I'm a sysadmin in a small company, and have what I would describe as a moderate understanding of networking. I'm trying to create a situation in which a number of internal hosts are accessible over RDP from the Internet, but cannot communicate with the office network, nor each other. All will share a single public IP, so users connecting from the Internet will append a port number in the Remote Desktop Connection client in order to reach a particular one of these hosts. The hosts will be virtual machines on ESXi.

Having done some initial Googling, I spent a day playing with Vyatta, and am really impressed with it (in particular I find its documentation excellent). However, I realise that my problem is not understanding specific concepts or following instructions; it's that I don't properly know what network technologies and topology I should be using. I imagine there are multiple possibilities. I've heard VLANs mentioned a lot.

I should add that we have a mid-range small business firewall and that, if necessary, we can designate one of its ports to be its own interface that passes traffic exclusively between the WAN and a spare physical NIC on the ESXi host.

So my question is, what technologies and topology would you consider most suited to creating the situation I have described? To recap, I want multiple internal VMs that are isolated both from each other and from the rest of our office network, but can be connected to from the Internet via RDP (on a single public IP but unique port numbers).

Many thanks in advance.

Martin
1 Answer

You could use VLANs and set each host up in its own private (RFC 1918) /30 network; I assume the Vyatta can handle multiple NAT networks behind it. Then each machine will have to go through the router (probably the Vyatta) to talk with the outside world, and with any other machine. You will be able to easily set up firewall rules, and, by themselves, the machines will be isolated and unable to connect directly to anything but the router.

NickW
  • Thanks, that sounds like a good plan. I guess, though, that this will depend on the users of the machines being prevented from changing the network interface settings, e.g. through Group Policy. Otherwise a user could change the IP of a machine to become part of a different VLAN? Or have I misunderstood how VLANs work? – Martin May 10 '13 at 13:58
  • Since they are virtual interfaces, you will need to lock them down at the OS level, as a lot of the VLAN isolation is based upon the physical port separation (at least in situations where each machine can have a port, and is not under your control). A /30 network will help a lot also, as that allows only 2 hosts in that IP range, and you could very possibly set up firewall rules to allow only the one assigned to the machine. This does require a managed switch, but if you need this level of control, it's an invaluable piece of the puzzle. – NickW May 10 '13 at 14:07
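The topology from the answer, worked through as an added example (not code from the question, the answer, or Vyatta itself): each VM gets its own 802.1Q VLAN and /30 so only the router and that one VM can exist on the segment, each VM gets a unique public port forwarded to TCP 3389, and the router's inter-VLAN policy denies VM-to-VM and VM-to-office traffic. All addresses, VLAN IDs, port numbers and interface names are constructed, and the `set` command syntax is an assumption modelled on Vyatta Core 6.x, to be checked against your release's documentation.

```python
"""Plan one /30 VLAN and one public RDP port per VM, emit matching Vyatta-style
configuration, and check the isolation policy. All values are constructed."""
import ipaddress

OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed office network
WAN_IF, TRUNK_IF = "eth0", "eth1"  # eth1 = router NIC trunked to the ESXi host

def plan(vm_names, pool="10.200.0.0/24", first_vlan=100, first_port=3390):
    """Carve one /30 per VM out of `pool`: the router takes the first usable
    address, the VM the second, so nothing else can share the subnet."""
    pool = ipaddress.ip_network(pool)
    if pool.overlaps(OFFICE_LAN):
        raise ValueError("VM pool must not overlap the office LAN")
    subnets = list(pool.subnets(new_prefix=30))
    if len(subnets) < len(vm_names):
        raise ValueError("pool too small for that many /30s")
    hosts = []
    for i, (name, net) in enumerate(zip(vm_names, subnets)):
        router_ip, vm_ip = net.hosts()  # exactly two usable addresses in a /30
        hosts.append({"name": name, "vlan": first_vlan + i, "net": net,
                      "router": router_ip, "vm": vm_ip, "port": first_port + i})
    return hosts

def vyatta_config(hosts):
    """Emit 'set' commands in Vyatta Core 6.x style (the exact syntax is an
    assumption; verify it against the NAT and interface chapters of your release)."""
    lines = []
    for rule, h in enumerate(hosts, start=10):
        vif = f"interfaces ethernet {TRUNK_IF} vif {h['vlan']}"
        nat = f"service nat rule {rule}"
        lines += [f"set {vif} address {h['router']}/{h['net'].prefixlen}",
                  f"set {vif} description {h['name']}",
                  f"set {nat} type destination",
                  f"set {nat} inbound-interface {WAN_IF}",
                  f"set {nat} protocol tcp",
                  f"set {nat} destination port {h['port']}",
                  f"set {nat} inside-address address {h['vm']}",
                  f"set {nat} inside-address port 3389"]
    return lines

def router_allows(hosts, src, dst):
    """Model the inter-VLAN firewall policy on the router: a VM may reach its own
    gateway and the Internet, but never another VM's /30 or the office LAN."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_net = next((h["net"] for h in hosts if src in h["net"]), None)
    if src_net is None:
        return False  # only traffic sourced from the isolated VLANs is modelled
    blocked = [OFFICE_LAN] + [h["net"] for h in hosts if h["net"] != src_net]
    return not any(dst in net for net in blocked)
```

The /30 plan only holds if the VM's OS cannot change its own address, as the comments note; the policy model above treats any source outside the planned /30s as out of scope rather than permitted.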