VMware Cloud Community
HudsonLR
Contributor

How to deploy a VM to act as Firewall/Gateway for a LAN?

Hello everyone, I'm involved with a new virtualization project that will have some servers, including a firewall. Each ESXi host has 4 NICs, 2 for vMotion and 2 for VM traffic.

* The firewall will be a VM (with IPtables, Squid, etc)

For the firewall VM, I will need 3 vNICs:

1 - Internet Link 1 - 10.0.0.0

2 - Internet Link 2 - 192.168.1.0

3 - LAN Interface - 192.168.0.0

The ESXI host, the Routers and all other computers will be plugged in the same switch, and the traffic will be separated with VLANs.

How do I make the host configuration to do this? Is it possible with only 2 physical NICs?

* vSphere 5.1

2 Replies
iw123
Commander

Hi

Yes, it can be possible with 2 NICs. You will need to make sure trunking is in place on your physical switch ports connecting to your ESXi server. Then you can create a vSwitch using those NICs, and create port groups for each VLAN that your VMs will need to access.

Your firewall VM will need to have several virtual NICs, which access the relevant port groups.

*Please don't forget to award points for "helpful" and/or "correct" answers
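Putting iw123's answer into practice, as an added example (PowerCLI, not code from the thread or from VMware): one standard vSwitch on the two VM-traffic uplinks, one port group per VLAN, and three vNICs on the firewall VM. The vCenter, host, vmnic and VM names and the two Internet-link VLAN IDs are assumptions; VLAN 3 (tagged LAN) and VLAN 1 (untagged management) come from HudsonLR's tests.

```powershell
# Added example (not from the thread): PowerCLI layout for a 2-uplink ESXi 5.1 host
# hosting a firewall VM with three vNICs, as iw123 describes.
# Assumed: vCenter "vcenter.lab.local", host "esxi01.lab.local", uplinks vmnic2/vmnic3,
# VM "fw01", VLAN IDs 10 and 20 for the Internet links (the thread only gives subnets).

Connect-VIServer -Server "vcenter.lab.local"
$vmhost = Get-VMHost -Name "esxi01.lab.local"

# One vSwitch carrying both VM-traffic uplinks. The physical switch ports behind
# vmnic2/vmnic3 must be trunk (HP "hybrid") ports that tag every VLAN except the native one.
$vsw = New-VirtualSwitch -VMHost $vmhost -Name "vSwitch1" -Nic "vmnic2","vmnic3"

# One port group per VLAN. The port group VLAN ID is what ESXi tags on the wire;
# VLanId 0 means untagged, which is what a native/UNTAGGED VLAN 1 on port 23 needs.
$pgs = [ordered]@{
  "WAN1-VLAN10" = 10   # Internet link 1, 10.0.0.0      (VLAN ID assumed)
  "WAN2-VLAN20" = 20   # Internet link 2, 192.168.1.0   (VLAN ID assumed)
  "LAN-VLAN3"   = 3    # LAN behind the firewall, VLAN 3 tagged on ports 21 and 23
}
foreach ($name in $pgs.Keys) {
  New-VirtualPortGroup -VirtualSwitch $vsw -Name $name -VLanId $pgs[$name] | Out-Null
}

# The firewall VM gets exactly one vNIC per port group. Only the firewall should be
# attached to the WAN port groups; LAN VMs attach to LAN-VLAN3 and route via the firewall.
$fw = Get-VM -Name "fw01"
foreach ($name in $pgs.Keys) {
  New-NetworkAdapter -VM $fw -NetworkName $name -Type Vmxnet3 -StartConnected | Out-Null
}

# Verification: port groups with their VLAN IDs, and the vSwitch security policy.
# A routing (not bridging) firewall works with the defaults, so Promiscuous Mode,
# MAC Changes and Forged Transmits should all still report Reject.
Get-VirtualPortGroup -VirtualSwitch $vsw | Select-Object Name, VLanId
Get-SecurityPolicy -VirtualSwitch $vsw |
  Select-Object AllowPromiscuous, MacChanges, ForgedTransmits
```

The two vMotion uplinks stay on their own vSwitch; mixing them into vSwitch1 would let the trunked VLANs reach the vMotion network.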
HudsonLR
Contributor

I'm still having some trouble with the configuration.

For these tests, I'm using only 2 ports on the switch:

Port 21 - Notebook/Router for test

Port 23 - ESXi Host

Switch HP v1910 with ports in 'hybrid' mode.

Test 1:

- Created a VLAN with ID 3, with ports 21 and 23 as TAGGED (192.168.80.0/24). VLAN 1 already exists, and in this VLAN (192.168.60.0/24) ports 21 and 23 stay UNTAGGED. VLAN 1 is used for management of ESXi.

- Added a vNIC to the VM with VLAN ID 3;

- Plugged a notebook into port 21 and configured it on the VLAN;

Results: Can ping the notebook from the VM and the VM from the notebook;

Test 2:

- Unplugged the notebook and plugged a router into the same port;

Results: Can't ping the router from the VM;

Test 3:

- Changed ports on VLAN 1 to TAGGED and ports on VLAN 3 to UNTAGGED;

Results: Lost connection to the ESXi host.

Test 4:

- Changed port 23 in VLAN 1 to UNTAGGED and in VLAN 3 to TAGGED.

Results: Can connect to the ESXi host again, but still can't ping the router from the VM.

PS: This is the configuration that I will use in my project. The traffic comes in through a VLAN to the VM, and goes out through another vNIC from the VM to the LAN.

Where am I going wrong?
