VMware Cloud Community
sim0
Enthusiast

Add Router VM to network - sanity check

We are running ESXi 3.5 U4 in production, one of our VMs is Windows Small Business Server 2008 which does AD, DNS, DHCP and Exchange amongst other things. We are moving away from POP3 email to self-hosted Exchange. Before doing so I want to put in place a spam/virus filtering device. I am looking at Untangle for this. As we are a very small business and IT currently has no budget, a VM implementation in our existing ESXi host would be ideal.

In a physical network I'd just drop the Untangle box in behind the firewall and wire all traffic through it, what I need to achieve here is for at least all email traffic to be routed through the Untangle VM.

In ESXi I plan to set up 3 vSwitches, vSwitch1 connected to the management network (no physical NIC), vSwitch2 connected to the Untangle VM and the 4 physical NICs and vSwitch3 (no physical NIC) connected to all the other VMs including SBS 2008. The plan is to set up the Untangle VM with 3 vNICs, one each for vSwitch0, vSwitch1 and vSwitch2. The ESXi host has 4 physical NICs.

The internet modem, firewall and external facing Untangle vNIC would be on 192.168.50.x.

The ESXi Management Network and one Untangle vNIC would be on 192.168.60.x.

The other Untangle vNIC, the VMs and physical LAN would be on 192.168.10.x.

Can I bring the firewall straight through one of the ESXi hosts pNICs and into the Untangle VM as shown here?

Or do I need to send it to the physical switch that holds the rest of the network first, as shown here?

Either way I think my main aim of filtering email traffic will be met, as all email traffic will have to go through Untangle to get to SBS 2008 on vSwitch2.

Are these designs valid? I think the idea is sound but am always open to suggestions and constructive criticism.

Thanks for reading.

Simon

4 Replies
J1mbo
Virtuoso

Hi, I'm not sure your design is correct. I think what you're trying to create is a DMZ in which case the Internet side shouldn't touch your production network directly. Similarly your production VMs should be directly connected.

If I've understood the requirement correctly, and assuming untangle functions logically like a router, then the approach would be:

The Internet modem/firewall and external facing Untangle vNIC would be on 192.168.50.x on vSwitch1 with 2x pNIC (for redundancy)

The ESXi Management Network, the trusted Untangle vNIC, the Production VMs and physical LAN would be on 192.168.10.x with 2x pNIC for redundancy/performance.

Default gateway for all internal VMs becomes the 192.168.10.x address of the untangle VM. Default gateway for the untangle VM becomes the 192.168.50.x address of the Internet firewall.

HTH

sim0
Enthusiast

Thanks J1mbo, sometimes these things need to rattle around in my head for a while before I get a clear picture.

So what you are suggesting would look like this.

I thought best practice was to have the ESXi Management Network on its own vSwitch, separate from everything else.

I had planned to put the Management Network on its own subnet with all the other management interfaces like ILOM and SNMP to separate the management traffic from the production traffic. There is no reason why I cannot do that by adding another vSwitch and vNIC to the Untangle VM, is there?

Thanks for helping me get this straight.

J1mbo
Virtuoso

Separating management traffic etc. is entirely up to you, it depends on the goal. If physical bandwidth to the ESX host is a concern then you can just add another pNIC to the uplink from the vSwitch. If security is a concern then you'd need a firewall between prod and management LANs to restrict the access accordingly. Bear in mind that in a switched network the management traffic flying around can't be easily sniffed anyway.

The diagram looks good. If you want to separate the management etc., add vSwitch2 for management and move one pNIC from vSwitch0 to vSwitch2. You'll need another firewall/router to get to it, or a second NIC in your management station and a separate VLAN on your switching infrastructure for it in order to make it an effective layer of control. Don't route through a VM, as if the VM crashes or otherwise becomes unavailable there will be no access to your ESX host!!

HTH
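The two points J1mbo makes (mail from the Internet must have no path to SBS 2008 that bypasses Untangle, and the ESXi management interface must stay reachable when the Untangle VM is down) can be checked mechanically. The script below is an added example, not code from the thread or from Untangle; it models each subnet/vSwitch as a segment and each multi-homed device as a router, using constructed host and segment names (`external_mta`, `net10`, `net50`, `net60`) for the three layouts discussed above.

```python
from collections import deque

# Constructed model of the layouts discussed in the thread (not from the posts themselves).
# A segment is one subnet/vSwitch; a router is a device with vNICs/NICs in several segments.
# "net50" = 192.168.50.x, "net10" = 192.168.10.x, "net60" = 192.168.60.x (hypothetical names).

# J1mbo's suggestion: Untangle between the DMZ and production, ESXi management on 192.168.10.x.
DESIGN_J1MBO = {
    "routers": {"firewall": {"internet", "net50"}, "untangle": {"net50", "net10"}},
    "hosts": {"external_mta": {"internet"}, "sbs2008": {"net10"},
              "esxi_mgmt": {"net10"}, "mgmt_station": {"net10"}},
}
# sim0's idea: management on its own subnet, reached only through a third Untangle vNIC.
DESIGN_VM_ROUTED_MGMT = {
    "routers": {"firewall": {"internet", "net50"}, "untangle": {"net50", "net10", "net60"}},
    "hosts": {"external_mta": {"internet"}, "sbs2008": {"net10"},
              "esxi_mgmt": {"net60"}, "mgmt_station": {"net10"}},
}
# J1mbo's fix: separate management VLAN plus a second NIC in the management station.
DESIGN_DUAL_NIC_MGMT = {
    "routers": {"firewall": {"internet", "net50"}, "untangle": {"net50", "net10"}},
    "hosts": {"external_mta": {"internet"}, "sbs2008": {"net10"},
              "esxi_mgmt": {"net60"}, "mgmt_station": {"net10", "net60"}},
}

def reachable(segments, routers, down=frozenset()):
    """Segments reachable from `segments`, ignoring any router named in `down`."""
    seen, queue = set(segments), deque(segments)
    while queue:
        seg = queue.popleft()
        for name, attached in routers.items():
            if name in down or seg not in attached:
                continue
            for nxt in attached - seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def traffic_must_cross(design, src, dst, router):
    """True if host `dst` is reachable from host `src`, but only through `router`."""
    hosts, routers = design["hosts"], design["routers"]
    with_router = reachable(hosts[src], routers)
    without_router = reachable(hosts[src], routers, down={router})
    return bool(hosts[dst] & with_router) and not (hosts[dst] & without_router)

def mgmt_survives_vm_failure(design, vm_router="untangle"):
    """J1mbo's warning: can the admin still reach the ESXi host once the VM router is down?"""
    hosts = design["hosts"]
    alive = reachable(hosts["mgmt_station"], design["routers"], down={vm_router})
    return bool(hosts["esxi_mgmt"] & alive)
```

Every layout passes the mail-filtering check, but only the layouts that do not route management through the VM keep the ESXi host reachable when Untangle is down.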

sim0
Enthusiast

Cheers J1mbo, you've been a great help.

You'll need another firewall/router to get to it, or a second NIC in your management station and a separate VLAN on your switching infrastructure for it in order to make it an effective layer of control. Don't route through a VM, as if the VM crashes or otherwise becomes unavailable there will be no access to your ESX host!!

Very good point! I tend to try to treat VMs as similarly to physical machines as possible; this is an example of when that could get you in trouble. It's not like you can just move some cables to get around a dead VM router.

Now for some testing...
