How to Simulate WAN in VMware? June 2, 2010 by vvirtual 1) Download the generic-pc iso (not serial, no use for it) of monowall. 2) Upload the iso to a datastore, unless you want to use Client Device feature of vsphere client. 3) create a new VM. Select 32bit Freebsd for the OS. remove unesscary hardware like the floppy and add as many NICs as you need (atleast 2, 1 for WAN, 1 for LAN, add extra NICS if you need separate LANs). I suggest 256MB for ram, don't think you should use less than 128MB ...50-100MB harddrive but you can make it 1 gig if you have the room to spare (Mine is set to 128MB for harddrive in my lab) 4) Hope you have a managed switch or multiple NICs in your ESXi. Don't use the vlan settings inside m0n0wall. After a very long time of endless researches on the internet with “0″ examples and explanations of WAN simulation in VMware we decided to write this “Bible” on how to implement WAN solution in your VMware environment. Hoping it will help you and save you a lot of testing time. Enjoy! WAN Configuration 1. WAN Prerequisite in vCenter On one of our ESX servers we created two additional virtual switches. Vswitch2 1. With one Virtual port group by the name : LAN 4 WAN 2. This virtual switch does not connect to any physical network adapter. 3. Promiscuous mode is enabled on both virtual switch and virtual port group. Vswitch3 1. With one Virtual port group by the name : WAN 2. This virtual switch connects to a physical network adapter: vmnicX 3. Promiscuous mode is enabled on both virtual switch and virtual port group. 1 2. Creating Monowall Virtual Machine 1. We created a virtual machine by the name: m0n0wall. 2. The SPEC that we used for the monowall server is as follow: 256MB RAM, two network adapters: LAN 4 WAN and WAN, Hard disk: 8GB 3. M0n0wall Installation 1. Make sure that the m0n0wall in on the proper ESX server and that the DRS Rules don’t apply to it. 2. Make sure that the m0n0wall server has two network adapters, the first must be connected to “LAN 4 WAN” virtual port group and the second must be connected to “WAN” virtual port group. As shown below: 3. Force the m0n0wall virtual machine to start from BIOS 4. Power on the virtual machine, go to startup and change the order of the startup (cdrom first, Removable devices second.) 5. Save the changes and exit. 6. Power off the virtual machine. 7. Connect the iso file into the machine’s virtual cdrom. 8. Power on the virtual machine. 9. During the first startup the following message will appear: 10. After the machine had powered on, connect the floppy file into your computer, and afterwards connect the virtual machine’s floppy to it. 11. Reboot the system (option 5) 12. After the server has started, define the intrefaces as LAN >> lnc0, WAN >> lnc1, and reboot the server and set the LAN IP to : 192.168.1.2 13. After the server has started, if you will see the following, it means that the operation has ended successfully. In addition, make sure that the message from paragraph 9 doesn’t appear during startup. 2 14. Choose to install the OS from hard drive. 15. After it successfully finished, disconnect the floppy drive from the virtual machine. 4. Configuring LAN Clients 1. Make sure that the LAN client is on the proper ESX server and that the DRS Rules don’t apply to it. 2. Make sure that the LAN Client has one network adapter, connected to “LAN 4 WAN” virtual port group. 3. Make sure that the IP of the LAN Client is within the range of: 192.168.1.X192.168.1.X (that you defined) 4. Make sure that you can ping to the m0nowall server (192.168.1.2) 5. Make sure that you can ping to your network subnets. 6. Repeat paragraph 1-5 for every LAN client in your system. 5. M0n0wall First Configuration M0n0wall First Configuration: 1. Connect to one of your LAN clients. 2. Open internet explorer and go to : http://192.168.1.2 3. Login with the following credentials : admin (mono) 4. Make sure that the m0n0wall interfaces are as follow: – LAN 3 - WAN 5. Go to m0n0wall firewall > Traffic Shaper pipe and create a new pipe. 6. Make sure that the m0n0wall firewall > Traffic Shaper rules are as follow: 6. Configuring WAN Clients 1. Make sure that the WAN client is on the proper ESX server and that the DRS Rules don’t apply to it. 2. Make sure that the WAN client has one network adapter, connected to “WAN” virtual port group. 3. Give the WAN client a static IP address. 4. Set the WAN client’s default gateway as the IP of the WAN interface in the m0n0wall server 5. Make sure that you can ping to the m0nowall server (192.168.1.2) 6. Make sure that you can ping to your network subnets. 