VMware Networking Community
JoeOst
Contributor

Push traffic Via a specific VM

Hi,

I have an interesting question. Is the concept described below possible with NSX (natively or creatively)? The idea is to force all internet-bound traffic to pass a specific VM, not for routing, just layer 2 packet flow. In the example below, VM1 (192.168.1.50), which resides on host ESX1, wants to get to the internet using its gateway 192.168.1.254, a physical firewall. I would like it so that packets must flow via VM2, as illustrated by the orange line in the (sloppy) diagram below. I assume that promiscuous and forged transmit would need to be allowed. In the physical world, this would be equivalent to placing a man-in-the-middle device between the LAN and the firewall, so that the flow looks like this: PC > Switch > Man-in-the-middle Device > Firewall.

Also, I have a question about promiscuous mode and forged transmit. When creating a Logical Switch, it automatically creates a dvPortGroup on the appropriate DSwitch (depending on the transport zone config). If I now wish to change the promiscuous/forged security settings for a specific logical switch, do I change it on the PortGroup level? What if the logical switch was pushed to multiple DSwitches, would I need to manually adjust the settings on each PortGroup within each DSwitch?

[diagram: NSX.png]

3 Replies
mhampto
VMware Employee

Take a look at the NSX Design Guide (VMware® NSX for vSphere Network Virtualization Design Guide ver 3.0) for information around this subject.

amolnjadhav
Enthusiast

> If I now wish to change the promiscuous/forged security settings for a specific logical switch, do I change it on the PortGroup level?

Yes, it is always better to enable promiscuous/forged security settings at PortGroup level instead of DVSwitch Level.

> What if the logical switch was pushed to multiple DSwitches, would I need to manually adjust the settings on each PortGroup within each DSwitch?

This question looks to be a trick, but yes, you have to enable promiscuous/forged security settings at each PG within each DVS.

Please consider marking this answer "correct" or "helpful" if you think your query has been answered correctly.

Regards,
Amol Jadhav
VCP NSXT | VCP NSXV | VCIX6-NV | VCAP-DCA | CCNA | CCNP - BSCI
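As an added illustration of the answer above (this is not code from the thread or from VMware), the following PowerCLI script applies the promiscuous-mode and forged-transmit settings on every dvPortGroup that backs one NSX logical switch, across every DSwitch the transport zone spans, and reads the policy back to confirm the change. It assumes an existing `Connect-VIServer` session and that the backing port groups carry the logical switch name in their name (NSX-V uses the pattern `vxw-dvs-<id>-virtualwire-<n>-sid-<vni>-<name>`); the `-like` filter is an assumption you should adjust if your port groups are named differently.

```powershell
# Added example, not part of the original thread.
# Enables AllowPromiscuous and ForgedTransmits on each dvPortGroup that backs
# the given NSX logical switch, on every DSwitch, then verifies the result.
# Requires VMware PowerCLI (VMware.VimAutomation.Vds) and an active vCenter session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $LogicalSwitchName
)

# ASSUMPTION: the backing port group name ends with the logical switch name,
# as in "vxw-dvs-…-virtualwire-…-sid-…-<LogicalSwitchName>". Adjust if needed.
$nameFilter = "*virtualwire*-$LogicalSwitchName"

# Collect the matching port group on each DSwitch (one logical switch may be
# pushed to several DSwitches, each with its own dvPortGroup).
$targets = foreach ($dvs in Get-VDSwitch) {
    Get-VDPortgroup -VDSwitch $dvs | Where-Object { $_.Name -like $nameFilter } |
        ForEach-Object { [pscustomobject]@{ DVS = $dvs.Name; PortGroup = $_ } }
}

if (-not $targets) {
    Write-Warning "No dvPortGroups matched '$nameFilter'; nothing changed."
    return
}

foreach ($t in $targets) {
    $before = Get-VDSecurityPolicy -VDPortgroup $t.PortGroup
    Write-Verbose ("{0}/{1}: before Promiscuous={2} ForgedTransmits={3}" -f
        $t.DVS, $t.PortGroup.Name, $before.AllowPromiscuous, $before.ForgedTransmits)

    # Only the two settings the thread discusses are changed; MacChanges is left as-is.
    if ($PSCmdlet.ShouldProcess("$($t.DVS)/$($t.PortGroup.Name)",
            "Enable AllowPromiscuous and ForgedTransmits")) {
        $before | Set-VDSecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true | Out-Null

        # Read the policy back rather than trusting the return value.
        $after = Get-VDSecurityPolicy -VDPortgroup $t.PortGroup
        [pscustomobject]@{
            DVS              = $t.DVS
            PortGroup        = $t.PortGroup.Name
            AllowPromiscuous = $after.AllowPromiscuous
            ForgedTransmits  = $after.ForgedTransmits
            Applied          = ($after.AllowPromiscuous -and $after.ForgedTransmits)
        }
    }
}
```

Run it first with `-WhatIf` to list the port groups it would touch on each DSwitch, then without. Because these settings apply to the whole dvPortGroup, every VM attached to that logical switch (not only the inline VM2) is then able to receive all frames on the segment and to send with a foreign source MAC, so keep the inspection VM on its own logical switch where practical and re-run the script with `-Verbose` after NSX changes to confirm the policy has not been reset.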
JoeOst
Contributor

Hi,

Thanks for the info. Could you possibly point me to the section in which this design is described?
