Building a VMware vSphere Virtual Lab with VMware Fusion - Part 8: Creating a Public Facing Web VM and Securing it with pfSense
This is the last part in a series of tutorials on how to build a VMware vSphere Virtual Lab on a Mac with VMware Fusion. In this tutorial, we'll create a virtual web server and use pfSense to forward traffic to it.
Steps involved in this tutorial:
- Create an Ubuntu 18.04 VM and install NGINX on it.
- Assign the VM to the DMZ network and give it an IP of 10.1.2.11.
- Add an external IP of 198.18.0.11 to the pfSense firewall.
- Create a NAT rule to forward traffic from 198.18.0.11 to 10.1.2.11.
- Create a firewall rule to allow DMZ traffic out.
- Create a firewall rule to block DMZ traffic to the LAN.
- Create firewall rules to allow HTTP and HTTPS to the DMZ.
Ideally you should have read the previous tutorials in the series before following the steps in this tutorial.
- Part 1: Installing ESXi
- Part 2: Deploy and Configure a pfSense VM
- Part 3: Deploying vCenter Server Appliance
- Part 4: Adding ESXi Hosts to a Cluster in vCenter
Parts 5, 6 and 7 are not required to follow this tutorial. The VM can be deployed to local storage and the standard vSwitch DMZ port group can be used.
After completing the steps in the previous tutorials, you will be at a point where you have:
- Three ESXi 6.7 VMs running on VMware Fusion*.
- The first ESXi VM contains a pfSense firewall VM with built in DNS Resolver.
- The first ESXi VM also contains the vCenter Server Appliance.
- A cluster with one or more ESXi 6.7 hosts added to it.
For this tutorial we need to download the Ubuntu Server 18.04 ISO image. Here is a direct link to the ISO which is located on this download page.
After downloading the ISO, we’ll begin by creating the virtual machine.
Step 1: Create the Ubuntu Web VM
The first thing we need to do is create the web virtual machine. I’ve already written a tutorial on how to create an Ubuntu 18.04 VM using the vSphere Client (HTML5).
Open the link above in a new tab and follow the procedure to create a new Ubuntu VM called web01 with the following specification.
- Name: web01
- CPU: 1
- RAM: 512 MB
- HDD: 4 GB
- Network: DMZ
- IP: 10.1.2.11
- Gateway: 10.1.2.1
- Nameserver: 10.1.2.1
Once the machine has been created, you’ll notice after logging into the console, we can’t access the internet.
This is because the pfSense firewall VM has no rules for the DMZ network.
Step 2: Configure pfSense Firewall
In this step, we’ll configure the pfSense firewall so that the web VM can access the internet, and so that the VM can be accessed using the external IP (198.18.0.11) via SSH, HTTP and HTTPS.
Log in to fw01 by typing its IP (10.1.1.251) in a web browser and providing your login credentials.
First, we’ll create some aliases to make adding the firewall rules easier. We’ll create an IP alias with the address of the web01 VM, and a ports alias containing the three ports that will be allowed inbound access to the VM.
Click Firewall then Aliases.
Click Add, give the alias a name of web01 and an IP of 10.1.2.11, then click Save.
Click Add again to create the ports alias. Give the alias a name of web, enter 22 for the first port with a description of SSH, then click Add Port two times and assign ports 80 (HTTP) and 443 (HTTPS). Click Save.
Enable Internet Access
The first rule we will create allows DMZ traffic to access the internet. Before we add the first rule, we need to disable the option to block bogon networks because we’re not using a real public IP address: 198.18.0.0/15 is a reserved benchmarking range and is included in pfSense’s bogon list, so with the option enabled the firewall would drop traffic to and from 198.18.0.11. This is acceptable in a lab; on a firewall with a real public address you would leave bogon blocking on.
Click Interfaces then WAN.
Scroll to the bottom, uncheck Block bogon networks then click Save.
Click Firewall then Rules.
Click DMZ (might be named OPT1) then click Add.
Assign the following details then click Save.
- Action: Pass
- Interface: DMZ
- Address Family: IPv4+IPv6
- Protocol: Any
- Source: DMZ net
- Destination: any
After saving the rule, click Apply Changes and you should see one rule in the DMZ section that looks the same as the image below.
Now when you try to ping an external website from the web01 VM, you should get a reply.
Block DMZ from accessing the LAN
Since the rule above specified Any as the destination, we are able to ping the LAN from the DMZ and that’s something you may not want.
Click Add again to create a new rule that will block access to the LAN. Assign the following details then click Save.
- Action: Block
- Interface: DMZ
- Address Family: IPv4+IPv6
- Protocol: Any
- Source: DMZ net
- Destination: LAN net
Click Apply Changes and then the new rule should be at the top of the DMZ section like in the image below.
Now when you ping a machine on the LAN, for example esxi01, it should be blocked.
Block DMZ from accessing firewall web UI
As it stands, the DMZ is also able to access the firewall via SSH, HTTP and HTTPS. This is not ideal because if the web server gets hacked into, the attacker can target the firewall from it. Let’s block the DMZ from accessing the firewall control panel and SSH.
Click Add then assign the following details.
- Action: Block
- Interface: DMZ
- Address Family: IPv4+IPv6
- Protocol: TCP
- Source: DMZ net
- Destination: This firewall (self)
- Dest Port: (other) web
That’s all the rules we should need for the DMZ network.
Create Virtual IP
The next thing we need to do is create a virtual IP (198.18.0.11) so that we can NAT it with the internal IP of the web server. This will allow us to connect to the web server via SSH or HTTP from the Mac using the external IP address.
Click Firewall then Virtual IPs.
Enter 198.18.0.11 into the Address(es) text box, give it a description of web01, then click Save.
Click Apply Changes.
We’ll use this virtual IP alias when creating the inbound firewall rules in the last step.
Create NAT Rule
In the following steps we’ll create a 1:1 NAT rule so that the public IP of 198.18.0.11 is mapped to the private IP of 10.1.2.11. This will allow us to communicate with the web server via SSH or HTTP by connecting to 198.18.0.11 from the Mac.
Click Firewall then NAT.
On the 1:1 tab, enter 198.18.0.11 in the External subnet IP text box and 10.1.2.11 in the Internal IP box, then click Save.
The NAT rule should now be added and look like the following.
Create WAN Rule
You’ll notice that in previous steps we were doing ping tests from the console of the VM via the web client and not using SSH. This is because we currently have no way of connecting to the VM from the Mac via SSH, because it’s on a different network.
In the following steps we’ll create a WAN rule to allow SSH, HTTP and HTTPS traffic to pass to web01 from the Mac.
Click Firewall, Rules, click WAN and then Add.
Assign the following details then click Save and Apply Changes.
- Action: Pass
- Interface: WAN
- Address Family: IPv4+IPv6
- Protocol: TCP
- Source: any
- Destination: Single host or alias, web01
- Dest Port: (other) web
Click Apply Changes and the rule should look like the following.
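As an added illustration of the rule set built in the DMZ and WAN sections above (example code written for this page, not pfSense’s own engine or a complete model of it), the following Python models the three DMZ rules, the WAN rule, the web ports alias and the 1:1 NAT as first-match evaluation with an implicit default deny. It assumes /24 masks for the DMZ and LAN networks, that “This firewall (self)” covers both 10.1.1.251 and 10.1.2.1, and that the 1:1 NAT is applied before the WAN rules are evaluated (which is why the WAN rule’s destination is the web01 alias rather than the virtual IP). It also shows why the two block rules must sit above the pass-any rule.

```python
"""Added example: a minimal first-match model of the pfSense rules built in this
tutorial. Illustrative code for this page only, not pfSense's engine. Assumed
semantics: rules are checked top to bottom on the interface the packet arrives
on, the first match wins, and anything matching no rule is dropped."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Addresses from the tutorial; the /24 masks are assumptions.
DMZ_NET = ip_network("10.1.2.0/24")
LAN_NET = ip_network("10.1.1.0/24")
FIREWALL_SELF = {ip_address("10.1.1.251"), ip_address("10.1.2.1")}  # "This firewall (self)"
WEB01 = ip_address("10.1.2.11")          # the "web01" alias
WEB01_PUBLIC = ip_address("198.18.0.11")  # the virtual IP
WEB_PORTS = frozenset({22, 80, 443})      # the "web" ports alias: SSH, HTTP, HTTPS


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "DMZ" or "WAN"
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    iface: str
    proto: str = "any"
    src: str = "any"                 # "any", "DMZ net" or a single address
    dst: str = "any"                 # "any", "LAN net", "self" or a single address
    dports: frozenset = frozenset()  # empty means any port


def _match_addr(spec: str, addr: str) -> bool:
    a = ip_address(addr)
    if spec == "any":
        return True
    if spec == "DMZ net":
        return a in DMZ_NET
    if spec == "LAN net":
        return a in LAN_NET
    if spec == "self":
        return a in FIREWALL_SELF
    return a == ip_address(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and rule.proto in ("any", pkt.proto)
            and _match_addr(rule.src, pkt.src)
            and _match_addr(rule.dst, pkt.dst)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    for r in rules:
        if matches(r, pkt):
            return r.action
    return "block"  # implicit default deny


def nat_inbound(pkt: Packet) -> Packet:
    """1:1 NAT: traffic arriving on WAN for the virtual IP is rewritten to web01
    before the WAN rules are checked (assumed order, see lead-in)."""
    if pkt.iface == "WAN" and ip_address(pkt.dst) == WEB01_PUBLIC:
        return Packet(pkt.iface, pkt.proto, pkt.src, str(WEB01), pkt.dport)
    return pkt


# The DMZ rule set as the tutorial leaves it: both block rules ABOVE the pass-any rule.
DMZ_RULES = [
    Rule("block", "DMZ", proto="tcp", src="DMZ net", dst="self", dports=WEB_PORTS),
    Rule("block", "DMZ", src="DMZ net", dst="LAN net"),
    Rule("pass", "DMZ", src="DMZ net", dst="any"),
]
WAN_RULES = [
    Rule("pass", "WAN", proto="tcp", src="any", dst=str(WEB01), dports=WEB_PORTS),
]


def decide(pkt: Packet) -> str:
    return evaluate(DMZ_RULES + WAN_RULES, nat_inbound(pkt))


def misordered_decide(pkt: Packet) -> str:
    """Same rules with the pass-any rule first: the block rules never get a chance."""
    return evaluate([DMZ_RULES[2], DMZ_RULES[0], DMZ_RULES[1]] + WAN_RULES, nat_inbound(pkt))


if __name__ == "__main__":
    samples = [
        Packet("DMZ", "icmp", "10.1.2.11", "203.0.113.5"),        # ping the internet
        Packet("DMZ", "icmp", "10.1.2.11", "10.1.1.20"),          # ping a LAN host
        Packet("DMZ", "tcp", "10.1.2.11", "10.1.1.251", 443),     # firewall web UI
        Packet("DMZ", "udp", "10.1.2.11", "10.1.2.1", 53),        # DNS via the resolver
        Packet("WAN", "tcp", "192.0.2.10", "198.18.0.11", 80),    # Mac to web01 over HTTP
        Packet("WAN", "tcp", "192.0.2.10", "198.18.0.11", 8080),  # port not in the alias
    ]
    for p in samples:
        print(f"{p.iface} {p.proto} {p.src} -> {p.dst}:{p.dport}  correct order: {decide(p):5}  "
              f"pass-any first: {misordered_decide(p)}")
```

Running the script shows that DNS from the DMZ to the resolver on 10.1.2.1 still passes, because the self block rule only covers TCP on the web ports, while the same packets to the firewall’s web UI are blocked. With the pass-any rule moved to the top, the DMZ-to-firewall and DMZ-to-LAN packets are passed, which is why the tutorial has the block rules added above it.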
We should now be able to connect to web01 from the Mac using SSH with the following command, replacing <username> with the account created during the Ubuntu install.
ssh <username>@198.18.0.11
Step 3: Install NGINX
Now that we’re able to access the internet from the web01 machine, we can install NGINX by running the following command at the console.
sudo apt install nginx -y
Test Connection from Mac
With NGINX installed we should now be able to access the default virtual host by typing the external IP in a browser on the Mac.
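To check the result end to end, here is an added Python script (not part of the tutorial) that runs plain TCP connect tests from either web01 or the Mac and compares each outcome with the policy configured above. Hosts and ports are the tutorial’s, except EXTERNAL_HOST, which is an assumed public HTTPS host; the file name check_lab.py is a suggestion. Run it as python3 check_lab.py web01 on the VM’s console and python3 check_lab.py mac on the Mac.

```python
"""Added example: connectivity checks for the lab after the pfSense rules are in
place. Written for this page, not part of the tutorial or pfSense. Only TCP
connect attempts are used (no ICMP, so no root needed) and every result is
compared with what the tutorial's rules should produce."""
import socket
from typing import Callable, List, Tuple

FW01_LAN = "10.1.1.251"         # pfSense LAN address (tutorial)
FW01_DMZ = "10.1.2.1"           # DMZ gateway, also the firewall itself (tutorial)
WEB01_PUBLIC = "198.18.0.11"    # virtual IP mapped 1:1 to web01 (tutorial)
EXTERNAL_HOST = "example.com"   # assumption: any public HTTPS host reachable from the lab

# (description, host, port, expected); expected True means the connection should succeed.
Check = Tuple[str, str, int, bool]

WEB01_CHECKS: List[Check] = [   # run on web01, inside the DMZ
    ("DMZ -> internet HTTPS (pass-any rule)", EXTERNAL_HOST, 443, True),
    ("DMZ -> firewall web UI via LAN address (blocked)", FW01_LAN, 443, False),
    ("DMZ -> firewall web UI via DMZ address (blocked)", FW01_DMZ, 443, False),
    ("DMZ -> firewall SSH (blocked)", FW01_DMZ, 22, False),
]
MAC_CHECKS: List[Check] = [     # run on the Mac, outside, through the WAN rule and 1:1 NAT
    ("Mac -> web01 HTTP via virtual IP (allowed)", WEB01_PUBLIC, 80, True),
    ("Mac -> web01 SSH via virtual IP (allowed)", WEB01_PUBLIC, 22, True),
    ("Mac -> web01 port 8080 via virtual IP (not in alias, dropped)", WEB01_PUBLIC, 8080, False),
]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or name resolution failure
        return False


def run_checks(checks: List[Check],
               probe: Callable[[str, int], bool] = tcp_reachable):
    """Return (description, expected, actual, ok) for every check."""
    results = []
    for desc, host, port, expected in checks:
        actual = probe(host, port)
        results.append((desc, expected, actual, actual == expected))
    return results


def all_ok(results) -> bool:
    return all(ok for *_, ok in results)


def report(results) -> None:
    for desc, expected, actual, ok in results:
        state = "OK  " if ok else "FAIL"
        want = "open" if expected else "blocked"
        got = "open" if actual else "blocked"
        print(f"[{state}] {desc}: expected {want}, got {got}")


if __name__ == "__main__":
    import sys
    which = sys.argv[1] if len(sys.argv) > 1 else "web01"
    results = run_checks(WEB01_CHECKS if which == "web01" else MAC_CHECKS)
    report(results)
    sys.exit(0 if all_ok(results) else 1)
```

A “blocked” result only means the connection did not complete, so it cannot distinguish a firewall drop from a service that is down; confirm the “allowed” checks first, then treat a failed check in the blocked group as a rule-order or rule-scope problem on the DMZ tab.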
In this tutorial, we showed how to configure pfSense to allow traffic into the DMZ from the internet and how to secure traffic between the LAN and DMZ. This is the end of the series on building a VMware vSphere virtual lab with VMware Fusion.
Things to try next?
- You could look into running multiple pfSense VMs on different ESXi hosts in either active/passive or active/active configuration to provide high availability.
- Add a database VM to the LAN and allow only DB traffic from the DMZ to the LAN. Or even better, create a new port group for databases.
As I’m sure you’re aware, there’s only so much information that can go into a blog post, which is why you might want to check out the book titled Mastering VMware vSphere 6.7* (Marshall, Brown, Fritz, Johnson) to get a more in-depth understanding of vSphere.