Homelab: network segregation

2019-01-11 21:06:00

So far I've built a few VMs in my homelab, to house my AD DS and AD CS services (the Directory Services and PKI respectively). There's also a few CentOS 7 boxen spinning up to house Graylog and ElasticSearch. 

Up until this point, all these VMs were getting their IP addresses from our home's internal network infrastructure. Of course it's always a bad idea to mix production and dev/test environments, so I've set up segregation between the two. The easiest way to achieve this will also help me achieve one of my goals for 2019: get acquainted with the pfSense platform.

pfSense is a BSD-based, open source platform for routers/firewalls that can be run both as a VM or on minimalistic ARM-hardware. In my case, I've done a setup comparable to Garrett Mills' example on Medium.com. In short:

1. I have defined a new virtual switch in VMWare, tied to one of the unused NICs of the Dell R410.
2. This new virtual switch ("LabLAN") is then tied to a newly created port group, also called "LabLAN".
3. The pfSense VM is assigned two NICs: one tied to the default "VM Network" port group, which leads to the used NIC on the R410, and the other tied into the "LabLAN" port group.
4. After installing pfSense, the "VM Network" NIC is indicated as the WAN-interface, with the "LabLAN" NIC being the LAN-interface.
5. After running through the basic pfSense configuration, it mostly works out of the box!
6. I've migrated all the VMs I'd made so far into the "LabLAN" port group, adjusting their IP configurations accordingly. 

BAM! The dev/test VMs are now tucked away into their pocket universe, invisible to our home network. 

EDIT:

The pfSense folks also provide nice documentation on setting up their product inside VMWare ESX.

kilala.nl tags: work, sysadmin,

View or add comments (curr. 0)