custom firewall on virtual switch and VM IP allocation rules

View Only

Back to discussions

Expand all | Collapse all

custom firewall on virtual switch and VM IP allocation rules

1. custom firewall on virtual switch and VM IP allocation rules

Recommend
blackmamba1
Posted Jan 13, 2015 12:20 AM

Reply Reply Privately
Dear experts,
On a vmware esxi 5.5 with 2 public IP address I have 2 virtual switches and 1 NIC, as follows:
1. One vSwitch0, which is attached to the physical adapter vmnic0 and has 2 port groups, respectively Management Network and VM Network.
2. Another vSwitch1, which is not attached to any physical adapter, only for internal communications between virtual machines.
I have one virtual machine called 'router', which has 2 virtual network interfaces: one to vSwitch0/VM Network and one to vSwitch1/internal
First interface is connected to the internet and has the public IP address.
Second interface is for internal vLAN traffic only, and has IP address 10.0.6.1

The rest of virtual machines have just one virtual network interface, connected to vSwitch1/internal (they don't need internet).
What I want to do is:
a) Implement some kind of firewall rules at Vmware ESXI level, in order for all the virtual machines to be able to talk to the router (and obviously the router to be able to talk to each other virtual machine) but not to each other.
Simple:
Allowed: From 10.0.6.1 - to - all
Allowed: From all - to - 10.0.6.1
Not allowed: from all(except 10.0.6.1) to all
b) Enforce somehow the IP address for each virtual machine (either via static MAC when virtual machines are created, or I don't know how it's best) in order for a virtual machine not to be able to hijack the IP address of another. Like virtual machine 5 changes without authorization its IP address from 10.0.6.6 to 10.0.6.10 and will still work because it's in the same subnet. Want to avoid this.
Suggestions? Any help is really appreciated, I would prefer simple instructions, possible step by step or links to documentation about how to do it since I am just getting started to play with advanced features of ESXI.Thank you in advance.
2. RE: custom firewall on virtual switch and VM IP allocation rules

Recommend
JarryG
Posted Jan 13, 2015 07:52 AM

Reply Reply Privately
Implement some kind of firewall rules at Vmware ESXI level, in order for all the virtual machines to be able to talk to the router (and obviously the router to be able to talk to each other virtual machine) but not to each other.

Simply said, you can not do this on ESXi-level. ESXi-firewall can not filter traffic to/from VMs. But filtering-rules can be set up by your router-VM (if it has some filtering/firewalling capabilities)...

b) Enforce somehow the IP address for each virtual machine

Set up IP-addresses using DHCP-server, and use IP/MAC pairs filtering on router/firewall.
Edit: you can use even switch-ports in filtering rules (because both IP and MAC can be spoofed), but again, this depends on which router/firewall you use)...
3. RE: custom firewall on virtual switch and VM IP allocation rules

Recommend
blackmamba1
Posted Jan 15, 2015 12:13 AM

Reply Reply Privately
For the first part, it's true it's better to implement this at DHCP level (router-gateway virtual machine). Since indeed MAC address as well as IP address can be spoofed, I would like to use switch ports, but how?
Secondly there is nothing which I can do at the router-gateway virtual machine level in order to ensure the virtual machines do not talk to each other but can talk with the router. since they are all in the same subnet, the packets are not sent via the router so i cannot drop them there. 10.0.8.5 -> 10.0.8.6 connection won't go through the router 10.0.8.1. I need to create vlans here in vmware vSwitch and somehow enforce rules for which hosts can communicate directly. is this possible in vmware?
4. RE: custom firewall on virtual switch and VM IP allocation rules

Recommend
JarryG
Posted Jan 15, 2015 02:05 PM

Reply Reply Privately
Secondly there is nothing which I can do at the router-gateway virtual machine level in order to ensure the virtual machines do not talk to each other but can talk with the router. since they are all in the same subnet

Oh come on man, just a little creativity is needed! For every VM create its own vSwitch and its own ip-subnet (there is 256 subnets each with 256 hosts in 192.168.x, if it is not enough, you can use smaller segments). And your router will be connected to all those vswitches. Unless you activate nat/masquarading/routing on your router, VMs sure will not be able to talk to each other, but will be able to talk to router...
5. RE: custom firewall on virtual switch and VM IP allocation rules

Recommend
HawkieMan
Posted Jan 15, 2015 07:29 PM

Reply Reply Privately
Use private VLAN and only let the firewall VM have the promiscious setting. This separates the other VMs from talking outside the firewall
6. RE: custom firewall on virtual switch and VM IP allocation rules

Recommend
SureshKumarMuth
Posted Jan 15, 2015 07:52 AM

Reply Reply Privately
Do you have vcenter server? What is the version.
7. RE: custom firewall on virtual switch and VM IP allocation rules

Recommend
blackmamba1
Posted Jan 15, 2015 11:46 AM

Reply Reply Privately
No, do not have vcenter server. just vmware esxi 5.5

VMware vSphere

custom firewall on virtual switch and VM IP allocation rules

blackmamba1Jan 13, 2015 12:20 AM

JarryGJan 13, 2015 07:52 AM

blackmamba1Jan 15, 2015 12:13 AM

JarryGJan 15, 2015 02:05 PM

HawkieManJan 15, 2015 07:29 PM

SureshKumarMuthJan 15, 2015 07:52 AM

blackmamba1Jan 15, 2015 11:46 AM

1. custom firewall on virtual switch and VM IP allocation rules

2. RE: custom firewall on virtual switch and VM IP allocation rules

3. RE: custom firewall on virtual switch and VM IP allocation rules

4. RE: custom firewall on virtual switch and VM IP allocation rules

5. RE: custom firewall on virtual switch and VM IP allocation rules

6. RE: custom firewall on virtual switch and VM IP allocation rules

7. RE: custom firewall on virtual switch and VM IP allocation rules