to allow all traffic, since the firewall rules will be managed by the network virtual appliance. You could still restrict some traffic at the Edge Gateway level instead of opening “Any-Any”.

  4. Go to NAT and click on NEW.

  5. Create the following NAT rules:

  • New DNAT rule (to redirect traffic to the WAN interface of the NVA)
  • New SNAT rule for the LAN network
  • New SNAT rule for the WAN network

    NAT rules should now look like this:

  6. Go to Routing, then Static Routes, and click on NEW.

  7. Enter the route information.

  8. At this point, you should be able to access your firewall appliance using the external IP address.

Configure the pfSense appliance

Notes:

- Depending on the chosen network virtual appliance, you can also configure the NVA directly from its console, or from a virtual machine connected to the LAN network using the NVA's internal IP address. See the section Configure virtual machines behind the NVA below.


- For a pfSense network device, you may have to run the following command from the console to get access to the web configurator using the external IP address: pfSsh.php playback disablereferercheck
 

  1. Now that you have access to the pfSense appliance, you can install the open-vm-tools package.

  2. Once installed, you can delete the E1000E NIC while the pfSense VM is running; it will take 10 seconds for pfSense to unconfigure the NIC.

  3. Once you have waited 10 seconds for the old NIC to be unconfigured in pfSense, shut down the virtual machine.

  4. Remove the E1000E NIC and add a VMXNET3 NIC. Then start your network virtual appliance.

  5. Now you can reconfigure your WAN interface from the console, as done during the initial setup.

  6. Disable “Outbound NAT” in pfSense to prevent double NAT (Edge Gateway + pfSense).

    Note: The setup would also work with the default NAT settings, but with double NAT you would not require the static route in the Edge Gateway and the SNAT rule for 192.168.0.0/24.

  7. Shut down the pfSense appliance and add the LAN NIC. Then power up the pfSense appliance.

  8. Back in the web configurator, you can now assign and configure the LAN interface.

Configure virtual machines behind the NVA

  1. Configure the network adapter of your virtual machines on the LAN network.

  2. Configure the network adapter of your virtual machines.

  3. You should now be able to access the internet from virtual machines behind the NVA.

Create NAT rules on the pfSense appliance

Here is an example of a port forward rule.

  1. In this example, we open the RDP port to a Windows virtual machine.

    The new rule should look like this.

  2. Allow the port in the firewall rules.

    Note: Whenever possible, we do not recommend allowing “Any” as the source IP address(es), for security and performance reasons.

  3. Test the remote access using the external IP address.
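To make the Edge Gateway rules from the Configure the Edge Gateway section (DNAT to the NVA, SNAT for the LAN and WAN networks, static route) and the pfSense port forward above easier to reason about together, here is an added Python model that traces an inbound RDP connection and an outbound LAN connection through both hops; it is not Sherweb or pfSense code. The public IP 203.0.113.10, the VM 192.168.0.10, port 3389 and the admin source range 198.51.100.0/24 are constructed values; 10.0.0.2 and 192.168.0.0/24 follow the scenario in this guide.

```python
import ipaddress

# Constructed values: the public IP is a documentation-range placeholder for the
# Edge Gateway external IP; 10.0.0.x and 192.168.0.x follow the scenario above.
PUBLIC_IP = "203.0.113.10"
NVA_WAN_IP = "10.0.0.2"      # pfSense WAN interface behind the Edge Gateway (10.0.0.1)
WAN = ipaddress.ip_network("10.0.0.0/24")
LAN = ipaddress.ip_network("192.168.0.0/24")
RDP_VM = "192.168.0.10"      # constructed Windows VM behind pfSense
# Firewall rule source restriction for the RDP port forward (not "Any").
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]


def edge_dnat(src, dst, port):
    """Edge DNAT rule: traffic for the external IP is redirected to the NVA WAN interface."""
    if dst == PUBLIC_IP:
        return src, NVA_WAN_IP, port
    return src, dst, port


def edge_snat(src):
    """Edge SNAT rules for the LAN and WAN networks: both leave as the public IP."""
    ip = ipaddress.ip_address(src)
    return PUBLIC_IP if ip in LAN or ip in WAN else src


def edge_next_hop(dst):
    """Edge routing: the static route sends 192.168.0.0/24 to the NVA WAN IP."""
    ip = ipaddress.ip_address(dst)
    if ip in LAN:
        return NVA_WAN_IP
    return dst if ip in WAN else "internet"


def pfsense_port_forward(src, dst, port):
    """pfSense NAT port forward for RDP plus its firewall rule; None means dropped."""
    if dst != NVA_WAN_IP or port != 3389:
        return None
    if not any(ipaddress.ip_address(src) in net for net in ALLOWED_RDP_SOURCES):
        return None
    return src, RDP_VM, port


def trace_inbound_rdp(client_ip):
    """External client -> Edge DNAT -> pfSense port forward -> VM."""
    return pfsense_port_forward(*edge_dnat(client_ip, PUBLIC_IP, 3389))


def trace_outbound(vm_ip):
    """LAN VM -> internet with pfSense outbound NAT disabled: the 192.168.0.x source
    reaches the Edge unchanged, is SNATed there, and the static route carries the
    reply back to the VM via the NVA instead of the Edge dropping it."""
    return edge_snat(vm_ip), edge_next_hop(vm_ip)
```

With the default (double) NAT on pfSense the LAN source would already be 10.0.0.2 at the Edge, which is why the static route and the LAN SNAT rule are only needed in the single-NAT design.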

Configure a virtual private network (VPN) with the NVA

For a virtual private network (VPN) configuration, be sure to configure the external IP address of the edge gateway as the identifier. If you configure the VPN to use the WAN IP address of the NVA as the identifier, the 10.0.0.2 address will be used instead of the public IP address and the VPN will not connect.