ESXi config, possible?



  • Hi guys,

I have a single ESXi server with one public IP address, it will be hosted off-site so I will need to manage via public IP Address as well. No local network access - although I guess I could setup a VPN if that is the recommended configuration.

    The ESXi box will host two vms, the first is a Web server running a few publicly accessible services on various ports, the second needs to sit securely behind it. One needs to access two via a single port for communication. As mentioned I will need management access to both of the public IP.

Look forward to hearing your thoughts on if/how this can be achieved using a pfSense VM.

    regards,
    Phil



  • … ESXi server with one public IP address ...

    … need management access to both of the public IP.

    So do you have one or two public IPs?

    OpenVPN access to pfSense would probably be the easiest.



  • So do you have one or two public IPs?

    OpenVPN access to pfSense would probably be the easiest.

    Hi Biggsy

    I can have more than one public IP if I wish.

    Cheers
    Phil



  • Just to check that I've understood, admin access aside, you only really need the Web server to be accessible from the Internet and the other VM should only be accessible to the Web server.  Is that correct?

    Cheers,
    Yet Another Phil



  • @biggsy:

    Just to check that I've understood, admin access aside, you only really need the Web server to be accessible from the Internet and the other VM should only be accessible to the Web server.  Is that correct?

    Cheers,
    Yet Another Phil

    Yep that's spot on.

    Web Server will be accessed over Internet (various ports)
    Other VM accesses Web Server (one port)

    Need management access to all systems.

    My current thinking is that the WS sits in a DMZ and the other VM on private only network?

    cheers
    Phil



  • Phil,

    Sorry to take so long replying. I've been experimenting with ways to do this but haven't had a lot of time in the last few days.

    I've been assuming you'll have only one physical interface on the ESXi host and, in addition to public access, you need to do all your management of the host and the VMs through that.

There was a post recently about that sort of config: http://forum.pfsense.org/index.php/topic,64955.msg352510.html#msg352510  Unfortunately, the OP didn't describe how he got it working.

    Still working on this but it would be good to hear from others.  Especially in terms of moving the vmKernel behind pfSense without breaking things.  Is the machine to be pre-configured and shipped to the hosting location or something else?



It's too bad you don't want this via an UBUNTU computer with a couple VM's hosted in VMware inside that.  It would be easy cheesy to do that.  A bit of extra overhead and not as efficient, but remote access would be a breeze.

You can build your servers in ESXi and build 1 weak low ram / low memory desktop equipped VM that has access to the management interface of ESXi.  You could then use TeamViewer to manage it all easy from that does-nothing-else desktop.

    Or, you could build in a tiny vm server along side your other servers, like a VPNas that is free, easily configured, has a simple web interface and 2 free vpn accounts.

    or you could go massively not so amazing secure and use page 117 of this manual:

    http://www.vmware.com/pdf/vi3_35/esx_3i_i/r35u2/vi3_35_25_u2_3i_i_setup.pdf



I actually run an openvpnas server in a centos VM that also holds Asterisk and chat server so it would be possible to put the vpnserver inside one of your other servers just as an additional service, but it's so much easier to just give it a single vCore and a little ram to a separate VM for that.  Not sure how strapped your resources are.

    But if you intend to have a single machine with ESXi installed in it, with virtual pfsense as a firewall/router handing out IPs to a couple of virtual servers, just install openvpn in pfsense and export a client to your laptop and manage things from that.

    Why is this hard?  Maybe I'm missing something.



  • With one NIC in the ESXi host, that's got to be your ESXi management interface and needs to be your pfSense LAN interface - just so you can configure pfSense.

    Trouble is you really want that one physical interface to be pfSense's WAN and then use OpenVPN to access and manage pfSense, ESXi and your other VMs through the tunnel.

    With two NICs it wouldn't be a problem but with one I can't see how you can make the necessary changes without locking yourself out.



  • Wouldn't VLANs solve that?



  • @biggsy:

    With one NIC in the ESXi host, that's got to be your ESXi management interface and needs to be your pfSense LAN interface - just so you can configure pfSense.

    Trouble is you really want that one physical interface to be pfSense's WAN and then use OpenVPN to access and manage pfSense, ESXi and your other VMs through the tunnel.

    With two NICs it wouldn't be a problem but with one I can't see how you can make the necessary changes without locking yourself out.

    Hi guys,

    Sorry been away for a few days.

    OK I actually have four physical NICs in this server! Currently only using two, NIC1: LAN, NIC2: What will be WAN. It has not been shipped to the DC yet and is sitting in my office at home.

    When it goes to the DC I do have the option of multiple IP addresses.

    This is how I have it setup so far: see Attached.

    Does this look correct? I need the VM on the DMZ to be accessible to the WAN on certain ports and I also need to map a port between the local VM and the DMZ VM for traffic.

    Thanks  :)




It looks like you're on the right track.  I assume that the two blacked out VMs are your web server on DMZ and back-end on LAN.

    In your original post you said that you would have to "manage via public IP Address as well". 
    Were you saying that you will only be able to connect one NIC - the WAN - once it's in the DC?



  • @biggsy:

It looks like you're on the right track.  I assume that the two blacked out VMs are your web server on DMZ and back-end on LAN.

    In your original post you said that you would have to "manage via public IP Address as well".  
    Were you saying that you will only be able to connect one NIC - the WAN - once it's in the DC?

    Yep that's right. One NIC for WAN once in the DC…
    &
    Yes the two blacked out VMs are the web server on DMZ and the back-end LAN box.



  • OK.  I would set it up pretty much as you do already but I'd create a second DMZ and put the back-end server on that, rather than on the LAN.

    ![2013-08-17 16-26-38.png](/public/imported_attachments/1/2013-08-17 16-26-38.png)



  • good idea, thanks, biggsy!



  • Right all set up and working :) biggsy's guide is spot on!

    Biggsy, what do you recommend for management? I know you mentioned openvpn? Is that the best / easiest option?

    Cheers
    Phil



  • Phil,

    OpenVPN would be my choice.  You'll just need to be sure you have set up the firewall rules to allow the client to access all the networks.
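    For readers who want to see what biggsy's layout (web server on DMZ1, back-end on a second DMZ, ESXi management on LAN, OpenVPN for admin access) looks like as a rule set, here is an added example in pf.conf syntax; it is not from the thread or from pfSense's generated config, and the interface names, subnets, ports and the pfSense-style `quick` first-match convention are all assumptions:

    ```pf
    # Constructed example: interface names and addresses are assumed, not from the thread.
    wan  = "em0"    # single NIC connected at the DC, pfSense WAN
    lan  = "em1"    # vSwitch carrying the ESXi vmkernel (management only)
    dmz1 = "em2"    # web server DMZ
    dmz2 = "em3"    # back-end DMZ
    vpn  = "tun0"   # OpenVPN server tunnel interface

    lan_net  = "10.10.10.0/24"      # ESXi management network
    dmz1_net = "192.0.2.0/24"       # documentation ranges used as placeholders
    dmz2_net = "198.51.100.0/24"
    vpn_net  = "10.8.0.0/24"        # OpenVPN client address pool
    web_srv  = "192.0.2.10"
    backend  = "198.51.100.10"
    web_ports = "{ 80, 443 }"       # the "various ports" exposed on the web server
    app_port  = "8443"              # the single port web -> back-end needs

    set block-policy drop
    set skip on lo0

    # Port forwards: only the web server's published ports are reachable from the Internet.
    rdr on $wan inet proto tcp from any to ($wan) port $web_ports -> $web_srv

    # Default deny on every interface; every pass below uses quick (first match wins, as pfSense does).
    block log all

    # WAN: OpenVPN for management, plus the forwarded web ports. Nothing else inbound.
    pass in quick on $wan inet proto udp from any to ($wan) port 1194
    pass in quick on $wan inet proto tcp from any to $web_srv port $web_ports

    # DMZ1: web server may reach the back-end on the one application port, and the Internet
    # for updates, but never the management LAN, the rest of DMZ2, or pfSense itself.
    block in quick on $dmz1 from $dmz1_net to { $lan_net, $dmz2_net, $vpn_net, ($dmz1) }
    pass  in quick on $dmz1 inet proto tcp from $web_srv to $backend port $app_port
    pass  in quick on $dmz1 from $dmz1_net to any

    # DMZ2: back-end initiates nothing except replies (stateful), so it gets no pass rules.
    # Adjust if it needs outbound updates, but keep it away from $lan_net and $vpn_net.

    # OpenVPN clients: full management reach to pfSense, ESXi and both DMZs.
    pass in quick on $vpn from $vpn_net to { ($vpn), $lan_net, $dmz1_net, $dmz2_net }

    # LAN (ESXi vmkernel) only needs to talk back to VPN clients; replies are stateful,
    # so no inbound pass is required here. Outbound from pfSense itself is allowed.
    pass out quick all
    ```

    In pfSense itself these are entered per-interface in the GUI, and the point biggsy makes holds there too: without the last `pass in quick on $vpn` rule, VPN clients connect but can reach nothing behind the firewall.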

