VMWare ESXi 5.0 : More than one virtual Interface per physical NIC = Crash

[ozricxx]

Hello,

our Untangle Server is running on an VMWare ESXi Host with 2 Gbit NICs (both are for WAN - connected to and fibrechannel router and an dsl router for backup) and one 10Gbit SFP+ NIC connected to our Core Switch.

In pfSense i had a lot of virtual networks in VMWare created and connected them as virtual NICs to pfSense. Like one for this subnet, one for that subnet, and so on. But physically all trough the SFP+ NIC.

When i create one Network as "internal" and one network as "wifi" (with and vlan id in vmware) and start untangle the whole vmware network crashes. I must reboot the vmware esxi host to get connected with vSphere client.

I want 4 or 5 Interfaces in Untangle:

2 WAN (both have an dedicated physical nic to the modems)
1 Wifi, 1 Internal and 1 DMZ, dedicated in vmware network management, but all trough the SFP+ Intel NIC like at pfSense.

Everytime i try it the whole networking crashes when untangle is booting and the green status bar is about 60 or 70 % loaded.

Anyone a idea to solve this problem?

Otherwise i am forces to setup 2 untangle vms, one for wifi, one for internal workstations....but this is expensive with all the features...

Best regards and sorry for the bad english.

[dmorris]

If you connect two bridged interfaces to the same switch (virtual or physical) then you'll create a packet storm and likely crash your network (virtual or physical).

[ozricxx]

Okay, sounds true.

How you recommend to realize my plan?

Ive only this 10Gbit Uplink to the switch...

I want to tunnel all traffic from our windows domain trought untangle using the ad script.
And give them Wifi users with untangle an ip address and force them to authenticate with captive portal. The guest wifi network runs on an extra vlan.

Best regards,
Yan

[sky-knight]

Use VMWare's vSwitch and vNIC configurations to make vLANs. Just don't cross the streams.

[ozricxx]

Thank you, but can you explain this a bit more detailed. Sorry, but i am not the ultimate network & vmware expert

For the log:

The VMWare Host has 3 NICs, 2 connected to our WAN Modems, and one connected to the physical core switch.

I have two vSwitches, one for every wan NIC.

How i must configure the 10Gbit NIC to the core switch to get one internal NIC for the windows workstations, one DMZ NIC for the the Servers and one for the Wifi.

SOrry, but i am a bit confused about that cause pfSense has virtual NIC integrated :X

I think my next try will be to work with pfSense and Untange together with an vSwitch between both ad routes with pfSense. But i will celebrate an untangle only solutions explaination

Bets regards,
the guy with the nasty english

[sky-knight]

Adding PFSense to the mix makes little sense. You're adding complexity when you're already behind the 8ball of complexity.

Now is about the time where I'd whip out screen shots of the various VMWare screens, unfortunately Intouch Technology migrated itself off of VMWare in January. So while I know roughly how to do it, I don't' remember the process clearly enough to give you a step by step.

You need to get your vSwitches using vLANs and get those vLANs understood by your physical switches. Only then will you get the layer 2 separation you need to avoid the broadcast storm of doom.

[ozricxx]

Okay, no problem.

So you mean i must separate the traffic in the fibrechannel-link between vSwitch and physical Switch?

But after that, when the traffic is "in the core switch" i can work without clan i think, right?

Thank you for the nice help

[sky-knight]

The "core switch" should already be operating a vLAN separation otherwise you don't have a "DMZ". If your "DMZ" isn't on your core switch then you're going to need to make the appropriate connections to get it there.

[ozricxx]

I am new in this company network.

At this time its like that:

There is a Windows Domain with 1 NAS and a few Servers and 2 DCs. All Servers are located in 10.0.2.0/255.255.0.0 .
The Windows Workstations get 10.0.4.0/255.255.0.0 addresses from the Windows DC DHCP and the DC is also the internal DNS Server.

All network things like (this time, i want to change it with untangle) pfSense and the Switches (All managed and with a fibrechannel backbone connected) are in 10.0.1.0/255.255.0.0

In 10.0.3.0/255.255.0.0 are a few network printers and scanners.

I know this is a bad solution, its not my work.

What is your recommendation for a secure and working solution to get the windows domain working, tunnel the windows workstation traffic and the wifi traffic trough untangle and bring the untangle dhcp only to the wificlients (VLAN 100)?

[sky-knight]

So you have a /16 with everything on it?

You don't have a DMZ, to make routed segments you're going to have to figure out how to separate layer 2, only when you've defined where your layer 2 barriers are can you connect layer 2 with appropriate layer 3 stuff (routers).

Also, you likely don't actually want Untangle sitting between your workstations and primary servers. Untangle is very expensive to operate at the speeds that smb (windows file and print sharing) needs to operate. So unless you're planning on dedicating a TON of resources to Untangle, you're better off with a competent layer 3 switch in place with ACL support.

As to how to migrate from the flat network to the segmented one? That isn't a question I can answer on a forum. That's a question I charge a considerable fee to answer, and it generally takes months, if not years to complete the work. Not to mention the answer is deeply rooted in the reality of what you have currently, what you want for the next decade, and how much budget you have to get from today to tomorrow.