VMware ESXi for the lab
- Marius Ciepluch
ESXi
I used to run an ESXi server to host multiple virtual machines. It’s a very solid hypervisor host with kernel-based network segregation between the hosts (called vSwitch).
Download VMware vSphere Hypervisor for Free
Today, I’d recommend looking at oVirt on Rocky Linux, if you are interested in a viable alternative. That being said, ESXi is fine, as long as you have standard use-cases like I do.
Installation
VMware ESXi is a special operating system. Its kernel doesn’t support all kinds of hardware. You may need to research whether your server hardware is compatible.
I don’t recommend using nested virtualization for the ESXi install due to the negative performance impact.
The system below are either Intel Xenon E3 or i7-7700, x86-64 based. I did not register a huge performance difference.
vSwitch topology
In the following, you can see that I attached the dedicated virtual interface of the pfSense guest to the dedicated network port. pfSense is a FreeBSD-based Pf network gateway, which is good enough for simple NATing. Of course, you can resort to using Pf for NAT directly on the command line.
The key to understanding vSwitch is, that the MAC addresses of the virtual machine network would directly exit the WAN_PG (Port Group) here. It’s really just a Switch (OSI Layer 2). That’s the reason why LAN and WAN Port Groups have to be separate in numerous instances. For example, if you are hosting your lab at Hetzner.
The physical NIC is attached to the pfSense guest. The pfSense guest routes the IP packets for the WAN, but vSwitch will pass the internal traffic between guests on Layer 2 directly .
Please note: this is for a lab.
The network of the pfSense guest features the two interfaces because it acts as a gateway.
Performance
Memory page sharing
I set the advanced attribute Mem.ShareForceSalting to 0 for the lab. If you’re concerned about multi-tenancy and segregation, this would be unwise, given the security defect of the Intel chips.
Use the ESXi firewall with esxcli
Assuming you have SSH enabled on the ESXi host, you can setup firewall rules to block certain (often vulnerable) services, which aren’t needed on a standalone lab server.
Assuming $IP is the management interface of the ESXi server:
nmap -PN -sV -O2 $IP
PORT STATE SERVICE VERSION
427/tcp open svrloc?
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
5988/tcp closed wbem-http
5989/tcp closed wbem-https
8000/tcp open http-alt?
8300/tcp open tmi?By default these services are open on a standalone ESXi because you can manage it via vSphere (which is relevant for data-center operations).
CIMSLP | Inbound | TCP | Dst | 427 | 427 |
NFC | Inbound | TCP | Dst | 902 | 902 |
CIMHttpServer | Inbound | TCP | Dst | 5988 | 5988 |
CIMHttpsServer | Inbound | TCP | Dst | 5989 | 5989 |
vMotion | Inbound | TCP | Dst | 8000 | 8000 |
faultTolerance | Inbound | TCP | Dst | 8300 | 8300 |
Take care of NFC and the other entries:
esxcli network firewall ruleset set --allowed-all false -r NFC
esxcli network firewall ruleset allowedip add --ruleset-id NFC --ip-address 10.0.0.0/8Verify the desired network firewall config:
[root@static:~] esxcli network firewall ruleset rule list
Ruleset Direction Protocol Port Type Port Begin Port End
------------------------ --------- -------- --------- ---------- --------
sshServer Inbound TCP Dst 22 22
sshClient Outbound TCP Dst 22 22
nfsClient Outbound TCP Dst 0 65535Test it with Nmap (example CIMSLP):
Depending on your lab, you may have to use a different firewall to block access to the management web interface on port 443. ESXi has a security feature (login rate limiting), which can lock out the root user.