If I put OPNsense in a VM, what is the best practice for OPNsense placement in VMware ESXi relative to the other VMs being protected?
I have seen:
https://doc.pfsense.org/index.php/PfSense_on_VMware_vSphere_/_ESXi
Assuming the above link is analogous to OPNsense,
Can I make
- dSwitch A (port group: WAN) with uplink
- dSwitch B (port group: LAN) with NO uplink

give the OPNsense VM 2 vNICs (LAN and WAN), and put the other VMs in dSwitch B (LAN)?
Question:
- Is above topology doable and correct?
- If someone can answer: are there any VMware features affecting VMs in dSwitch B, like vMotion perhaps?
- If I have a standard switch with a VMkernel adapter inside, can I move that to dSwitch B (a separate port group, say MgmtPG)?
Thank you very much,
I would recommend the following setup:
OPNsense VM with at least 3 interfaces: Management, LAN and WAN. DMZ interfaces as needed.
Management: Gives access to the web GUI of OPNsense and ESXi, and unfiltered Internet access.
WAN: As you may think how this should be used ;)
LAN: The computers which should have filtered network access (no access to management interfaces)
Management can reach anything
LAN -> DMZ, Internet (Filtered by Port)
DMZ -> Internet (maybe limited to a list of IPs, Ports)
WAN -> DMZ (if allowed)
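As an added illustration (not part of this thread and not OPNsense code), the flow matrix from the reply above expressed as a zone policy: rules are matched first-match, anything unmatched is denied, and an audit function checks that no zone other than Management can reach the Management zone. The port numbers, the treatment of "Internet" as the WAN zone, and the deliberately weak ruleset at the end are constructed assumptions for the example.

```python
"""Zone-based policy model of the Management / LAN / DMZ / WAN layout.

Added example, not from the thread. "Internet" is modelled as the WAN
zone; ports and the weak ruleset are constructed sample values.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ZONES = ("Management", "LAN", "DMZ", "WAN")


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str                       # "*" matches any destination zone
    ports: Optional[FrozenSet[int]] = None   # None matches any port
    action: str = "allow"


# The matrix from the reply: Management reaches anything, LAN reaches
# DMZ and Internet filtered by port, DMZ reaches Internet on a short
# list, WAN reaches DMZ only where explicitly allowed.  Port values are
# constructed for the example.
RULES: List[Rule] = [
    Rule("Management", "*"),
    Rule("LAN", "DMZ", frozenset({80, 443})),
    Rule("LAN", "WAN", frozenset({53, 80, 443})),
    Rule("DMZ", "WAN", frozenset({443})),
    Rule("WAN", "DMZ", frozenset({443})),
]

# A common mistake: a trailing "LAN to any" rule that quietly undoes the
# isolation of the Management zone (constructed for the audit below).
WEAK_RULES: List[Rule] = RULES + [Rule("LAN", "*")]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> str:
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        zone_ok = r.src_zone == flow.src_zone and r.dst_zone in ("*", flow.dst_zone)
        if zone_ok and (r.ports is None or flow.dst_port in r.ports):
            return r.action
    return "deny"


def audit_isolation(rules: List[Rule],
                    probe_ports: Tuple[int, ...] = (22, 80, 443)) -> List[Tuple[str, str, int]]:
    """Return every (src, dst, port) where a non-Management zone can reach Management."""
    violations = []
    for src in ZONES:
        if src == "Management":
            continue
        for port in probe_ports:
            if evaluate(Flow(src, "Management", port), rules) == "allow":
                violations.append((src, "Management", port))
    return violations


def reachability_matrix(port: int, rules: List[Rule] = RULES) -> dict:
    """Zone-pair -> action for one destination port; useful for a quick review."""
    return {(s, d): evaluate(Flow(s, d, port), rules)
            for s in ZONES for d in ZONES if s != d}


if __name__ == "__main__":
    for (s, d), action in sorted(reachability_matrix(443).items()):
        print(f"{s:>10} -> {d:<10} {action}")
    print("baseline violations:", audit_isolation(RULES))
    print("weak ruleset violations:", audit_isolation(WEAK_RULES))
```

Running the module prints the 443 reachability matrix for review; the audit shows the baseline ruleset keeps Management isolated while the appended "LAN to any" rule opens LAN to Management on every probed port.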
You seem to be referring to vCenter as part of management?
Thanks for the answer, btw.
Management is a VLAN which includes
* the Management interface of the ESXi (Web and/or API endpoint for the client)
* the Management interface of OPNsense (GUI, SSH)
* your management computer (laptop or PC), which is usually not connected to this VLAN