vSphere Hypervisor

  • 1.  Bridge VM on ESXi

    Posted Nov 19, 2024 01:45 AM

    Hello 

    I'm looking for a solution to put a bridge firewall in front of some virtual machines to protect them. 

    I've tested some firewalls and I have problems with the solutions. 

    The protected virtual machine runs on a single ESXi host, so we don't use vMotion or HA for it. 

    The bridge must connect to two physical switches for failover.

    I've tried to connect the virtual machine over the bridge to the physical network.

    Virtual machine --> VSS (without Uplink) --> Bridge VM --> VSS (Two Uplinks) --> Physical network

    Both VSS have the security properties "Promiscuous Mode", "MAC address changes" and "Forged transmits" set to Accept. 

    The tests fail. 

    When I test with a simple ICMP ping from the virtual machine to the physical network, the ARP request is transmitted over the bridge to the physical network, and the ARP reply comes back to the first interface of the bridge but is not transmitted to the second interface of the bridge. 

    At first I thought it was a problem in the bridge, so I changed the bridge to different vendors. 

    I tested 

    Virtual machine --> VSS (without Uplink) --> Bridge VM --> VSS (One Uplink) --> Physical network

    Everything works fine. 

    So I looked at the teaming and failover properties and found no solution. 

    I always have the problem as soon as the second interface is added to the failover order. 

    It does not matter whether the interface is an active, standby or unused adapter. 

    Does anybody have a configuration to run some virtual machines behind a bridge? 

    At the moment I'm looking at whether SR-IOV can be a solution.

    Thanks Matthias
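The topology from the post, set up with PowerCLI so that the two runs (outer VSS with one uplink, outer VSS with two uplinks in the failover order) can be switched back and forth and their settings dumped side by side. This is an added example, not code from the post or from VMware; the host name, switch names, port group names and vmnic numbers are assumptions. It configures the three security properties the post names on both switches and reports the teaming policy of the outer switch. It also reads the host setting Net.ReversePathFwdCheckPromisc, which governs how ESXi delivers frames to promiscuous ports on a vSwitch with more than one uplink; the post does not say whether that setting was looked at, so it is only reported here, not changed.

```powershell
# Added example (not from the original post): build the bridge topology
#   VM --> $InnerVss (no uplink) --> Bridge VM --> $OuterVss (1 or 2 uplinks) --> physical
# with PowerCLI and dump the settings that differ between the working and failing runs.
# All names below are assumptions; adjust them to the host.
param(
    [string]  $EsxHost  = 'esxi01.example.lab',       # assumed ESXi host
    [string]  $InnerVss = 'vSwitch-Inside',           # VSS without uplink (protected VMs)
    [string]  $OuterVss = 'vSwitch-Outside',          # VSS with the physical uplinks
    [string[]]$Uplinks  = @('vmnic2', 'vmnic3'),      # assumed uplinks to the two switches
    [ValidateSet('OneUplink', 'TwoUplinks')]
    [string]  $Mode     = 'TwoUplinks'                # which of the two tested setups to build
)

Connect-VIServer -Server $EsxHost | Out-Null
$vmhost = Get-VMHost -Name $EsxHost

# Create the two standard switches if they do not exist yet. The inner switch gets no
# physical NIC at all; the outer switch gets both uplinks attached (their role in the
# failover order is set separately below).
$inner = Get-VirtualSwitch -VMHost $vmhost -Name $InnerVss -Standard -ErrorAction SilentlyContinue
if (-not $inner) { $inner = New-VirtualSwitch -VMHost $vmhost -Name $InnerVss }
$outer = Get-VirtualSwitch -VMHost $vmhost -Name $OuterVss -Standard -ErrorAction SilentlyContinue
if (-not $outer) { $outer = New-VirtualSwitch -VMHost $vmhost -Name $OuterVss -Nic $Uplinks }

# One port group per switch for the bridge VM's two vNICs (the protected VM shares 'Inside').
foreach ($pair in @(@($inner, 'Inside'), @($outer, 'Outside'))) {
    if (-not (Get-VirtualPortGroup -VirtualSwitch $pair[0] -Name $pair[1] -ErrorAction SilentlyContinue)) {
        New-VirtualPortGroup -VirtualSwitch $pair[0] -Name $pair[1] | Out-Null
    }
}

# Both switches must accept Promiscuous Mode, MAC address changes and Forged transmits:
# without these the bridge vNIC neither receives frames addressed to the protected VM's
# MAC nor is allowed to send frames that carry that MAC as source.
foreach ($vss in @($inner, $outer)) {
    $policy = Get-SecurityPolicy -VirtualSwitch $vss
    Set-SecurityPolicy -VirtualSwitchPolicy $policy `
        -AllowPromiscuous $true -MacChanges $true -ForgedTransmits $true | Out-Null
}

# Teaming on the outer switch. 'OneUplink' is the setup the post reports as working;
# 'TwoUplinks' is the failing one (second uplink as standby here; the post says active
# and unused fail as well, so swap -MakeNicStandby for -MakeNicActive / -MakeNicUnused
# to test those variants).
$teaming = Get-NicTeamingPolicy -VirtualSwitch $outer
switch ($Mode) {
    'OneUplink' {
        Set-NicTeamingPolicy -VirtualSwitchPolicy $teaming `
            -MakeNicActive $Uplinks[0] -MakeNicUnused $Uplinks[1] `
            -LoadBalancingPolicy LoadBalanceSrcId `
            -NetworkFailoverDetectionPolicy LinkStatus | Out-Null
    }
    'TwoUplinks' {
        Set-NicTeamingPolicy -VirtualSwitchPolicy $teaming `
            -MakeNicActive $Uplinks[0] -MakeNicStandby $Uplinks[1] `
            -LoadBalancingPolicy LoadBalanceSrcId `
            -NetworkFailoverDetectionPolicy LinkStatus `
            -NotifySwitches $true -FailbackEnabled $true | Out-Null
    }
}

# Dump what to compare between the two runs.
"--- Security policy per switch ---"
foreach ($vss in @($inner, $outer)) {
    Get-SecurityPolicy -VirtualSwitch $vss |
        Select-Object @{n = 'Switch'; e = { $vss.Name } }, AllowPromiscuous, MacChanges, ForgedTransmits
}
"--- Teaming policy on $OuterVss ---"
Get-NicTeamingPolicy -VirtualSwitch $outer |
    Select-Object ActiveNic, StandbyNic, UnusedNic, LoadBalancingPolicy,
                  NetworkFailoverDetectionPolicy, NotifySwitches, FailbackEnabled
"--- Host setting that affects promiscuous ports on multi-uplink vSwitches (read only) ---"
Get-AdvancedSetting -Entity $vmhost -Name 'Net.ReversePathFwdCheckPromisc' |
    Select-Object Name, Value

Disconnect-VIServer -Server $EsxHost -Confirm:$false
```

Run it once with `-Mode OneUplink` and once with `-Mode TwoUplinks`, repeating the ping test from the post after each, and keep the two dumps; the security policy output should be identical in both runs, so any behavioural difference is confined to the teaming section and the host setting. The script does not touch the bridge VM itself, which the post says was already swapped between vendors without changing the result.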