Pfsense as LAN-LAN firewall
-
Hello,
Is it possible to configure pfsense under vmware to prevent traffic between virtual machines on the same subnet and on other subnets within the vcenter? (instead of nsx/vshield zones)
we want it to secure east-west traffic, so it should filter before the vswitch (standard, not distributed).Thanks,
Igal -
"between virtual machines on the same subnet"
No devices on the same network/switch/vswitch have no need to send the traffic through a router.. What is routing your traffic now between subnets.. You should be able to filter traffic there. Devices on vswitch 1 and vswitch 2 don't just magically talk to each other even if on the same network..
But yes pfsense as a vm can be used to route/firewall traffic between vswitches and even physical network.. Why don't you draw up your network and we can take a look see at what your wanting to do and the best way to do it.
-
Hi,
Thanks for the answer.
I attached a draw of the network. I wish to prevent traffic between the guest vm. by regular, the two VMs can 'talk' to each other because they don't route to the Firewall or to the physical switch.
e.g. first VM ip is: 60.70.80.10 , and second VM ip is: 60.70.80.11 - they can ping each other, even if the ICMP is closed by the physical Firewall, and this is what i wish to prevent using pfsense.
Not north-south traffic, but east-west traffic - LAN-LAN.Is it possible?
Thanks!
Igal
-
As already noted above - the traffic on the same subnet just has absolutely NO reason to go across the router.
-
Right. but this is exactly what i want to prevent -
There are several solutions for this, for example:
1. vShield zones
2. VLAN for each IP
3. SDN solution
and others…Does pfsense can behave as an in-line firewall to prevent traffic within the same subnet, just as vshiled zones can do (as described here: https://goo.gl/do59xD ) ?
-
if you don't want devices on the same vlan talking to each other the most common solution is private vlans..
How exactly is a firewall/router that is used to get off that network going to block devices from talking directly to each other??? They can see each other via layer 2, so the firewall and routing that happens at layer 3 never comes in to it.
Only way firewall could block such traffic would be if the devices were on different sides of a bridge..
