Simulating a private network (with a public interface) using VMware

Posted on 2008-06-13
Last Modified: 2010-04-21
Hi Experts.
I want to set-up two virtual machines on a single host machine to simulate a private network with a public interface.
I've got two machines on my LAN behind an ADSL router/switch.  One of these machines is headless (I use VNC) and it is the headless machine which is to host the two VMs.
I want one of the VMs to act as the perimeter of the private network and it needs to have a public interface (where public doesn't actually mean public, just public as far as the VM private network is concerned) and a private interface to serve as the gateway for the other VM.
I want to install Snort on the gateway VM and I'm thinking of running it on openSUSE.
The idea is that from my main PC, I want to be able to perform attacks against the public interface of the VM network hosted on the headless PC - as if I was an attacker on the open internet.  I want to be able to VNC into the headless PC and log into the private VM and see how those attacks look from the "inside".  I'm going to use this set-up to host all kinds of services and get some experience of defending against serious attacks.

With me so far?  I'm not sure I am, so well done you! :)

So my question is really in two parts:
  • How do I set up VMware Workstation networking for the Gateway VM to have both a public and a private network such that Snort will work on it and it will act as the gateway for the private VM?
  • Do I need to do anything to my LAN of two PCs to make this work?

I thank you in advance for your help.
Question by:jahboite

Accepted Solution

larstr earned 275 total points
ID: 21787799
What you suggest is possible. You can set up your gateway VM with two virtual NICs: one with "host only" networking and one with "bridged" networking. If you now also put your other VMs on the host only network and set their default gateway to the gateway PC, you should be able to achieve what you want.

As long as you don't need your two LAN PCs also behind this virtual gateway this is all you need to do to get it working.

Author Comment

ID: 21788019
Thanks larstr, that sounds quite easy!

Assisted Solution

jfields71 earned 225 total points
ID: 21793804
You can indeed do what you are seeking to do.  There is even a virtual appliance you can download that may save you some time:  

Author Comment

ID: 21835993
Quick update,  I'm getting closer to getting there.  I've installed openSUSE 11 (which looks great!) and have managed to get two interfaces set-up on it.  I tried setting-up the VM with both a Bridged and a Host only interface from the outset, but this turned out to be a horrible idea because for some unknown reason, the suse installation configured the host-only interface with an IP address, but wouldn't assign one to the bridged and I got zero connectivity to the outside world with either.  Setting-up the VM with just the bridged network and later adding the host-only was much less problematic.  I haven't made the other (internal) VM yet nor have I looked in any detail if I need to do anything to Suse to act as a gateway (I see there are packages for this kind of thing, but I intend to try and do nothing), but I'm getting there...

Thanks for the suggestion JF.  This may be useful if the Snort install proves too difficult (which hopefully it won't).  I think I'm a little too paranoid to use the virtual appliance on my home network, but if the worst comes to the worst...

Author Comment

ID: 22049987
Okay then.  This was fairly easy in the end, but it was a struggle getting there for various reasons.

Here's some details for those coming along after:
  • Created a new virtual network using VMware Virtual Network Editor (vmnetcfg.exe) for the private network.  Did this on the Host Virtual Network Mapping tab by assigning a subnet to VMnet2 (Not bridged).  Did not add a Host Virtual Adapter, nor configure DHCP for the network.
  • Installed openSuSE as a VMware guest OS and assigned to it a Bridged Network Interface (for the outside world) and a Custom (specific virtual network) Interface for which I selected VMnet2.
  • Already had a Windows VM for the private network side so I just changed its adapter to VMnet2 and, as I wasn't intending to have the SuSE box do DHCP straight away, I assigned a static IP address.
  • Told SuSE Network Manager that I'd manage network stuff with ifup - Network Manager seems to just want to do its own thing...
  • Configured SuSE network adapters with static IP addresses by creating scripts for eth0 and eth1 in /etc/sysconfig/network (ifcfg-eth0 and ifcfg-eth1)
  • Created a route to the internet through my real gateway/router via the bridged eth0 interface and to the private network on VMnet2 via eth1 by creating scripts in /etc/sysconfig/network (ifroute-eth0 and ifroute-eth1)
  • Configured the Windows VM network properties Gateway and DNS to point to the eth1 adapter address on the SuSE box
  • Installed BIND on the SuSE box - I hit a bug with the Yast DNS Server package which I wanted to use to set-up BIND, so for now, that's as far as I've got with BIND - I tried editing named.conf by hand, but was getting no response for DNS requests from the windows VM so I've got some more reading to do there (or wait until the bug is fixed)
Here's where I've temporarily diverged from the plan:
I haven't installed Snort yet and have instead used the SuSE firewall to set up masquerading (NAT)  and IP forwarding (can't exactly remember if I had to do something other than just turn on masquerading in order for forwarding to work).  This is just a temporary thing.

As it stands at the moment, I can:
  • Not access the windows vm from my real network.  Good.
  • Not access services on the SuSE vm from my real network, but it's sitting there on the network.  Good.
  • Talk to the outside world (and my real network) from the SuSE vm. Good.
  • Talk to the windows vm from the SuSE vm and vice versa.  Good.
  • Talk to the outside world (using IP addresses only) from the windows vm, via the SuSE vm.  Partly Good.
So I've only got the following to do:
  • Get BIND servicing client DNS requests.
  • Install Snort and make sure that it doesn't stop the SuSE vm acting as the gateway for the private network.
Anyone got any bright ideas for the last two?
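
One way to check the gateway state listed in the comment above, as an added example that is not part of the original thread: it audits a saved copy of `/proc/sys/net/ipv4/ip_forward` and of `iptables-save` output for forwarding, masquerading on the bridged interface, and a default-drop FORWARD policy. The sample rules and the 10.10.2.0/24 subnet are constructed placeholders; eth0 (bridged) and eth1 (VMnet2) follow the comment.

```shell
#!/bin/sh
# Added example: audit a two-NIC lab gateway from saved state (runs offline).
# Assumed inputs: a copy of /proc/sys/net/ipv4/ip_forward and the text printed
# by iptables-save. eth0 = bridged side, eth1 = VMnet2 side, as in the comment.

# check_gateway IP_FORWARD_FILE IPTABLES_SAVE_FILE EXT_IF
# Prints one line per check; returns 0 only if all three pass.
check_gateway() {
    fwd_file=$1; rules_file=$2; ext_if=$3; rc=0

    # 1. The kernel must route between the two interfaces.
    if [ "$(tr -d '[:space:]' < "$fwd_file")" = "1" ]; then
        echo "OK   ip_forward enabled"
    else
        echo "FAIL ip_forward disabled"; rc=1
    fi

    # 2. Traffic leaving by the outside interface must be masqueraded.
    if grep -Eq -- "^-A POSTROUTING .*-o $ext_if .*-j MASQUERADE" "$rules_file"; then
        echo "OK   MASQUERADE on $ext_if"
    else
        echo "FAIL no MASQUERADE rule on $ext_if"; rc=1
    fi

    # 3. NAT is not a filter: with forwarding on, a LAN host that adds a route
    #    via the gateway reaches the private subnet unless FORWARD defaults to DROP.
    if grep -q '^:FORWARD DROP' "$rules_file"; then
        echo "OK   FORWARD policy DROP"
    else
        echo "FAIL FORWARD policy is not DROP"; rc=1
    fi
    return "$rc"
}

# Constructed sample state (addresses are placeholders, not from the thread).
demo_dir=$(mktemp -d)
echo 1 > "$demo_dir/ip_forward"
cat > "$demo_dir/rules" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.2.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
check_gateway "$demo_dir/ip_forward" "$demo_dir/rules" eth0
```

On a live gateway the two inputs would come from `cat /proc/sys/net/ipv4/ip_forward` and `iptables-save` run as root, redirected to files.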

Author Closing Comment

ID: 31467126
Thank you for your input.
