Recommended way to set up a secure ESXi environment with a publicly accessible range and 2 NICs

In a nutshell:

  1. Create (at least) two vSwitches, one "public", connected to one of the server NICs and one "private", which is not attached to any physical NIC.
  2. Pick an RFC1918 subnet to use on the private vSwitch, say 10.0.0.0/24.
  3. Install pfSense in a VM, assign its WAN interface to the public vSwitch and its LAN interface to the private vSwitch. Additionally, assign the VMware vKernel management port to the private vSwitch.
  4. Set up a VPN in pfSense along with appropriate routing to get to the private network. OpenVPN is quite easy to set up, but IPsec would be fine as well.
  5. For any server VMs you have, assign their interface to the private network.
  6. Create Virtual IPs in pfSense for the rest of your public IP addresses, then set up port forwards for any services you need people to be able to access from outside the host.

At this point, the pfSense VM will be the only way traffic can get from the outside to the rest of your servers and management interfaces. As such, you can specify very specific rules about which traffic is allowed and which is blocked. You will be able to use the vSphere Client after connecting to the VPN you configured in step 4.


It seems like you are kind of out of options if none of the proposed scenarios (adding another device, be it a router or a different machine within the same network; buying a VPN service from your hosting provider; or creating a virtual machine on your ESXi host handling the VPN traffic) are a good fit.

The best thing you would get from ESXi is a stateless packet filter (available in ESXi 5). What I would suggest doing here:

  • filter everything but HTTPS (tcp/443) and VMRC (tcp/903) (and maybe SSH (tcp/22) if you are working with tech support mode) - either using the ESXi firewall or by asking your hosting provider to set filters
  • load a verifiable certificate (you would need to get one from a public CA if your management stations tend to change or if you have many of them)
  • set complex passwords for all users
  • expose the management interface publicly.
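The first bullet above (filter everything but the management ports with the ESXi firewall) as an added example, not code from either answer: a POSIX sh script for the ESXi shell that sets the host firewall's default action to drop, enables only the named rulesets and limits them to trusted admin source networks. The ruleset IDs (vSphereClient, sshServer) and the admin CIDRs are assumptions; confirm which ruleset carries which port with `esxcli network firewall ruleset rule list` before applying.

```shell
#!/bin/sh
# Added example (not from the original post): lock the ESXi host firewall down to
# the management rulesets and to an allow-list of admin source networks.
# Assumptions: ruleset IDs vSphereClient/sshServer exist on this host, and
# ADMIN_NETS holds space-separated IPv4 CIDRs (e.g. "203.0.113.0/24").
ESXCLI=${ESXCLI:-esxcli}

# run CMD...: execute, or just print the command when DRY_RUN=1 so the change
# set can be reviewed before it is applied to a host reachable only remotely.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Accept only dotted-quad IPv4 CIDR (a.b.c.d/n). Refusing malformed input keeps a
# typo in the allow-list from being rejected by esxcli halfway through the run.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[012])$'
}

# harden_mgmt_firewall RULESET...: drop unmatched traffic, enable the named
# rulesets and restrict each of them to ADMIN_NETS. Other rulesets that are
# enabled by default stay as they are; review them with
# "esxcli network firewall ruleset list".
harden_mgmt_firewall() {
    [ -n "$ADMIN_NETS" ] || { echo "ADMIN_NETS is empty; refusing" >&2; return 1; }
    for net in $ADMIN_NETS; do
        valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
    done
    run "$ESXCLI" network firewall set --enabled true
    run "$ESXCLI" network firewall set --default-action false  # false = drop
    for rs in "$@"; do
        run "$ESXCLI" network firewall ruleset set --ruleset-id "$rs" --enabled true
        run "$ESXCLI" network firewall ruleset set --ruleset-id "$rs" --allowed-all false
        for net in $ADMIN_NETS; do
            run "$ESXCLI" network firewall ruleset allowedip add --ruleset-id "$rs" --ip-address "$net"
        done
    done
}

# Apply for real only on an ESXi host with ADMIN_NETS set; elsewhere the
# script just defines the functions.
if [ -z "$DRY_RUN" ] && command -v esxcli >/dev/null 2>&1; then
    harden_mgmt_firewall vSphereClient sshServer
fi
```

Run with `DRY_RUN=1 ADMIN_NETS="203.0.113.0/24" sh harden.sh` first and compare the printed commands against `esxcli network firewall ruleset list`; a mistake in the allow-list locks you out of the host until you can reach its console.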