VMWare Private Virtual Network w/ Internet Connectivity

I run a VMWare lab on my computer. Virtualization is a great technology and it’s a subject I could probably write a hundred articles on. However, this article is about virtual networking within VMWare. My scenario may differ a bit from yours, but this is how I overcame the blockade, and if you have found a better solution, I’d love to hear what you’ve done.

My scenario is that I need an isolated lab network, but the computers in the lab need internet access. This is because I often test things on Active Directory domains, including DNS, and I want to keep all of this isolated from my production environment. By default, VMWare gives you the following network adapter choices:

  • Bridge Networking – this is like your virtual machine being directly plugged into a switch. It receives its own IP address, separate from the host’s, from your network’s DHCP server.
  • NAT Networking – this is where the virtual machine and the host share the same IP address on the network. Packets to and from your virtual machine are routed via NAT.
  • Host-Only Networking – this is a completely separate and isolated network within your host. There is no internet access or access to the LAN your host resides on from the virtual machine.

To provide connectivity to the isolated network, I set up a pfSense firewall virtual machine. You can download the latest version of pfSense here. They once offered a preinstalled VMWare image of an installation; however, the link is dead, so you will need to set up a VMWare image of pfSense yourself. The nice thing is, you can use pfSense as a LiveCD or actually install it. I created a virtual machine with 384 MB of RAM (it really could run on 256 MB) and installed it to a 20 GB virtual hard disk. To make pfSense work as a router between your virtual network and your LAN, you need to add another virtual NIC.

The main pfSense console from the terminal

In this screenshot, you can see I have two adapters, em0 and em1. In your virtual machine settings, you will need to set one of the adapters to Host-Only (this will be your LAN adapter) and the other to Bridge (this will be your WAN adapter). Your em0 adapter will be the first Network Adapter in the virtual machine’s settings window.

VMWare includes a DHCP server; you can disable it, as pfSense has its own DHCP server, which is what we will use in the lab environment.

Next, you will need to modify your WAN port settings. To do this via the web interface, you will need a virtual machine on this isolated network or you can do it from the pfSense console.

Your settings will be very basic – the WAN will be DHCP (or assign it a static IP if you wish). I leave it as DHCP so I can move my lab from my work network to my home network without having to reconfigure anything other than starting the pfSense virtual machine. The important settings to note are those regarding private IP addresses. As you are aware, routers are configured not to route packets for private networks. Since this pfSense installation has its WAN port connected to a private network, you need to allow pfSense to route private packets. To allow this, just uncheck the two boxes under Private Networks. Save and apply settings to the WAN port.
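An added example, not part of the original post: because the WAN address comes from DHCP and changes as the lab moves between networks, the Host-Only lab subnet must not overlap any network the WAN can land on, and the Private Networks step above applies whenever the WAN lease is in RFC 1918 space. The function names and all addresses below are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, the "private networks" the WAN step refers to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_rfc1918(net):
    """True if the whole network sits inside one RFC 1918 range."""
    return any(net.subnet_of(r) for r in RFC1918)

def check_lab_addressing(wan_cidr, lab_cidr):
    """Findings for a router VM with WAN on Bridge and LAN on Host-Only."""
    wan = ipaddress.ip_interface(wan_cidr)  # current DHCP lease on the WAN NIC
    lab = ipaddress.ip_network(lab_cidr)    # Host-Only subnet behind the router
    findings = []
    if wan.network.overlaps(lab):
        findings.append("overlap: WAN and lab share address space, "
                        "so the router cannot route between them")
    if in_rfc1918(wan.network):
        findings.append("wan-private: WAN is on a private network, so the "
                        "Private Networks boxes on the WAN page apply")
    if not in_rfc1918(lab):
        findings.append("lab-public: lab subnet is outside RFC 1918 and "
                        "would shadow real internet addresses")
    return findings

def pick_lab_subnet(upstreams, pool="172.16.0.0/12", prefix=24):
    """First subnet in pool that overlaps none of the networks the WAN may join."""
    known = [ipaddress.ip_network(u, strict=False) for u in upstreams]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(cand.overlaps(k) for k in known):
            return cand
    return None

if __name__ == "__main__":
    # Constructed sample values: a home lease, then a work lease.
    for wan in ("192.168.1.57/24", "10.20.30.40/16"):
        print(wan, check_lab_addressing(wan, "192.168.1.0/24"))
    print(pick_lab_subnet(["192.168.1.0/24", "10.20.0.0/16"]))
```
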

In the following example, you can see the virtual machine while on a Host-Only connection can access the internet via our pfSense firewall:

Hyper-V Virtual Lab Setup (Part 1)

Why should you invest in a virtual lab? It’s dangerous to implement software or hardware changes in your production environment without fully testing them in a lab environment. All too often, systems and network administrators use their production environment as a lab, which can disrupt employee workflow or, even worse, destroy vital systems or take them offline. This guide will assist you in setting up a basic Hyper-V lab. In later guides, I’ll show you how to set up a multi-server lab.

What you need

  • Hardware server capable of running Hyper-V
  • Windows Server 2008 R2
  • 4 GB of RAM (more recommended)
  • Hard drive space for storing your VMs and snapshots
  • At least 2 NICs, though 1 will still work
  • IPCop

Creating your lab server

First, get started by installing Windows Server 2008 R2 on your server. Typical installation is perfectly fine. You don’t need to do anything special.

Set your NIC with a static IP address (this will be our WAN IP, more on this later).

Join your server to your production domain. The virtual network will be completely isolated from our production network, but we’re going to give it access to the internet which is available on our production network. This is where IPCop comes into play.

Install the Hyper-V role and only the Hyper-V role. It’s bad practice to install any other roles on your host.

Creating virtual networks

What we need to do now is create our virtual networks. Hyper-V has 3 types of networks:

  • External – This is your production network
  • Internal – This allows your VM to also communicate with your host as well as the other VMs
  • Private – This is a network connection that is only shared between the VMs. This is your lab network.

What we’re going to do now is create two virtual networks. Here’s a screenshot to show you what I mean:

You can see I have two networks. My “Production Network” and my “Virtual Lab Network”. The production network is set to External and the option to allow the host operating system to share management is enabled. If I had a VLAN to assign to the adapter, I could also set the VLAN ID.

The Virtual Lab Network is set up in a similar way, except that instead of “External” it is set to “Private”.

You’re now ready to install the IPCop virtual machine which I will cover in Part 2.