OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: tdalej on June 17, 2018, 06:44:32 pm

Title: ESXI OPNSense installations
Post by: tdalej on June 17, 2018, 06:44:32 pm
I'm setting up OPNsense firewall on ESXi 6.5 and I'm looking for best practices on configuring the virtual networks in the ESXi server for management, WAN, LAN, DMZ and an interface to connect to a dedicated connection to a wireless access point.

This really isn't an OPNsense issue, but a VMware issue, but I'm hoping someone has already done this and has some pointers on the ESXi side of the setup.
   
Title: Re: ESXI OPNSense installations
Post by: pongafence on June 19, 2018, 11:57:43 am
Hi there,

I've done exactly that.  I guess the biggest thing is how you manage and how you plan on managing your Virtual Networks.

For us, what we've done is simply created a Virtual Network on our Distributed Switch for each network, and then added them as interfaces to our OPNsense appliance.

We thought about going down the route of creating a VLAN Trunk port, however, that simply opened up another can of worms regarding other Admins sneaking their VMs onto networks etc.

Title: Re: ESXI OPNSense installations
Post by: tdalej on June 20, 2018, 06:12:37 pm
I'm moving from a dedicated bit of hardware with pfsense and one static IP address to an OPNsense VM with 5 static IP addresses.

In the past since I have had only one IP address I used port forwarding to expose a web server -- with the additional IP addresses I plan to venture into DMZ setup with a dedicated Web server VM, mail server VM, etc.

In the new setup the ESXi host has multiple vSwitches, assigning a physical NIC to each -- VM management, WAN, LAN, DMZ and Wireless (for a physical cable to a pass through access point).

My first concern is that the access to the ESXi management functions doesn't become visible over the WAN. I can't find much about how to limit the ESXi management to a specific physical interface. I have been hoping to find some good discussion or docs on best practices on how to set up to avoid issues with connecting a physical NIC to the internet but short of ESXi hardening I haven't found a whole lot.

Title: Re: ESXI OPNSense installations
Post by: Evil_Sense on June 24, 2018, 11:47:13 am
There's a possibility to set the interface for management access on ESXi: either you use a dedicated interface or you make sure it's on the LAN side of your OPNsense VM.