Hardening ESXi



  • Hello,

    Just installed my first ESXi at home to run an internet-gateway and it is freaking me out. 🙂
    I followed the manual and everything works fine, but is there really nothing I should do to protect the WAN interface on the hypervisor level?

    Thanks,


  • LAYER 8 Global Moderator

    Why would the wan connection be exposed to anything?  I take it you have pfsense running on your esxi host.

    So connect the wan to pfsense. esxi would not be listening on anything on the wan… So what would it be exposed to..

    I have it setup like this

    internet - cablemodem - esxi host nic - vswitch - pfsense wan..

    esxi does not listen for any traffic on this "wan" esxi does not have an IP on this interface, etc..  So what exactly do you feel is exposed other than the wan interface of your firewall.  Which out of the box blocks all unsolicited inbound traffic to wan IP.

    Your esxi vmkern that you use to control esxi should be on the inside of your network, ie behind pfsense.



  • You would have another virtual switch, that has the WAN NIC connected as Uplink.
    And your virtual WAN NIC of the pfsense VM is connected to that switch and nothing else, right?

    Then you're fine :-)



  • @mattrey:

    You would have another virtual switch, that has the WAN NIC connected as Uplink.
    And your virtual WAN NIC of the pfsense VM is connected to that switch and nothing else, right?

    Then you're fine :-)

    "NOTHING ELSE" is important!
    Don't bind a VMkernel port to the vSwitch where the physical adapter for WAN is.
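
    One way to check for the mistake these two replies warn against, as an added example that is not code from the thread: a Python script that parses constructed esxcli-style output (the `esxcli network vswitch standard list` and `esxcli network ip interface list` formats are assumed) and flags any VMkernel port that sits on the vSwitch carrying the WAN uplink.

```python
# Added example (not from the thread): audit esxcli-style output to confirm
# that no VMkernel interface shares a vSwitch with the WAN uplink.

# Constructed sample mimicking `esxcli network vswitch standard list`
# (format assumed; adjust parse_blocks if your ESXi build prints differently).
VSWITCH_LIST = """\
vSwitch0
   Name: vSwitch0
   Uplinks: vmnic0
   Portgroups: VM Network, Management Network
vSwitch1
   Name: vSwitch1
   Uplinks: vmnic1
   Portgroups: WAN, Management Network
"""

# Constructed sample mimicking `esxcli network ip interface list`.
VMK_LIST = """\
vmk0
   Name: vmk0
   Portset: vSwitch0
   Portgroup: Management Network
vmk1
   Name: vmk1
   Portset: vSwitch1
   Portgroup: Management Network
"""

def parse_blocks(text):
    """Turn esxcli's 'header / indented Key: Value' blocks into dicts."""
    blocks, current = [], None
    for line in text.splitlines():
        if line and not line.startswith(" "):   # unindented line starts a block
            current = {}
            blocks.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return blocks

def exposed_vmkernel_ports(vswitch_text, vmk_text, wan_nic):
    """Return (vmk, vswitch) pairs where a VMkernel port sits on the WAN vSwitch."""
    wan_switches = {
        sw["Name"] for sw in parse_blocks(vswitch_text)
        if wan_nic in [u.strip() for u in sw.get("Uplinks", "").split(",")]
    }
    return [(vmk["Name"], vmk["Portset"]) for vmk in parse_blocks(vmk_text)
            if vmk.get("Portset") in wan_switches]

if __name__ == "__main__":
    for vmk, sw in exposed_vmkernel_ports(VSWITCH_LIST, VMK_LIST, "vmnic1"):
        print(f"WARNING: {vmk} is bound to {sw}, which carries the WAN uplink")
```

    In the constructed sample, vmk1 is flagged because vSwitch1 carries vmnic1 (the WAN NIC); a clean layout returns an empty list.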



  • As per above. Also hopefully your CPU has VT-d (or the AMD equivalent) so the VM can control the hardware directly.



  • You could use hardware passthrough for the WAN interface to the pfSense VM instance.

    Slightly more complicated to configure, but that way the interface isn't even visible in ESXi networking, so less risk of administrative mistakes.

