Good morning,
I'm sure this question has been asked before, but I can't seem to find it anywhere, so I apologize in advance if it's a duplicate. I'm very familiar with vCenter and ESXi, but I'm a storage guy, not necessarily a network guy, so any help is greatly appreciated. On with the question...
I'm trying to virtualize a firewall into my ESXi HA cluster. This is a Linux-based firewall (ClearOS v6) with four Ethernet interfaces. The interfaces are as follows: eth0 is static to my LAN, eth1 is DHCP to a modem, eth2 is static to another modem, and eth3 is static to a DMZ for wifi. The two modems are from different providers, so they're on different networks, as are the remaining two interfaces; so in total the firewall talks to four networks, with one of them being DHCP.
I have an ESXi HA cluster that runs beautifully: currently 4x nodes, 8x Xeon processors, 32 cores and 384 GB of RAM. Each node has a total of 6 Ethernet interfaces, 2x on-board Intel ports and a single i340-T4 card. All interfaces are connected to the vDS as well as the physical switch.
The whole cluster is plugged into a Dell 6248 Layer 3 managed switch, but I'm not currently doing any VLAN routing; just some basic LACP for my storage server, and I'm not doing any LACP (yet) on my vDS. I have a single port group for the vmkernel adapters (one per node) and a single port group for the virtual machines. Nothing fancy. I've been told I should create additional vmkernel adapters for each type of traffic but haven't done this yet (should I?).
I'm trying to wrap my head around configuring the vDS and/or the physical switch. I need to isolate the networks for the modems so that DHCP works on the single interface of the firewall without the modem trying to be a DHCP server for the entire network, and also isolate the modems' networks so that nobody can bypass the firewall and go directly to a modem.
I've virtualized many firewalls on a single ESXi host before and it's worked great, just assigning NICs 1-to-1 to the firewall, and everything was fine. But this time I'm trying to virtualize it into the HA cluster so that everything just rolls over to another host in case of failure.
Any help from those with a much more gooder understanding of networking than I is greatly appreciated. Like I said, I know what I'm doing, but I'm a storage guy, not a networking guy!
Thanks in advance,
-brian
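The usual way to get the isolation the post above asks for on a vDS is one distributed port group per firewall leg, each tagged with its own VLAN ID, with the same VLANs trunked to every host's uplinks and the modem-facing switch ports made access ports in their VLAN. That way a modem's DHCP offers only ever arrive on the firewall's vNIC for that leg, no other VM can reach a modem directly, and the firewall VM can still be restarted by HA on any host because the VLANs exist everywhere. The PowerCLI below is an added example and not part of the original post or any answer to it; the vDS name "dvSwitch0", the VLAN IDs 10/20/30/40, the vCenter host name and the VM name "clearos-fw" are placeholders to adapt.

```powershell
# Added example (not from the original post): one distributed port group per
# firewall leg, each on its own VLAN, so modem traffic is only reachable by the
# firewall VM's vNIC on that port group. Assumptions: vDS "dvSwitch0", VLAN IDs
# 10/20/30/40, vCenter "vcenter.example.local" and VM "clearos-fw" are
# placeholders. The same VLANs must be trunked on the Dell 6248 ports facing
# every ESXi host, and each modem's switch port must be an access port in the
# VLAN of its leg, otherwise HA failover or isolation will not hold.
Connect-VIServer -Server vcenter.example.local

$vds = Get-VDSwitch -Name "dvSwitch0"

# Map each firewall interface to a VLAN. Keep the existing VM port group for
# everything else; only the firewall is attached to these four.
$legs = @(
    @{ Name = "fw-lan";  Vlan = 10 }   # eth0, static LAN
    @{ Name = "fw-wan1"; Vlan = 20 }   # eth1, DHCP client to modem 1
    @{ Name = "fw-wan2"; Vlan = 30 }   # eth2, static to modem 2
    @{ Name = "fw-dmz";  Vlan = 40 }   # eth3, wifi DMZ
)

foreach ($leg in $legs) {
    $pg = Get-VDPortgroup -VDSwitch $vds -Name $leg.Name -ErrorAction SilentlyContinue
    if (-not $pg) {
        $pg = New-VDPortgroup -VDSwitch $vds -Name $leg.Name -VlanId $leg.Vlan -NumPorts 8
    }
    # Reject promiscuous mode, forged transmits and MAC changes on these groups
    # so no VM placed on them can sniff or spoof the modem or DMZ segments. The
    # firewall's vNIC MACs are stable, so the client DHCP lease on eth1 still works.
    $pg | Get-VDSecurityPolicy |
        Set-VDSecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false |
        Out-Null
}

# Attach the firewall VM's four vNICs to the four port groups in adapter order
# ("Network adapter 1" -> eth0, and so on).
$vm   = Get-VM -Name "clearos-fw"
$nics = Get-NetworkAdapter -VM $vm | Sort-Object Name
for ($i = 0; $i -lt $legs.Count; $i++) {
    $pg = Get-VDPortgroup -VDSwitch $vds -Name $legs[$i].Name
    Set-NetworkAdapter -NetworkAdapter $nics[$i] -Portgroup $pg -Confirm:$false | Out-Null
}

# Quick check: each firewall vNIC should now sit on a distinct VLAN-tagged group.
Get-NetworkAdapter -VM $vm |
    Select-Object Name, NetworkName, MacAddress |
    Format-Table -AutoSize
```

Two things to verify on the physical side before trusting this: the host-facing ports on the 6248 must carry VLANs 10, 20, 30 and 40 as tagged members on every node (HA can place the firewall on any of them), and nothing else on the vDS should be given a port group in VLAN 20 or 30, since that is the only thing standing between a stray VM and a modem. The vmkernel traffic stays on its own port group and VLAN, as in the current setup.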