Setting Up A DMZ on ESXi 5.5, with PfSense ready for a honeypot

So I have recently set up a Kippo honeypot, so let me show you how I set up my DMZ ready for the honeypot. This step-by-step guide will walk you through how to achieve this. We will be using VMware ESXi 5.5, pfSense and the Kippo SSH honeypot.

Open up your vSphere Client

So we need to set up our server networking. Go to the Configuration tab.

So here is an example network setup

This server has 2 physical NICs. One is for WAN and the other is for LAN. But we want to set up a DMZ …

Add Networking

So we will need to click on Add Networking.

Choose Virtual Machine

Then click on NEXT

Create a Virtual Switch

We don't want to use one of the physical NICs, so we want to choose the top option, not one of the physical adapters. Click NEXT.

Type in the Network Label

So as we are making a DMZ, let's give it a name … Click on NEXT, then on the screen after click FINISH.

Now we have a DMZ

And that's it. We now have a DMZ.

Now you can see above that I've dragged 2 VMs into this switch setup.

One is PfSense = Firewall
One is KIPPO – Honeypot

So this is the DMZ done, but what about the rest?

So this is only half of the battle. We now need to set up the firewall rules to make it an actual DMZ. Let's jump over to the pfSense firewall.
As you can see, we have a WAN, a LAN and a DMZ.

So once you have set up the ESXi DMZ you now need to assign the interface. I have already done it, but click on the Interfaces menu above and choose (assign).

Where it says DMZ for me, you will have something like OPT1. Click on the drop-down menu and choose the virtual NIC of the DMZ you created in ESXi.

Setup The IP’s

Go back to the pfSense dashboard view and click on DMZ under Interfaces.

Static IP

Make sure your DMZ is statically set to a different subnet from your LAN.
E.g. if your LAN is then your DMZ needs to be on a different subnet like
So we would set the DMZ IP as and choose the /24.

We now have an ESXi DMZ and we have a pfSense firewall with a configured DMZ interface.

The last thing to do is set up the honeypot with a static IP in the DMZ range, so anything in the 192.168.52.X range (excluding the IP you set above for the DMZ interface).
Then set the honeypot's gateway to point to the static IP you set above as the DMZ interface address.

Firewall Rules

So now we need to set up some firewall rules. Remember, pfSense evaluates them from the top down, and the first matching rule wins.

So here I am blocking access from the DMZ –> LAN.
I am also blocking DMZ –> VPN network.
Then the bottom rule is allow DMZ –> WAN; this gives the DMZ access out to the internet.

So at this point the DMZ can't contact the LAN, which is good, but the LAN can access the DMZ, which is fine and how we want it.
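To show why the top-down order matters, here is a small first-match evaluator for the three DMZ interface rules above (added example, not part of the original post or of pfSense itself). The DMZ range is the post's 192.168.52.0/24; the LAN and VPN subnets and the honeypot address are assumed placeholders, and only the DMZ interface's rules are modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the post gives the DMZ range (192.168.52.x); the LAN and VPN
# ranges below are assumed placeholders, not values from the post.
DMZ = ipaddress.ip_network("192.168.52.0/24")
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
VPN = ipaddress.ip_network("10.8.0.0/24")      # assumed VPN client subnet
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                   # "block" or "pass"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

# The DMZ interface rules in the order the post uses: two blocks above one allow.
DMZ_RULES = (
    Rule("block", DMZ, LAN),
    Rule("block", DMZ, VPN),
    Rule("pass", DMZ, ANY),       # DMZ -> WAN (anything not blocked above)
)

def evaluate(rules, src_ip, dst_ip):
    """First matching rule decides, as on a pfSense interface; no match means the implicit default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"

def dmz_is_isolated(rules):
    """Check the intent of the rule set: the honeypot reaches the internet but not LAN or VPN."""
    honeypot = "192.168.52.10"    # constructed honeypot address inside the DMZ range
    probes = {
        str(LAN[5]): "block",     # DMZ -> LAN must be blocked
        str(VPN[5]): "block",     # DMZ -> VPN must be blocked
        "203.0.113.7": "pass",    # DMZ -> internet (TEST-NET-3 address) must pass
    }
    return all(evaluate(rules, honeypot, dst) == want for dst, want in probes.items())

if __name__ == "__main__":
    print("blocks above allow, DMZ isolated:", dmz_is_isolated(DMZ_RULES))        # True
    print("allow above blocks, DMZ isolated:", dmz_is_isolated(DMZ_RULES[::-1]))  # False
```

Reversing the order puts the allow rule on top, so it matches every DMZ packet first and the two block rules never fire, which is exactly the mistake the top-down reminder is about.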

Port Forwarding

The last step is NAT port forwarding. So we are going to allow port 22 (as this is a Kippo SSH honeypot) and forward it to the DMZ honeypot IP on port 2222, as this is the default Kippo port. Apply the changes.

And we have a honeypot!

And we have a Kippo honeypot running and being attacked.

Hopefully this has helped someone out there who has read this. Please support the site and me by showing your support. Enjoy honeypotting.