(Third re-write)

You can do pieces of this.

You can define two virtual switches on your ESXi system. Call one "internal" for the 10.x.x.x stuff and one "external" for the single 98.x.x.x address you have been assigned.

Connect one physical Ethernet port to the "external" vswitch.

Define a firewall VM with two Ethernet devices. Attach one to the "external" vswitch, and assign the interface the 98.x.x.x IP you have been given. Attach the firewall VM's second Ethernet device to the "internal" switch and give it an IP on the 10.x.x.x subnet. This will end up being the default router for all the other VMs on the box.

Each other VM you create should be added to the "internal" vswitch with a 10.x.x.x subnet, and use the firewall's 10.x.x.x IP as its default router.

Add the ESXi management interface to the "internal" vswitch with a 10.x.x.x subnet, and use the firewall's 10.x.x.x IP as its default router.

Configure the firewall to NAT traffic from internal to external. This will permit the internal VMs to talk to the internet.

Now at this point, the internet cannot talk back to them (i.e. if you had a web server on the 10.x.x.x subnet) because the internet doesn't know anything about your 10.x.x.x subnet and so packets never make it to your internal VMs. Besides, you probably have the firewall configured to drop said packets even if they did make it to your system. So you cannot "route" to your VMs over the internet.

So you probably want to do one or both of the following:

  • Set up one or more port forwards on the external interface of the firewall VM to pass inbound traffic back to a particular VM. So for example you'd port-forward port 80 on your firewall's external interface back to your webserver VM, and port-forward port 981 (maybe? might be something else, check your manual) back to the management interface on your ESXi server.

and/or

  • Set up a VPN from wherever you are back to the firewall VM, and route traffic across that directly to the "internal" network.

For setup purposes, if you have two physical interfaces, you can add the second physical interface to the "internal" vswitch. This will mean if you do have physical access to the system, you can plug a laptop (via a crossover cable, probably) directly into the "internal" network and configure things directly. This will also give you emergency access should the firewall VM die for some reason.
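Concretely, here is how the pieces above fit together on the firewall VM and on the host, as an added example rather than anything from the answer: an nftables ruleset that masquerades internal-to-external traffic, DNATs the chosen inbound ports to the web server VM and to the ESXi management port, and drops everything else arriving on the external interface, plus the esxcli commands that create the two vswitches and move management onto the internal one. The interface names, the 10.0.0.0/24 addressing, 203.0.113.10 standing in for the 98.x.x.x address, and the port list are placeholders I chose; the management forward goes to TCP 443, where the ESXi host client listens; the esxcli option names are written from memory and should be checked against your build's `esxcli network ... --help` before use.

```shell
#!/bin/sh
# Added example for the layout described above: firewall-VM nftables ruleset
# (NAT out, port forwards in, drop the rest) plus esxcli commands for the host.
# All addresses, interface names and ports are constructed placeholders.
set -eu

EXT_IF=eth0              # firewall vNIC on the "external" vswitch
EXT_IP=203.0.113.10/24   # the single public address you were given (placeholder)
EXT_GW=203.0.113.1       # upstream router (placeholder)
INT_IF=eth1              # firewall vNIC on the "internal" vswitch
INT_NET=10.0.0.0/24      # internal subnet (check_config assumes a /24)
FW_INT_IP=10.0.0.1       # firewall's internal address = default router for every VM
WEB_VM=10.0.0.10         # web server VM
ESXI_MGMT=10.0.0.2       # ESXi management vmkernel port on the internal switch

# Inbound port forwards as "<external port>:<internal host>:<internal port>".
# The ESXi host client listens on 443; it is exposed on 8443 so 443 can go to the web VM.
FORWARDS="80:$WEB_VM:80 443:$WEB_VM:443 8443:$ESXI_MGMT:443"

# A DNAT to a host outside INT_NET silently blackholes the connection, so refuse it.
check_config() {
  prefix=${INT_NET%.0/24}
  for f in $FORWARDS; do
    host=${f#*:}; host=${host%:*}
    case "$host" in
      "$prefix".*) ;;
      *) echo "forward target $host is not in $INT_NET" >&2; return 1 ;;
    esac
  done
}

# Emit the ruleset. Only flows that were DNATed (ct status dnat) may cross external -> internal.
gen_nft_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    iifname "$INT_IF" accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$INT_IF" oifname "$EXT_IF" ip saddr $INT_NET accept
    iifname "$EXT_IF" oifname "$INT_IF" ct status dnat accept
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
EOF
  for f in $FORWARDS; do
    ext=${f%%:*}; rest=${f#*:}; host=${rest%:*}; port=${rest#*:}
    printf '    iifname "%s" tcp dport %s dnat to %s:%s\n' "$EXT_IF" "$ext" "$host" "$port"
  done
  cat <<EOF
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$EXT_IF" ip saddr $INT_NET masquerade
  }
}
EOF
}

# Host side, from memory: confirm option names with "esxcli network ... --help" first.
gen_esxi_commands() {
  cat <<EOF
esxcli network vswitch standard add --vswitch-name=external
esxcli network vswitch standard uplink add --vswitch-name=external --uplink-name=vmnic0
esxcli network vswitch standard portgroup add --vswitch-name=external --portgroup-name=External
esxcli network vswitch standard add --vswitch-name=internal
esxcli network vswitch standard portgroup add --vswitch-name=internal --portgroup-name=Internal
esxcli network ip interface add --interface-name=vmk1 --portgroup-name=Internal
esxcli network ip interface ipv4 set --interface-name=vmk1 --ipv4=$ESXI_MGMT --netmask=255.255.255.0 --type=static
esxcli network ip interface tag add --interface-name=vmk1 --tagname=Management
esxcli network ip route ipv4 add --network=default --gateway=$FW_INT_IP
# optional: second physical NIC on the internal switch for emergency laptop access
esxcli network vswitch standard uplink add --vswitch-name=internal --uplink-name=vmnic1
EOF
}

# Run on the firewall VM as root: address both interfaces, enable forwarding, load the rules.
load_firewall() {
  check_config
  ip addr replace "$EXT_IP" dev "$EXT_IF"
  ip route replace default via "$EXT_GW"
  ip addr replace "$FW_INT_IP/24" dev "$INT_IF"
  sysctl -w net.ipv4.ip_forward=1
  gen_nft_ruleset | nft -f -
}

case "${1:-print}" in
  apply) load_firewall ;;
  esxi)  gen_esxi_commands ;;
  print) check_config; gen_nft_ruleset ;;
esac
```

`sh fw.sh` prints the generated ruleset for review, `sh fw.sh apply` loads it as root on the firewall VM, and `sh fw.sh esxi` prints the host-side commands. Keep the existing management vmkernel port reachable until the new one on the internal switch answers, and treat the 8443 forward as the weaker of the two options above: a VPN terminated on the firewall VM keeps the ESXi management interface off the internet entirely.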