VMware Cloud Community
and_h
Contributor

Newbie: VMWare Hypervisor to host transparent firewall

Hi everyone,

Sorry if this is a trivial question, but I am new to VMWare and still trying to get to know it a bit better.

I have a server with VMWare ESXi 6.5U2 (free Hypervisor) installed, which is connected to my internet router. Since this is a free license, I do not have vCenter available. Now, I would like to host a linux server as a virtual machine (web server etc.) that is protected by a transparent firewall setup (OPNsense or similar) placed as a virtual machine "before" the virtual host. Incoming traffic would be routed to the ESXi host (port forwarding), through the transparent firewall and to the linux server.

However, I am at loss on how I can possibly configure the vSwitches in the ESXi Web Interface to allow for such a scenario. Can anyone point me in the right direction? Any help is appreciated!

Best,

Andreas

3 Replies
a_p_
Leadership

Welcome to the Community,

You don't want to forward ingress traffic to the ESXi host, but to your virtual firewall in such a case.

One option to achieve your goal would be to use two vSwitches on the ESXi host. One of them as an internal-only vSwitch (no vmnics/uplinks connected).

Connect the Web-Server to the internal-only vSwitch, and the firewall VM (which needs two virtual network adapters) to both of them: the vSwitch with network access (WAN interface), and the internal-only vSwitch (DMZ/LAN interface).


André

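The two-vSwitch layout André describes, typed into the ESXi shell (SSH to the host) as an added example; this is not code from the thread or from VMware's documentation. It creates the internal-only vSwitch without ever running "uplink add", and then gives you a check that parses the output of `esxcli network vswitch standard list` to confirm the internal switch really has no uplink, which is the property the whole design rests on (an uplink on the DMZ switch would let the web server bypass the firewall). The names vSwitchDMZ, DMZ and WAN-Firewall, and the sample list output, are assumptions made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: build the two-vSwitch topology from the
# ESXi shell and verify that the internal vSwitch has no physical uplink.
# vSwitchDMZ, DMZ and WAN-Firewall are assumed names.
set -eu

# Set ESXCLI="echo esxcli" to print the plan instead of applying it.
: "${ESXCLI:=esxcli}"

build_topology() {
    # vSwitch0 with the physical uplink (vmnic0) already exists on a stock
    # install; add a port group on it for the firewall VM's WAN vNIC.
    $ESXCLI network vswitch standard portgroup add --portgroup-name=WAN-Firewall --vswitch-name=vSwitch0
    # Internal-only switch: note that no "uplink add" follows, so nothing on
    # it can reach the physical network except through the firewall VM.
    $ESXCLI network vswitch standard add --vswitch-name=vSwitchDMZ
    $ESXCLI network vswitch standard portgroup add --portgroup-name=DMZ --vswitch-name=vSwitchDMZ
    # In the Host Client: firewall VM -> Network adapter 1 on WAN-Firewall,
    # Network adapter 2 on DMZ; web server VM -> a single vNIC on DMZ.
}

# uplinks_of <vswitch>: read "esxcli network vswitch standard list" output on
# stdin and print the "Uplinks:" value of the named vSwitch.
uplinks_of() {
    awk -v sw="$1" '
        /^[^ ]/ { cur = $1 }                      # unindented line = vSwitch name
        cur == sw && /^ *Uplinks:/ {
            sub(/^ *Uplinks:[ ]*/, ""); print; exit
        }
    '
}

# is_isolated <vswitch>: succeed only if the vSwitch has no uplink at all.
is_isolated() {
    [ -z "$(uplinks_of "$1")" ]
}

# Constructed sample of "esxcli network vswitch standard list" output (trimmed
# to the fields used here), so the check can be tried without a host.
SAMPLE_LIST='vSwitch0
   Name: vSwitch0
   Class: cswitch
   Uplinks: vmnic0
   Portgroups: WAN-Firewall, VM Network, Management Network

vSwitchDMZ
   Name: vSwitchDMZ
   Class: cswitch
   Uplinks:
   Portgroups: DMZ'
```

On the host, run `ESXCLI='echo esxcli' sh setup.sh` first to review the commands, then without the variable to apply them; afterwards `esxcli network vswitch standard list | is_isolated vSwitchDMZ && echo isolated` is the check worth repeating whenever the networking is touched, since the Host Client makes it easy to add vmnic0 to the wrong switch.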
and_h
Contributor

Thanks, that was really helpful!

Do I need to set the switches to promiscuous mode? If the firewall is really transparent, the traffic should be forwarded to the IP of the Linux server, right?

Also, I would like to have a third NIC in the firewall VM for management access. If I connect this third NIC to a separate switch, I cannot select an uplink (I only have one physical NIC). How do I connect this NIC to the network?

Thank you so much!

a_p_
Leadership

Do I need to set the switches to promiscuous mode?

I don't think so, although I'm not familiar with the firewall you are using.

If you want/need to have a separate management network, then you'll either need another network adapter, or use VLANs (in case your router/switch supports it).

However, you mentioned an Internet router. Since you are using NAT anyway (please correct me if I'm wrong), wouldn't it be an option to double NAT the traffic, i.e. something like:

Traffic to <Internet router>:443 -> NAT -> <firewall ip>:<portXY> -> NAT -> <Web Server>:443

André

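Two follow-ups to this reply, as an added example from the ESXi shell rather than anything posted in the thread. First, the VLAN route André mentions for the management NIC: a VLAN-tagged port group on the single uplink carries the firewall VM's third vNIC over the same vmnic (the physical switch port has to be a trunk carrying that VLAN). Second, the promiscuous-mode question depends on how the firewall is run: with the routed/double-NAT setup proposed above the default vSwitch security policy is fine, but if OPNsense is configured as a layer-2 bridge (the "transparent" mode the question asks about) it forwards frames whose source MAC is not the vNIC's own, which a standard vSwitch rejects unless Promiscuous Mode and Forged Transmits are set to Accept on the port groups the bridge spans. The block sets that policy on just those two port groups and includes a check that parses `esxcli ... policy security get` output. Port-group names, VLAN 10 and the sample output are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: FW-Mgmt, WAN-Firewall, DMZ;
# assumed management VLAN: 10.
set -eu

# Set ESXCLI="echo esxcli" to print the commands instead of running them.
: "${ESXCLI:=esxcli}"

# Third firewall vNIC without a second vmnic: a VLAN-tagged port group on the
# uplink switch. The ESXi side tags frames; the physical switch port must trunk VLAN 10.
add_mgmt_portgroup() {
    $ESXCLI network vswitch standard portgroup add --portgroup-name=FW-Mgmt --vswitch-name=vSwitch0
    $ESXCLI network vswitch standard portgroup set --portgroup-name=FW-Mgmt --vlan-id=10
}

# Only needed when the firewall runs as a layer-2 bridge. Relax the policy on
# the two port groups the bridge spans and nowhere else: FW-Mgmt and the
# management network keep the default (reject), so a compromised DMZ guest
# still cannot sniff or spoof outside its own port group.
allow_bridging() {
    for pg in WAN-Firewall DMZ; do
        $ESXCLI network vswitch standard portgroup policy security set \
            --portgroup-name="$pg" --allow-promiscuous=true --allow-forged-transmits=true
    done
}

# bridge_ready: read the output of
#   esxcli network vswitch standard portgroup policy security get --portgroup-name=<pg>
# on stdin; succeed only if both settings are enabled. The patterns are
# anchored to the line start so the "Override Vswitch ..." lines are ignored.
bridge_ready() {
    awk '
        /^ *Allow Promiscuous:/      { prom = $NF }
        /^ *Allow Forged Transmits:/ { forged = $NF }
        END { exit !(prom == "true" && forged == "true") }
    '
}

# Constructed sample of the "policy security get" output for a port group that
# has been set up for bridging.
SAMPLE_POLICY_OK='   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: true
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: true'

# Same, for a port group still on the default policy.
SAMPLE_POLICY_DEFAULT='   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: false
   Override Vswitch Allow Promiscuous: false
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: false'
```

Before switching OPNsense to bridge mode, run `esxcli network vswitch standard portgroup policy security get --portgroup-name=DMZ | bridge_ready` (and the same for WAN-Firewall); a bridge on a port group that fails this check silently drops the forwarded traffic, which is the usual reason a "transparent" firewall on ESXi appears to pass nothing.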