thomasso
Enthusiast
Enthusiast

Do I need a vSwitch for every network with only one physical network adapter?

Hi.

Plain and basic question. Do I need to setup a vSwitch for every virtual network I want to run on my esxi?
I'm planning to setup pfSense firewall with LAN, WAN and DMZ networks and I have previously run a similar setup with only the standard vSwitch esxi setup for me. But I'm curious to whether it would be better practice and more secure to setup and utilize a vSwitch for every virtual network.

In other words, I know it's not required to make it run, but will it be more secure and better practice to setup the additional two vSwitches and make it run this way, or do one vSwitch only represent ONE physical adapter? And is it therefore obsolete to create more than the standard one?

0 Kudos
11 Replies
scott28tt
VMware Employee
VMware Employee

@thomasso 

Think about what VMs will need to connect to which virtual networks (possibly with VLANs) and the physical connectivity required to make it all work the way you want.

Keeping all VM portgroups on a single vSwitch with physical uplinks means that every VM potentially has physical connectivity.

Having some VMs using a VM portgroup on a separate vSwitch with no physical uplinks gives you a network which cannot reach the outside world, unless you were to multi-home a VM.


-------------------------------------------------------------------------------------------------------------------------------------------------------------
VMware Training & Certification blog
0 Kudos
thomasso
Enthusiast
Enthusiast

So basically I don't need to add more vSwitches? I can use the one created by ESXI for my single physical adapter and run it all virtual?

Sorry for asking lame questions. Just wanna get it straight and do it the best possible way 🙂

0 Kudos
scott28tt
VMware Employee
VMware Employee

@thomasso 

It depends what connectivity you need your various VMs to have to one another, to the physical world, and whether you have multiple hosts.

To increase your chances of anyone giving you a definitive answer, draw a diagram and upload it.


-------------------------------------------------------------------------------------------------------------------------------------------------------------
VMware Training & Certification blog
thomasso
Enthusiast
Enthusiast

Hi Scott.

I have attached an old diagram from my previous setup. I'm not sure it will be the exact same setup, but the idea is to make 3-4 network segments.

I'm planning to experiment with PKI and NAC in my new setup, but the idea is that the network are divided into several areas and the whole thing is going to run from a single physical computer with one physical NIC.

As mentioned the attached setup has been working fine and my opening question is only in regards to whether it will be better practice to utilize ESXI and use more than one virtual switch on the host, or whether the former setup is actually just fine.

What would one do in the "real world"?

0 Kudos
a_p_
Leadership
Leadership

From a technical point of view, you can do all this with a single vSwitch, and multiple port groups for the different subnets. In this case I'd suggest the use of VLANs to ensure that the traffic remains separated.

Using multiple vSwitches, one for each subnet is an alternative, that likely better represents how you'd do this if that was a physical network setup.

André

0 Kudos
thomasso
Enthusiast
Enthusiast

@AP thank you for your reply.

I have now setup three different port groups (the default one just renamed to LAN) and two additional port groups using the one and only vSwitch on my ESXI install.

I have installed pfSense and gave it three network adapters - one from each port group.

Everything seemed to work flawlesly but there seems to be no connectivity between the networks.
Do I have to setup additional to make this work?

If I go into the settings for the VM running pfSense and shange the two network adapters to LAN-PortGroup, then everything flows fine and I can access things beyond my own network.

0 Kudos
a_p_
Leadership
Leadership

This looks like a configuration issue in the pfSense firewall.
Note that you even need to allow ICMP (ping) traffic in pfSense.

André

0 Kudos
thomasso
Enthusiast
Enthusiast

Ok, so just to make sure I understand the thing with port groups. I don't need to setup additional in terms of routing or anything else to make it work?

This leads me back to my origional question: Do I have to setup these additional things to harden my setup and make it more secure, or does it nothing except making things more logical?

Sorry for asking the same question but I don't think anybody have been able to answer this 🙂
I'm going for a basic setup (home lap), bnut of course I would like to use the best possible approach. But if this does'nt add anything, I will just go for the simple setup with one vSwitch and one port group because this is the solution that works out of the box.

0 Kudos
a_p_
Leadership
Leadership

>>> I don't need to setup additional in terms of routing or anything else to make it work?
No, routing is done by the pfSense in this case. ESXi does not provide routing natively.

>>> Do I have to setup these additional things to harden my setup and make it more secure, ...
What you may do for security reasons, is to create another Host-Only vSwitch (one with no uplinks/vmnice) with the port groups that require routing through the pfSense. This way, VMs on this vSwitch do not have direct access to the physical network in case of misconfiguration (e.g. a valid LAN IP address). Each of these port groups should be configured with a different VLAN-ID to logically separate traffic.

André

0 Kudos
hamidja
Enthusiast
Enthusiast

Hi

VMware said using separate vswitches as a suggestion. But it's no matter if you use one vswitch with multi Port group. I use separate port group because it make it easy to manage them or put policy on them like mirroring ,netflow ... . for Pfsense first set route to your net and create a firewall rule to pass ICMP packet between your networks then ping them to check connectivity, if it did not pass go to 

Status > System LogsFirewall  and check which firewall rule reject it. and use easy rule to add it. this link helps

https://docs.netgate.com/pfsense/en/latest/firewall/easyrule.html

I hope it help you

0 Kudos
thomasso
Enthusiast
Enthusiast

Hi Hamidja.

From your reply I understand that if I choose to use a unique port group for my any of my virtual network adapters on my pfSense, I'll have to create rules in the firewall to allow the trafic through the firewall and between the virtual networks.

If I choose to run with the same port group on all my adapters, I don't seem to have to anything and trafic flows fine between the networks.

So, if I understand you correct, it HAS an impact on the system whether one choose to go with one port group (the default ESXi virtual switch), or one create port groups for all adapters?

I just want to go with the most simply setup in terms of networking, but of couse I would like my setup to be as secure as possible.

Is the conclusion to this that one can just use the most basic setup in terms of port groups and vSwitches (just one for all adapters) and still maintain a secure setup where the pfSense firewall filters allowed traffic and blocks the rest?

I'm still a little puzzled about this...

0 Kudos