7. Repeat paragraph 1-6 for every WAN client in your system. 4 7. VMware WAN Simulation – Diagram http://vvirtual.wordpress.com/2010/06/02/how-to-simulate-wan-in-vmware-2/ 5 Outras Dicas 6 vmware-server and a monowall appliance So I've been playing around with monowall and decided to try it out in vmware, except I'm having some network issues. My host server has two nics: eth0 on a private LAN 10.0.0.5 no gateway specified eth1 is hooked up to a cable modem and has a public ip 216.X.X.116 with a gateway of 216.X.X.254 I've got eth0 bridged to vmnet0, and eth1 bridged to vmnet2. I can ping outside hosts on the host OS and everything works as normal, however no matter what I've tried I can't get monowall to ping anything but the local LAN. Monowall is setup with a static IP for the WAN side 216.X.X.118(i've got multiple public IP's), and it has an IP of 10.0.0.254 on the LAN side. From monowall I can ping IP's in 10.0.0.0/24 no problem, but anything else doesn't work. For awhile I was getting a "No route to host." which I found odd since I had setup the default gateway in monowall to be 216.X.X.254, but after rebooting it I no longer get "No route to host", I just get timeouts. Does this have anything to do with ip_forwarding? I shouldn't need any iptable rules to let the vmware monowall out to the internet since it's WAN interface is bridged to the NIC that connects to the outside world just fine... unless I am misunderstanding something. edit: here are the routes and ip settings from the monowall box, sorry about the whitespace... fusecrap is bad :( $ netstat –nr Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 216.X.X.254 UGSc 2 0 vxn1 10/24 link#1 UC 2 0 vxn0 127.0.0.1 127.0.0.1 UH 0 0 lo0 216.X.X link#2 UC 1 0 vxn1 216.X.X.254 00:01:X:X:53:42 UHLW 3 0 vxn1 1193 vxn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255 ether 00:0c:29:6e:32:0e vxn1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet 216.X.X.118 netmask 0xffffff00 broadcast 216.X.X.255 ether 00:0c:X::32:18 7 vxn2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500 ether 00:0c:29:6e:32:22 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 inet 127.0.0.1 netmask 0xff000000 edit2: After some more debugging I can see the packets on my host OS through tcpdump and the ethernet frame is destined for the right location(the gateway @ 216.X.X.254) but there are no responses whatsoever. I'm really confused now :( 8 m0n0wall Virtual Appliance About m0n0wall The m0n0wall project has been around for more than three years, and in this time has become one of the most popular open source firewall distributions due to its reliability, speed, flexibility, minimal hardware requirements, and ease of management. This passage from the m0n0wall web site provides an excellent overview of the project and its primary focus: "m0n0wall is a project aimed at creating a complete, embedded firewall software package that, when used together with an embedded PC, provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (free software). m0n0wall is based on a bare-bones version of FreeBSD, along with a web server, PHP and a few other utilities. The entire system configuration is stored in one single XML text file to keep things transparent." Purpose of the Appliance This appliance is intended for use in testing or development environments, or in protecting production Virtual Infrastructure. It is capable of using NAT, routing, or transparent bridging in any virtual environment, and works on VMware Workstation, GSX, Server, and ESX. Personal Involvement I have been a committer with this project for nearly two years now. I work primarily in the areas of documentation and assisting users on the mailing list and in IRC, and have dedicated a very significant amount of volunteer time to this project. As of May 25, 2006, I have more than 2,000 posts to the m0n0wall mailing lists (99.9% of which were helping others), surpassing the total of any other contributor several times over. While, like most open source projects, the documentation is still lacking in some areas, the vast majority of it has been written by me. It has gone from almost nothing to being up to par with comparable projects due to my contributions over the last two years. Virtual Appliance History I have used VMware Workstation since right after 4.0 was released. While testing and documenting m0n0wall, I have always used Workstation extensively to simulate complete network environments. Questions routinely surfaced on the m0n0wall mailing