VMWare server/virtual firewall

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View



Ok, first, this isn't for a production environment - just for experimenting.

Would it be possible to take a single box with two physical network
cards (eth0 and eth4), and -

The box has some flavor of Linux as it's primary OS, is running VMWare
Server, which has been used to configure two virtual network cards (eth1
and eth2), and also a virtual instance of OpenBSD (with PF and Snort
configured).

What I'd like is something like this

Internet - router - (eth0 (physical) - virtualization of OpenBSD - eth1
(virtual) - virtual switch - eth2 (virtual) - Linux OS - eth4
(physical)) - second firewall (this one is setup already, no
virtualization or anything) - physical switch - LAN

I hope that's making sense - everything in (), between the router and
the second (physical) firewall, is running on the VMware box.

Any thoughts?  I guess what I'm trying to do is set up a virtual
firewall, and doing it this way will let me play around with PF, Snort,
OpenBSD, VMware Server, and virtualization in general - the idea,
eventually, is to use the VMware box to virtualize a couple server
instances and create a DMZ where those are located.

Instead of putting a separate second firewall after the router and
before the VM box, I'm hoping to go cheap and just virtualize it, but
I'm not sure the configuration will work (the main thing is that I want
the first thing the packets from the physical eth0 card to hit to be the
OpenBSD instance, without having any interaction with the other
virtualized instances or the primary linux OS until after they've passed
through the virtual firewall).

Am I going to run into problems with the first physical NIC being
assigned to the virtual OpenBSD instance and not enabled for the primary
Linux OS?

Hope this all makes sense - yes, I'm a noob.

Any thoughts/opinions about this would be appreciated - thanks in advance.


Re: VMWare server/virtual firewall


On 11/4/2009 12:37 PM, undefined operator wrote:
Quoted text here. Click to load it

You can do this and it will work.

The think you will have to be careful of is making sure that the host OS
does not bind any thing to eth0.  (Bind your management IP to another
interface that is connected elsewhere in the network (eth4?).)

Do be aware that your throughput will suffer compared to physical boxen.
  I did something similar to this years ago (and still do for some
things) and a friend of mine said "the sides of the case are going to
start bending with all the packets bouncing around in memory.".



Grant. . . .

Re: VMWare server/virtual firewall


On Thu, 05 Nov 2009 00:11:31 -0600, Grant Taylor wrote:

Quoted text here. Click to load it

yeah virtualisation is great untill you do a lot of IO in the
vm's, eg: if you want performance out of a fileserver:
don't virtualise it !

Site Timeline