Building a VMware vSphere Virtual Lab with VMware Fusion - Part 8: Creating a Public Facing Web VM and Securing it with pfSense

This is the last part in a series of tutorials on how to build a VMware vSphere Virtual Lab on a Mac with VMware Fusion. In this tutorial, we'll create a virtual web server and use pfSense to forward traffic to it.

Overview

Steps involved in this tutorial:

  • Create an Ubuntu 18.04 VM and install NGINX on it.
  • Assign the VM to the DMZ network and give it an IP of 10.1.2.11.
  • Add an external IP to the pfSense firewall of 198.18.0.11
  • Create a NAT rule to forward traffic from 198.18.0.11 to 10.1.2.11
  • Create a firewall rule to allow DMZ traffic out.
  • Create a firewall rule to block DMZ traffic to the LAN.
  • Create firewall rules to allow HTTP and HTTPS to the DMZ.

Prerequisites

Ideally you should have read the previous tutorials in the series before following the steps in this tutorial.

Parts 5, 6 and 7 are not required to follow this tutorial. The VM can be deployed to local storage and the standard vSwitch DMZ port group can be used.

After completing the steps in the previous tutorials, you will be at a point where you have:

  • Three ESXi 6.7 VMs running on VMware Fusion*.
  • The first ESXi VM contains a pfSense firewall VM with a built-in DNS Resolver.
  • The first ESXi VM also contains the vCenter Server Appliance.
  • A cluster with one or more ESXi 6.7 hosts added to it.

For this tutorial we need to download the Ubuntu Server 18.04 ISO image. Here is a direct link to the ISO which is located on this download page.

After downloading the ISO, we’ll begin by creating the virtual machine.

Step 1: Create the Ubuntu Web VM

The first thing we need to do is create the web virtual machine. I’ve already written a tutorial on how to create an Ubuntu 18.04 VM using the vSphere Client (HTML5).

Open the link above in a new tab and follow the procedure to create a new Ubuntu VM called web01 with the following specification.

Name:       web01
CPU:        1
RAM:        512 MB
HDD:        4 GB
Network:    DMZ
IP:         10.1.2.11
Gateway:    10.1.2.1
Nameserver: 10.1.2.1

Once the machine has been created and you’ve logged into the console, you’ll notice that it can’t access the internet.

Build vSphere Lab Part 8 - No internet

This is because the pfSense firewall VM has no rules for the DMZ network.

Step 2: Configure pfSense Firewall

In this step, we’ll configure the pfSense firewall so that the web VM can access the internet, and so that the VM can be accessed using the external IP (198.18.0.11) via SSH, HTTP and HTTPS.

Log in to fw01 by typing its IP (10.1.1.251) into a web browser and providing your login credentials.

pfSense Login

Create Aliases

First, we’ll create some aliases to make adding the firewall rules easier. We’ll create an IP alias with the address of the web01 VM, and a ports alias containing the three ports that will be allowed inbound access to the VM.

Click Firewall then Aliases.

Click Add.

Give the alias a name of web01 and an IP of 10.1.2.11, then click Save.

Click Ports.

Click Add.

Give the alias a name of web and enter 22 for the first port with a description of SSH. Click Add Port twice and assign ports 80 and 443.

Click Save.

Enable Internet Access

The first rule we will create allows DMZ traffic to access the internet. Before we add it, we need to disable the option to block bogon networks: our “external” range 198.18.0.0/15 is a reserved benchmarking range rather than a real public address, so it appears on the bogon list and would otherwise be dropped on the WAN.

Click Interfaces then WAN.

Scroll to the bottom, uncheck Block bogon networks then click Save.

Click Firewall then Rules.

Click DMZ (might be named OPT1) then click Add.

Assign the following details then click Save.

Action:         Pass
Interface:      DMZ
Address Family: IPv4+IPv6
Protocol:       Any
Source:         DMZ net
Destination:    any

After saving the rule, click Apply Changes and you should see one rule in the DMZ section that looks the same as the image below.

Now when you try to ping an external website from the web01 VM, you should get a reply.

Block DMZ from accessing the LAN

Since the rule above specified any as the destination, the DMZ is also able to ping the LAN, which is something you probably don’t want.

Click Add again to create a new rule that will block access to the LAN. Assign the following details then click Save.

Action:         Block
Interface:      DMZ
Address Family: IPv4+IPv6
Protocol:       Any
Source:         DMZ net
Destination:    LAN net

Click Apply Changes. The new rule should be at the top of the DMZ section, as in the image below. This ordering matters: pfSense evaluates rules top to bottom and applies the first match, so the block rule has to sit above the pass rule created earlier or it will never be reached.

Now when you ping a machine on the LAN, for example esxi01, it should be blocked.

Block DMZ from accessing firewall web UI

As it stands, the DMZ is also able to reach the firewall itself via SSH, HTTP and HTTPS. This is not ideal: if the web server is compromised, the attacker can target the firewall next. Let’s block the DMZ from accessing the firewall’s web UI and SSH.

Click Add then assign the following details.

Action:         Block
Interface:      DMZ
Address Family: IPv4+IPv6
Protocol:       TCP
Source:         DMZ net
Destination:    This firewall (self)
Dest Port:      (other) web

That’s all the rules we should need for the DMZ network.

Create Virtual IP

The next thing we need to do is create a virtual IP (198.18.0.11) so that we can NAT it with the internal IP of the web server. This will allow us to connect to the web server via SSH or HTTP from the Mac using the external IP address.

Click Firewall then Virtual IPs.

Click Add.

Type 198.18.0.11 into the Address(es) text box, give it a description of web01 then click Save.

Click Apply Changes.

We’ll use this virtual IP alias when creating the inbound firewall rules in the last step.

Create NAT Rule

In the following steps we’ll create a 1:1 NAT rule so that the public IP of 198.18.0.11 is mapped to the private IP of 10.1.2.11. This will allow us to communicate with the web server via SSH or HTTP by connecting to 198.18.0.11 from the Mac.

Click Firewall then NAT.

Click 1:1.

Click Add.

Type 198.18.0.11 in the external subnet IP text box and 10.1.2.11 in the internal IP box, then click Save.

The NAT rule should now be added and look like the following.

Create WAN Rule

You’ll notice that in the previous steps we ran the ping tests from the VM’s console via the web client rather than over SSH. This is because we currently have no way of connecting to the VM from the Mac via SSH, as it’s on a different network.

In the following steps we’ll create a WAN rule to allow SSH, HTTP and HTTPS traffic to pass to web01 from the Mac.

Click Firewall, Rules, click WAN and then Add.

Assign the following details then click Save and Apply Changes.

Action:         Pass
Interface:      WAN
Address Family: IPv4+IPv6
Protocol:       TCP
Source:         any
Destination:    Single host or alias web01
Dest Port:      (other) web

Click Apply Changes and the rule should look like the following.

We should now be able to connect to web01 from the Mac using SSH with the following command.

ssh ubuntu@198.18.0.11

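As an added example (not code from the tutorial), here is a small Python model of pfSense’s first-match rule evaluation loaded with the DMZ rules above and the WAN rule just created. It shows that the two DMZ block rules only do their job when they sit above the pass rule, that the TCP-only block still lets DNS from web01 reach the resolver at 10.1.2.1, and that the WAN rule is matched against the post-NAT internal address. The /24 masks, the LAN host 10.1.1.20 and the source address 198.18.0.1 are assumptions constructed for the example.

```python
import ipaddress

# Constructed model of the lab's addressing. The subnet masks are assumptions:
# the tutorial gives fw01 as 10.1.1.251 (LAN) and the DMZ gateway as 10.1.2.1.
LAN_NET = ipaddress.ip_network("10.1.1.0/24")
DMZ_NET = ipaddress.ip_network("10.1.2.0/24")
# "This firewall (self)": the firewall's own addresses on each interface.
FW_SELF = {ipaddress.ip_address("10.1.1.251"), ipaddress.ip_address("10.1.2.1")}
WEB01 = {ipaddress.ip_address("10.1.2.11")}     # the web01 IP alias
WEB_PORTS = {22, 80, 443}                       # the "web" ports alias

def rule_matches(rule, src, dst, proto, dport):
    """A rule is (action, protocol, source, destination, destination ports)."""
    action, rproto, rsrc, rdst, rports = rule
    if rproto != "any" and rproto != proto:
        return False
    if rsrc != "any" and src not in rsrc:
        return False
    if rdst != "any" and dst not in rdst:       # ip_network or set of addresses
        return False
    return rports is None or dport in rports

def evaluate(rules, src, dst, proto, dport=None):
    """pfSense semantics: rules are read top to bottom and the first match
    wins; traffic that matches no rule on the interface is blocked."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, src, dst, proto, dport):
            return rule[0]
    return "block"

# DMZ interface rules in the order the tutorial leaves them.
DMZ_RULES = [
    ("block", "any", DMZ_NET, LAN_NET, None),       # DMZ net -> LAN net
    ("block", "tcp", DMZ_NET, FW_SELF, WEB_PORTS),  # DMZ net -> firewall UI/SSH
    ("pass",  "any", DMZ_NET, "any", None),         # DMZ net -> anywhere
]
# The same three rules with the pass rule on top: the block rules never fire.
DMZ_RULES_WRONG_ORDER = DMZ_RULES[2:] + DMZ_RULES[:2]
# WAN rule: with 1:1 NAT, pfSense matches the rule against the translated
# (internal) destination, which is why the tutorial uses the web01 alias.
WAN_RULES = [("pass", "tcp", "any", WEB01, WEB_PORTS)]

if __name__ == "__main__":
    for rules, label in ((DMZ_RULES, "correct"), (DMZ_RULES_WRONG_ORDER, "wrong")):
        print(label, "order: DMZ -> LAN ping is",
              evaluate(rules, "10.1.2.11", "10.1.1.20", "icmp"))
```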

Step 3: Install NGINX

Now that we’re able to access the internet from the web01 machine, we can install NGINX by running the following command at the console.

sudo apt install nginx -y

Test Connection from Mac

With NGINX installed we should now be able to access the default virtual host by typing the external IP in a browser on the Mac.

Conclusion

In this tutorial, we showed how to configure pfSense to allow traffic into the DMZ from the internet and how to secure traffic between the LAN and DMZ. This is the end of the series on building a VMware vSphere virtual lab with VMware Fusion.

Things to try next?

  • You could look into running multiple pfSense VMs on different ESXi hosts in either active/passive or active/active configuration to provide high availability.
  • Add a database VM to the LAN and allow only DB traffic from the DMZ to the LAN. Or even better, create a new port group for databases.

Further reading

As I’m sure you’re aware, there’s only so much information that can go into a blog post, which is why you might want to check out the book titled Mastering VMware vSphere 6.7* (Marshall, Brown, Fritz, Johnson) to get a more in-depth understanding of vSphere.

Written by Tony

I'm a blogger, software developer and sysadmin, with a degree in applied computing and 16+ years experience managing IT systems. Get in touch: tony@graspingtech.com

Tags: ESXi Fusion pfSense