Setting up a Bare Metal ESXi server
DISCLAIMER
I am an experienced software engineer and have worked in DevOps; however, I have not received any official training in security. I take no responsibility for security breaches enabled by following this guide. Use your own judgement and expertise as well (do your research).
Video coming soon!
What we will be covering
- Using our service provider, we will install ESXi
- We will do the initial securing of ESXi by allowing only some IPs (pretty important, story included)
- Creating a plan of our network
- Implementing our network
- pfSense and IP setup
- Installing Windows and making sure we get internet
- Setting up pfSense to allow access to RDP
Install ESXi
Installing ESXi is pretty straightforward. You can either use what your provider gives you (which usually tends to be an outdated version) or you can do it manually (which will not be covered). I will be using OVH; however, I have followed nearly the same process for SpinServers, Hetzner, my own physical machine, and VMware Workstation.
OVH offered ESXi version 6.7, which I proceeded to install using their online system. I believe it is fairly self-explanatory. After installation I was given a username and password that OVH had generated for me. Immediately change this to something else!
Initial ESXi securing
A little while ago I set up an ESXi server and did not bother securing it while I was setting it up. Within 10 minutes I was locked out of ESXi due to its password retry limit and had to remote into the viewer to restart the system and get in before more attacks were carried out. It really goes that fast!
The first step here is to go to Networking in the left sidebar at the bottom, then the Firewall rules tab at the top (the last one). Scroll down until you see vSphere Web Client and edit it. By default it allows all connections. My suggestion here is to get a $5 VPN from DigitalOcean and always connect to that VPN to get access to your ESXi. Add that IP to the whitelist. This ensures you can only connect to the ESXi server from that IP. This will block access from all those Chinese servers trying to get into your ESXi.
The next step is to update your ESXi server to the latest version. Since we are using the free version, this requires a bit of effort. I will refer you to this guide: https://tinkertry.com/easy-update-to-latest-esxi.
Planning our network
Maybe you want to host Kubernetes clusters, or VPSes for all your client websites, or Windows desktops to be accessed remotely. Whatever the case, you need to plan a network to make sure everything works securely and in isolation. You don't want your RDP port available to the world wide web. Really, you don't.
Here we need to design a network. Hold on tight, it will get rocky! Think of networks as rooms with some people in them. Anyone in a room can communicate with anyone else in that room. There is also a little magic: a person can be in more than one room at once, but is called by a different name in each. Example:
There is a room A and a room B. John and Bob are in room A; Casey and Susan are in room B, but John is also in room B under the name Johanas. So Casey, Susan, and Johanas can all talk together, but they have no idea that John and Bob exist in room A. The same goes for John and Bob: they can talk, but have no idea that Casey, Susan, and Johanas are in room B. In terms of networks, you can have 2 servers in one network and 2 servers in another network, and neither pair will know the other exists.
In this example we will just have two networks. If you look at Networking in the left sidebar at the bottom and then at Port Groups, you will see default groups named VM Network and Management Network. Both are on a vSwitch named vSwitch0. vSwitch0 connects to your physical network card (sometimes a provider will give you two for load balancing, but we will focus on one). Below is an image of what the network would/could look like. We will only add one pfSense.
In the end VM Network connects to the internet. What we need is a network that doesn’t connect to the internet at all.
Back to the room explanation. Let's say room A has a window through which people can talk to the outside (but nobody can enter). This would be our "internet". Room B does not have one, so its occupants cannot talk to anyone through a window, nor can anyone outside the room talk to them. But wait! John and Johanas are the same person, so technically room B could talk to people on the outside through Johanas.
So what we end up with is this: we create a network (room B) which is isolated from the internet, since we already have VM Network (room A) for internet access. Then we create a server that exists in both networks.
Implementing Our Network
First let's create our isolated network. Create a vSwitch named internal_windows and a Port Group named internal_windows. Go to Networking in the left sidebar at the bottom and then select Virtual Switches. Select Add standard virtual switch and name the switch. Also make sure you remove Uplink 1 (there is an "x" to the right). Finish by selecting Add. Next add a Port Group by going over to the Port Group tab and selecting Add port group. Name the Port Group and for the Virtual switch select the one you just created. All subsequent references to internal_windows refer to the Port Group. You have successfully created 2 networks!
pfSense
So what does this router do? It routes traffic (this is our John/Johanas). When a request comes in, whether it is TCP, UDP, HTTPS, etc., the router figures out how to handle it based on various information. Example: you visit example.com, which resolves to 192.168.9.24, one of the IPs of the router. The router then sees you are trying to access 192.168.9.24. There should then be a NAT rule (an iptables rule on Linux) which redirects this to the internal server (such as 192.168.1.4). Routers can do much, much more, but I will only be covering directing to an IP and allowing certain ports.
It's up to you what router software you want to use. If you are more technically advanced you can take a shot at VyOS (previously named Vyatta) or literally just use a Linux server. I will use pfSense for ease of understanding.
For installing pfSense we need the ISO, which you can download from here: https://www.pfsense.org/download/ (select amd64 as the architecture and ISO as the installer). Once you have downloaded it you need to add the ISO to your ESXi server. Go to Storage in the left sidebar and select the Datastore browser. Here you should see an option to upload to the datastore. Upload your ISO. (If you are more technically advanced, enabling SSH, logging into the ESXi server and using wget to download it might be faster.)
IPs and How They Are Provided
Usually these providers deliver all of your IPs through one network card. How is that possible? Virtual MAC addresses. Say you have a dedicated IP 123.456.78.9, which is your main IP. It has MAC address FF:FF:FF:FF:FF:FF, and you have a /30 subnet on 321.654.87.1 (for a subnet cheat sheet see https://www.aelius.com/njh/subnet_sheet.html). This is IPs 1 to 4 (4 IPs, of which 2 are usable hosts). These IPs are usually given a random MAC address. Sometimes the provider allows you to change this. OVH, for example, has you define a MAC address for each IP. Given the MAC address, you are able to set it on the network card in the VM. This will make the IPs available to that machine.
pfSense
Once you have that information, keep note of it as you will need it soon.
We are ready to create our first VM. Here are the specs for a pfSense VM:
- CPU: 1
- Memory: 1 GB
- Hard Disk: 8 GB
When creating the VM, give it 2 network adapters: the default network with the proper MAC address for your subnet, and the one you created (automatic MAC address). On setup you will need to define your WAN (Wide Area Network) and your LAN (Local Area Network). Your WAN is your default network, as this is what connects to the internet. Your LAN is your created network, as it is only for the machines connected to it.
When first starting pfSense you will be shown the network interfaces and their MAC addresses. When asked to set up VLANs, type `y` and enter the right interfaces for each section.
Once pfSense is loaded you will need to set up the gateway and local IPs. Select option 2 and when prompted set up the WAN interface. Do not configure it as DHCP; instead set a static IP. The important part here is the subnet. If your subnet is /23 then you need to set it as xxx.xxx.xxx.xxx/23. This sets your subnet mask. In addition you need to set up your gateway. The information you got from your provider should include a gateway IP. Add that IP here. For now turn off IPv6; you can add it later if you need it (you probably don't).
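The subnet arithmetic behind the /30 block above and the xxx.xxx.xxx.xxx/23 WAN entry, as an added Python example that is not part of the original guide. It uses only the standard ipaddress module, all addresses are constructed documentation-range values, and the gateway-inside-subnet check is a practitioner check added here, not a step from the guide.

```python
import ipaddress  # standard library, no network access needed


def describe_block(cidr: str) -> dict:
    """Summarise a provider block such as the guide's /30.

    The network and broadcast addresses are not assignable, so a /30
    has 4 addresses but only 2 usable hosts, matching the cheat sheet.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "total": net.num_addresses,
        "usable": [str(h) for h in net.hosts()],
    }


def gateway_in_subnet(address: str, prefix: int, gateway: str) -> bool:
    """Check added here: the provider's gateway must sit inside the WAN
    subnet (and differ from the WAN address), or pfSense cannot reach
    it without an extra route."""
    iface = ipaddress.ip_interface(f"{address}/{prefix}")
    gw = ipaddress.ip_address(gateway)
    return gw in iface.network and gw != iface.ip


def wan_static_config(address: str, prefix: int, gateway: str) -> dict:
    """Values typed into pfSense console option 2 (static WAN).

    pfSense derives the subnet mask from the prefix written after the
    address (x.x.x.x/23), so the mask is computed the same way here.
    """
    if not gateway_in_subnet(address, prefix, gateway):
        raise ValueError(f"gateway {gateway} is not inside {address}/{prefix}")
    iface = ipaddress.ip_interface(f"{address}/{prefix}")
    return {
        "wan_ip": f"{iface.ip}/{prefix}",
        "netmask": str(iface.netmask),
        "gateway": gateway,
        "ipv6": "off",  # the guide leaves IPv6 disabled for now
    }


if __name__ == "__main__":
    # Constructed documentation-range addresses, not real provider values.
    print(describe_block("192.0.2.4/30"))
    print(wan_static_config("198.51.100.10", 23, "198.51.100.1"))
```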
Installing Windows and Making Sure We Get Internet
Next you need to somehow get access to the web interface. Set up a Windows or Ubuntu machine. In this tutorial I will use Windows. Make sure the network interface is your LAN. You should be able to get internet on the VM. In case you don't, we will go over it in the next section. Once the VM is installed you can use the browser and navigate to 192.168.1.1. This is the default URL for pfSense on the LAN. Install VMware Tools while you are at it as well, though it is not necessary. The default username/password is admin/pfsense. Once logged in, go through the basic setup. If you did not set the MAC address earlier you should do so now. For now leave everything as default and change your admin password. The moment you finish this setup your VM should have internet.
Setting up pfSense to allow RDP
You have now successfully set up ESXi, pfSense with default settings, and a VM that has internet access. Now what if you want to RDP into that VM? Ideally you want this behind a VPN, but for the sake of this tutorial I will set it up to be accessible from the WWW. There will be another tutorial about setting up OpenVPN with pfSense in the future.
pfSense gives quite a few options. We will look at Virtual IPs, NAT, and Rules (all under Firewall). If you only have 1 IP then you can skip to the rules section. In your subnet you should have a few IPs. Take one of them and use it as a virtual IP. For this to work, set the MAC address for that IP to the same as your WAN. Next, head over to Firewall > Virtual IPs. You will then need to add an IP Alias. Set the address type to single and in Address(es) add your external IP address. At the bottom add a description so you know what this is for. Next, go to Firewall > NAT and add a 1:1 NAT. For the external IP add your virtual IP and for the internal IP add the IP of the VM (192.168.1.2). Again add a description so you know what it is. Finally add a rule to your firewall to allow RDP to that destination (the internal IP). Go to Firewall > Rules and add a rule. In the destination section, for Protocol select MS RDP (3389) and for Destination select single host and add your internal IP.
Now you have enabled RDP access to your Windows machine (this is actually dangerous; please don't keep it like this). Now you just have to enable RDP on your Windows VM. Once that is done you should be able to use your external IP to access your Windows VM from anywhere in the world!
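How pfSense processes an inbound packet under the virtual IP, 1:1 NAT and rule configured above (NAT rewrites the destination first, the WAN rule is then matched against the internal address, and everything unmatched is denied), as an added Python model that is not part of the original guide; the 203.0.113.x addresses are constructed placeholders for the provider block.

```python
from dataclasses import dataclass

# Constructed documentation-range addresses stand in for the provider
# block; 192.168.1.2 is the Windows VM address used in the guide.
WAN_IP = "203.0.113.10"      # pfSense WAN interface address
VIRTUAL_IP = "203.0.113.11"  # IP alias taken from the same block
ONE_TO_ONE_NAT = {VIRTUAL_IP: "192.168.1.2"}  # external -> internal
# WAN rules as (protocol, dst host, dst port); only RDP to the VM passes.
WAN_RULES = [("tcp", "192.168.1.2", 3389)]


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


def apply_one_to_one_nat(pkt: Packet) -> Packet:
    """1:1 NAT runs before filtering: rewrite a mapped external
    destination to the internal address, else leave the packet alone."""
    internal = ONE_TO_ONE_NAT.get(pkt.dst)
    return Packet(pkt.proto, internal, pkt.dport) if internal else pkt


def wan_rule_allows(pkt: Packet) -> bool:
    """Rules see the translated (internal) destination, which is why the
    guide's rule names the internal IP. No match means default deny."""
    return any(pkt.proto == p and pkt.dst == h and pkt.dport == port
               for p, h, port in WAN_RULES)


def handle_inbound(proto: str, dst: str, dport: int) -> str:
    """Trace one inbound packet through NAT and then the WAN rules."""
    pkt = apply_one_to_one_nat(Packet(proto, dst, dport))
    return (f"forwarded to {pkt.dst}:{pkt.dport}"
            if wan_rule_allows(pkt) else "dropped")


def exposed_services() -> list:
    """Everything the internet can reach: one virtual IP on TCP/3389."""
    return [(ext, proto, port) for ext, internal in ONE_TO_ONE_NAT.items()
            for proto, host, port in WAN_RULES if host == internal]


if __name__ == "__main__":
    for case in [("tcp", VIRTUAL_IP, 3389), ("tcp", VIRTUAL_IP, 22),
                 ("tcp", WAN_IP, 3389), ("udp", VIRTUAL_IP, 3389)]:
        print(case, "->", handle_inbound(*case))
```

exposed_services() is the inventory worth re-checking while the RDP hole is open: exactly one external IP and port should appear in it.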
Conclusion
A real use case for this would be setting up something like a Plex server, where you need to allow ports 80 and 443 (and a few others) to use your Plex server from anywhere. Another use case is setting up web servers such as a WordPress site, a PHP application, a Node.js app, or even a full Kubernetes cluster (there will be a tutorial on kube setup in the future!).