VMware Cloud Community
kaz911
Contributor

Help newbee - ESXi network setup with Firewall Appliance

Hi experts :)

I have 2-3 HP DL3x0 running in a hosting center (2 now, 1-2 more on the way).

I rent out space to MS SBS2008 and my clients are happy, so business is growing. But SBS2008 really likes to have its own protected IP range (192.x.x.x), so right now that is solved with multiple VLANs and a Draytek firewall that supports Public IP to VLAN. On top of that, the hosting center (Middle East) charges a bundle for each power connector, so I want to keep equipment numbers down.

So my thoughts are now to find a Firewall appliance for ESXi that can replace my draytek firewall.

So which Firewall appliance would you recommend? Can I work with just 1 firewall appliance for all the servers - or should I install one for each DL3x0?

Any help greatly appreciated!

best

Kasper

AndreTheGiant
Immortal

pfsense is an interesting solution:

http://blog.pfsense.org/?p=293

http://www.vmware.com/appliances/directory/361

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro
DSTAVERT
Immortal

I have used pfsense for the same application. It is easy to contain a private lan using a pfsense appliance. I don't know how you are set up but you will probably need one for each host. You might have one for each sbs instance? pfsense doesn't need much RAM or disk space.

-- David -- VMware Communities Moderator
kaz911
Contributor

Thanks - but as far as I can read, pfsense does not like multiple PPTP tunnels. Since I'm hosting SBS2008, clients have PPTP access into the server. So I'm not 100% sure that is possible, since the pfsense documentation lists 1-1 PPTP unless you have one external IP per PPTP tunnel (GRE session problem).

It is described as an internal-to-external problem - but I guess it would apply both ways.

best

kaz911
Contributor

Thanks - but one per host - would that not be a waste of external IPs?

I'm also looking into Astaro Security Gateway - they have announced a free version. But they have not launched it yet, so I don't know what limits they have on the free version.

DSTAVERT
Immortal

If you have one organization to one SBS server, how do you isolate each server? Isn't that a security concern? IPs are cheap. Lawsuits are not.

-- David -- VMware Communities Moderator
kaz911
Contributor

See IF you read my post it says....... VLAN to each server.

So each virtual server has its own VLAN + isolated 192.168.x.x range and 1 dedicated public IP.

:) And all clients submit their own license keys.

So each client has its own range, server, SharePoint etc., and you can run between 6 and 12 SBS2008 on one DL380 G5 2x Quad with ESXi 3.5/4.0 without huge problems. Biggest problem is finding affordable quality memory. CPU usage is mostly below 2000. Clients are small businesses! :-) Each VLAN is then isolated from all other VLANs - currently in our HW firewall.

best

Kasper
