VMware Cloud Community
bruma (Contributor)

wlan, lan, dmz on esxi with 2 nics

Hi,

I'm an ESXi newbie. What I'm trying to achieve on my ESXi server is a simple firewall/gateway between the internet (vmnic1), LAN (vmnic0) and a DMZ. I have only 2 physical NICs in my server, therefore the DMZ should be a "fully collapsed DMZ". I'm planning to have 1 web (www, ftp) server in the DMZ, 2 servers in the LAN and Smoothwall acting as the firewall.

After reading some PDFs and some forum threads I came up with the attached "Networking" design.

Could you experts please check the design and advise me how secure it is and where the potential pitfalls are?

Texiwill (Leadership)

Hello,

Check out my new Topology Blogs that cover DMZ for information on this. With just 2 pNICs this is not recommended but possible.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
A_Mikkelsen (Expert)

Hi,

I have to agree with Texiwill.

If I were you I would see if I couldn't find a 100/1000 Mbit network card somewhere.

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points.

Regards

A. Mikkelsen

bruma (Contributor)

Ok, it is not a problem for me to add a 3rd NIC, I have some spare PCI slots. But I am a little bit confused now.

1. So the 3rd NIC should be present just because of better security? My web server in the DMZ is a virtual machine, so I don't need any hardware wiring in the DMZ, therefore I would not use a cable on the 3rd NIC?

2. I notice that you are suggesting just one virtual switch (vSwitch0)? Is this an advantage over multiple virtual switches like in my picture?

A_Mikkelsen (Expert)

What Texiwill means is, use:

- pNIC0 for COS, storage (NFS / iSCSI) and VMotion

- pNIC1 for LAN

- pNIC2 for WLAN

Regards

A. Mikkelsen

bruma (Contributor)

But if I don't need COS, storage (NFS / iSCSI) and VMotion?

jungsberg (Enthusiast)

You need the COS to manage your ESXi server.

The following will work:

One ESX3i server with two physical network interfaces (pNICs)

pNic0 connected to the internet

pNic1 connected to your LAN

3 vSwitches configured, one for each pNIC and one internal vSwitch (DMZ)

Guest "Smoothwall" configured with 3 NICs, one for the Internet, one for the LAN and one for the DMZ.

Guests in the DMZ must be created with their vNIC in the DMZ vSwitch.

Smoothwall handles the firewall and forwards the correct port number etc. to the IP address in the DMZ zone.

Kind Regards

Torben Jungsberg

bruma (Contributor)

Thanks Torben, I was hoping for that kind of answer :)

That is exactly what I have in my design (attached image), but I was not sure about security issues...

Best regards

Bruma

Texiwill (Leadership)

Hello,

You need a pNIC just for management, the management appliance. This one CANNOT be connected to the internet. The solution presented to you is actually fairly insecure. You have 3 distinct networks:

Management

VM

DMZ

If your DMZ does not extend outside the virtualization host then only 2 pNICs are needed, and you are at the Topology Blog about a system with 2 pNICs. The DMZ would be a private vSwitch within the environment. So you may wish to do something like:

pNIC0 -- Internal for Management only, vSwitch0

pNIC1 -- External. vSwitch1

pNIC1 <-> vFW <-> DMZ vSwitch <-> DMZ VMs
              <-> Internal <-> Internal VMs

Never place your Internal Management network on the internet.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
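The layout Torben describes (one vSwitch per pNIC plus an uplink-less DMZ vSwitch, with only Smoothwall bridging the zones) and the rule Texiwill adds (the management port must never sit on the internet-facing pNIC) can be checked mechanically against a model of the host's networking. The checker below is an added example, not code from the thread or from VMware; the vSwitch/VM inventory is a constructed, hand-written model of the design discussed here (no esxcli parsing), and the names vSwitch2-DMZ, www-ftp and lan-srv1/2 are assumptions.

```python
from dataclasses import dataclass

@dataclass
class VSwitch:
    name: str
    uplinks: list             # pNICs, e.g. ["vmnic1"]; empty for an internal-only switch
    portgroups: list
    management: bool = False  # a vmkernel/management port lives on this switch

@dataclass
class VM:
    name: str
    portgroups: list
    is_firewall: bool = False

def check_topology(vswitches, vms, external_nics):
    """Return findings; an empty list means the layout follows the thread's advice."""
    findings = []
    pg_to_vs = {pg: vs.name for vs in vswitches for pg in vs.portgroups}
    facing_internet = {vs.name for vs in vswitches if set(vs.uplinks) & set(external_nics)}
    for vs in vswitches:
        # Texiwill's rule: the management network must never touch the internet pNIC
        if vs.management and vs.name in facing_internet:
            findings.append(f"management port on internet-facing {vs.name}")
        # Torben's rule: a fully collapsed DMZ is an internal vSwitch with no pNIC at all
        if "dmz" in vs.name.lower() and vs.uplinks:
            findings.append(f"{vs.name} has physical uplink(s) {vs.uplinks}")
    for vm in vms:
        touched = {pg_to_vs.get(pg, "?") for pg in vm.portgroups}
        # only the firewall guest may bridge zones; any other multi-homed VM bypasses it
        if len(touched) > 1 and not vm.is_firewall:
            findings.append(f"{vm.name} bridges {sorted(touched)}")
    return findings

def thread_design(management_on="vSwitch0"):
    """Constructed model of the thread's layout: vmnic0 = LAN, vmnic1 = internet,
    DMZ internal. management_on selects which vSwitch carries the management port."""
    vswitches = [
        VSwitch("vSwitch0", ["vmnic0"], ["LAN"], management=(management_on == "vSwitch0")),
        VSwitch("vSwitch1", ["vmnic1"], ["Internet"], management=(management_on == "vSwitch1")),
        VSwitch("vSwitch2-DMZ", [], ["DMZ"]),
    ]
    vms = [
        VM("smoothwall", ["Internet", "LAN", "DMZ"], is_firewall=True),
        VM("www-ftp", ["DMZ"]),
        VM("lan-srv1", ["LAN"]),
        VM("lan-srv2", ["LAN"]),
    ]
    return check_topology(vswitches, vms, external_nics=["vmnic1"])

if __name__ == "__main__":
    print("good:", thread_design())            # []
    print("bad :", thread_design("vSwitch1"))  # management on the internet pNIC
```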
bruma
Contributor
Contributor
Jump to solution

Ok thanks. My management network is on the internal LAN, separate from the DMZ and the external network, with the firewall (Smoothwall).