ESXi 5.5 - My Experience (and some questions)



Well, it says low profile, but that is a 64-bit 3.3/5 volt card; you can tell by the number and position of the slots.

I am not sure a full 64-bit card will fit?


I found another one where the guy bought one for an N40, so I'm assuming it will fit.

I got an HP NC360T PCI Express Dual Port Gigabit Adaptor.


The NC360T is the dual I have. Just make sure it comes with the low profile bracket, or you have to mod the full sized bracket or buy a low profile bracket.


Dude, you will be rockin' ;) Man, I want to get that quad for mine so I can LAG a couple of interfaces, but my current PC doesn't have the slots to put in a dual NIC so I could take advantage. Gig is starting to become a bottleneck; 10GbE is just too expensive for the home currently. So lagging a couple together to get 2 seems like the most cost effective way.

Hmmm, I don't really need that AC wireless card. Maybe I should sell that and get a new card for my PC... Maybe I should get a new PC... hehehe

All this playing around gets me wanting to play. Would really like to hit 200MBps transfer between my server and PC ;) Not going to do that with only a gig between them.


lol, I will be happy just getting this to work.

My sister bought this card for me for my birthday (which is not until 15th Feb), so I have a bit of a wait.


OK, here is a question for you guys.

Just now I have default firewalls on my laptop, and no firewalls on the Plex VM and Arch VM within ESXi.

There is a firewall on my router though, so I have never seen the point in software firewalls.

Now when I start to use pfSense it will become my firewall, so again I see no point in having software firewalls on the VMs.

1. Would you guys agree with this?


There is a chance you get something nasty on one of your machines (virtual or otherwise); firewalls on your machines help stem the spread of those nasties to your other machines.

If you aren't worried about this, you should only need protection at the edge of your LAN (where it connects to the Internet).

I would be more cautious though; they take up so little additional resource that they are worth keeping on, IMHO.


Yeah, see, my laptop has the default one, which blocks everything unless I allow it.

The VM does not have any at all, as I did a basic install with nothing else but ssh and then added to it from there.

I need to check them when I get home.

It has a firewall on the router just now, which then connects to the modem for my fibre.


"help stemming the spread of those nasties to your other machines."

Yeah, not so much if you ask me. What services are these nasties going to be using to spread? Why would these services be running if you're not using them? So you have services running that your firewall is blocking? Or is it allowing it because it's from the same local LAN?

While I agree if you were in a hostile network, the use of a software firewall would be required. So you could let machine Y talk to a service on machine X. In such a setup then sure, that firewall would prevent machine Z from infecting your machine using the service that machine Y is using.

But if machine Y gets infected, it could use that service to spread, and sorry, your firewall is not going to do a damn thing to stop the infection. So normally in a trusted network, machines X and Y and Z and A, B and C all use services 1, 2 and 3 to talk to each other. And you allow this, you set this up. Why would you be running service 4 if not using service 4? Why would you run service 4 and have the firewall block it if nobody is using it?

Let's do another example. You forward service X on your edge firewall to machine A. I have to assume if you want anything outside to use this service that machine A's firewall has to allow this traffic. So what good is that machine A firewall doing?

Here is where I see the use of software firewalls on host machines. If they are in a network and you set it up so that only machines A and B can talk to your service, not C or D or Z, etc. If you set up your firewall to allow your whole network to talk to said service then it is pointless, because a new machine with an infection joined said network and can exploit your service that you allowed.

The other great use for it is devices that move networks. So you're home and happy; all the machines on your network you trust to use the services you have running: file sharing, etc. You control these machines, they are secure, you trust them, etc. But now you take your laptop to your buddy's house, or a school/work network, etc., Starbucks. Do you trust these computers to use your service (that they could exploit to infect you)? Hell no, so the firewall should block all those connections even though you have those services running, because you use them in your home network.

Unless you are going to take the time to fully manage and configure your software firewalls on all your hosts in your network to protect against hostile boxes coming on your network (do hostile boxes even join your network? This is a great reason to isolate the wifi network that guests use ;)), then software firewalls on a trusted, secure network are more likely than not just overhead that you manage without much benefit, or suck up resources and hit performance, again for little benefit.

Do you run your software firewall in such a manner that it blocks all outbound traffic by all processes unless you have allowed it?? That really must be a pain in the ass to manage. Why are you running untrusted software in the first place?? Much easier to control by just not running software you don't trust, so you don't have to configure your firewall every time some application needs to call home to check a license, etc.

Let's say you are blocking all unauthorised outbound, so the nasty cannot call home. Do you really think that said nasty that is running on your box, which you executed, cannot disable or turn off or even just create a rule in your "software firewall"?? Come on..



My laptop is the only device I take outside the house.

It has a firewall; all inbound is blocked unless I specifically allow it, outbound is not blocked at all.

None of my network is open to the outside.

The only systems that have no firewall are my two VMs currently.

One is an Arch VM which I just had to play about with; the other is Plex :)


Looks like there is a default firewall lol

Nmap scan report for 192.168.0.16
Host is up (0.0053s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
2049/tcp  open  nfs
9091/tcp  open  xmltec-xmlmail
10000/tcp open  snet-sensor-mgmt



Haha I agree, making me want to play around too!


Yes, ESXi has a firewall for the vmkernel. What exactly are you scanning? Just because there are limited ports that answer does not mean there is a firewall. What services are listening??


What do you mean, what command?

So your Linux box is only listening on specific ports, be there a firewall or not. Just because 995 ports come back closed out of the 1k you scanned does not mean there is a firewall ;)

So here is a clean VM; this is my template for when I need a new Ubuntu VM. There is no firewall running. The only thing listening is ssh. If I scan it with nmap, what do you think comes back?

 


 

So here is my nmap scan:

 

Starting Nmap 6.46 ( http://nmap.org ) at 2015-01-23 06:35 Central Standard Time
Nmap scan report for cleanlinux.local.lan (192.168.1.214)
Host is up (0.00019s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

MAC Address: 00:0C:29:55:E5:5D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds

 

Going back to my previous examples, what exactly is the point of a firewall on this box? The only thing it listens on is ssh. I need ssh OPEN for me to use it. So unless I am going to use a firewall to restrict who can access this service, the software firewall is pointless. If I did run a firewall on it and locked it down to 192.168.1.0/24, how would I access it remotely? I have no idea where I might hit that box remotely from if it was my ssh server to the world. I don't know what IP I might use from 192.168.1.0/24 to ssh to it. So if there was a hostile box on my 192.168.1.0/24 network it would be able to try and ssh to it anyway, be it I was running a firewall or not. So why run a firewall to suck up resources? It is not open to the public net, and my 192.168.1.0/24 is trusted.

 

 

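The point made in the two scan posts above (a mostly "closed" result is not evidence of a firewall) can be checked mechanically, because nmap uses two different words: "closed" means the host answered with a TCP RST, so nothing in the path dropped the probe, while "filtered" means no reply (or an ICMP unreachable) came back, which is what a packet filter produces. The script below is an added example and is not from the thread or from the nmap project; it parses nmap's normal output with awk and reports a verdict. The first sample reproduces the scan of 192.168.0.16 quoted earlier in the thread; the second is constructed to show what the same host would look like behind a default-drop host firewall that only permits ssh.

```shell
#!/bin/sh
# Added example (not from the thread): classify an nmap scan report by what
# nmap says about the ports it did NOT list as open. "closed" = the host sent
# a TCP RST, so no filter dropped the probe; "filtered" = no reply or ICMP
# error, the signature of a packet filter in the path.

# Read an nmap report on stdin and print one line:
#   "<verdict> <open> <closed> <filtered>"
# where verdict is "filter-likely" if any port was filtered, else
# "no-filter-evidence".
nmap_filter_verdict() {
    awk '
        # Summary line, e.g. "Not shown: 995 closed ports" or
        # "Not shown: 990 closed ports, 5 filtered ports": each number
        # applies to the state word that follows it.
        /^Not shown:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/)        n = $i
                else if ($i == "closed")    closed   += n
                else if ($i == "filtered")  filtered += n
            }
        }
        # Per-port lines, e.g. "22/tcp open ssh" or "445/tcp filtered microsoft-ds"
        /^[0-9]+\/(tcp|udp)[ \t]/ {
            if ($2 == "open")          open++
            else if ($2 == "closed")   closed++
            else if ($2 == "filtered") filtered++
        }
        END {
            verdict = (filtered > 0) ? "filter-likely" : "no-filter-evidence"
            printf "%s %d %d %d\n", verdict, open, closed, filtered
        }'
}

# Sample 1: the scan quoted in the thread (Linux VM, no host firewall).
sample_no_firewall() {
cat <<'EOF'
Nmap scan report for 192.168.0.16
Host is up (0.0053s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
2049/tcp  open  nfs
9091/tcp  open  xmltec-xmlmail
10000/tcp open  snet-sensor-mgmt
EOF
}

# Sample 2: constructed, not captured from the thread: the same host behind
# a default-drop host firewall that only lets ssh through.
sample_with_firewall() {
cat <<'EOF'
Nmap scan report for 192.168.0.16
Host is up (0.0061s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
EOF
}

main() {
    echo "no firewall:   $(sample_no_firewall | nmap_filter_verdict)"
    echo "with firewall: $(sample_with_firewall | nmap_filter_verdict)"
}
main "$@"
```

To use it on a real scan, pipe `nmap -oN - <host>` output into `nmap_filter_verdict`. One caveat: a host firewall configured to reject with a TCP RST instead of dropping silently is indistinguishable from "closed" in this output, so "no-filter-evidence" means exactly that, absence of evidence, not proof that no filter is present.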

  • 4 weeks later...

OK, so I put the new NIC in, plugged the cables back in, and can't reach the box.

Will the card have taken over the onboard NIC?


OK, ignore that. The card took over the network for ESXi lol. So the card works fine, so I might have a play about with pfSense tomorrow.


OK, a question: I have a hot swap bay on my server. How do I add the bay to a VM guest in ESXi so that I can plug and unplug different drives?


OK, thanks. Do I need to add two NICs to the pfSense VM and go from there?

Yes, but they need to connect to two different port groups.

It's pretty obvious when you get your head around it.  Rather than 2 port groups on the same vSwitch, which I understand is possible, I used two vSwitches (I moved my installation to XenServer, rather than vSphere).

 

The vSwitches are mapped to a physical NIC each.  The WAN facing vSwitch has the WAN facing pfSense NIC on it and nothing else, physically the network port mapped to the same vSwitch connects to your OpenReach modem, and the connection in pfSense is configured as PPPoE (at least it is for my BT connection).  The LAN facing vSwitch has the LAN facing pfSense NIC on it, as well as any other VMs and physically connects to your switch, where your physical devices are connected (including whatever you are using as an access point, if you have/want WiFi).

 

Try watching this:

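The two-vSwitch layout described in the post above can be built from the ESXi shell with esxcli rather than the vSphere client. The script below is an added example, not from the thread or from VMware: it creates one vSwitch per physical uplink with a single port group on each, and tightens the security policy so a VM on either switch cannot sniff or spoof. The uplink names are assumptions (vmnic0 as the onboard NIC for the LAN side, vmnic1 as one port of the add-in card cabled to the modem) and can be overridden through the WAN_NIC and LAN_NIC variables; the vSwitch and port group names are placeholders. Run it with no arguments on any machine to see the commands, and with --apply on the ESXi host to execute them.

```shell
#!/bin/sh
# Added example (not from the thread or VMware): build the pfSense WAN/LAN
# vSwitch layout on ESXi with esxcli. vmnic0 / vmnic1 are assumed names.

WAN_NIC="${WAN_NIC:-vmnic1}"   # assumption: add-in card port cabled to the modem
LAN_NIC="${LAN_NIC:-vmnic0}"   # assumption: onboard NIC cabled to the LAN switch

# Print the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One vSwitch with exactly one physical uplink and one port group, so the
# WAN side carries only the pfSense WAN NIC and the LAN side everything else.
build_vswitch() {   # $1 = vSwitch name, $2 = uplink vmnic, $3 = port group name
    run esxcli network vswitch standard add --vswitch-name="$1"
    run esxcli network vswitch standard uplink add --vswitch-name="$1" --uplink-name="$2"
    run esxcli network vswitch standard portgroup add --vswitch-name="$1" --portgroup-name="$3"
    # No promiscuous mode, forged source MACs or MAC changes: a compromised
    # guest on this switch cannot capture other VMs' traffic or impersonate them.
    run esxcli network vswitch standard policy security set --vswitch-name="$1" \
        --allow-promiscuous=false --allow-forged-transmits=false --allow-mac-change=false
}

# The full layout: 8 esxcli calls, 4 per vSwitch.
pfsense_network() {
    build_vswitch vSwitchWAN "$WAN_NIC" "WAN"
    build_vswitch vSwitchLAN "$LAN_NIC" "LAN"
}

main() {
    if [ "${1:-}" = "--apply" ]; then
        DRY_RUN=
    else
        DRY_RUN=1
    fi
    pfsense_network
}
main "$@"
```

After this, the pfSense VM gets one virtual NIC on the WAN port group and one on the LAN port group, which is the "two NICs on two different port groups" answer given earlier in the thread; the PPPoE configuration itself is done inside pfSense, not on the host.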
