Hardening ESXi

    Virtualization
Koent:

      Hello,

Just installed my first ESXi at home to run an internet gateway and it is freaking me out. 🙂
I followed the manual and everything works fine, but is there really nothing I should do to protect the WAN interface at the hypervisor level?

      Thanks,

johnpoz (LAYER 8 Global Moderator):

Why would the WAN connection be exposed to anything? I take it you have pfSense running on your ESXi host.

So connect the WAN to pfSense. ESXi would not be listening on anything on the WAN... so what would it be exposed to?

I have it set up like this:

internet - cable modem - ESXi host NIC - vSwitch - pfSense WAN

ESXi does not listen for any traffic on this "WAN"; ESXi does not have an IP on this interface, etc. So what exactly do you feel is exposed other than the WAN interface of your firewall, which out of the box blocks all unsolicited inbound traffic to the WAN IP?

Your ESXi vmkernel port that you use to manage ESXi should be on the inside of your network, i.e. behind pfSense.

mattrey:

You would have another virtual switch that has the WAN NIC connected as its uplink.
And the virtual WAN NIC of the pfSense VM is connected to that switch and nothing else, right?

          Then you're fine :-)

AMizil:

@mattrey:

    You would have another virtual switch that has the WAN NIC connected as its uplink.
    And the virtual WAN NIC of the pfSense VM is connected to that switch and nothing else, right?

    Then you're fine :-)

"NOTHING ELSE" is important!
Don't bind a VMkernel port to the vSwitch where the physical adapter for the WAN is.

messerchmidt:
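One way to audit the "nothing else" rule from the ESXi shell, as an added example that is not part of the original thread and not Netgate or VMware tooling: it parses the text of `esxcli network vswitch standard list` and `esxcli network ip interface list` and fails if the vSwitch carrying the WAN uplink (assumed here to be named `vSwitch1`) has a VMkernel port bound to it or more than one portgroup. The listings embedded in the script are constructed to mirror the esxcli output layout, which is an assumption about the exact format; on a real host you feed the live command output instead.

```shell
#!/bin/sh
# Added example: verify that the WAN vSwitch carries only the pfSense WAN
# portgroup and no VMkernel port. Parses constructed esxcli-style listings;
# the layout is assumed to match "esxcli network vswitch standard list" and
# "esxcli network ip interface list".

WAN_VSWITCH=vSwitch1   # assumed name of the vSwitch whose only uplink is the WAN NIC

# Constructed listing of a correctly isolated host.
VSWITCHES_OK='vSwitch0
   Name: vSwitch0
   Class: cswitch
   Uplinks: vmnic0
   Portgroups: Management Network, LAN

vSwitch1
   Name: vSwitch1
   Class: cswitch
   Uplinks: vmnic1
   Portgroups: WAN'

IFACES_OK='vmk0
   Name: vmk0
   Enabled: true
   Portset: vSwitch0
   Portgroup: Management Network'

# Constructed listing of a misconfigured host: a Management Network
# portgroup with vmk1 has been added to the WAN vSwitch.
VSWITCHES_BAD='vSwitch0
   Name: vSwitch0
   Uplinks: vmnic0
   Portgroups: Management Network, LAN

vSwitch1
   Name: vSwitch1
   Uplinks: vmnic1
   Portgroups: WAN, Management Network'

IFACES_BAD="$IFACES_OK

vmk1
   Name: vmk1
   Enabled: true
   Portset: vSwitch1
   Portgroup: Management Network"

# Print the "Portgroups:" value of vSwitch $1; stdin is the vswitch listing.
vswitch_portgroups() {
  awk -v sw="$1" '
    /^[^ ]/ { cur = $1 }
    cur == sw && $1 == "Portgroups:" { sub(/^ *Portgroups: */, ""); print; exit }'
}

# Print every VMkernel interface whose Portset is vSwitch $1; stdin is the interface listing.
vmk_on_vswitch() {
  awk -v sw="$1" '
    /^vmk[0-9]+$/ { cur = $1 }
    $1 == "Portset:" && $2 == sw { print cur }'
}

# Return 0 when vSwitch $1 has exactly one portgroup and no VMkernel port.
# $2 = vswitch listing text, $3 = ip interface listing text.
check_wan_isolation() {
  pgs=$(printf '%s\n' "$2" | vswitch_portgroups "$1")
  vmks=$(printf '%s\n' "$3" | vmk_on_vswitch "$1")
  status=0
  if [ -n "$vmks" ]; then
    echo "FAIL: VMkernel port(s) bound to $1: $(echo $vmks)"
    status=1
  fi
  case "$pgs" in
    '')  echo "FAIL: vSwitch $1 not found or has no portgroups"; status=1 ;;
    *,*) echo "FAIL: more than one portgroup on $1: $pgs"; status=1 ;;
  esac
  [ "$status" -eq 0 ] && echo "OK: $1 carries only portgroup '$pgs' and no VMkernel port"
  return "$status"
}

check_wan_isolation "$WAN_VSWITCH" "$VSWITCHES_OK"  "$IFACES_OK"  || :
check_wan_isolation "$WAN_VSWITCH" "$VSWITCHES_BAD" "$IFACES_BAD" || :
```

On a live host the same function is called with the real output, e.g. `check_wan_isolation vSwitch1 "$(esxcli network vswitch standard list)" "$(esxcli network ip interface list)"`. The check covers the two mistakes discussed in the thread (a management vmkernel port or an extra portgroup on the WAN switch); it does not tell you whether some other VM's vNIC was attached to the WAN portgroup, which you would inspect with `esxcli network vm list` and `esxcli network vm port list -w <worldID>`.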

As per above. Also, hopefully your CPU has VT-d (or the AMD equivalent) so the VM can control the hardware directly.

P3R:

You could use hardware passthrough for the WAN interface to the pfSense VM.

Slightly more complicated to configure, but that way the interface isn't even visible in ESXi networking, so there is less risk of administrative mistakes.
