Firewalling a VM
-
Very new to pfSense - waiting on server hardware to arrive to install it as the house router. Planning on running it in a VM under ESXi 5.5, and wondering if there's a way to implement my use case.
The plan is to have several VLANs (yes, I have VLAN-aware smart switches) around the house, and I think I have a handle on that. But I'd like to create a VM (on the same hardware as pfSense) with specific requirements. It's a VM that I am particularly afraid of being attacked, so I want to keep it far away from everything, but I need it to be accessible, in a limited way, from my main LAN segment.
Basically, I want the VM to have full access to the WAN side of the world, but only a few, specified, ports to be visible and usable on the LAN side. This restriction needs to come from outside the VM itself, for safety's sake, but those ports need to be on my main VLAN, as the device accessing the port is an appliance over whose networking settings I have minimal control.
To make things less abstract - this VM will be dedicated to acting as a BitTorrent client, and as such is super vulnerable to malware or viruses. It will run a service called pyTivo which transcodes the video and sends it to my Tivo devices. That requires pyTivo to broadcast to the LAN segment the Tivos are on over one bi-directional UDP port, and accept HTTP requests on another (nonstandard) TCP port.
I suppose I could put all the Tivos on a separate VLAN, but that has other disadvantages so I'd prefer to avoid that.
Is this doable? How can I implement it?
Any help appreciated.
-
"ESXi 5.5"
Why?? 6 has been out for quite some time, its just as FREE as 5.5..
Yes there are many many people running pfsense virtual, yes you can have multiple networks and vlans. I have been running such a setup for years with multiple versions of pfsense and multiple versions of esxi..
-
"ESXi 5.5"
Why?? 6 has been out for quite some time, its just as FREE as 5.5..
Because everything I've seen written was about 5.5. If there's no reason not to, 6 is fine.
Yes there are many many people running pfsense virtual, yes you can have multiple networks and vlans. I have been running such a setup for years with multiple versions of pfsense and multiple versions of esxi..
Details? How, specifically, do I use pfSense to firewall another VM to only allow those ports on the LAN but full access to the WAN?
-
So I have multiple networks behind pfsense, lan, wlan with some vlans that run tagged on top of that interface both physical and via wifi ssid. I then also have a dmz network behind pfsense that is not actually tied to the physical world.
This dmz network seems like what you're actually wanting with your vm. So attached you will find the rules I have set up on that dmz interface in pfsense, which is just tied to a vswitch that has no physical nic in the esxi host.
So while I allow these dmz machines to talk to the internet, and allow them to use pfsense for dns and ping the pfsense interface in the dmz, I block them from talking to any of my other networks, both ipv4 and ipv6.
You will notice the wlan vswitch has 4095 set for vlan tags, which allows it to pass all tags. And then the vlans are set up on pfsense on that vnic connected to that vswitch. What you're wanting to do is very common and very simple to set up actually. If you have any questions just ask.. But I've been running such a setup for quite some time.
One thing I do like about running pfsense as a vm is you can take snapshots before any upgrade, so no real issue if the upgrade has any issues. Can just roll back to the snap. Also allows you to bring up any other router/firewall distros you want to play with very easily. And if you give them the same mac as your pfsense wan vnic you don't even have to reboot your cable modem. And you keep the same public IP. You just need to shut down the pfsense vm before firing up that new play distro, etc.
Many many advantages to running your firewall and lots of your network on esxi host. The same host also serves as my nas/file server and also runs plex on that same vm (storage) etc. etc.
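The DMZ policy described in the reply above, plus the two LAN-visible pyTivo ports from the original question, written out as a pf ruleset (pfSense is built on pf and, like its GUI rules, matches traffic on the interface where it enters, first match wins). This is an added example, not the poster's attached rules or anything from pfSense itself; the interface names, the VM address and both port numbers are assumed placeholders.

```pf
# Added example, not from the thread. Assumed values: interface names,
# the BitTorrent VM's address, and the two pyTivo ports.
wan_if = "vmx0"
lan_if = "vmx1"
dmz_if = "vmx2"            # vNIC on the vSwitch that has no physical NIC
bt_vm  = "10.10.99.10"     # the BitTorrent/pyTivo VM in the DMZ subnet
pytivo_http = "9032"       # assumed non-standard TCP port for pyTivo HTTP
pytivo_udp  = "2190"       # assumed UDP port pyTivo uses toward the TiVos

# Everything the DMZ must never reach: every private IPv4 range plus
# IPv6 link-local and ULA space, i.e. all other networks behind pfSense.
table <private_nets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                       fc00::/7, fe80::/10 }

set skip on lo0
block log all                 # default deny; the rules below punch holes

# --- DMZ interface: traffic coming FROM the BitTorrent VM ---
# 1. DNS and ping to the pfSense DMZ address itself are allowed first,
#    because that address also falls inside <private_nets>.
pass in quick on $dmz_if proto { tcp udp } from $dmz_if:network to ($dmz_if) port 53
pass in quick on $dmz_if inet  proto icmp  from $dmz_if:network to ($dmz_if) icmp-type echoreq
pass in quick on $dmz_if inet6 proto icmp6 from $dmz_if:network to ($dmz_if) icmp6-type echoreq
# 2. Block every other internal network BEFORE the allow-any rule;
#    swapping 2 and 3 would silently give the VM access to the LAN.
block in log quick on $dmz_if from $dmz_if:network to <private_nets>
# 3. Only the Internet remains reachable.
pass in quick on $dmz_if from $dmz_if:network to any

# --- LAN interface: traffic coming FROM the main VLAN (the TiVos) ---
# Only the two pyTivo ports on the VM are exposed. pf is stateful, so
# replies flow back without any rule on the DMZ side, and the VM still
# cannot open connections toward the LAN on its own.
pass in quick on $lan_if proto tcp from $lan_if:network to $bt_vm port $pytivo_http
pass in quick on $lan_if proto udp from $lan_if:network to $bt_vm port $pytivo_udp
# Nothing else from the LAN may reach the DMZ subnet; the LAN goes out as usual.
block in log quick on $lan_if from $lan_if:network to $dmz_if:network
pass in quick on $lan_if from $lan_if:network to any
```

In the pfSense GUI the same ordering applies per interface tab: the "block to private networks" rule must sit above the "allow any" rule on the DMZ tab. Note that the UDP rule only covers unicast to the VM; a broadcast beacon such as pyTivo's is not forwarded by a router between subnets, so discovery across the VLAN boundary needs separate handling.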