Physical firewall for VMWare networks
Sometimes you need to figure out some weird configurations. In this post I will try and justify the joy of VLANs in the following setup.
- A VMWare host with only one network interface (NIC), like a Intel NUC SWIFT CANYON NUC6I5SYH, which is an excellent lab computer. It also takes on VMWare out of the box like a charm, with no hassle.
- An APU2C4 with pfSense
- A perimeter (DMZ) network for internet facing systems
- A secure(r) network for application servers etc
I want to have a perimeter network with my proxy server, and my application servers on a secured network. I also want to use a physical firewall outside my VMWare environment, which is the odd bird in this cage.
Normally, I would be setting up a pfSense in a virtual machine, which is easy enough and would have saved me quite some headaches. But now I want to use my physical box, the APU2C4, as firewall, so I have to share the network card on my VM Host system.
This setup is classic and simple. No magic, but since we only have one network interface on the VMWare host, you will need to use some tricks to make this happen.
I created two networks, kmg-perimeter with VLAN id 90 and kmg-secure with VLAN id 91. These are both connected to the same network card (the one and only NIC on the VM host).
On the firewall, I set up two VLAN interfaces with the corresponding VLAN id tagging on the same interface. Physically, I connected the NIC on the firewall to the NIC on the Intel NUC.
From here on, you are good to go. You pretend that you have two networks, which are firewalled just as you would normally do it if you had multiple physical network cards on your VMWare server.
As an example, I add one more VLAN interface, which I will call DEMONETWORK.
- Interfaces->Assign->Interface Assignments->Add
Interfaces->OPT3 (your interface might have gotten a different name).
- Enable the interface and give it a proper name (i.e DEMONETWORK)
- Here you define the rules coming into this new interface