There's a good chance this content may be outdated!

This post is 6 years old—a long time on the internet. Any content within is provided as-is and is not guaranteed to work on modern systems - your mileage may vary.

I run a VMware lab on my computer. Virtualization is a great technology and it’s a subject I could probably write a hundred articles on. However, this article is about virtual networking within VMware. My scenario may differ a bit from yours, but this is how I overcame the blockade, and if you have found a better solution, I’d love to hear what you’ve done.

My scenario is that I need an isolated lab network, but the computers in the lab need internet access. This is because I often test things on Active Directory domains, including DNS, and I want to keep all of this isolated from my production environment. By default, VMware gives you the following network adapter choices:

  • Bridge Networking – this is like your virtual machine being directly plugged into a switch. It receives its own IP, separate from the host’s, via your network’s DHCP server.
  • NAT Networking – this is where the virtual machine and the host share the same IP address on the network. Your virtual machine will be routed packets via NAT.
  • Host-Only Networking – this is a completely separate and isolated network within your host. There is no internet access or access to the LAN your host resides on from the virtual machine.

To provide connectivity to the isolated network, I set up a pfSense firewall virtual machine. You can download the latest version of pfSense here. They once offered a preinstalled VMware image of an installation, however the link is dead, so you will need to set up a VMware image of pfSense yourself. The nice thing is, you can use pfSense as a LiveCD or actually install it. I created a virtual machine with 384 MB of RAM (it really could run on 256 MB) and installed it to a 20 GB virtual hard disk. To make pfSense work as a router between your virtual network and your LAN, you need to add another virtual NIC.

[Screenshot: the main pfSense console from the terminal]

In this screenshot, you can see I have two adapters, em0 and em1. In your virtual machine settings, you will need to set one of the adapters to Host-Only (this will be your LAN adapter) and the other to Bridge (this will be your WAN adapter). Your em0 adapter will be the first Network Adapter in the Virtual Machine’s settings window.

VMware includes a DHCP server; you can disable it, as pfSense has its own DHCP server, and that is what we will use in the lab environment.

Next, you will need to modify your WAN port settings. To do this via the web interface, you will need a virtual machine on this isolated network or you can do it from the pfSense console.

Your settings will be very basic – the WAN will be DHCP (or assign it a static IP if you wish). I leave it as DHCP so I can move my lab from my work network to my home network without having to reconfigure anything other than starting the pfSense virtual machine. The important settings to note are those regarding private IP addresses. As you are aware, routers are configured to not route packets for private networks. Since this pfSense installation has its WAN port connected to a private network, you need to allow pfSense to route private packets. To allow this, just uncheck the two boxes under Private Networks. Save and apply settings to the WAN port.
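Because the WAN side here is itself a private network, it is worth checking from a lab VM which destinations it can actually reach. The script below is an added example, not part of the original post; the lab subnet, target addresses and ports are assumed values to replace with your own.

```python
import ipaddress
import socket

# Assumed values for illustration; replace with your own lab's addressing.
LAB_NET = ipaddress.ip_network("192.168.1.0/24")  # pfSense LAN (Host-Only side)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# (address, tcp_port) pairs, constructed: one host on the network the WAN is
# bridged to and one internet host. Pick ports known to be open on each.
TARGETS = [("10.0.0.1", 80), ("1.1.1.1", 443)]


def classify(dest, lab_net=LAB_NET):
    """Place a destination in 'lab', 'upstream-private' or 'internet'."""
    ip = ipaddress.ip_address(dest)
    if ip in lab_net:
        return "lab"
    if any(ip in net for net in RFC1918):
        return "upstream-private"
    return "internet"


def probe(dest, port, timeout=2.0):
    """Return True if a TCP handshake to dest:port completes."""
    try:
        with socket.create_connection((dest, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(results, lab_net=LAB_NET):
    """results maps destination IP -> reachable (bool); return findings."""
    findings = []
    for dest, reachable in sorted(results.items()):
        zone = classify(dest, lab_net)
        if zone == "upstream-private" and reachable:
            findings.append(f"LEAK {dest}: lab VM reached the WAN-side private network")
        elif zone == "internet" and not reachable:
            findings.append(f"DOWN {dest}: no internet path through pfSense")
    return findings


if __name__ == "__main__":
    # Run this from a VM on the Host-Only network, behind pfSense.
    observed = {dest: probe(dest, port) for dest, port in TARGETS}
    for line in audit(observed) or ["OK: internet reachable, upstream LAN not reachable"]:
        print(line)
```

A LEAK line means traffic from the lab is being routed onto the network the WAN adapter is bridged to, which is something to restrict with pfSense firewall rules on the LAN interface.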

In the following example, you can see the virtual machine while on a Host-Only connection can access the internet via our pfSense firewall:


About Author

Hi! I'm Travis and I love technology.


  1. Haggai Yedidya on

    This appears as a great article. I will now try this methodology.

    My personal need is to run a malware lab which must receive internet access; though it cannot put the host computer (and the host’s network) at risk.

    In case you have published a new article in this field or suggest new methods to put together an isolated network with Internet access, please let me know!

    • This method is still valid and recommended. A step up would be implementing VLANs and using them along with pfSense.

  2. This still works, but using this method, the machine behind the pfSense still has access to the host local network, which seems to defeat the purpose? How can one isolate the local network while still having internet access?

    • You have to play with the routing and firewall rules. I’ll look into posting an update since this post is 4 years old (technically, it’s pushing 5 years).
