ESXi WAN/LAN setup on a single NIC.

Hey guys,

Wondering if anyone has any experience in setting up ESXi 5 to use one single-port NIC to act as a front-end WAN (with a pfSense VM on this network) and then have a LAN network internally where the other VMs will reside, including the management host?

I can technically set up 2 vSwitches, and had the network card connected to the WAN network; however, in pfSense I didn't seem to have an option of adding the LAN interface, maybe I never did make it right? Also, moving the management host to the LAN just cuts my connection to the server (I had to experience this first-hand...).

Any ideas how it's done, or do you know of a specific tutorial link? I could only find brief info on doing this setup on a single-port NIC. Or is it the case that I actually require a dual-port NIC or another NIC?

Thanks for any help you can throw my way!
 
Are you using a managed switch that you can configure VLANs on? How have you got it set up at the moment? I did briefly cover how I've done this in another thread (albeit using a dual-port NIC configured as a port channel) but didn't go into much detail.

My terminology is probably off since I'm not really a networks guy, but as far as I see it, if you want to put two different types of traffic down a single port then you need to use VLANs - in this case one for the WAN connection (for your modem) and one for normal traffic. The VLANs need to be configured on your switch such that the port your ESXi server is connected to is a tagged member of your WAN VLAN. Then your vSwitches need to be configured with the appropriate VLAN tags on them (normally just a tag needed on the WAN vSwitch) and your pfSense VM needs an interface on each vSwitch.

It should work on a single port for you, but I'm not sure how management/VMkernel gets affected. Really you should use a separate NIC for management. I can post the specifics of my config in a bit if you like, including some screenshots.
 
Say I opt not to use pfSense as front-end security: how would I secure my network host from being accessed from the "outside" world? A second NIC with only the network host on it, and just directly plug that into, say, my desktop to be managed from there?

I think my problem is I do not have a managed switch to create the VLANs.
 
You could do that.

I have a production ESXi host with two VMs on it. The VMs are on the same subnet as the host (and IP address range). One of the VMs is a DC, the other is Exchange. The Exchange box sits in the DMZ. Therefore, I rely on pure strong passwords to prevent RDP attacks.
 
> I wouldn't want to be routing production traffic through pfSense. It's just not robust enough.

Rubbish.
The BSD platform is one of the most stable platforms around and pfSense's interpretation is no different.
Its flexibility, stability and footprint put 99% of other solutions to shame.
 
> Rubbish.
> The BSD platform is one of the most stable platforms around and pfSense's interpretation is no different.
> Its flexibility, stability and footprint put 99% of other solutions to shame.

Not when you get to enterprise-grade kit it doesn't. Not by a long way and not by any metric other than price, which is an advantage soon lost when you inevitably hit issues or need to put in something proper to get the feature set demanded by proper performing businesses.

To address the OP, this is a bad idea for a number of reasons. Firstly, the traffic needs to enter your VMware host before it gets to the firewall. That's a lot of risk and a lot of trust in VMware's networking and kernel security etc. Secondly, you'll have to have your vmkernel port on the LAN side of the pfSense VM, meaning that it isn't accessible unless the pfSense VM is up and forwarding traffic. That's not a particularly stable configuration, meaning you'd want to open up SSH to the WAN, thus exposing another attack vector.

By *far* the easiest solution to this is to buy a 2nd (dual-port) NIC for your VMware server (check the HCL!), have one for management and another for LAN-side stuff. That doesn't do anything for your security but will make your life easier in the long run.

If that isn't possible, get a cheap Layer 2 managed switch and create two VLANs, one for WAN and the other for LAN, and have your vSwitch configured to Q-tag packets onto the correct VLAN for each VM guest interface.

Finally, the best option is to run pfSense (or a proper firewall appliance) in front of your VMware server.
 
> Not when you get to enterprise-grade kit it doesn't. Not by a long way and not by any metric other than price, which is an advantage soon lost when you inevitably hit issues or need to put in something proper to get the feature set demanded by proper performing businesses.

Well everyone's entitled to their own opinion of course, but I've yet to see anything, enterprise grade or not, that can exceed what pfSense can do.
Its biggest flaw is its complexity compared to enterprise-grade solutions, which have nicer GUIs.

> To address the OP...snip...

Only problem with using a switch to VLAN off and separate traffic is you're then putting the same faith in the switch that would be lacking in the vmkernel...

I'd personally suggest a variation on your first idea: separate NICs for separate networks (internal NIC, external NIC) with clearly separated vSwitches on each one. Then you're separating the traffic at hardware level and software.
 
> Well everyone's entitled to their own opinion of course, but I've yet to see anything, enterprise grade or not, that can exceed what pfSense can do.
> Its biggest flaw is its complexity compared to enterprise-grade solutions, which have nicer GUIs.
>
> Only problem with using a switch to VLAN off and separate traffic is you're then putting the same faith in the switch that would be lacking in the vmkernel...
>
> I'd personally suggest a variation on your first idea: separate NICs for separate networks (internal NIC, external NIC) with clearly separated vSwitches on each one. Then you're separating the traffic at hardware level and software.

Have you ever used anything like Check Point, Juniper, Cisco ASA? Complexity++ but secure firewalls with features that far exceed that of pfSense.

Anyway, back on topic: If you disable the default VLAN or make your interfaces trunk ports with a native VLAN other than the default then the possibility of Q-in-Q attacks (the only realistic attack that isn't a DoS-type attack) is almost completely removed. That's removing an attack vector that's relatively easy to exploit but of course you are still exposed from the VMware POV, just limiting it to compromising the hypervisor processes.

As I said in my previous post, the most secure way is to have the firewall in front of the ESX box as a completely separate device.
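As an added example (not code from the thread, from pfSense or from VMware), here is a small Python check that encodes the design rules the posts above argue for: WAN and LAN on separate VLANs over one tagged switch port, pfSense with a vNIC on each, the management VMkernel on the LAN side rather than in front of the firewall, and a trunk native VLAN that is not the default and does not carry the WAN untagged. The data model, the names and both sample designs are constructed for this example.

```python
"""Constructed example: sanity-check a single-NIC ESXi + pfSense VLAN design."""
from dataclasses import dataclass

@dataclass
class PortGroup:
    name: str
    vlan_id: int  # ESXi port group VLAN ID; 0 = untagged, i.e. the switch port's native VLAN

@dataclass
class Design:
    native_vlan: int   # native VLAN of the physical switch port the single NIC plugs into
    wan_vlan: int      # VLAN the modem/WAN side lives on
    lan_vlan: int      # VLAN the internal network lives on
    portgroups: list   # PortGroup objects on the single-uplink vSwitch
    vmkernel_pg: str   # port group carrying the management VMkernel
    pfsense_pgs: list  # port groups the pfSense VM has a vNIC on

    def effective_vlan(self, pg_name: str) -> int:
        # Untagged (ID 0) port groups land on the physical switch port's native VLAN.
        pg = next(p for p in self.portgroups if p.name == pg_name)
        return self.native_vlan if pg.vlan_id == 0 else pg.vlan_id

def check_design(d: Design) -> list:
    """Return the problems the thread warns about; an empty list means the design holds up."""
    findings = []
    if d.wan_vlan == d.lan_vlan:
        findings.append("WAN and LAN share a VLAN: no separation at all")
    if d.native_vlan == 1:
        findings.append("native VLAN left at the default (1): Q-in-Q exposure")
    if d.native_vlan == d.wan_vlan:
        findings.append("WAN rides the native VLAN untagged")
    if d.effective_vlan(d.vmkernel_pg) == d.wan_vlan:
        findings.append("management VMkernel sits on the WAN side, in front of pfSense")
    reached = {d.effective_vlan(p) for p in d.pfsense_pgs}
    if not {d.wan_vlan, d.lan_vlan} <= reached:
        findings.append("pfSense lacks a vNIC on the WAN or the LAN port group")
    return findings

# Constructed: unmanaged switch, so everything is VLAN 1 and management sits beside the WAN.
OP_ATTEMPT = Design(1, 1, 1, [PortGroup("WAN", 0), PortGroup("LAN", 0)], "WAN", ["WAN"])

# Constructed: managed switch trunk with unused native VLAN 99, WAN tagged 10, LAN tagged 20,
# management VMkernel on the LAN side, pfSense with a vNIC on both.
RECOMMENDED = Design(99, 10, 20, [PortGroup("WAN", 10), PortGroup("LAN", 20), PortGroup("Mgmt", 20)],
                     "Mgmt", ["WAN", "LAN"])

if __name__ == "__main__":
    for label, design in (("OP attempt", OP_ATTEMPT), ("recommended", RECOMMENDED)):
        print(label, check_design(design) or ["OK"])
```

The variant from earlier in the thread, where only the WAN port group is tagged and the LAN rides a non-default native VLAN, also passes the check.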
 
> Have you ever used anything like Check Point, Juniper, Cisco ASA? Complexity++ but secure firewalls with features that far exceed that of pfSense.

I have, yes. Still don't agree. Let's just agree to disagree so we can get back on topic. :)

> Anyway, back on topic: If you disable the default VLAN or make your interfaces trunk ports with a native VLAN other than the default then the possibility of Q-in-Q attacks (the only realistic attack that isn't a DoS-type attack) is almost completely removed. That's removing an attack vector that's relatively easy to exploit but of course you are still exposed from the VMware POV, just limiting it to compromising the hypervisor processes.
>
> As I said in my previous post, the most secure way is to have the firewall in front of the ESX box as a completely separate device.

A good, although basic, overview of VM usage on the network edge by HP here:
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02044591/c02044591.pdf

And depending on the version of VMware being used, some good hypervisor extensions designed for these very purposes:
http://www.vmware.com/uk/products/datacenter-virtualization/vcloud-network-security/features.html
 