Thursday, March 19, 2009

Virtualisation: firewall and webserver on ESXi

In this article I'll explain how to put a firewall (IPCOP), a web server (Apache) and, if you like, a small PDC (Primary Domain Controller) on one server. We will use VMware ESXi for the virtualisation. It's free, but you will need to register.

Before you start downloading, make sure your hardware is recognized by ESXi. Or you could just download it and test the ISO image, as I did.

I used an HP ProLiant DL120 G5. It is not mentioned in the hardware list as being compatible with ESXi, but I tried anyway and succeeded. There are some things you need to know, though.

- For any ESXi installation you'll need more than 1 GB of RAM (less just won't do, I found out the hard way); go for 4 GB
- On the HP ProLiant you can't use SATA RAID (it actually is a software RAID and ESXi has no drivers for RAID setup), so you'll have to disable it in the BIOS
- You'll also have to put SATA in native mode
- For this setup you'll need at least 2 NICs

Installing ESXi is no more than downloading the ISO, burning it to a CD and then booting your server from the CD. Once it is installed, you will be able to do a minor config on the console.

You'll need to set a root password, the name, domain name, IP address (pick the right NIC; if you only connect one NIC with a cable, you can see which one you'll have to pick), subnet mask, gateway and DNS. When you're done, you should be able to browse to the server's IP address: http://ip-address-server. You might get a warning about a wrong certificate (ESXi ships with a self-signed certificate); just add it. The site you'll see shows you a link for downloading the VMware Infrastructure Client. Download and install this.

Once you're done, you can run the client and log in to your ESXi host. Your host is now set up and ready to be configured. The first thing you should do is configure the network cards, because we will have some real NICs and some virtual ones.

Before we continue I should explain a bit about IPCOP, the firewall we will use.

IPCop Firewall is a Linux firewall distribution geared towards home and SOHO (Small Office/Home Office) users. The IPCop interface is very user-friendly and task-based. IPCop offers the critical functionality of an expensive network appliance using stock, or even obsolete, hardware and OpenSource Software. This is what you'll find on IPCOP:

Luckily it doesn't need much of a computer to run: a 386 processor, 32 MB of RAM and a 300 MB hard disk. Very nice. If we want to put up a firewall we will need at least one network interface for the connection to the internet and one for the connection to our own network. Running a web server gives you the need for a third, and here is the beauty of ESXi: we will use a virtual NIC.

So in short this is our setup (follow this link for more info on IPCOP's NIC setup):

GREEN + ORANGE + RED (ipcop interface setup)


I'll explain a bit more about the virtual NICs and virtual switches you'll have to set up. In your client console, go to Configuration > Networking. You'll see that a virtual switch is already present and connected to a NIC. Click on Properties of this virtual switch, add a virtual NIC and call it GREEN. Next we'll have to add a new virtual switch and connect it to the other free real NIC. Call this one RED.

For our web server we will use a virtual NIC and a virtual switch that will be connected to a virtual NIC (ORANGE) on our firewall, so we won't need a real NIC. When you're finished adding your NICs and switches, you can start adding virtual machines. Setting up a custom machine, other 32-bit Linux system, with 256 MB RAM, 1 CPU and about 500 MB disk space will do fine. Add 3 virtual NICs (GREEN + ORANGE + RED) and you're ready to install IPCOP. Download the IPCOP ISO image; you don't have to burn a CD, you can connect an ISO with your client as a CD. Reboot your virtual machine (CTRL+ALT+Insert) when you're in console mode and follow IPCOP's installation guide.

Now you can add a new virtual machine and install a web server on it. You only have to add a new virtual NIC on the same switch as your IPCOP's ORANGE virtual NIC. And if you want, you can even add another virtual machine as a PDC. Just add a new virtual NIC on the same switch as your IPCOP's GREEN virtual NIC.
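
The finished layout can be written down and checked mechanically. The following is an added example, not part of the original article: it models the switches and virtual machines described above and reports anything that would let traffic pass around the firewall. The names vSwitch0 to vSwitch2, vmnic0, vmnic1 and the VM names are assumptions made for the example.

```python
# Added example: all switch, NIC and VM names below are constructed.
ZONES = {"GREEN", "ORANGE", "RED"}

# Virtual switch -> zone it carries and its physical uplink (None = no real NIC)
SWITCHES = {
    "vSwitch0": {"zone": "GREEN", "uplink": "vmnic0"},
    "vSwitch1": {"zone": "RED", "uplink": "vmnic1"},
    "vSwitch2": {"zone": "ORANGE", "uplink": None},
}
# Virtual machine -> virtual switches its virtual NICs are connected to
VMS = {
    "ipcop": ["vSwitch0", "vSwitch1", "vSwitch2"],
    "webserver": ["vSwitch2"],
    "pdc": ["vSwitch0"],
}

def audit(switches, vms, firewall="ipcop"):
    """Return findings; an empty list means the layout matches the design."""
    findings = []
    by_zone = {sw["zone"]: sw for sw in switches.values()}
    for zone in sorted(ZONES - set(by_zone)):
        findings.append(f"no virtual switch carries {zone}")
    # ORANGE is internal to the host: a real NIC on it would expose the DMZ
    if by_zone.get("ORANGE", {}).get("uplink"):
        findings.append("ORANGE switch has a physical uplink")
    # GREEN and RED each need their own real NIC
    uplinks = [by_zone.get(z, {}).get("uplink") for z in ("GREEN", "RED")]
    if None in uplinks:
        findings.append("GREEN or RED has no physical uplink")
    elif uplinks[0] == uplinks[1]:
        findings.append("GREEN and RED share one physical NIC")
    for vm, attached in sorted(vms.items()):
        zones = {switches[s]["zone"] if s in switches else "UNKNOWN" for s in attached}
        if vm == firewall:
            if zones != ZONES:
                findings.append(f"{vm} is not attached to all three zones")
        elif len(zones) != 1:
            # A second zone on a guest is a path around the firewall
            findings.append(f"{vm} bridges {sorted(zones)}")
        elif zones & {"RED", "UNKNOWN"}:
            findings.append(f"{vm} is attached to {sorted(zones)[0]}")
    return findings

if __name__ == "__main__":
    for line in audit(SWITCHES, VMS) or ["layout matches the GREEN/ORANGE/RED design"]:
        print(line)
```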

