Jan 31, 2013

VMware vCenter and NAT

Thought I'd write up a quick post for any of you who might struggle with a similar issue with VMware vCenter in a NAT configuration. But first, some backstory.

I recently installed pfSense on my ESXi box to route all of my virtual machines through (please please, don't send me Twitter hate messages about me virtualizing a router... I know, I know, if you're 100% serious, you should go dedicated. But I don't get that much traffic. :P). This setup uses pfSense's 1:1 NAT with NAT reflection enabled, so that visiting any of the public IPs I have routes to the correct internal LAN IP. Thing is, I also have my Windows box housing vCenter on the same ESXi box, and it was going through the router as well.

The issue was, vCenter would disconnect about a minute or so after connecting to the ESXi host. This is because by default, the ESXi host sends a UDP "beacon" (heartbeat) to the vCenter box to make sure it can reach it. When your vCenter box is assigned a private IP, vCenter passes that private IP over to your ESXi host, and the host's attempts to reach that address fail, since most likely your ESXi host is not on the same LAN as your VMs. In my case, as I only have one NIC on this particular box, I kept the management interface on a public IP (not routing through pfSense), and everything else goes through the router.

Problem with this is there's no way to get ESXi 5 to use a different IP when contacting the vCenter box. I tried changing some settings in the vpxa config file on the ESXi host itself, but it was simply overwritten the next time vCenter connected to the host. I refused to put the management interface behind pfSense, because if the router crashes for whatever reason, I still need access to ESXi. I guess if you had two NICs, you could probably figure out a way to fail the management interface over to the other NIC, but I'm not that advanced with ESXi.
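As an added illustration (not part of the original post and not VMware code), the check below models the heartbeat path described above: the vpxa agent on ESXi is handed an address for vCenter and has to get its UDP heartbeat there. Given the host's management interface and the address vCenter advertises, it reports whether the two share a LAN, are plainly routed, or are split by a NAT in the unsupported way this post runs into. The RFC 1918 ranges stand in for the pfSense LAN, the RFC 5737 documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for public addresses, and the heartbeat port constant (UDP 902) is VMware's documented port rather than something the post states.

```python
"""Pre-flight check for the ESXi -> vCenter heartbeat path.

Hypothetical helper written for this post, not VMware's own code. It does not
talk to any host; it only classifies the address pair behind the problem the
post describes (vCenter advertising a NAT-internal IP that the ESXi
management interface cannot route to).
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# vCenter listens for the host heartbeat on UDP/902 (VMware-documented port;
# the post only calls it a UDP "beacon").
HEARTBEAT_PORT = 902

# pfSense-style LAN behind 1:1 NAT: the RFC 1918 ranges. Checked explicitly
# rather than via ipaddress.is_private, which would also flag the RFC 5737
# documentation ranges used below as "public" stand-ins.
RFC1918 = (
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
)

SAME_LAN = "same-lan"                    # vCenter is in the host's management subnet
ROUTED = "routed"                        # different subnets, no NAT between them
UNSUPPORTED_NAT = "unsupported-nat"      # the configuration VMware does not support
UNREACHABLE_SCOPE = "unreachable-scope"  # loopback, link-local, unspecified

EXPLANATIONS = {
    SAME_LAN: "vCenter and the host share a subnet; the heartbeat stays local.",
    ROUTED: f"vCenter is reachable through routing; allow UDP/{HEARTBEAT_PORT} "
            "from the host to vCenter and the heartbeat should arrive.",
    UNSUPPORTED_NAT: "vCenter will hand the host an RFC 1918 address that the "
                     "host's public management interface cannot reach; the "
                     "heartbeat never arrives and vCenter drops the host, "
                     "which is the disconnect described in the post.",
    UNREACHABLE_SCOPE: "the advertised address is never valid off-box.",
}


def is_rfc1918(addr: IPv4Address) -> bool:
    """True if the address lies in one of the RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)


def classify_heartbeat_path(esxi_mgmt_if: str, vcenter_advertised: str) -> str:
    """Classify the path from the ESXi management interface (CIDR notation)
    to the address vCenter pushes into the vpxa config file on the host."""
    host = IPv4Interface(esxi_mgmt_if)
    vc = IPv4Address(vcenter_advertised)

    if vc.is_loopback or vc.is_link_local or vc.is_unspecified:
        return UNREACHABLE_SCOPE
    if vc in host.network:
        return SAME_LAN
    # The post's setup: vCenter sits on the NAT-internal LAN while the host's
    # management NIC has a public address. The host has no route back into
    # the private network, so the heartbeat is lost.
    if is_rfc1918(vc) and not is_rfc1918(host.ip):
        return UNSUPPORTED_NAT
    # Both public, or both private on different subnets: assumed plainly
    # routed (a NAT between two private subnets cannot be detected from the
    # addresses alone).
    return ROUTED


def explain(esxi_mgmt_if: str, vcenter_advertised: str) -> str:
    """Verdict plus a one-line explanation for a host/vCenter address pair."""
    verdict = classify_heartbeat_path(esxi_mgmt_if, vcenter_advertised)
    return f"{verdict}: {EXPLANATIONS[verdict]}"


if __name__ == "__main__":
    # Constructed sample pairs; 198.51.100.0/24 and 203.0.113.0/24 are the
    # RFC 5737 documentation ranges standing in for public addresses.
    scenarios = [
        ("198.51.100.10/24", "192.168.1.20"),   # the post's original NAT setup
        ("198.51.100.10/24", "203.0.113.5"),    # the post's fix: vCenter on a public IP
        ("198.51.100.10/24", "198.51.100.20"),  # vCenter on the management LAN
    ]
    for mgmt, vc in scenarios:
        print(f"host {mgmt:>18} -> vCenter {vc:<15} {explain(mgmt, vc)}")
```

The first scenario is the configuration in this post and comes back as unsupported-nat; the second is the workaround the post ends up with (vCenter on a public address from the datacenter router) and comes back as routed. A check like this is only about addressing: even a routed verdict still needs UDP/902 from the host to vCenter permitted on whatever firewall sits between them.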

So my solution to getting vCenter working on a NAT config? Don't do it. VMware even states in its knowledge base that vCenter in a NAT configuration is not supported:

Using NAT between the vCenter Server system and ESX/ESXi hosts is an unsupported configuration.

So after literally days of trying to get this fixed, I just kept vCenter off the LAN and assigned it a public IP through my main datacenter's router. It works, but I was really hoping I could get vCenter to pass its own FQDN to ESXi and let ESXi resolve the IP (which, I understand, might not work in all environments, but it should at least be an option). Why vCenter forces the IP of its current NIC to be passed over to ESXi is beyond me...