Pfsense as a firewall for all vms



  • Hi,
    Just found this great free firewall by dear Google :D

    I am hosting VMs (mostly windows) on my vmware esxi 5.1 , but some of clients using port 25 or 110 for spamming! I need to use this firewall to block all outgoing 25 and 110 port communication, is there any tutorial or tested guidance for such purpose?

    Thanks in advance :)


  • LAYER 8 Global Moderator

    So you need a tutorial on how to create a block rule?

    Or how to setup pfsense on esxi?  Or both?

    What is in front of your esxi box now?  I run pfsense on my esxi 5.1 box and it acts as my gateway/firewall for both vms on esxi, physical machines on my network as well.



  • @johnpoz:

    So you need a tutorial on how to create a block rule?
    Or how to setup pfsense on esxi?  Or both?
    What is in front of your esxi box now?  I run pfsense on my esxi 5.1 box and it acts as my gateway/firewall for both vms on esxi, physical machines on my network as well.

    Hmm, for both, I am not pro in VMware esxi 5.1 . I think I have to install it as a VM and then all other vms' traffic goes through it?



  • I'm sure there's some tutorials for putting pfSense (or any other Virtual Machine acting as some kind of network filter) in front of your virtual machines.  (This answer may have been more complete if I wasn't sitting at McDonalds while my son plays in the PlayLand)

    You have a couple decisions to make:

    Transparent Bridge Firewall or regular routing Firewall with 1:1 NAT.  As a regular routing Firewall with 1:1 NAT you'll re-IP your servers with private addresses and your Firewall will translate them, this way is easy on the Firewall side.  As a transparent it'll just be a "filter" in the path, harder to set up the firewall, but you won't have to do any work on the servers.  The regular router with 1:1 NAT is the classic way to do this, it's much more supported as the road much more traveled.

    Things you'll need to know:

    The long one, setting up pfSense in a VM in ESXi http://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5
    (Spoilers: if it's a standard depolyment, it's easy if you already know ESXi)

    1 to 1 NAT http://doc.pfsense.org/index.php/1:1_NAT
    Or:
    Transparent Bridge Firewall: http://forum.pfsense.org/index.php?topic=50711.0

    This should be the main parts to know.  The other thing to consider is if you put the VMs behind a vSwitch with no external connections, you wouldn't be able to vMotion them to another host; if you do need that, then you'll need to bridge those vSwitches with some kind of physical connections (like another physical port and switch or VLANs on your main interface.)

    This is a very common use case, plan it half way well and it'll be great.



  • Thank you so much for such great guide for noobs such me :)

    I think I will go for 1:1 NAT, then how clients can connect to their VMs? I mean how about external IPs? if it doesn't work, I have to go for Transparent one?
    –-------------------

    edit: Just read the 1:1 nat, its good, but hard to manage ips this way :)



  • A 1:1 NAT translates the external public IP to their internal private IP.  If it's set up right, they'll connect the same way they do already, however they connect now (whatever ports they use) would be opened (or not blocked) through the firewall.  The external side of the 1:1 NAT will be their public IP and it'll translate that to the internal IP you set on their server.

    You goal seems to be to block port 25 and/or 110, so at minimum you'd leave allow all all except to block 25 and/or 110, so all else would operate as normal.


  • LAYER 8 Global Moderator

    Some basic of your of how your network gets internet now, and how your esxi host is connected to your network and how other machines connect would be good start.

    So in my esxi I have 2 vswitches, 1 connect to host nic1, other connected to host nic 2.

    Cable modem is connected to nic1 which is connected vswitch 1 which is wan of pfsense VM is connected to.

    Lan of pfsense is connected to vswitch2 which is connected to real nic2 of host.  Which is connected to real world switch.

    All other vms have interface in lan vswitch2, all real machines connected to real world switch(es).

    edit:  So you want to go 1:1 nat, how many public IPs do you have?

    Some basic understanding of your current setup will help us get you to where you want to go.



  • I just attached the snapshot of my vmware esxi network configuration, there is one vmnic0 that all vms connected to.






  • Woah, I was writing out a decently long post and just realized something.  Your VMkernel port is "live" on the internet?  I mean, VMWare is pretty good about being secure, but that's not a great idea.  If anyone gets past that they "own" everything on that host.  They could download full vmdk files and you may not even notice it.  Basically, after you secure your VMs you should look in to securing your VMkernel.

    It's also occured to me that it's quite possible this is some kind of hosted dedicated server, such as a co-located or rented server in a datacenter somewhere.  As such, you may have limited (if any) physical access to this server.  As such, some of my ideas may not be possible.

    Anyway, here's the rest of the post I was writing.

    All of this may not be exactly the information that directly answers your question, but it helps to understand why things work the way they do in the various virtualization hosts.

    This clarification may help you get in to the right mindset with the virtualization of networks in ESXi:

    You have 1 port group on one vSwitch that your physical vmNIC is connected to.

    Port groups are like a a segmented switch, to parallel a real world simile, they act as untagged VLAN ports to your VMs.  They can have a VLAN asigned to them which acts as a tagged port to an uplinked switch.  If you have multiple Port Groups to get out to the outside world, each with its own VLAN assignment they would behave as a trunked connection with all of the VLANs on that vSwitch.

    What all of this means is that you could simply create a whole new vSwitch that doesn't have a vmNIC, as such all the traffic on that vSwitch is internal to your ESXi box only.  This would create the private network to isolate these VMs behind your new pfSense firewall.  You would simply put your new pfSense firewall VM with its WAN interface on your current vSwitch and a LAN interface on the new vSwitch.  You would have some down time while the VMs are re-IP'd and your 1:1 NAT assignments are configured.  To do this, move each of the VMs to the new network (port group), re-IP them with static IPs in your new private IP space, create the 1:1 NATs, create your blocking rules, and hopefully have a beer.

    If you need this new private network to be accessible outside of your ESXi host, you have a couple options depending on the hardware you have available.  If your host has multiple network cards, assuming one is otherwise unused, the easy way is to assign one to that new vSwitch.  Or, if your host has a single NIC, but is connected to a physical switch that supports VLANs (and you have management access to said switch) you could make port groups on your existing vSwitch and assign VLAN IDs to those Port Groups.

    Back to securing your VMkernel Port, I'm not sure of a good way to handle that if it's a situation where you may not have physical access to the host.  I mean, you could put that VMkernel port on the new private network and use one of your hosted VMs (maybe you have some kind of management Windows machine or something) as a window in to that network to admin it.  But you add another point of failure in that you're depending on your pfSense install in order to manage your ESXi box, a bit of a cart before the horse issue if something happens to your pfSense VM.  I guess you just kind of leave it in the wild, but, eek.  Maybe your host can provide some kind of firewalling, but if that was the case (aside from price) you'd probably use that for your 25/110 blocking anyway.


  • LAYER 8 Global Moderator

    Im with matguy on this – VMKernel on public IP?  As stated not a great idea.

    So is this as assumed a hosted box?  Do you have physical access, is it say a locker or room/suite at a colo?

    That being said the esxi does have built in firewall that you could use to lock down the access to the VMK, do you have console outofband access to the box if needed?


Log in to reply