Looking for a second opinion on a few things
« on: April 20, 2011, 19:39:40 »
ekisner
Posts: 1
In my network, I use VMware ESX to host all of my servers.
I'm examining the possibility of using a MonoWall to bridge two virtual switches (unmanaged L2 switches)... one with access to the physical network, one with all of the protected virtual machines.
The idea is to have an extra layer of protection between the protected VMs (SQL servers and the like) and the rest of the network.
That being said, I can implement ACLs right on my core switches to prevent the flow from one VLAN to another... ACLs are L3 - can filter protocols and ports.
Attached is a diagram of exactly what I mean, since re-reading it I can see room for all kinds of interpretation - a picture is worth a thousand words. The picture may be a bit out of date... I did up the diagram before I saw the option of using Advanced NATing (to turn the NATing right off, which is what I'm interested in doing - I want to be able to directly hit any VM within the protected segment, so long as it is a valid port). The IPs are abstracted, but the idea was to use the MonoWall's LAN IP as the default gateway on the protected VMs... since all of the LAN IPs are on separate vSwitches, there shouldn't be any IP conflicts.
My question to you, is can you see any benefit to doing it with the MonoWall, or would I be best off not re-inventing the wheel and just using the ACLs already available to me?
Thank you so much.
Attachment: secure.png (65.3 KB, 1034x798)
Re: Looking for a second opinion on a few things
« Reply #1 on: April 21, 2011, 19:11:05 »
iridris
Posts: 145
From what I can tell in the image, your protected VMs are on the same subnet as the normal servers, correct? If that is the case, I definitely agree with turning off NAT - that would just be more trouble than it's worth. However, having the same subnet on both sides of the router (m0n0wall) would be a bit tricky as far as configuring the routes. I think something like the following would be best for your situation:
protected VM > vSwitch 2 > (lan interface, subnet A) m0n0wall VM (wan interface, subnet B) > vSwitch 1 > etc.
The m0n0wall would have NAT disabled and would be mainly just a firewall/router.
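Added example (not from either poster, and not m0n0wall's own code) of why the two-subnet layout above is the one that actually puts the firewall in the path: a small hop-by-hop route walker over constructed addresses. With the original same-subnet idea, hosts resolve each other directly on the vSwitch and the m0n0wall never sees the traffic; with subnet A behind the m0n0wall LAN and subnet B on its WAN, both directions cross it, provided the core switch carries a static route for subnet A via the m0n0wall WAN address (all IPs, device names and the core's route are assumptions).

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed addresses (not from the thread). Topology as iridris describes it:
# protected VM > vSwitch 2 > m0n0wall LAN (subnet A) | WAN (subnet B) > vSwitch 1 > core.
ROUTERS = {
    "m0n0wall": {"ifaces": ["10.0.20.1/24", "10.0.10.2/24"], "routes": {}},
    "core": {
        "ifaces": ["10.0.10.1/24"],
        # The core switch needs this static route so replies to the protected
        # subnet go back via the m0n0wall WAN address instead of being dropped.
        "routes": {"10.0.20.0/24": "10.0.10.2"},
    },
}


def next_hop(ifaces, routes, default_gw, dst):
    """Simplified lookup for non-overlapping /24s: on-link wins, then static
    routes, then the default gateway. Returns 'on-link', an IP string, or
    None when nothing matches."""
    target = ip_address(dst)
    if any(target in ip_interface(i).network for i in ifaces):
        return "on-link"
    for net, via in routes.items():
        if target in ip_network(net):
            return via
    return default_gw


def trace(src_iface, src_gw, dst, routers=ROUTERS, max_hops=6):
    """Walk hop by hop from a host with address src_iface and default gateway
    src_gw until dst is on-link. Returns the routers traversed in order, or
    None if some hop has no route (e.g. the core lacks the static route)."""
    ifaces, routes, gw, path = [src_iface], {}, src_gw, []
    for _ in range(max_hops):
        hop = next_hop(ifaces, routes, gw, dst)
        if hop == "on-link":
            return path
        if hop is None:
            return None
        name = next((n for n, r in routers.items()
                     if any(ip_interface(i).ip == ip_address(hop) for i in r["ifaces"])), None)
        if name is None:
            return None          # next hop is not a device we model
        path.append(name)
        ifaces, routes, gw = routers[name]["ifaces"], routers[name]["routes"], None
    return None                  # routing loop guard


if __name__ == "__main__":
    # Two-subnet design: both directions pass through the m0n0wall.
    print(trace("10.0.20.50/24", "10.0.20.1", "10.0.10.80"))    # ['m0n0wall']
    print(trace("10.0.10.80/24", "10.0.10.1", "10.0.20.50"))    # ['core', 'm0n0wall']
    # Original single-subnet idea: hosts ARP directly, the firewall never sees it.
    print(trace("10.0.10.50/24", "10.0.10.1", "10.0.10.80"))    # []
```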