
Smoothwall & Server 2003 playing nice on ESXi with VPN


Obsidian


I have a system running ESXi 4 server. This system runs Server 2003 as an Active Directory, DNS, & RRAS (VPN). It also runs Smoothwall. The system has 2x physical NICs (A & B) & 2x virtual NICs (C & D).

Physical NIC:

NIC A is connected to the internal 192.168.1.x network in Server 2003

NIC B is connected to the DSL modem on a 192.168.1.x network & is the Red interface in Smoothwall

Virtual NIC:

NIC C is connected to a virtual switch on a 172.16.0.x on Server 2003 (w/ Static IP)

NIC D is connected to a virtual switch on a 172.16.0.x on Smoothwall's Green interface (w/ Static IP)

Basically, the outgoing packets travel A >> C >> D >> B. The Server 2003 VM is setup as a gateway pointing all internet traffic to the 172 virtual network on NIC C. Smoothwall listens to NIC D on the same virtual 172 network and picks up the traffic. It then pipes out non-firewalled traffic out through NIC B on a new 192 network.

Setting things up in this manner accomplishes a few things. For one, if ever there was an issue and I had to take the server offline I could simply plug the DSL modem into the switch temporarily to maintain internet connectivity (given it would be vulnerable during this time). It also means that if the Smoothwall VM were compromised, the network of the virtual switch (172.16.0.x) would be exposed, only then exposing the 2003 VM to attack. Plus, staggering the IP ranges would at the very least give most a headache attempting to navigate the various interfaces and mirrored, yet staggered, network ranges.

The only other thing I could think of would be to forgo using the virtual NIC & virtual switch and strictly use the physical NICs A & B. If I were to do this I would then run into an issue with RRAS and the VPN server, since in this alternative scenario NICs A & B are operating in parallel on both the Smoothwall & the 2003 VMs. Basically, A would be the internal network on 2003 and the Green interface on Smoothwall. NIC B would be the Red interface on Smoothwall, but would allow unfiltered traffic into the 2003 VM. This alternative does not seem viable to me as it essentially negates the point of running Smoothwall to begin with.

The first method does in fact work as it's running currently. However, I am hoping to get some feedback on if there is another more graceful method since this seems a bit kludgey to me, but I just don't see how I can make it all work securely without resorting to virtual NICs & virtual switches. However, it was the first thing I came up with that would allow Smoothwall to function as it should and protect all systems behind it.


Oy... I'm an id10t... Somehow I entirely missed that Smoothwall has VPN built in. I was way overthinking things before.

I can simply give the 2003 server access to NIC A on the LAN.

Totally remove the vSwitch and virtual network cards on the 172 range.

Give Smoothwall access to both NIC A & B (A = Green, B = Red).

Use the VPN from Smoothwall and remove RRAS on the 2003 system, and voilà.

So much simpler...

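The three layouts discussed in this thread (the A >> C >> D >> B chain from the first post, the rejected "NICs A & B shared by both VMs" alternative, and the simplified Green/Red layout from the second post) differ only in which VM has a NIC on which L2 segment. The check below, an added example that is not code from either post, models each layout as NIC-to-segment assignments and walks the segments reachable from the LAN without passing through the firewall VM; if the Red (DSL) segment is reachable that way, some other VM is bridging around Smoothwall. The VM and segment names, the `Nic` dataclass and the function names are all assumptions made for the example; the segment names stand in for the physical switch, the DSL modem and the 172 vSwitch.

```python
"""Check an ESXi NIC/vSwitch layout for VMs that bridge around the firewall.

Constructed example: VM names, segment names and the three layouts below
are a model of the layouts described in the thread, not real inventory.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Nic:
    vm: str        # VM that owns the interface
    nic: str       # NIC label as used in the thread (A, B, C, D)
    segment: str   # L2 segment it is attached to (physical switch, DSL modem, vSwitch)


def segments_reachable(nics, start, exclude_vm):
    """Breadth-first walk over L2 segments, hopping through any VM that has
    NICs on more than one segment. `exclude_vm` (the firewall) is removed
    first, so the result is what is reachable from `start` without
    traversing the firewall at all."""
    by_vm = {}
    for n in nics:
        if n.vm != exclude_vm:
            by_vm.setdefault(n.vm, set()).add(n.segment)

    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for segs in by_vm.values():
            if seg in segs:
                for other in segs - seen:
                    seen.add(other)
                    queue.append(other)
    return seen


def firewall_bypass(nics, lan, wan, firewall):
    """True if the WAN segment is reachable from the LAN without the firewall."""
    return wan in segments_reachable(nics, lan, firewall)


def bridging_vms(nics, lan, wan, firewall):
    """VMs other than the firewall that have a foot on both the LAN side
    (anything reachable from the LAN) and the WAN segment."""
    lan_side = segments_reachable(nics, lan, firewall)
    by_vm = {}
    for n in nics:
        if n.vm != firewall:
            by_vm.setdefault(n.vm, set()).add(n.segment)
    return sorted(vm for vm, segs in by_vm.items()
                  if wan in segs and segs & lan_side)


# Layout 1 (first post): traffic goes A >> C >> D >> B through the 172 vSwitch.
CHAIN = [
    Nic("server2003", "A", "lan-192"),
    Nic("server2003", "C", "vswitch-172"),
    Nic("smoothwall", "D", "vswitch-172"),
    Nic("smoothwall", "B", "dsl-192"),
]

# Rejected alternative: both VMs attached to physical NICs A and B in parallel.
PARALLEL = [
    Nic("server2003", "A", "lan-192"),
    Nic("server2003", "B", "dsl-192"),
    Nic("smoothwall", "A", "lan-192"),
    Nic("smoothwall", "B", "dsl-192"),
]

# Layout from the second post: Smoothwall owns A (Green) and B (Red),
# Server 2003 sits only on the LAN.
SIMPLE = [
    Nic("server2003", "A", "lan-192"),
    Nic("smoothwall", "A", "lan-192"),
    Nic("smoothwall", "B", "dsl-192"),
]

if __name__ == "__main__":
    for name, layout in (("chain", CHAIN), ("parallel", PARALLEL), ("simple", SIMPLE)):
        bypass = firewall_bypass(layout, "lan-192", "dsl-192", "smoothwall")
        bridges = bridging_vms(layout, "lan-192", "dsl-192", "smoothwall")
        print(f"{name:8s} bypass={bypass} bridging_vms={bridges}")
```

The walk only models L2 membership, not addressing, so it confirms what the two posts conclude (the chain and the simplified layout have no path around Smoothwall; the parallel layout exposes the 2003 VM directly) but says nothing about subnets. One thing it will not catch: the thread gives both the LAN on NIC A and the DSL side on NIC B as 192.168.1.x, so in the simplified layout Smoothwall's Green and Red interfaces would overlap on one subnet and one side needs renumbering.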