How to route public static IP to a virtual machine on a VMware ESXi host?


I am setting up a demo system on a leased dedicated server. System consists of :

  • ESXI host with 1 NIC assigned (so 1 Static IP)
  • 64 bit Ubuntu guest as server

I installed and configured the system and the current network topology has :

  • physical adapter
  • A management network where I see the public IP assigned that is given to me by dedicated server provider
  • Virtual Machine Port Group where my guest is running
  • Finally a vSwitch between physical adapter and networks mentioned above

I can access to ESXI host, from the vSphere client I can access my Ubuntu guest as well. Guest has access to web (verified by pinging).

My question :What kind of basic setup would allow external users to access services running on the Ubuntu guest ?

Before asking this question I browsed a bit and scanned through VMWare documentations. I have seen:

port forwarding via router however I do not have control over the router.

using pfSense well this one is looking like a solution but a bit more complicated then I expected.

Are there any simpler ways to accomplish my goal ?

Note : I am a software developer with a bit familiarity of computer networks, virtualization and linux. Therefore I would really appreciate simple solutions (if possible), explanations/directions on the topic.



It is doable, but the bad news is vSwitches till today still don’t support NAT. So some kind of setup like pfSense VM as a routing front end is needed.

pfSense Alternative

On the other hand, pfSense is not the only choice, you can use a plain linux(eg, Ubuntu server) VM with iptables to do the job.

Additional IP – Simplest Way

Another choice is get additional IP and setup VM to use bridge mode, which is the easiest. But may (very likely) come with additional cost.


Recommended way to setup a secure ESXi environment with a publicly accessible range and 2 NICs


I am fairly new to ESXi but have decided to dive into this, but have found out that things are not as easy as I had expected them to be (no doubt this is primarily caused by my lack of knowledge on the matter at this time).

What I have:

  • A dedicated server with 1 NIC running ESXi
  • A single (public) IP address for the host
  • A set of (public) IP addresses intended for any use I see them fit. To keep things simple, let’s imagine a single webserver for now.

What I want to achieve:

  • Secure ESXi management; I really feel that a publicly accessible management host is wrong.
    • I don’t have any physical routers at my disposal so I cannot hide the host behind a physical VPN.
  • Public access to some of my guest systems
  • Additional guests need to sit on a private network.
  • Public and private guests should optionally be able to communicate via the private network.

Currently, I’m a bit lost on how I should tackle this. I’d probably be able to get something running, but I don’t want to start on the wrong basis or make choices that end up to be insecure.

Any help is appreciated.

UPDATE: what I have achieved so far (and network screenshot):

  • ESXi is up and running, still on the public interface
  • I have configured a pfSense guest
  • I have configured a DSL desktop to reach the pfSense guest through the private network.

I still feel that hiding ESXi behind a virtual VPN is quite risky, since I do not have console access. If I am overlooking something, or any alternatives are possible, I’d really like to know.


  1. Create (at least) two vSwitches, one “public”, connected to one of the server NICs and one “private”, which is not attached to any physical NIC.
  2. Pick an RFC1918 subnet to use on the private vSwitch, say
  3. Install pfSense in a VM, assign its WAN interface to the public vSwitch and its LAN interface to the private vSwitch. Additionally, assign the VMware vKernel management port to the private vSwitch.
  4. Set up a VPN in pfSense along with appropriate routing to get to the private network. OpenVPN is quite easy to set up, but IPsec would be fine as well.
  5. For any server VMs you have, assign their interface to the private network.
  6. Create Virtual IPs in pfSense for the rest of your public IP addresses, then set up port forwards for any services you need people to be able to access from outside the host.

At this point, the pfSense VM will be the only way traffic can get from the outside to the rest of your servers and management interfaces. As such, you can specify very specific rules about which traffic is allowed and which is blocked. You will be able to use the vSphere Client after connecting to the VPN you configured in step 4.

About thangletoan

Hallo Aloha

Posted on 30/08/2013, in Ảo hoá, NAT in ESXi, virtual machine, VMware, VMware ESXi host and tagged , . Bookmark the permalink. Bạn nghĩ gì về bài viết này?.

Trả lời

Mời bạn điền thông tin vào ô dưới đây hoặc kích vào một biểu tượng để đăng nhập: Logo

Bạn đang bình luận bằng tài khoản Đăng xuất / Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Đăng xuất / Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Đăng xuất / Thay đổi )

Google+ photo

Bạn đang bình luận bằng tài khoản Google+ Đăng xuất / Thay đổi )

Connecting to %s

%d bloggers like this: