Configure XenServer 6.2 to Host a Virtual Firewall

Introduction

There are two main methods for hosting a virtual firewall on a XenServer host. One dedicates a separate physical NIC on the host to each side of the firewall; the other carries both sides over a single NIC as tagged VLANs, which requires a managed (VLAN-capable) Ethernet switch. In both cases the XenServer management interface stays on a NIC of its own that the firewall never touches.

Option 1: Using dedicated physical host ports

The XenServer host needs at least three NIC ports: one for the management interface and two that can be dedicated to the firewall, one for the trusted (private) network and one for the untrusted (public/Internet) network.

In XenCenter, select the XenServer host and open the Networking tab. Create two external networks, one for the trusted (private) network and one for the untrusted (public/Internet) network. Assign a different host NIC port to each of them, and make sure neither of them is the NIC that carries the management interface.

Plug your Internet connection and LAN into their respective new host ports.

Create a new VM for the firewall virtual appliance (such as pfSense) and, during creation, attach both of the new external networks to the VM (the untrusted and the trusted). Boot the virtual firewall appliance and assign its interfaces. The appliance numbers its virtual NICs by VIF device number, not by network name, so check which virtual NIC (by MAC address) sits on the untrusted network before configuring it as the WAN.

Do not expose the XenServer management interface to the Internet or to the untrusted network. It is the host's control plane (XenAPI over HTTPS and SSH into the control domain), and anything that can reach it can manage every VM on the host, including the firewall itself. Keep it on its own dedicated NIC port connected only to the trusted side, and do not attach the management network to the firewall VM.

Option 2: Using VLANs with an external switch

If the XenServer host has an Ethernet port connected to a VLAN-capable (managed) physical switch, you can instead create the two external networks on that single host port, giving each a different VLAN ID that matches the VLANs you have configured on the switch. XenServer tags each network's traffic with its VLAN ID as it leaves that port, so the one cable carries both the trusted and the untrusted network.

On the switch, configure the port the XenServer host plugs into as an 802.1Q trunk carrying both VLAN IDs, and configure the other ports as access ports: the LAN ports on the trusted VLAN and a single port on the untrusted VLAN for the Internet connection. Only that one access port should be a member of the untrusted VLAN, and the untrusted VLAN must not be the trunk's native (untagged) VLAN: untagged frames arriving on the host port are delivered to the host's untagged network for that NIC, not to the firewall's untrusted network.

Create the firewall VM exactly as in Option 1, attaching both VLAN networks (the untrusted and the trusted) during creation. Boot the virtual firewall appliance, assign its interfaces, and confirm by MAC address which virtual NIC is on the untrusted VLAN before configuring it as the WAN.

As with Option 1, do not expose the XenServer management interface to the Internet or to the untrusted network, and keep it on its own dedicated NIC port rather than on the trunk port. The management interface sits on the untagged network of its NIC; if it shared the trunk NIC it would be reachable from whatever the switch treats as that trunk's native VLAN, and a single switch misconfiguration would expose the hypervisor directly.
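Both options as one script, driven with the xe CLI in the XenServer control domain instead of through XenCenter. This is an added example, not code from the original page, from Citrix or from the pfSense project. The NIC names (eth0 for management, eth1/eth2 for Option 1, eth1 as the trunk for Option 2), the VLAN IDs 10 and 20, the VM name pfSense and the pfSense WAN-first interface ordering are all assumptions to adjust for your host. It also performs the check the text asks for: it refuses to run if the management interface is on a NIC it is about to hand to the firewall.

```shell
#!/bin/sh
# Added example, not code from the original page or from Citrix/pfSense.
# Does Option 1 ("nics") or Option 2 ("vlans") with the xe CLI on the XenServer
# host, and refuses to proceed if the management interface would share a NIC
# with a firewall network.
#
# Assumed layout (override with environment variables):
#   eth0 = management interface (never handed to the firewall)
#   Option 1: LAN_DEV=eth1 trusted NIC, WAN_DEV=eth2 untrusted NIC
#   Option 2: TRUNK_DEV=eth1 plugged into the switch trunk; LAN_VLAN=10, WAN_VLAN=20
#   FW_VM=pfSense is the name-label of an already created, halted firewall VM
set -eu

MODE=${1:-}
LAN_DEV=${LAN_DEV:-eth1}
WAN_DEV=${WAN_DEV:-eth2}
TRUNK_DEV=${TRUNK_DEV:-eth1}
LAN_VLAN=${LAN_VLAN:-10}
WAN_VLAN=${WAN_VLAN:-20}
FW_VM=${FW_VM:-pfSense}

# 0 if the management NIC is not among the NICs given to the firewall, 1 otherwise.
# Pure string comparison, so it can be exercised without a XenServer host.
mgmt_isolated() {
    mgmt=$1
    shift
    for dev in "$@"; do
        [ "$dev" = "$mgmt" ] && return 1
    done
    return 0
}

# VIF device number for a firewall role. pfSense assigns its first virtual NIC
# (xn0, VIF device 0) to WAN and the second (xn1) to LAN by default (assumption:
# confirm the assignment on the pfSense console before going live).
vif_device_for() {
    case $1 in
        wan) echo 0 ;;
        lan) echo 1 ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Untagged (physical) PIF for a NIC on this host. VLAN PIFs report the same
# device name, so filter on physical=true.
pif_uuid() {
    xe pif-list host-uuid="$HOST_UUID" device="$1" physical=true params=uuid --minimal
}

mgmt_device() {
    xe pif-list host-uuid="$HOST_UUID" management=true params=device --minimal
}

attach() { # attach <network-uuid> <wan|lan>
    vm=$(xe vm-list name-label="$FW_VM" params=uuid --minimal)
    vif=$(xe vif-create vm-uuid="$vm" network-uuid="$1" device="$(vif_device_for "$2")")
    echo "VIF $vif ($2) -> network $1"
}

refuse() { echo "refusing: management interface is on NIC $1, which the firewall would use" >&2; exit 1; }

option1() {
    mgmt=$(mgmt_device)
    mgmt_isolated "$mgmt" "$LAN_DEV" "$WAN_DEV" || refuse "$mgmt"
    # Every physical NIC already has a network; label the existing ones instead of creating new ones.
    lan_net=$(xe pif-param-get uuid="$(pif_uuid "$LAN_DEV")" param-name=network-uuid)
    wan_net=$(xe pif-param-get uuid="$(pif_uuid "$WAN_DEV")" param-name=network-uuid)
    xe network-param-set uuid="$lan_net" name-label="Firewall LAN (trusted, $LAN_DEV)"
    xe network-param-set uuid="$wan_net" name-label="Firewall WAN (untrusted, $WAN_DEV)"
    attach "$wan_net" wan
    attach "$lan_net" lan
}

option2() {
    mgmt=$(mgmt_device)
    # The management interface rides the untagged side of its NIC; on the trunk
    # that would be the switch's native VLAN, so keep it off the trunk NIC entirely.
    mgmt_isolated "$mgmt" "$TRUNK_DEV" || refuse "$mgmt"
    trunk=$(pif_uuid "$TRUNK_DEV")
    lan_net=$(xe network-create name-label="Firewall LAN (trusted, VLAN $LAN_VLAN)")
    wan_net=$(xe network-create name-label="Firewall WAN (untrusted, VLAN $WAN_VLAN)")
    xe vlan-create pif-uuid="$trunk" network-uuid="$lan_net" vlan="$LAN_VLAN" >/dev/null
    xe vlan-create pif-uuid="$trunk" network-uuid="$wan_net" vlan="$WAN_VLAN" >/dev/null
    attach "$wan_net" wan
    attach "$lan_net" lan
}

case $MODE in
    nics|vlans)
        # Single-host setup assumed; in a pool, pass HOST_UUID explicitly.
        HOST_UUID=${HOST_UUID:-$(xe host-list --minimal)}
        if [ "$MODE" = nics ]; then option1; else option2; fi
        ;;
    *) echo "usage: $0 nics|vlans   (run as root in the XenServer 6.2 control domain)" ;;
esac
```

Run it as `./fw-net.sh nics` for Option 1 or `./fw-net.sh vlans` for Option 2, with the firewall VM already created (no networks attached in the wizard) and halted; the VIFs are plugged when the VM boots. In Option 1 the script deliberately relabels the network that XenServer already created for each physical NIC rather than creating a new one, since each physical PIF already has exactly one. After booting the appliance, confirm on its console that the interface it picked as WAN carries the MAC address of the VIF on the untrusted network.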

Conclusion

Connecting a hypervisor host directly to the Internet has trade-offs. The host's untrusted NIC or VLAN becomes part of its attack surface, and isolation of the untrusted traffic now depends on the hypervisor's virtual switch and, with Option 2, on the physical switch's VLAN configuration as well. In return, a virtual firewall is easy to snapshot, back up and rebuild. Whichever option you choose, keep the XenServer management interface on a dedicated NIC that is unreachable from the Internet and from the untrusted network.