Isolated VM's from main LAN

asus989

Hi everyone,

I'm struggling to set up some isolated virtual machines on my home network. I have a DSL router connected to a Windows box running VMware workstation in bridged mode providing a DHCP WAN connection.

I've then set up a LAN segment in VMware connecting the pfsense firewall and the VM hosts, with a network of 192.168.2.0 - .192.168.2.1 for the firewall and 192.168.2.2 on the pc.

The VM pc has access to the internet through the VM firewall which is great but can still ping the 192.168.1.0 network!
Is what i'm trying to set up doable with the kit that I have? I tried to set up a firewall blocking access to the 192.168.1.0 network but it clearly didn't work

If anyone could put me in the right direction I would be very grateful, these hosts are to have internet acess but no access to the main LAN (192.168.1.0)

Thank you

johnpoz

"I tried to set up a firewall blocking access to the 192.168.1.0 network but it clearly didn't work"

Well what rules did you try?  Post up the rules you create on this opt interface you connect to pfsense for this other vm segment.

dmz123

Ok scatch that I started again.

How would I go about giving this dmz internet access? My ip for internet access in the normal lan I don't want to give it access to it 192.168.1.254.

Thanks

No idea, why the first one cut off the info. WAN interface: 192.168.1.194 and up
clients 10.1.1.1
dmz 10.1.5.1

I would like to have vm's in the dmz with internet access but unable to access 192.168.1.0. The rule I applied previously basically was block any traffic going to 192.168.1.0 subnet.

johnpoz

And what rules did you put on the dmz interface in pfsense??

Example here is my dmz, also on virtual (esxi)

Lets go over them, keep in mind rules are from top down - first rule wins.

So first 1 allows ping my pfsense dmz interface ipv4
2nd rule same thing ipv6
I then allow dmz to use pfsense dmz interface for dns, tcp/udp 53
I then put in a reject rule that says you want to talk to any other IP On pfsense, be it other lan interfaces, be it wan, whatever reject!
I then say hey your going anywhere other than rfc1918 (alias I created) 192.168.x.x, 172.16-31.x.x, 10.x.x.x then sure go ahead.  This allows access to internet but nothing else on my network.  Not openvpn hosts, nothing has to be a public IP to be able to get there.  That is what the ! is, that is a NOT rule..

Last rule is same thing, only blocking my local ipv6 space

So lets see what rules you put in place on your dmz, and we can work out what your doing wrong.  Keep in mind once a state is created, you would have to reset your states, delete that specific state or yes that traffic would be allowed no matter if you put in a block rule or not.  Since states would match before the rules listed.  Only the creation of new states follow the rules.

dmz123

The rules I were trying to applying yesterday were merely trying to stop the pfsense 'lan' from talking with the actual lan. Now i've got a dmz setup opt1 and I'm trying to follow your helpful advice.
I added the first line of your rules just to allow pings but i can't ping from the 10.1.1.20 to 10.1.1.1

Any ideas why it's not letting me ping? pfSense has the same lan segment for dmz as the client, in the same ip range and i've applied that firewall rule but it still won't ping across

Thanks

Edit: I edited the rule to be specifically ICMP request. The thing that's weird though is that the firewall and vm pc both share the dmz segment  but in windows there appears to be a problem with the connection. I can also ping the dmz interface from the firewall itself and the management pc.

johnpoz

"vm pc both share the dmz segment"

Huh??  How exactly do you have your vm networking setup?  You don't share networks.. I would assume your pc is on LAN, so it should not also be on the DMZ.

That rule is not icmp you have any any… If you have a any any rule and you can not ping than you have something else wrong..

dmz123

Hi,

I have a wan interface bridged, I have a management pc on 10.1.1.0 VM segment (as opposed to nat or bridged etc) and I have another VM segment for dmz shared between firewall and a host i'm trying to put in dmz. The dmz interface is 10.1.5.1 and the dmz host is 10.5.1.10 but it still cannot ping it for some strange reason.

http://imgur.com/fEjboxY

Does that make sense as to what I mean? The test pc and the firewall both are on a dmz lan segment. This is all virtualised and my actual lan is 192.168.1.0

johnpoz

So if you have psfsense vnic in a lan segment for dmz, and another vm in same lan segment and they can not ping each other then you have a problem with your vm setup.. Or you did not put any firewall rules on the opt interface of pfsense you put in that lan segment.

This seems very much like how esxi works, but they call them vswitches and port groups vs lan segment.

So as you can see attached… See how the 2 machines are connected to the same vswitch (lan segment) dmz in my case.  Make you notice the mac address of that interface for pfsense..

See in my esxi setup they are connected to the same vswitch (dmz) and both are on.

From my xp vm, I see its IP is in my dmz network setup on pfsense, and I can ping pfsense 192.168.3.253 - and notice when I look at the vm arp table it shows the correct mac for my vnic in my pfsense vm connected to that network.

If you can not ping pfsense with vms connected to the same lan segment then you have something basic wrong in the setup, or have not created the rules correctly in pfsense - you have yet to post your firewall rules for your dmz..