On 22/02/2014 01:13, Ryan Coleman wrote:
>I'm moving away from single server design on my ESXi box to dedicated guests for each service but I cannot seem to get those dedicated services through the firewall.
>
>I have a 29bit subnet (IPs 1 through 5). Everything is internal to the ESXi (5.1) server.
>
>.1 = pfSense Firewall
>.2 = OPT1 interface on pfSense
>.3 = Customer VM (will port over to OPT2 after this works)
>.4 = All-in-one hosted VM
>.5 = Same All-in-one hosted VM
>
>I am going to eliminate .4 and .5 as I pull specific services out and into VMs (I've already moved the basic part of the FTP, the entire SQL server and LDAP to internal systems).
It's not clear to me how the all-in-one hosted VMs are connected, and how this /29 subnet is connected. Is this /29 subnet the "LAN" side of your pfSense firewall? In that case, do you have a different IP address on the "WAN" interface? Is this /29 subnet public IPs, or private and you are using NAT?

Once that's clear, we can decide how to separate out the services onto different VMs.

There are a few straightforward observations to make though:

1. If you want dedicated guests for each service, then each guest needs its own IP address.
2. If you don't have enough IP addresses in your existing network, then you need more addresses, or NAT with private addresses.
3. If you want these dedicated guests to be *behind* the firewall then they need to be on a different subnet, so that traffic is routed through the firewall.

So, let me pencil out one of the possibilities for what you're trying to do. It might look like this:

---+---------- 192.0.2.0/29   # external public IPs
   |.1
   |WAN
pfSense
   |LAN
   |.1
   |
---+-+++------ 192.168.0.0/24
     |||
     VMs
     .2 .3 .4 etc

For NAT, you could configure 1:1 NAT between (say) 192.0.2.4 on the WAN side and 192.168.0.4 on the LAN side. Or, if you need to share the 192.0.2.4 address so that various different services hit different VMs on the LAN side, then you'd use port forwarding instead.

But I cannot see why this should require any re-architecting of your network or your firewall, over and above what you already have. In particular it should not require any OPT1 or OPT2 interface to be created, unless you want to put the VMs on different subnets behind the firewall; and you'd only want to do that if you want to block VM-to-VM traffic, which might be the case if the VMs belong to different customers.

So if you *do* want to do that, then you'll need separate subnets for OPT1 and OPT2, say 192.168.1.0/24 and 192.168.2.0/24. The pfSense firewall will have an IP address on each of them.

And as has been pointed out already, you definitely don't want your OPT1 IP address to be in the same range as either the LAN or WAN subnets. Each interface must be in a separate subnet. This is just how IP routing works.

Regards,

Brian.
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
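A small model of the plan Brian sketches, added here as an example and not code from the thread or from pfSense: it checks that no two firewall interfaces share a subnet (the point made in the last paragraph) and shows what 1:1 NAT and port forwarding each map. The public /29 and private /24 addresses are those from the sketch; the VM roles and ports are constructed for illustration.

```python
"""Added example (not from the list thread): validate the interface plan
from the sketch and model the two inbound NAT options with the stdlib
ipaddress module."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed interface plan following the sketch: WAN on the public /29,
# LAN/OPT1/OPT2 each on their own private /24.
INTERFACES = {
    "WAN": "192.0.2.1/29",
    "LAN": "192.168.0.1/24",
    "OPT1": "192.168.1.1/24",
    "OPT2": "192.168.2.1/24",
}


def overlapping_interfaces(interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return pairs of interfaces whose subnets overlap; a sound plan yields []."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


# 1:1 NAT: one public address maps to one VM, every port.
ONE_TO_ONE = {"192.0.2.4": "192.168.0.4"}
# Port forwarding: one shared public address is split by destination port.
# The VM roles here are constructed, not taken from the thread.
PORT_FORWARDS = {("192.0.2.5", 21): "192.168.0.2",    # hypothetical FTP VM
                 ("192.0.2.5", 389): "192.168.0.3"}   # hypothetical LDAP VM


def translate_inbound(dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Internal destination for a packet arriving on WAN, or None when no
    rule matches (the firewall then just filters it on the WAN rules)."""
    if dst_ip in ONE_TO_ONE:
        return (ONE_TO_ONE[dst_ip], dst_port)
    target = PORT_FORWARDS.get((dst_ip, dst_port))
    return (target, dst_port) if target else None


if __name__ == "__main__":
    print("overlaps:", overlapping_interfaces(INTERFACES))
    # The original mistake: OPT1 placed inside the WAN /29.
    print("overlaps:", overlapping_interfaces(dict(INTERFACES, OPT1="192.0.2.2/29")))
    print(translate_inbound("192.0.2.4", 22), translate_inbound("192.0.2.5", 21))
```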