Solved

Simulating a private network (with a public interface) using VMware

Posted on 2008-06-13
Last Modified: 2010-04-21
Hi Experts.
I want to set up two virtual machines on a single host machine to simulate a private network with a public interface.
I've got two machines on my LAN behind an adsl/router/switch.  One of these machines is headless (I use VNC) and it is the headless machine which is to host the two VMs.
I want one of the VMs to act as the perimeter of the private network and it needs to have a public interface (where public doesn't actually mean public, just public as far as the VM private network is concerned) and a private interface to serve as the gateway for the other VM.
I want to install Snort on the gateway VM and I'm thinking of running it on openSUSE.
The idea is that from my main PC, I want to be able to perform attacks against the public interface of the VM network hosted on the headless PC - as if I was an attacker on the open internet.  I want to be able to VNC into the headless PC and log into the private VM and see how those attacks look from the "inside".  I'm going to use this set-up to host all kinds of services and get some experience of defending against serious attacks.

With me so far?  I'm not sure I am, so well done you! :)

So my question is really in two parts:
How do I set up VMware Workstation networking for the Gateway VM to have both a public and a private network such that Snort will work on it and it will act as the gateway for the private VM?
Do I need to do anything to my LAN of two PCs to make this work?

I thank you in advance for your help.
0
Comment
Question by:jahboite
  • 4
6 Comments
 
LVL 18

Accepted Solution

by:
larstr earned 275 total points
ID: 21787799
What you suggest is possible. You can set up your gateway VM with two virtual NICs: one with "host only" networking and one with "bridged" networking. If you now also put your other VMs on the host only network and set their default gateway to the gateway PC, you should be able to achieve what you want.

As long as you don't need your two LAN PCs also behind this virtual gateway this is all you need to do to get it working.

Lars
0
 
LVL 12

Author Comment

by:jahboite
ID: 21788019
Thanks larstr, that sounds quite easy!
0
 
LVL 11

Assisted Solution

by:jfields71
jfields71 earned 225 total points
ID: 21793804
You can indeed do what you are seeking to do.  There is even a virtual appliance you can download that may save you some time: http://www.vmware.com/appliances/directory/185.  
JF
0
 
LVL 12

Author Comment

by:jahboite
ID: 21835993
Quick update: I'm getting closer to getting there.  I've installed openSUSE 11 (which looks great!) and have managed to get two interfaces set up on it.  I tried setting up the VM with both a Bridged and a Host only interface from the outset, but this turned out to be a horrible idea because for some unknown reason, the SuSE installation configured the host-only interface with an IP address, but wouldn't assign one to the bridged and I got zero connectivity to the outside world with either.  Setting up the VM with just the bridged network and later adding the host-only was much less problematic.  I haven't made the other (internal) VM yet nor have I looked in any detail if I need to do anything to SuSE to act as a gateway (I see there are packages for this kind of thing, but I intend to try and do nothing), but I'm getting there...

Thanks for the suggestion JF.  This may be useful if the Snort install proves too difficult (which hopefully it won't).  I think I'm a little too paranoid to use the virtual appliance on my home network, but if the worst comes to the worst...
0
 
LVL 12

Author Comment

by:jahboite
ID: 22049987
Okay then.  This was fairly easy in the end, but it was a struggle getting there for various reasons.

Here are some details for those coming along after:
  • Created a new virtual network using VMware Virtual Network Editor (vmnetcfg.exe) for the private network.  Did this on the Host Virtual Network Mapping tab by assigning a subnet to VMnet2 (Not bridged).  Did not add a Host Virtual Adapter, nor configure DHCP for the network.
  • Installed openSuSE as a VMware guest OS and assigned to it a Bridged Network Interface (for the outside world) and a Custom (specific virtual network) Interface for which I selected VMnet2.
  • Already had a Windows VM for the private network side so I just changed its adapter to VMnet2 and, as I wasn't intending to have the SuSE box do DHCP straight away, I assigned a static IP address.
  • Told SuSE Network Manager that I'd manage network stuff with ifup - Network Manager seems to just want to do its own thing...
  • Configured SuSE network adapters with static IP addresses by creating scripts for eth0 and eth1 in /etc/sysconfig/network (ifcfg-eth0 and ifcfg-eth1)
  • Created a route to the internet through my real gateway/router via the bridged eth0 interface and to the private network on VMnet2 via eth1 by creating scripts in /etc/sysconfig/network (ifroute-eth0 and ifroute-eth1)
  • Configured the Windows VM network properties Gateway and DNS to point to the eth1 adapter address on the SuSE box
  • Installed BIND on the SuSE box - I hit a bug with the Yast DNS Server package which I wanted to use to set-up BIND, so for now, that's as far as I've got with BIND - I tried editing named.conf by hand, but was getting no response for DNS requests from the windows VM so I've got some more reading to do there (or wait until the bug is fixed)
Here's where I've temporarily diverged from the plan:
I haven't installed Snort yet and have instead used the SuSE firewall to set up masquerading (NAT)  and IP forwarding (can't exactly remember if I had to do something other than just turn on masquerading in order for forwarding to work).  This is just a temporary thing.

As it stands at the moment, I can:
  • Not access the windows vm from my real network.  Good.
  • Not access services on the SuSE vm from my real network, but it's sitting there on the network.  Good.
  • Talk to the outside world (and my real network) from the SuSE vm. Good.
  • Talk to the windows vm from the SuSE vm and vice versa.  Good.
  • Talk to the outside world (using IP addresses only) from the windows vm, via the SuSE vm.  Partly Good.
So I've only got the following to do:
  • Get BIND servicing client DNS requests.
  • Install Snort and make sure that it doesn't stop the SuSE vm acting as the gateway for the private network.
Anyone got any bright ideas for the last two?
0
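
Added example (not part of the original thread): a shell check for the temporary masquerading setup described in the comment above. It reads the SuSEfirewall2 settings and the kernel forwarding flag and reports anything that does not match the eth0 (bridged) / eth1 (VMnet2) layout; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the gateway VM's SuSEfirewall2 settings against the
# layout in the post (eth0 = bridged/outside, eth1 = VMnet2/private).

# Print the value of KEY from a sysconfig-style file (KEY="value"); last wins.
sysconfig_get() {
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# audit_gateway CONF IP_FORWARD_FILE EXT_IF INT_IF
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_gateway() {
    conf=$1; fwd=$2; ext=$3; int=$4; rc=0
    finding() { echo "FINDING: $1"; rc=1; }

    [ "$(sysconfig_get FW_DEV_EXT "$conf")" = "$ext" ] || finding "FW_DEV_EXT is not $ext"
    [ "$(sysconfig_get FW_DEV_INT "$conf")" = "$int" ] || finding "FW_DEV_INT is not $int"
    # Masquerading only helps the private VM if routing between zones is on.
    [ "$(sysconfig_get FW_ROUTE "$conf")" = "yes" ] || finding "FW_ROUTE is not yes"
    [ "$(sysconfig_get FW_MASQUERADE "$conf")" = "yes" ] || finding "FW_MASQUERADE is not yes"
    # The post wants no gateway services reachable from the real LAN.
    svc=$(sysconfig_get FW_SERVICES_EXT_TCP "$conf")
    [ -z "$svc" ] || finding "TCP services open to the external zone: $svc"
    # Kernel view: forwarding must actually be enabled at runtime.
    [ "$(cat "$fwd" 2>/dev/null)" = "1" ] || finding "ip_forward is not 1"
    return $rc
}

# Constructed sample input (not from the post): masquerading switched on,
# routing left off, and a kernel forwarding flag of 0.
demo_dir=$(mktemp -d)
cat > "$demo_dir/SuSEfirewall2" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="no"
FW_MASQUERADE="yes"
FW_SERVICES_EXT_TCP=""
EOF
echo 0 > "$demo_dir/ip_forward"
audit_gateway "$demo_dir/SuSEfirewall2" "$demo_dir/ip_forward" eth0 eth1 || true

# On the gateway VM itself the same check would be:
#   audit_gateway /etc/sysconfig/SuSEfirewall2 /proc/sys/net/ipv4/ip_forward eth0 eth1
```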
 
LVL 12

Author Closing Comment

by:jahboite
ID: 31467126
Thank you for your input.
0

Question has a verified solution.
