VLAN vs Subnetting for VM hosting.

brianwebb01

I have a network of VMs each having a LAN IP address and a public IP address.  They each have a 1:1 NAT map for public access via the public IP for HTTP, SSH etc.  I'm trying to figure out a way to restrict the LAN IPs from talking to each other, but there are some cases where a group of LAN IPs will need to communicate.  Currently I can't set a LAN firewall rule because I suspect the traffic is being routed through the switch so PFsense never sees it.

I'm on a 192.168.0.X configuration with subnetmask 255.255.255.0

From what I've researched it looks like I could use VLANs or IP Subnets w/ static routes to restrict the access.  I'm thinking that I don't want to go the VLAN route since there are 100+ VMs at the moment that don't need to talk to any other IPs, so I'd be looking at 100+ VLANs and growing.  So my thinking is that I need to subnet each VM so that it can't talk to other IPs that aren't in the same subnet, then add static routes so the subnet can talk to PFsense. Does this sound right?

If I'm on the right track, does anyone have recommendations on how to setup the subnets?

Thanks!

brianwebb01

Update:  So i'm on the subnetting plan.  I've got things setup on different subnets so they can't talk to eachother but I need each subnet to connect back to the main router as a gateway.  Is there a way to take an IP from the subnet and point it at the pfsense box?  Surely ISPs that subnet everything like this don't have a router per subnet.

kc8apf

Just add virtual IPs on the pfsense box.  One per subnet.  You'll need to add appropriate firewall and NAT rules to allow traffic from the various subnets.

brianwebb01

Thanks for the response, I added the Virtual IP, alias and FW rule but still no dice.  I'm not sure what I should add into NAT though.  Here's the setup:

Virtual Machine:
address: 192.168.1.2
netmask 255.255.255.252
gateway 192.168.1.1

pfSense:
  Virtual IP:
   Type: Proxy ARP
   Interface: LAN
   IP Address: 192.168.1.1

Alias:
    Name: mySubnet
    Type: Network
    Network(s): 192.168.1.0/30

FW Rule:
    Action: Pass
    Interface: LAN
    Protocol: any
    Source: mySubnet
    Destination: 192.168.0.1

Thanks!

kc8apf

Can you ping pfsense from the vm?  Did you add firewall and nat rules to allow traffic from 192.168.1.x via 192.168.1.1?

brianwebb01

I can't ping pfsense on the virtual IP (192.168.1.1) or the real LAN IP (192.169.0.1).

I added a firewall rule that allows any traffic from 192.168.1.0/30 to talk to 192.168.0.1.

Is that Firewall rule wrong? What should I be setting up in NAT, my 1:1 only has the WAN interface.

Thanks

kc8apf

You need to allow 192.168.1.0/30 to talk to 192.168.1.1.  Crossing subnets would require routing which can't happen until you allow traffic in the interface.