Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Simulating a private network (with a public interface) using VMware

Posted on 2008-06-13
Medium Priority
Last Modified: 2010-04-21
Hi Experts.
I want to set-up two virtual machines on a single host machine to simulate a private network with a public interface.
I've got two machines on my lan behind a adsl/router/switch.  One of these machines is headless (I use VNC) and it is the headless machine which is to host the two VM's.
I want one of the VM's to act as the perimeter of the private network and it needs to have a public interface (where public doesn't actually mean public, just public as far as the VM private network is concerned) and a private interface to serve as the gateway for the other VM.
I want to install Snort on the gateway VM and I'm thinking of running it on openSUSE.
The idea is that from my main PC, I want to be able to perform attacks against the public interface of the VM network hosted on the headless PC - as if I was an attacker on the open internet.  I want to be able to VNC into the headless PC and log into the private VM and see how those attacks look from the "inside".  I'm going to use this set-up to host all kinds of services and get some experience of defending against serious attacks.

With me so far?  I'm not sure I am, so well done you! :)

So my question is really in two parts:
How do I set-up VMWare Workstation networking for the Gateway VM to have both a public and a private network such that Snort will work on it and it will act as the gateway for the private VM?
Do I need to do anything to my LAN of two PC's to make this work?

I thank you in advance for your help.
Question by:jahboite
  • 4
LVL 18

Accepted Solution

larstr earned 1100 total points
ID: 21787799
What you suggest is possible. You can setup your gateway VM with two virtual nics. One with "host only" networking and one with "bridged" netorking. If you now also put your other VMs on the host only network and set their default gateway to the gateway pc, you should be able to achieve what you want.

As long as you don't need your two LAN PCs also behind this virtual gateway this is all you need to do to get it working.

LVL 12

Author Comment

ID: 21788019
Thanks larstr, that sounds quite easy!
LVL 11

Assisted Solution

jfields71 earned 900 total points
ID: 21793804
You can indeed do what you are seeking to do.  There is even a virtual appliance you can download that may save you some time: http://www.vmware.com/appliances/directory/185.  
Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

LVL 12

Author Comment

ID: 21835993
Quick update,  I'm getting closer to getting there.  I've installed openSUSE 11 (which looks great!) and have managed to get two interfaces set-up on it.  I tried setting-up the VM with both a Bridged and a Host only interface from the outset, but this turned out to be a horrible idea because for some unknown reason, the suse installation configured the host-only interface with an IP address, but wouldn't assign one to the bridged and I got zero connectivity to the outside world with either.  Setting-up the VM with just the bridged network and later adding the host-only was much less problematic.  I haven't made the other (internal) VM yet nor have I looked in any detail if I need to do anything to Suse to act as a gateway (I see there are packages for this kind of thing, but I intend to try and do nothing), but I'm getting there...

Thanks for the suggestion JF.  This may be useful if the Snort install proves too difficult (which hopefully it won't).  I think I'm a little too paranoid to use the virtual appliance on my home network, but if the worst comes to the worst...
LVL 12

Author Comment

ID: 22049987
Okay then.  This was fairly easy in the end, but it was a struggle getting there for various reasons.

Here's some details for those coming along after:
  • Created a new virtual network using VMware Virtual Network Editor (vmnetcfg.exe) for the private network.  Did this on the Host Virtual Network Mapping tab by assigning a subnet to VMnet2 (Not bridged).  Did not add a Host Virtual Adapter, nor configure DHCP for the network.
  • Installed openSuSE as a VMware guest OS and assigned to it a Bridged Network Interface (for the outside world) and a Custom (specific virtual network) Interface for which I selected VMnet2.
  • Already had a Windows VM for the private network side so I just changed it's adapter to VMnet2 and, as I wasn't intending to have the suse box do dhcp straight away, I assigned a static IP address.
  • Told SusE Network Manager that I'd manage network stuff with ifup - Network Manager seems to just want to do its own thing...
  • Configured SuSE network adapters with static IP addresses using by creating scripts for eth0 and eth1 in /etc/sysconfig/network (ifcfg-eth0 and ifcfg-eth1)
  • Created a route to the internet through my real gateway/router via the bridged eth0 interface and to the private network on VMnet2 via eth1 by creating scripts in /etc/sysconfig/network (ifroute-eth0 and ifroute-eth1)
  • Configured the Windows VM network properties Gateway and DNS to point to the eth1 adapter address on the SuSE box
  • Installed BIND on the SuSE box - I hit a bug with the Yast DNS Server package which I wanted to use to set-up BIND, so for now, that's as far as I've got with BIND - I tried editing named.conf by hand, but was getting no response for DNS requests from the windows VM so I've got some more reading to do there (or wait until the bug is fixed)
Here's where I've temporarily diverged from the plan:
I haven't installed Snort yet and have instead used the SuSE firewall to set up masquerading (NAT)  and IP forwarding (can't exactly remember if I had to do something other than just turn on masquerading in order for forwarding to work).  This is just a temporary thing.

As it stands at the moment, I can:
  • Not access the windows vm from my real network.  Good.
  • Not access services on the SuSE vm from my real network, but it's sitting there on the network.  Good.
  • Talk to the outside world (and my real network) from the SuSE vm. Good.
  • Talk to the windows vm from the SuSE vm and vice versa.  Good.
  • Talk to the outside world (using IP addresses only) from the windows vm, via the SuSE vm.  Partly Good.
So I've only got the following to do:
  • Get BIND servicing client DNS requests.
  • Install Snort and make sure that it doesn't stop the SuSE vm acting as the gateway for the private network.
Anyone got any bright ideas for the last two?
LVL 12

Author Closing Comment

ID: 31467126
Thank you for your input.

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Giving access to ESXi shell console is always an issue for IT departments to other Teams, or Projects. We need to find a way so that teams can use ESXTOP for their POCs, or tests without giving them the access to ESXi host shell console with a root …
August and September have been big months for VMware—from VMworld last month to our new Course of the Month in VMware Professional - Data Center Virtualization. We reached out to Andrew Hancock, resident VMware vExpert, to have a more in-depth discu…
Teach the user how to use create log bundles for vCenter Server or ESXi hosts Open vSphere Web Client: Generate vCenter Server and ESXi host log bundle:  Open vCenter Server Appliance Web Management interface and generate log bundle: Open vCenter Se…
Advanced tutorial on how to run the esxtop command to capture a batch file in csv format in order to export the file and use it for performance analysis. He demonstrates how to download the file using a vSphere web client (or vSphere client) and exp…
Suggested Courses

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question