Linux – VMware ESXi VM bridge

Tags: linux, networking, vmware-esxi

I am currently creating a network inside a VMware ESXi host.

The network currently consists of two vSwitches and two port groups. Port Group A is associated with vSwitch0 and Port Group B with vSwitch1. I have a gateway (pfSense) which has one NIC to the Internet and one NIC in Port Group A.

I have a set of VMs each with one NIC in Port Group B.
My plan is to have a VM running Linux with two NICs, one in each Port Group, and have them bridged so the clients in Port Group B can talk to the Internet and I can monitor the network traffic on the Linux VM.

[image: network topology]

I created a bridge on the Linux machine but can neither ping my gateway from there nor can a VM in Port Group B ping the bridge/gateway.

What am I doing wrong or is there a more simple solution?

Best Answer

Bridging the port groups to force all traffic through the pfSense VM is the right way.

However, if you use the pfSense to bridge between both port groups, each port group needs to have promiscuous mode allowed. A vSwitch doesn't need to learn a port group's (equiv. VLAN) MAC addresses; it already knows them.

Bridging requires being able to send and receive with the MACs from other VMs, so promiscuous mode is mandatory. The downside is that allowing promiscuous mode applies to the whole port group. As a workaround, you can use two port groups - one allowing promiscuous mode for the pfSense, one not for normal VMs - and connect them by assigning the same VLAN ID (they also need to be on the same vSwitch).

Note that there's no reason to use two vSwitches - a single vSwitch will nicely separate both port groups as well.

Additionally, a vSwitch works a bit differently than a physical switch. A physical switch would learn the bridged MACs on the pfSense's port. A vSwitch with promiscuous mode works more like a hub, so the pfSense receives all frames moved within the port group, not only those that need to be bridged.
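As an added example (not part of the question or the answer), the script below emits the ESXi and Linux commands for the setup the answer describes: a "promiscuous" and a "normal" port group tied together by VLAN ID on each side, and the two guest NICs enslaved to a Linux bridge. Interface names (ens192/ens224), bridge name, port-group names, VLAN IDs and the management address are assumptions; the output is meant to be reviewed and then piped to sh on the right host.

```shell
#!/bin/sh
# Added example: prints the commands instead of running them, so they can be
# checked first and then applied on the ESXi host or in the Linux guest.
set -eu

# ESXi side (run in the ESXi shell). A bridge receives frames addressed to other
# VMs' MACs (needs promiscuous mode) and transmits frames with their source MACs
# (needs forged transmits), so both are Accept on the bridging VM's port groups
# and Reject on the "normal" groups; the shared VLAN ID joins the two groups.
esxi_portgroup_cmds() {  # $1 = port group name, $2 = VLAN id, $3 = true|false
  printf 'esxcli network vswitch standard portgroup policy security set -p "%s" --allow-promiscuous=%s --allow-forged-transmits=%s\n' "$1" "$3" "$3"
  printf 'esxcli network vswitch standard portgroup set -p "%s" --vlan-id %s\n' "$1" "$2"
}

# Linux guest side. Member ports carry no IP address: the address (and any
# monitoring) belongs on the bridge device itself, a common cause of "cannot
# ping the gateway from the bridge" being an address left on a member NIC.
linux_bridge_cmds() {  # $1 = bridge name, $2 = management CIDR, $3.. = member NICs
  br="$1"; cidr="$2"; shift 2
  [ $# -ge 2 ] || { echo "need at least two member NICs" >&2; return 1; }
  echo "ip link add name $br type bridge"
  for nic in "$@"; do
    echo "ip addr flush dev $nic"           # no IP on a member port
    echo "ip link set dev $nic master $br"
    echo "ip link set dev $nic up"
  done
  echo "ip link set dev $br up"
  echo "ip addr add $cidr dev $br"
}

# With promiscuous port groups the vSwitch behaves like a hub, so capturing on
# the bridge shows every frame in the group, not only the forwarded ones.
monitor_cmd() { echo "tcpdump -ni $1 -w /var/tmp/bridge.pcap"; }

# Constructed example values (assumed names and IDs)
esxi_portgroup_cmds "PG-A-promisc" 10 true    # gateway side, for the bridge VM
esxi_portgroup_cmds "PG-A-normal"  10 false   # gateway side, for pfSense
esxi_portgroup_cmds "PG-B-promisc" 20 true    # client side, for the bridge VM
esxi_portgroup_cmds "PG-B-normal"  20 false   # client side, for the client VMs
linux_bridge_cmds br0 192.0.2.10/24 ens192 ens224
monitor_cmd br0
```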