Smoothwall on a VM

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
I'm exploring this idea further.

The machine has 2 NICs on board, and I would like to assign one as RED and one as GREEN. The RED NIC I would like to be isolated from the host OS (Windows) so that only the VM can see it and interact with it. The GREEN NIC I would like to be shared with the workstation, so that the workstation itself can get a DHCPed address from the Smoothwall. If this requires 3 NICs I can make that happen.

Is anyone familiar enough with VMWare's offerings to know how to make this happen? In an ideal world, I would just be using the player, but if VMWare Workstation is required, I can justify that as well.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,303
Location
I am omnipresent
As I understand it, that's not a really good way to implement things because you're making a fundamental assumption of the security of the host OS that contains the physical network interfaces.

Why do you want to do that?
 

timwhit

Hairy Aussie
Joined
Jan 23, 2002
Messages
5,278
Location
Chicago, IL
Could you use ESXi as the host and then run the Smoothwall and Windows as guest OSes? I think this configuration would be a lot better from a security standpoint.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
I have a really nasty industrial location. Kills computers quarterly. I'd love to get the site down to two computers so there would be less to replace. Having the Smoothwall on a VM would also make it easier to backup and maintain. Topping that, the HCL for Smoothwalls is getting trickier to meet with robust and reliable hardware. This site is locked-down; no users have access to the web. I would consider it secure to the levels that we need to worry about.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
Could you use ESXi as the host and then run the Smoothwall and Windows as guest OSes? I think this configuration would be a lot better from a security standpoint.

An interesting idea, but ESXi won't let you expose one of the VMs to the console. If they did that would be awesome. The machine running the VM also needs to be a workstation.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,303
Location
I am omnipresent
Ew.

Back when I was a Honeywell employee, I got on a bunch of mailing lists for Industrial Computing hardware; something with an airtight corrosion-resistant chassis, fan-less systems and the like. They do make hardware that can survive that crap if that's what you need.
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,931
Location
USA
An interesting idea, but ESXi won't let you expose one of the VMs to the console. If they did that would be awesome. The machine running the VM also needs to be a workstation.

You could run the vSphere client on one of the VMs to connect to the ESXi. Why would you want a VM to see the ESXi console?

I agree with timwhit, ESX/ESXi would be the best way to make a virtualized firewall like you've proposed. You're also simplifying the switching configuration because it would now be virtual and at 10Gb internally (when using VMXNET3 virtual NICs) for VM -> VM communication.

Also, could you not locate the ESXi machine somewhere less...industrial, and provide a VDI-like solution (now VMWare View) using a thin client, and just run a CAT6 cable to the thin client? That will keep the main machine in an area less hazardous and the thin client becomes the expendable component at a much-reduced cost when compared to a full server.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,303
Location
I am omnipresent
Does having a thin client solve anything? Even assuming that it's a fanless SFF machine of some sort, it still has to be ruggedized for the environment.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
Ew.

Back when I was a Honeywell employee, I got on a bunch of mailing lists for Industrial Computing hardware; something with an airtight corrosion-resistant chassis, fan-less systems and the like. They do make hardware that can survive that crap if that's what you need.

They do, but it is cheaper to replace everything every 6 months so long as I keep it simple and generic. The power out here is so bad that it has blown industrial motors and detonated light bulbs. Keeping it cheap and disposable is probably prudent.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
There really isn't any place out here that is less hazardous, and I want to maintain the standalone fail-over capability, so RDCing back to the main office is out.

I really need the VM to run on a Windows machine that can still be used as a Windows machine. From what I can tell this cuts down the list to VM Player, VM Server, and VM Workstation. I would obviously prefer the free option with the smaller footprint, but I'm not sure it allows the NIC mapping I would need to be really secure.

Thanks for all the advice so far. This is very much a crappy corner case and I'm just trying to make it work without a budget. This plant does not make enough money to justify any of the more advanced options.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Virtualbox will run on a workstation but I'll have to check if I can configure the NIC to be inaccessible to the host.
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
This may seem overbearing, but if you can afford VMWare Workstation, you can afford a dedicated router appliance. Why can't you just stick one in a cupboard where dirt etc can't get to it? The DSL router I have here uses about 8W, so it's not much of a challenge to dissipate the heat.

I know you have no budget now, but would something like a Seasonic X400 fanless PSU help with both rogue power and dust intrusion? I'd expect a really robust PSU to be able to withstand far more than a motor or a bulb.
 

BingBangBop

Storage is cool
Joined
Nov 15, 2009
Messages
667
I'd expect a really robust PSU to be able to withstand far more than a motor or a bulb.

I disagree. While a good quality robust PSU has some good voltage tolerance built in, there are limits. If the power is bad enough the only real solution is a top quality uninterruptible power supply that can deal with everything from a total loss of power to a full blown lightning strike. It can also help a lot to have a dedicated circuit for the computer systems, for it will minimize the effect of the power issues caused by equipment on other circuits.

It seems to me that going internally totally fanless and water cooled with multiple redundant fans being external to the case is the way to go. If the external radiator is big enough with a large enough water reservoir you may even be able to run it with no fans at all for quite a while.
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
BBB: two points.

Firstly, a UPS will not protect you from a direct lightning strike. Nothing you can plug into a wall socket will do that.

Secondly, a UPS exists primarily to cover brownouts and blackouts; 'surge' protection is just a bonus feature and not really any different from a $20 power strip. Really good power supplies have the same protection already built in.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
All the other sites use Smoothwall. I like it, those who need to use it are familiar with it, and its VPN connections aren't directly compatible with other appliances.

VMWare workstation is a software license, and as such would not be destroyed on site. Simply restore from image and continue. Anything at this site is disposable; I've seen scorch marks on UPSs.

Back to my original question? Any idea how to make the NIC only appear to the VM?
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,359
Location
Gold Coast Hinterland, Australia
Back to my original question? Any idea how to make the NIC only appear to the VM?

If using Windows as the Host OS, and have it usable as a workstation environment, I do not believe this is possible.

The only way to hide physical hardware is to run the workstation environment as a guest OS on top of another virtualisation product. Be it VMWare, VirtualBox or HyperV.
 

Sol

Storage is cool
Joined
Feb 10, 2002
Messages
960
Location
Cardiff (Wales)
Would a USB NIC help with isolating the NIC from the host OS?

Or you could look at an Atom or VIA mini ITX system, maybe with some creative case modding and a heat pipe or water cooling setup to make it air tight without overheating.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
I'll look into that USB NIC idea...that might work.

I've been using a fanless VIA miniITX system out there in an air-tight finned aluminum enclosure with a CF card for storage. Very low power draw, very low heat output, very solid. Still dies. I don't want anything out there to be fancy anymore, it just makes replacing it more difficult.
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
The guests are reliant on the host for underlying hardware access, so you probably can't disable the NIC in the host OS.

However, you could leave it out of the host OS's routing table (no IP and no routes) and bridge it to the guest.

For a windows host, I would start by disabling all protocols on the NIC. Without IP access, it's pretty hard for Windows to do much on that NIC.
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
Firstly, a UPS will not protect you from a direct lightning strike. Nothing you can plug into a wall socket will do that.

A few years ago the transformer in my apartment complex blew up with a really loud noise. I had a cheap power strip connected to the wall, with the TV, DVD player etc. running off of it. Things inside the strip melted, but my electronics were saved. Neighbors had their electronics completely burned out (not worth repairing). True, a lightning strike would put out magnitudes more voltage and current.

There are over-voltage and lightning arrestors that will do a better job. They are placed between the load and supply, and sacrifice themselves and disconnect the load from the supply. Last I checked, Tripp Lite makes several models.
 

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
Lightning bolts travel several hundred meters in air (an insulator) before touching the clouds. I don't think it will matter if a fuse breaks and adds another 2 or 3mm to the bolt's trip.
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
Lightning does not travel inside a house through its wiring; voltage surges caused by it do. And these can be stopped with a properly designed device. The gap is sufficiently large to prevent the current from jumping it.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
I'm pulling the plug on my research on this subject. ESXi server works great, and if you have a server sitting there already, it makes perfect sense. But if you were trying to run it on a workstation, I haven't found a way to expose the NICs to the VM and not to the underlying OS.

I'll be getting some of these and testing them for this purpose.
 

Bozo

Storage? I am Storage!
Joined
Feb 12, 2002
Messages
4,396
Location
Twilight Zone
If you open 'Properties' for your network connection and uncheck 'Client for Microsoft Networks' that should prevent the host OS from using the NIC.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
If you open 'Properties' for your network connection and uncheck 'Client for Microsoft Networks' that should prevent the host OS from using the NIC.

Removing it from one NIC removes it from all of them. Now I get to figure out how to add it back (nothing in the "add...service..." list).

I suppose I could just statically assign garbage IPs without gateways...but that is a little too insecure for my liking.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
Removing it from one NIC removes it from all of them. Now I get to figure out how to add it back (nothing in the "add...service..." list).

After removal but before restart it still considers it installed, so it isn't on the list. After reboot you can add it.

I'm now just "unchecking" everything and I'll see how that goes.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
Working great thanks to everyone's help here.

Install the NICs, uncheck everything except "VMWare Bridge Protocol".
In VMWare workstation, go into the "Virtual Network Editor" and map the two NICs to dedicated VMNet networks in "bridged" mode.
Create a VM with two NICs, each mapped to one of the VMNet networks.
Install firewall software as usual.

I've seen a dramatic increase in speed and stability under load compared to the Linksys I was running before, as well as having better QoS and traffic management.

Now to look for the cheapest VMWare product to support the "Virtual Network Editor".
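The procedure above relies on the host having nothing but the VMware bridge protocol bound to the RED NIC, and (as blakerwry pointed out earlier) no IP address or route on it. The following script is an added example, not code from the thread or from VMware, that audits one adapter on the Windows host for exactly those two conditions and can optionally disable stray bindings. It assumes the NetAdapter/NetTCPIP cmdlets (Windows 8 / Server 2012 or later), that VMware Workstation's bridge driver registers under the component ID "vmware_bridge" (an assumed name; confirm it on your machine with Get-NetAdapterBinding), and that the adapter name you pass in matches your own RED interface.

```powershell
# Added example (not from the thread): audit a Windows host NIC that is meant
# to be the firewall VM's RED interface. Assumes Windows 8 / Server 2012 or
# later cmdlets and that VMware's bridge driver uses the component ID
# "vmware_bridge" (assumption; verify with Get-NetAdapterBinding -Name <adapter>).
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory = $true)]
    [string]$AdapterName,        # e.g. "Ethernet 2" (site-specific, hypothetical)
    [switch]$Fix                 # also disable any binding that is not allowed
)

$allowed = @('vmware_bridge')    # assumed component ID of "VMware Bridge Protocol"

$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop

# 1. Protocol bindings: anything other than the bridge protocol (IPv4/IPv6,
#    file sharing, discovery, ...) gives the host OS a foothold on the RED segment.
$bindings = Get-NetAdapterBinding -Name $AdapterName
$extra = $bindings | Where-Object { $_.Enabled -and ($_.ComponentID -notin $allowed) }

foreach ($b in $extra) {
    Write-Warning ("{0}: binding still enabled: {1} ({2})" -f $AdapterName, $b.DisplayName, $b.ComponentID)
    if ($Fix) {
        Disable-NetAdapterBinding -Name $AdapterName -ComponentID $b.ComponentID
    }
}

# 2. Even with bindings off, a leftover static or DHCP address or a route on the
#    interface means the host could still speak on the untrusted side.
$addrs  = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -ErrorAction SilentlyContinue
$routes = Get-NetRoute     -InterfaceIndex $adapter.ifIndex -ErrorAction SilentlyContinue

foreach ($a in $addrs)  { Write-Warning ("{0}: host still holds address {1}/{2}" -f $AdapterName, $a.IPAddress, $a.PrefixLength) }
foreach ($r in $routes) { Write-Warning ("{0}: host still has a route to {1}" -f $AdapterName, $r.DestinationPrefix) }

$clean = (-not $extra) -and (-not $addrs) -and (-not $routes)
if ($clean) {
    Write-Output "$AdapterName is bound to the VMware bridge only; the host has no address or route on it."
} else {
    Write-Output "$AdapterName is NOT isolated from the host (see warnings above)."
    exit 1
}
```

Run it as `.\Audit-RedNic.ps1 -AdapterName "Ethernet 2"` after applying the steps, and again after each reboot or driver update, since Windows can silently re-enable bindings when network components are reinstalled. Assigning a bogus static address (as mentioned later in the thread) would fail the second check by design: the host still has an address and a connected route, so it is a weaker isolation than unbinding the IP stack.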
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
If you open 'Properties' for your network connection and uncheck 'Client for Microsoft Networks' that should prevent the host OS from using the NIC.

Client for Microsoft Networks is the discovery and login protocol suite that runs on top of IP. Disabling it may break SMB connectivity between Windows workstations, but it doesn't prevent Windows from using the NIC for IP (Internet or LAN) connectivity.


Removing it from one NIC removes it from all of them. Now I get to figure out how to add it back (nothing in the "add...service..." list).

WinNT 4.0 (and win9x) probably had a better layout if you knew the hierarchy. As you found out, uninstalling the protocol actually... uninstalls the protocol... go figure. Not sure why MS lets you uninstall system level network protocols from underneath a NIC property screen, but they do.

Another neat area that seems almost lost is the Advanced Menu that appears under network connections. Advanced -> Advanced settings will show you each NIC, its protocol bindings, and the binding order. You can disable protocols from this screen, change the order in which protocols are used when accessing network resources, and change the order in which NICs are used to do the same. Very reminiscent of NT4, and was probably a lot more relevant when networks were a mix of NetBEUI, IPX, and IP.
 

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
Working great thanks to everyone's help here.

Install the NICs, uncheck everything except "VMWare Bridge Protocol".
In VMWare workstation, go into the "Virtual Network Editor" and map the two NICs to dedicated VMNet networks in "bridged" mode.
Create a VM with two NICs, each mapped to one of the VMNet networks.
Install firewall software as usual.

I'm trying to do the same under Windows 7 Pro with the XP Mode VM and it doesn't work. There must be a way without having to use a third party VM software like VMWare. If not, MS is truly missing the boat.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
I never did fully automate the startup process, so internet doesn't work until you log in, start VMWare Workstation, and start the VM. I also never bothered with anything besides Workstation.
 

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
There has to be another way of doing this than buying a $200 VMWare Workstation licence. Otherwise, I am so fucked.
 

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
Meh, found a way. I assigned a wrong fixed IP address in the Windows 7 host network setup for the secondary network card. The XP Mode has the card configured in DHCP and works fine.

Why did none of you tell me it was so simple? You would have saved me a lot of high blood pressure.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,303
Location
I am omnipresent
I've never used the XP Mode VM ;)

You're not missing anything. They're a terrible pain in the ass, especially with the inconsistent handling of app opens and closes.

Win7 can display a single Virtual PC emulated app as if it were a native Window, but what the user sees is a weirdly long pause during initial app startup because the VM has to start before the app will display.

If something the user expects to be exposed and configurable isn't, then you have to start up the full VM to manage that setting. Which can generate errors because it might already be running. And that causes even more support calls.

It's a total headache in my opinion.
 