VMware Cloud Community
GregecSLO
Contributor

Network design on host in datacenter

Hi all!

I have a rather complicated question regarding network stuff on ESX in a datacenter...

We have ESX 4 in a datacenter and I can manage only the ESX host; I cannot manage the switch or other equipment... The provider gave us 5 public IP addresses...

So I used one for the management network, and I have 2 physical NICs teamed in one vSwitch.

I also have one network created via the vSphere client that is for virtual machines + the management network...

So my question is: can I install pfSense (or any other capable) firewall on ESX, assign 2 virtual NICs from that network I created, and assign one for WAN and one for LAN on pfSense?

So my virtual machines would use internal class C network addresses and I could still use 4 (3) public IP addresses...

The problem is that I have no option of a second machine in the datacenter to act as a firewall...

What do you think, guys? Is it safe? I kind of tested it already and it works, but I don't know how safe this config is...

Thanks!

3 Replies
GregecSLO
Contributor

Umm, I must correct myself...

I have 2 vSwitches...

One for those 2 teamed NICs (uplink to my ISP).

The other vSwitch is for the virtual machines' LAN, but with no NICs...

So that they are separated...

a_p_
Leadership

With the 2 vSwitches you can connect the green interface of pfSense to the internal vSwitch and the red interface to the external vSwitch. This way you can make pfSense act as a firewall and router. The only unprotected port group in this case is the ESXi host's Management Network itself.

André
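The layout André describes is only as safe as one invariant: the internal vSwitch must have no physical uplinks, so the only path from a guest to the Internet is through the pfSense VM, and pfSense must be the only VM with a vNIC on the external port group. The script below is an added example (not part of this thread and not VMware's code) that checks the uplink side of that invariant by parsing the output of `esxcfg-vswitch -l` on an ESX 4 host. The listing embedded in it is constructed to match that command's layout; the switch names vSwitch0 (external) and vSwitch1 (internal) are assumptions taken from the usual defaults.

```shell
#!/bin/sh
# Added example: audit the two-vSwitch pfSense layout from an
# `esxcfg-vswitch -l` listing. Not from the thread; names are assumed.

# Constructed sample in the shape of `esxcfg-vswitch -l` on ESX 4.
# On a real host replace this with:  SAMPLE_LISTING=$(esxcfg-vswitch -l)
SAMPLE_LISTING='Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         128         5           128               1500    vmnic0,vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  VM Network            0        1           vmnic0,vmnic1
  Service Console       0        1           vmnic0,vmnic1

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1         128         2           128               1500

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  LAN                   0        1
'

# vswitch_uplinks NAME: print the comma-separated uplink list of vSwitch
# NAME (an empty line if it has none). Exit 2 if the switch is not listed.
# Switch rows start at column 0; port group rows are indented, so the
# /^vSwitch/ anchor skips them and the header row.
vswitch_uplinks() {
    printf '%s' "$SAMPLE_LISTING" | awk -v sw="$1" '
        /^vSwitch/ && $1 == sw { print $6; found = 1 }
        END { if (!found) exit 2 }
    '
}

# vswitch_is_isolated NAME: succeed only if vSwitch NAME exists and has no
# physical uplinks, i.e. a guest on it can only reach the outside through
# a VM (pfSense) that also has an interface on the external vSwitch.
vswitch_is_isolated() {
    uplinks=$(vswitch_uplinks "$1") || return 2
    [ -z "$uplinks" ]
}

# audit_layout EXTERNAL INTERNAL: print OK when the external vSwitch has
# uplinks and the internal one has none; otherwise print what is wrong.
# Any other combination either breaks pfSense's WAN or lets guests on the
# internal side bypass the firewall entirely.
audit_layout() {
    ext=$(vswitch_uplinks "$1") || { echo "$1 not found"; return 1; }
    if [ -z "$ext" ]; then
        echo "$1 has no uplinks: pfSense WAN would have no path out"
        return 1
    fi
    if ! vswitch_is_isolated "$2"; then
        echo "$2 has uplinks (or is missing): guests could bypass pfSense"
        return 1
    fi
    echo OK
}

audit_layout vSwitch0 vSwitch1
```

Run it on the host with the real listing substituted in; a non-OK result means the internal port group is not actually isolated and the pfSense VM is not the choke point you think it is. The script does not check which VMs sit on the external port group, so that part (only pfSense's red vNIC on vSwitch0) still has to be verified in the vSphere client.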

GregecSLO
Contributor

Thanks André!

Is this some sort of best practice?

I know ideally it would be that we add another physical machine, install pfSense on it and then protect the whole ESX environment, but sadly this is not an option...

Is there some sort of other solution for ESXes in such remote datacenters?

Thanks!
