VMware ESXi – Configuring Behind a Virtual Machine

Tags: colocation, nat, networking, router, vmware-esxi

Just as a follow-up to my previous question: I have an ESXi server that I'm moving into a colocation facility that supplies me a single IP address. I think I'm going to go the route of setting up a VM that will act as my router for the guest VMs, and I think all of that's gravy. My concern now is accessing the VMware Client to configure new virtual machines. This doesn't make sense in my head, but:

Can my ESXi Host be behind that VM router, as well?

Or will my setup require 2 IP addresses from my colocation facility? That is, one IP address to use to configure my VMs (the ESXi host directly) and another to hit the guest VMs?

Just to see where I'm coming from, in case my question isn't clear: my current office setup has the ESXi host at an IP address of something like 10.0.0.102. The VMs start at 10.0.0.103 and go up. And both are behind a physical router with an internal address of 10.0.0.1, and an external one of something like 98.x.x.x. Is it possible to make a VM guest that is dual-homed on the 98.x.x.x and the 10.0.0.x networks to route traffic for me AND access my VM host at 10.0.0.102?

Best Answer

(Third re-write)

You can do pieces of this.

You can define two virtual switches on your ESXi system. Call one "internal" for the 10.x.x.x stuff and one "external" for the single 98.x.x.x address you have been assigned.

Connect one physical Ethernet port to the "external" vswitch.

Define a firewall VM with two ethernet devices. Attach one to the "external" vswitch, and assign the interface the 98.x.x.x IP you have been given. Attach the firewall VM's second ethernet device to the "internal" switch and give it an IP on the 10.x.x.x subnet. This will end up being the default router for all the other VMs on the box.

Each other VM you create should be added to the "internal" vswitch with a 10.x.x.x subnet, and use the firewall's 10.x.x.x IP as its default router.

Add the ESXi management interface to the "internal" vswitch with a 10.x.x.x subnet, and use the firewall's 10.x.x.x IP as its default router.

Configure the firewall to NAT traffic from internal to external. This will permit the internal VMs to talk to the internet.

Now at this point, the internet cannot talk back to them (i.e. if you had a web server on the 10.x.x.x subnet) because the internet doesn't know anything about your 10.x.x.x subnet and so packets never make it to your internal VMs. Besides, you probably have the firewall configured to drop said packets even if they did make it to your system. So you cannot "route" to your VMs over the internet.

So you probably want to do one or both of the following:

  • Set up one or more port forwards on the external interface of the firewall VM to pass inbound traffic back to a particular VM. So for example you'd port-forward port 80 on your firewall's external interface back to your webserver VM, and port-forward port 981 (maybe? might be something else, check your manual) back to the management interface on your ESXi server.

and/or

  • Set up a VPN from wherever you are back to the firewall VM, and route traffic across that directly to the "internal" network.

For setup purposes, if you have two physical interfaces, you can add the second physical interface to the "internal" vswitch. This will mean if you do have physical access to the system, you can plug a laptop (via a crossover cable, probably) directly into the "internal" network and configure things directly. This will also give you emergency access should the firewall VM die for some reason.
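The NAT and port-forward steps above, as an added example that is not part of the answer: a small generator for an nftables ruleset on the dual-homed firewall VM. It assumes a Linux firewall VM with nftables, vNIC names ens160 (external, 98.x.x.x) and ens192 (internal), and the 10.0.0.x addresses from the question; the check function refuses to publish the ESXi management address through a port-forward, leaving that to the VPN option the answer describes.

```shell
#!/bin/sh
# Assumed names: ens160 = external vNIC (98.x.x.x), ens192 = internal vNIC.
# Usage: gen_ruleset EXT_IF INT_IF INT_NET [PUBPORT:DEST_IP:DESTPORT ...]
gen_ruleset() {
    ext_if=$1; int_if=$2; int_net=$3; shift 3
    printf 'table inet fw {\n  chain forward {\n'
    printf '    type filter hook forward priority 0; policy drop;\n'
    printf '    ct state established,related accept\n'
    # internal VMs (and the ESXi management interface) may reach the internet
    printf '    iifname "%s" oifname "%s" accept\n' "$int_if" "$ext_if"
    # inbound from the internet only reaches a VM if a DNAT rule matched it
    printf '    iifname "%s" ct status dnat accept\n  }\n}\n' "$ext_if"
    printf 'table ip nat {\n  chain prerouting {\n'
    printf '    type nat hook prerouting priority -100;\n'
    for fwd in "$@"; do
        pub=${fwd%%:*}; rest=${fwd#*:}; dest=${rest%%:*}; dport=${rest#*:}
        printf '    iifname "%s" tcp dport %s dnat to %s:%s\n' \
            "$ext_if" "$pub" "$dest" "$dport"
    done
    printf '  }\n  chain postrouting {\n'
    printf '    type nat hook postrouting priority 100;\n'
    # masquerade everything leaving the external vNIC from the internal subnet
    printf '    oifname "%s" ip saddr %s masquerade\n  }\n}\n' "$ext_if" "$int_net"
}

# Refuse a public port-forward that lands on the ESXi management address;
# reach management over the VPN instead. Returns 0 if all forwards are fine.
check_forwards() {
    mgmt_ip=$1; shift
    for fwd in "$@"; do
        rest=${fwd#*:}; dest=${rest%%:*}
        if [ "$dest" = "$mgmt_ip" ]; then
            echo "refusing to expose ESXi management $mgmt_ip via $fwd" >&2
            return 1
        fi
    done
    return 0
}

# Constructed example: ESXi management at 10.0.0.102, web VM at 10.0.0.103.
if check_forwards 10.0.0.102 "80:10.0.0.103:80"; then
    gen_ruleset ens160 ens192 10.0.0.0/24 "80:10.0.0.103:80"
fi
```

Load the printed ruleset with `nft -f` on the firewall VM after reviewing it; the generator only emits text.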
