VMware Communities > VMTN > VMware Server > Discussions

1 reply. Last post: Nov 24, 2007 4:36 PM by IanHobson

Linux host containing VM for Smoothwall firewall and second VM for DMZ

Nov 4, 2007 2:55 PM

xadium (Lurker, 1 post since Nov 4, 2007)
Hi

I've got an Ubuntu machine containing two NICs and I want to host a virtual firewall in one VM and potentially a web-server in another VM acting as if it's in a DMZ.

I can't even get the first part of the plan to work. NIC1 is connected to the net via cable modem and bridged on vmnet0 as the red interface. NIC2 is on the LAN and is bridged into VM1 on vmnet2 and should be the green interface. My problem is this: do I have to give NIC1 and NIC2 IP addresses in the host so they can be brought up for VMware to hook into? Can I get VMware to talk straight to the hardware? I specifically don't want the host to have internet access.

Thanks
Ali
Re: Linux host containing VM for Smoothwall firewall and second VM for DMZ
Nov 24, 2007 4:38 PM
IanHobson (Novice, 6 posts since Nov 14, 2007)
Hi Ali,

I've done something similar under Windows. The VMs could serve port-forwarded traffic from the internet and local requests - it was not a DMZ setup. I wanted a VM firewall to protect the host, all other VMs and the LAN.

The setup was this.

VMNet0 bridged to the NIC that faces the LAN. This is auto-connected to all VMs (connect to physical network) - which is why I chose it for the green/LAN side.

VMNet2 bridged to the NIC that faces the Internet/cable modem. This is connected to the firewalling VM only. (I use m0n0wall as the firewall.)

The firewall does DHCP for all the LAN, except the host and VMs that boot on startup, which each need fixed internal IPs.

On the host, I removed all drivers and protocols from the network connection on the Internet side, except for the VMNet driver. This means the host is invisible to the internet. (Do this before going on-line :)) How, or even if, you need to do something similar on a Linux host, I can't say.

Finally, I had to tell Zone Alarm on the host that the Internet IP that the firewall VM picked up from my ISP was in the trusted zone, or ZA blocked all attempts to get out! (Although the host does not need a firewall to stop intruders, I prefer to use one that warns me if something unexpected wants to get out.)

I am about to move my setup to a Linux host (I am fed up with Win2K crashing and taking all VMs with it). So I will know more in a few days.

A problem you might be having is that most cable modems will only talk to the first MAC address they see after power on. If you have swapped cabling from another card or another operating system, it could be that the cable modem won't talk to you. Cycle the power to the modem.

Hope this info helps.

Regards

Ian
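The Linux-side equivalent of what Ali is asking about (bringing both NICs up with no host address so the bridges have something to attach to) and of what Ian did on Windows (stripping every protocol but the VMNet driver from the Internet-facing NIC so the host is invisible there), as an added example that is not from either poster or from VMware. It assumes an Ubuntu-style host with iproute2 and an ifupdown `/etc/network/interfaces`, that NIC1 is `eth0` and NIC2 is `eth1` (both names are assumptions; override with `RED_IF`/`GREEN_IF`), and that the vmnet bridge attaches to the link itself and does not need the host to hold an address on it. The sample `ip -o addr` output embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps the host's own IP stack off
# the two NICs that VMware bridges, and checks that it stayed off.
RED_IF="${RED_IF:-eth0}"     # assumption: NIC1, cable-modem side (vmnet0)
GREEN_IF="${GREEN_IF:-eth1}" # assumption: NIC2, LAN side (vmnet2)

# ifupdown stanza for a pure bridge uplink: 'inet manual' brings the link up
# with no address and no DHCP client, which is all the vmnet bridge needs.
interfaces_stanza() {
    dev="$1"
    printf 'auto %s\niface %s inet manual\n    up ip link set %s up\n    down ip link set %s down\n' \
        "$dev" "$dev" "$dev" "$dev"
}

# Runtime equivalent for a NIC that already got an address (needs root; the
# test below does not run this).
bare_uplink() {
    dev="$1"
    ip addr flush dev "$dev"
    # Without this the kernel still configures a link-local IPv6 address on
    # the host side and will answer router advertisements from the modem.
    sysctl -q -w "net.ipv6.conf.$dev.disable_ipv6=1"
    ip link set "$dev" up
}

# Check: given the output of 'ip -o addr show dev X' on stdin, succeed only
# when it carries no inet or inet6 address at all. A link-local v6 address
# already counts as the host being reachable on that segment.
is_bare() {
    ! grep -Eq '[[:space:]]inet6?[[:space:]]'
}

# Classify one captured output as "bare" or "addressed".
check_sample() {
    if printf '%s\n' "$1" | is_bare; then echo bare; else echo addressed; fi
}

# Constructed sample outputs (not captured from a real host).
ADDRESSED='2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global dynamic eth0\       valid_lft 86400sec preferred_lft 86400sec
2: eth0    inet6 fe80::a00:27ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'
LINKLOCAL_ONLY='2: eth0    inet6 fe80::a00:27ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'
BARE=''

# Audit the live host: 'sh thisfile.sh audit' (requires iproute2).
if [ "${1:-}" = audit ]; then
    for dev in "$RED_IF" "$GREEN_IF"; do
        if ip -o addr show dev "$dev" | is_bare; then
            echo "$dev: host holds no address (good)"
        else
            echo "$dev: host still holds an address on this segment" >&2
        fi
    done
fi
```

Run the audit after the bridges are up and after a reboot: a DHCP client or IPv6 autoconfiguration quietly re-addressing the red NIC is exactly the failure mode Ian guarded against by removing every protocol but the VMNet driver on Windows.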