list about using m0n0wall with VMware. The most common issue was people having trouble configuring it to work properly, for a wide variety of reasons. After seeing this numerous times, and helping different people through the same issues over and over, I set out to write up a document on installing m0n0wall in VMware. As I started writing this document, I came to the realization that it would be a lot easier if I just made up a template virtual machine and distributed it. It became a big hit within 9 the m0n0wall community immediately upon its release on February 20, 2005. http://m0n0.ch/wall/list/showmsg.php?id=137/92 I believe this makes my m0n0wall images the first widely distributed community virtual appliance, several months before VMware announced their community virtual appliance program. As of May 25, 2006, the various versions of my virtual appliance have been downloaded nearly 32,000 times, and are in use in numerous installations around the world for a variety of purposes, from testing to development and protecting production Virtual Infrastructure. Licensing m0n0wall itself is released under the BSD license, as are most of the software components it is comprised of. Some of the included software is under the GPL, and similar open source licenses. The only proprietary application in the virtual appliance is VMware Tools, distribution of which is permitted by VMware in appliances. All the licenses of the included software allow for unlimited distribution of the virtual appliance. License for m0n0wall and all included software (excluding VMware Tools) http://m0n0.ch/wall/license.php Overview of Build Process m0n0wall is a stripped down version of FreeBSD 4.11, using some minor kernel patches for bug fixes specific to the m0n0wall environment, and some patches to the included applications. There is a detailed image building guide available for those interested in specific details. http://doc.m0n0.ch/dev/image-guide.html Since m0n0wall extracts its file system into RAM at boot time and runs from RAM, any changes made to the file system of a running m0n0wall installation are lost at reboot. To make changes that will persist across reboots, the image has to be mounted and modified, then repacked. There are a couple of scripts that automate this process on full FreeBSD installations. I use a script created by Jeb Campbell called workon.sh, which can be downloaded from my website. http://chrisbuechler.com/m0n0wall/downloads/workon.sh Because m0n0wall does not include many of the dependencies required to install VMware Tools, like Perl for example, I had to improvise to get VMware Tools running in this appliance. I took a full FreeBSD 4.11 virtual machine and installed VMware Tools the usual way. I then pulled the appropriate kernel modules, binaries, and libraries off of this installation, and put them into a modified m0n0wall image. I then modified the 10 system appropriately so vmxnet support is loaded and the appropriate VMware Tools binaries are started at boot time. Virtual Machine Configuration This virtual appliance comes configured with 64 MB RAM, a 16 MB hard drive and four network interfaces. Many installations should be able to run with less RAM, though I would not suggest anything lower than 48 MB. Because of m0n0wall's primary focus on embedded hardware running from Compact Flash storage, which can only sustain a limited number of writes in its lifetime, the file system is extracted to RAM upon boot and the system runs entirely from RAM. The only time the disk is accessed after boot is when making configuration changes. This means unless you are making configuration changes, there are no partitions mounted read/write, so it is safe to power off this virtual appliance at any time. Using the Appliance Instructions on getting started with the m0n0wall virtual appliance and documentation on commonly used configurations can be found on my website. http://chrisbuechler.com/m0n0wall/vmware/ The m0n0wall Handbook is also a good reference for general m0n0wall configuration information. http://doc.m0n0.ch/handbook/ Support General m0n0wall questions are best suited for the m0n0wall general mailing list, with a community of more than 1500 helpful subscribers. I personally answer most posts there, and in addition to my input, you'll likely receive feedback from others in the community who have worked through similar issues in the past. http://m0n0.ch/wall/mailinglist.php You are also welcome to email me personally about anything regarding this virtual appliance at cbuechler@gmail.com. 11