Go Premium for a chance to win a PS4. Enter to Win


Simulating a private network (with a public interface) using VMware

Posted on 2008-06-13
Medium Priority
Last Modified: 2010-04-21
Hi Experts.
I want to set-up two virtual machines on a single host machine to simulate a private network with a public interface.
I've got two machines on my lan behind a adsl/router/switch.  One of these machines is headless (I use VNC) and it is the headless machine which is to host the two VM's.
I want one of the VM's to act as the perimeter of the private network and it needs to have a public interface (where public doesn't actually mean public, just public as far as the VM private network is concerned) and a private interface to serve as the gateway for the other VM.
I want to install Snort on the gateway VM and I'm thinking of running it on openSUSE.
The idea is that from my main PC, I want to be able to perform attacks against the public interface of the VM network hosted on the headless PC - as if I was an attacker on the open internet.  I want to be able to VNC into the headless PC and log into the private VM and see how those attacks look from the "inside".  I'm going to use this set-up to host all kinds of services and get some experience of defending against serious attacks.

With me so far?  I'm not sure I am, so well done you! :)

So my question is really in two parts:
How do I set-up VMWare Workstation networking for the Gateway VM to have both a public and a private network such that Snort will work on it and it will act as the gateway for the private VM?
Do I need to do anything to my LAN of two PC's to make this work?

I thank you in advance for your help.
Question by:jahboite
  • 4
LVL 18

Accepted Solution

larstr earned 1100 total points
ID: 21787799
What you suggest is possible. You can setup your gateway VM with two virtual nics. One with "host only" networking and one with "bridged" netorking. If you now also put your other VMs on the host only network and set their default gateway to the gateway pc, you should be able to achieve what you want.

As long as you don't need your two LAN PCs also behind this virtual gateway this is all you need to do to get it working.

LVL 12

Author Comment

ID: 21788019
Thanks larstr, that sounds quite easy!
LVL 11

Assisted Solution

jfields71 earned 900 total points
ID: 21793804
You can indeed do what you are seeking to do.  There is even a virtual appliance you can download that may save you some time: http://www.vmware.com/appliances/directory/185.  
Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

LVL 12

Author Comment

ID: 21835993
Quick update,  I'm getting closer to getting there.  I've installed openSUSE 11 (which looks great!) and have managed to get two interfaces set-up on it.  I tried setting-up the VM with both a Bridged and a Host only interface from the outset, but this turned out to be a horrible idea because for some unknown reason, the suse installation configured the host-only interface with an IP address, but wouldn't assign one to the bridged and I got zero connectivity to the outside world with either.  Setting-up the VM with just the bridged network and later adding the host-only was much less problematic.  I haven't made the other (internal) VM yet nor have I looked in any detail if I need to do anything to Suse to act as a gateway (I see there are packages for this kind of thing, but I intend to try and do nothing), but I'm getting there...

Thanks for the suggestion JF.  This may be useful if the Snort install proves too difficult (which hopefully it won't).  I think I'm a little too paranoid to use the virtual appliance on my home network, but if the worst comes to the worst...
LVL 12

Author Comment

ID: 22049987
Okay then.  This was fairly easy in the end, but it was a struggle getting there for various reasons.

Here's some details for those coming along after:
  • Created a new virtual network using VMware Virtual Network Editor (vmnetcfg.exe) for the private network.  Did this on the Host Virtual Network Mapping tab by assigning a subnet to VMnet2 (Not bridged).  Did not add a Host Virtual Adapter, nor configure DHCP for the network.
  • Installed openSuSE as a VMware guest OS and assigned to it a Bridged Network Interface (for the outside world) and a Custom (specific virtual network) Interface for which I selected VMnet2.
  • Already had a Windows VM for the private network side so I just changed it's adapter to VMnet2 and, as I wasn't intending to have the suse box do dhcp straight away, I assigned a static IP address.
  • Told SusE Network Manager that I'd manage network stuff with ifup - Network Manager seems to just want to do its own thing...
  • Configured SuSE network adapters with static IP addresses using by creating scripts for eth0 and eth1 in /etc/sysconfig/network (ifcfg-eth0 and ifcfg-eth1)
  • Created a route to the internet through my real gateway/router via the bridged eth0 interface and to the private network on VMnet2 via eth1 by creating scripts in /etc/sysconfig/network (ifroute-eth0 and ifroute-eth1)
  • Configured the Windows VM network properties Gateway and DNS to point to the eth1 adapter address on the SuSE box
  • Installed BIND on the SuSE box - I hit a bug with the Yast DNS Server package which I wanted to use to set-up BIND, so for now, that's as far as I've got with BIND - I tried editing named.conf by hand, but was getting no response for DNS requests from the windows VM so I've got some more reading to do there (or wait until the bug is fixed)
Here's where I've temporarily diverged from the plan:
I haven't installed Snort yet and have instead used the SuSE firewall to set up masquerading (NAT)  and IP forwarding (can't exactly remember if I had to do something other than just turn on masquerading in order for forwarding to work).  This is just a temporary thing.

As it stands at the moment, I can:
  • Not access the windows vm from my real network.  Good.
  • Not access services on the SuSE vm from my real network, but it's sitting there on the network.  Good.
  • Talk to the outside world (and my real network) from the SuSE vm. Good.
  • Talk to the windows vm from the SuSE vm and vice versa.  Good.
  • Talk to the outside world (using IP addresses only) from the windows vm, via the SuSE vm.  Partly Good.
So I've only got the following to do:
  • Get BIND servicing client DNS requests.
  • Install Snort and make sure that it doesn't stop the SuSE vm acting as the gateway for the private network.
Anyone got any bright ideas for the last two?
LVL 12

Author Closing Comment

ID: 31467126
Thank you for your input.

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this step by step tutorial with screenshots, we will show you HOW TO: Enable SSH Remote Access on a VMware vSphere Hypervisor 6.5 (ESXi 6.5). This is important if you need to enable SSH remote access for additional troubleshooting of the ESXi hos…
Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
Teach the user how to configure vSphere Replication and how to protect and recover VMs Open vSphere Web Client: Verify vsphere Replication is enabled: Enable vSphere Replication for a virtual machine: Verify replicated VM is created: Recover replica…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question