Author Topic: Hardening ESXi

Offline Georget27

  • Jr. Member
  • Posts: 33
  • Karma: +4/-0
Hardening ESXi
« on: November 09, 2017, 07:43:42 am »
Hello,

Just installed my first ESXi at home to run an internet gateway and it is freaking me out. 🙂
I followed the manual and everything works fine, but is there really nothing I should do to protect the WAN interface at the hypervisor level?

Thanks,

Offline johnpoz

  • Hero Member
  • Posts: 14468
  • Karma: +1340/-200
  • Not a pfSense employee, they cannot fire me...
Re: Hardening ESXi
« Reply #1 on: November 09, 2017, 09:26:11 am »
Why would the WAN connection be exposed to anything? I take it you have pfSense running on your ESXi host.

So connect the WAN to pfSense. ESXi would not be listening on anything on the WAN... So what would it be exposed to?

I have it setup like this

internet - cable modem - ESXi host NIC - vSwitch - pfSense WAN

ESXi does not listen for any traffic on this "WAN"; ESXi does not have an IP on this interface, etc. So what exactly do you feel is exposed other than the WAN interface of your firewall? Which, out of the box, blocks all unsolicited inbound traffic to the WAN IP.

Your ESXi vmkernel that you use to control ESXi should be on the inside of your network, i.e. behind pfSense.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline mattrey

  • Newbie
  • Posts: 6
  • Karma: +0/-0
Re: Hardening ESXi
« Reply #2 on: November 09, 2017, 11:07:57 am »
You would have another virtual switch that has the WAN NIC connected as uplink.
And your virtual WAN NIC of the pfSense VM is connected to that switch and nothing else, right?

Then you're fine :-)

Offline AMizil

  • Jr. Member
  • Posts: 28
  • Karma: +1/-0
Re: Hardening ESXi
« Reply #3 on: November 09, 2017, 03:56:06 pm »
You would have another virtual switch that has the WAN NIC connected as uplink.
And your virtual WAN NIC of the pfSense VM is connected to that switch and nothing else, right?

Then you're fine :-)

"NOTHING ELSE" is important!
Don't bind a VMkernel port to the vSwitch where the physical adapter for WAN is.
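The layout mattrey and AMizil describe (WAN uplink on its own vSwitch, pfSense's WAN vNIC as the only thing attached, no VMkernel port on it) can be checked from the ESXi shell. The script below is an added example, not code from this thread or from pfSense or VMware. It assumes the plain-text field layout printed by `esxcli network vswitch standard list` and `esxcli network ip interface list` (the `Uplinks:` and `Portset:` lines) and runs here against constructed sample output; the vmnic and vmk names in the samples are made up.

```shell
#!/bin/sh
# Added example (not from the thread): verify that no VMkernel interface sits on
# the vSwitch that carries the WAN uplink. Parses the text output of
# `esxcli network vswitch standard list` and `esxcli network ip interface list`;
# the field names (Uplinks:, Portset:) are assumed from that format. On a real
# host you would pass live output instead of the samples below, e.g.
#   check_wan_isolation "$(esxcli network vswitch standard list)" \
#                       "$(esxcli network ip interface list)" vmnic1

# Constructed sample: two standard vSwitches, vmnic1 is the WAN uplink.
VSWITCH_LIST='vSwitch0
   Name: vSwitch0
   Class: etherswitch
   Used Ports: 5
   Uplinks: vmnic0
   Portgroups: VM Network, Management Network

vSwitch1
   Name: vSwitch1
   Class: etherswitch
   Used Ports: 3
   Uplinks: vmnic1
   Portgroups: WAN'

# Constructed sample: the recommended layout, only vmk0 on the management vSwitch.
VMK_LIST_OK='vmk0
   Name: vmk0
   MAC Address: 00:50:56:00:00:01
   Enabled: true
   Portset: vSwitch0
   Portgroup: Management Network
   Netstack Instance: defaultTcpipStack'

# Constructed sample: the mistake warned about above, a vmk1 bound to the WAN vSwitch.
VMK_LIST_BAD="$VMK_LIST_OK

vmk1
   Name: vmk1
   MAC Address: 00:50:56:00:00:02
   Enabled: true
   Portset: vSwitch1
   Portgroup: WAN
   Netstack Instance: defaultTcpipStack"

# Print the name of the vSwitch whose Uplinks line contains the given vmnic.
vswitch_for_uplink() {
  printf '%s\n' "$1" | awk -v nic="$2" '
    /^[^ ]/ { sw = $1 }
    /^ *Uplinks:/ {
      sub(/^ *Uplinks: */, "")
      n = split($0, a, /, */)
      for (i = 1; i <= n; i++) if (a[i] == nic) print sw
    }'
}

# Print every vmk interface whose Portset is the given vSwitch.
vmks_on_vswitch() {
  printf '%s\n' "$1" | awk -v sw="$2" '
    /^[^ ]/ { vmk = $1 }
    /^ *Portset:/ { if ($2 == sw) print vmk }'
}

# Returns 0 if the WAN vSwitch carries no VMkernel port, 1 if it does,
# 2 if the uplink is not attached to any standard vSwitch.
check_wan_isolation() {
  sw=$(vswitch_for_uplink "$1" "$3")
  if [ -z "$sw" ]; then
    echo "uplink $3 is not attached to any standard vSwitch"
    return 2
  fi
  bad=$(vmks_on_vswitch "$2" "$sw")
  if [ -n "$bad" ]; then
    echo "FAIL: VMkernel port(s) on WAN vSwitch $sw: $(echo "$bad" | tr '\n' ' ')"
    return 1
  fi
  echo "OK: no VMkernel port on WAN vSwitch $sw"
  return 0
}

check_wan_isolation "$VSWITCH_LIST" "$VMK_LIST_OK" vmnic1
check_wan_isolation "$VSWITCH_LIST" "$VMK_LIST_BAD" vmnic1 || echo "exit status $?"
```

The check only covers standard vSwitches and VMkernel ports; whether a VM other than pfSense has a vNIC on the WAN port group is a separate question that the vSwitch listing alone does not answer.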

Offline messerchmidt

  • Sr. Member
  • Posts: 306
  • Karma: +11/-4
Re: Hardening ESXi
« Reply #4 on: November 19, 2017, 09:34:44 pm »
As per above. Also, hopefully your CPU has VT-d (or the AMD equivalent) so the VM can control the hardware directly.

Offline P3R

  • Full Member
  • Posts: 240
  • Karma: +8/-3
Re: Hardening ESXi
« Reply #5 on: November 20, 2017, 02:20:51 am »
You could use hardware passthrough for the WAN interface to the pfSense VM instance.

Slightly more complicated to configure, but that way the interface isn't even visible in ESXi networking, so there's less risk of administrative mistakes.