Securing VMWare ESXi on a Dedicated/Root Server with a Single IP Address, Single NIC

Before I start, I’ll say that the title above is misleading. It is not, to the best of my knowledge, possible to run ESXi along with routing for your VMs on a single IP address, but when I was researching the possibilities I found it extremely difficult to find information on this, so hopefully this helps other users in a similar situation find this post.

This post assumes that you have your dedicated server up and running with a version of VMWare ESXi, I chose version 5.5 but it should apply to other versions as well.

Start by creating a VM suitable for a firewall or router operating system. I highly recommend pfSense as it has a huge feature set, it’s free and it’s easy to use. For my VM, I went with 2GB RAM (overkill for my use, but this server has a ton of RAM in it so…), 2 NICs, a 64GB virtual hard drive and 2 CPU cores, which again is overkill for my use but why not…

I found the best way to install it is to upload the ISO to your ESXi datastore before installing it, as I had issues when mounting it through the vSphere client. Run through the installation as you normally would; the options are pretty self-explanatory. Once you’ve done that and rebooted the VM you’re ready to start setting it up.

From vSphere, start by heading to the Configuration section for your server, then the Networking section. You will want to create a new vKernel (VMkernel port) with a private IP range, e.g. 192.168.100.1, enable it for management access as well, and leave the current gateway IP address as it is for now. Within that, create a new vSwitch for your VMs to connect to. Assign one of your pfSense NICs to the original vSwitch, and the other to your newly created private vSwitch. Then head over to your pfSense VM console and use the menu to assign the interfaces appropriately; for the WAN NIC you should assign the second public IP that your host has provided. (If you haven’t already, and if it applies to you, make sure your pfSense VM has the correct MAC address configured for the IP address you were provided with.) Then, if necessary, you can also change the LAN IP range from this same menu if the vKernel you made is different from the pfSense default.

Next, you’ll need another VM running to make life easier with the rest of it. I chose to set up a basic Windows 7 install (again, uploading the ISO to the datastore first will save a ton of headaches) and attach the NIC of this VM to your private vSwitch. If all has gone to plan you should immediately be able to access the internet from this VM and, more importantly, the pfSense web interface. So go ahead and log in to that; the default username is ‘admin’ and the password is ‘pfsense’. It’s a good idea to set up remote-access software of some kind so that if you lock yourself out of vSphere you can still reach this VM to correct any issues; TeamViewer is a good option here.

Then, you will want to achieve something like this eventually:

Once you have got vSphere management and remote access to your Windows VM, you’re ready to change your gateway settings on ESXi to remove its public IP address. Go into the properties for your second vKernel and find the IP address settings, click Edit next to the gateway address and change it to the internal IP address of your pfSense firewall. If all goes to plan you will temporarily lose access to vSphere. Then log in to your remote access session, load up vSphere there, go into the properties of the original vSwitch and remove the management network options from it. That should then release the IP address and block external access to your ESXi host, so for the moment you are limited to managing the host through the Windows VM.

If you require external management for the system, you can log in again to pfSense and configure port forwarding rules and IP restrictions to allow management over your second public IP. I chose to set up an OpenVPN bridge to my home network so all VMs were accessible from my home network as well, which is perfect for my use.
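The two things this setup is meant to guarantee are that the ESXi management VMkernel is no longer bound to the public address or pointed at the provider's gateway, and that any port-forward into the host's management ports is restricted to known source addresses. The following checker is an added example, not part of the original post, ESXi or pfSense. It works on a constructed, simplified snapshot of the host's VMkernel interfaces and pfSense NAT rules (a real run would build these from the host's `esxcli network ip interface` output and the pfSense `config.xml`; that parsing is assumed, not shown). The addresses, port group names and rules are made up for the demonstration.

```python
"""Audit ESXi management exposure after re-homing the host behind pfSense.

Hypothetical checker (added example). All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# ESXi ports that give control of the host: SSH, vSphere client/API, console.
MANAGEMENT_PORTS = {22, 443, 902}

# RFC 1918 ranges only. ipaddress.ip_address(...).is_private also flags
# documentation ranges such as 203.0.113.0/24, which we want to treat as
# "public" here, so we check explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class VmkInterface:
    name: str
    ip: str
    gateway: str
    portgroup: str
    management_enabled: bool


@dataclass
class PortForward:
    interface: str      # pfSense interface the rule listens on ("wan"/"lan")
    dest_port: int      # port on the WAN address that is forwarded
    target_ip: str      # internal host receiving the traffic
    target_port: int
    source: str = "any"  # "any" or a source IP/CIDR restriction


def is_private(ip: str) -> bool:
    """True only for RFC 1918 addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_vmkernel(interfaces, public_portgroups):
    """Findings for management-enabled VMkernel ports still reachable from
    the public side. public_portgroups names the port groups on the original
    (public) vSwitch."""
    findings = []
    for vmk in interfaces:
        if not vmk.management_enabled:
            continue
        if vmk.portgroup in public_portgroups:
            findings.append(f"{vmk.name}: management enabled on public portgroup {vmk.portgroup}")
        if not is_private(vmk.ip):
            findings.append(f"{vmk.name}: management bound to public address {vmk.ip}")
        if not is_private(vmk.gateway):
            findings.append(f"{vmk.name}: default gateway {vmk.gateway} bypasses the firewall")
    return findings


def audit_port_forwards(rules, esxi_mgmt_ip):
    """Findings for WAN port-forwards that expose ESXi management ports to any source."""
    findings = []
    for r in rules:
        if r.interface != "wan" or r.target_ip != esxi_mgmt_ip:
            continue
        if r.target_port in MANAGEMENT_PORTS and r.source == "any":
            findings.append(f"WAN :{r.dest_port} -> {r.target_ip}:{r.target_port} is open to any source")
    return findings


# Constructed snapshots. 203.0.113.0/24 stands in for the provider's public range.
PUBLIC_PORTGROUPS = {"Management Network", "VM Network"}
BEFORE = [  # as left after creating the second vKernel, gateway untouched
    VmkInterface("vmk0", "203.0.113.10", "203.0.113.1", "Management Network", True),
    VmkInterface("vmk1", "192.168.100.1", "203.0.113.1", "Private-Mgmt", True),
]
AFTER = [  # vmk0 removed from the public vSwitch, gateway now the pfSense LAN address
    VmkInterface("vmk1", "192.168.100.1", "192.168.100.254", "Private-Mgmt", True),
]
RULES = [
    PortForward("wan", 8443, "192.168.100.1", 443),                          # bad: open to anyone
    PortForward("wan", 2222, "192.168.100.1", 22, source="198.51.100.0/24"),  # ok: restricted
    PortForward("wan", 3389, "192.168.100.50", 3389),                        # Windows VM, not ESXi
]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_vmkernel(cfg, PUBLIC_PORTGROUPS) or "clean")
    print("nat", audit_port_forwards(RULES, "192.168.100.1") or "clean")
```

The "before" snapshot reproduces the intermediate state the post describes, where the new private vKernel still inherits the public default gateway; the checker flags that on both interfaces, which is why the gateway change and the removal of the management network from the original vSwitch both have to happen before the host is actually unreachable from outside. The NAT check only looks at rules that land on the ESXi management address and its control ports, so forwards to ordinary VMs are ignored.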

The only downside to all of this is that if for some reason your pfSense VM ever fails to boot, you then have very little means of managing the ESXi host to correct the problem. My host, Hetzner, offers an IP-KVM service to give me BIOS-level access to the server, which I hope will be adequate to fix any future issues should they arise.

Disclaimer: This solution may not be best practice or reliable, and I’m not an IT security expert, but I believe the solution I have detailed here is secure enough to protect your server. However, I cannot be held responsible if you do suffer a security breach as a result of following these instructions.

Do hit me up in the comments if you require assistance or would like to ask any further questions.
