Solved

VMWare Workstation Firewall

Posted on 2010-08-25
Last Modified: 2013-11-16
Hello,
I have installed VMware Workstation 7 on Windows Server 2008 with a bridged network connection, and everything runs fine. Now I have to close all ports but one (svn 3690) on the VMs (Win XP), which I did with some firewall tools installed on the VMs directly, but this is quite complex to administer and can be turned off by admin users on the VM.

Is there a possibility to set up the firewall for the bridged network of Workstation directly? I tried to set up the firewall on the host (Windows 2008), but these settings then did not apply to the VMs, as they have their own fixed IP.

Thank you for helping.
0
Question by:skiaholic
10 Comments
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 500 total points
ID: 33522833
Probably not - the host firewall will not work because the IP address belongs to the virtual machine and the host won't see traffic destined for the vm.

What you can do is install a virtual firewall like monowall (http://m0n0.ch/) into your environment and control access to your vm that way. It would look something like:

host -> bridged -> monowall outside -> monowall inside -> guest

monowall outside will be a bridged connection to the host (and own the IP presently held by guest)
monowall inside will be a host only network (addressed on the range for your host only)
guest will also be on the same host only network (addressed on the range for your host only, with a gateway to the monowall inside)

The monowall is a very low overhead virtual machine, it has three network interfaces (but you won't need the DMZ network for what you are doing) and only uses about 64 Mbit of RAM

Hope this helps
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33522855
There are other virtual router firewalls you can also look at, such as pfSense or Vyatta; they also have free editions like monowall. I use monowall extensively myself, so that one always comes to mind first.
0
 

Author Comment

by:skiaholic
ID: 33533869
Thank you for this tip, I've just installed monowall as a VM in Workstation now, trying to set it up. But something seems wrong I think with my monowall-inside network configuration or the host-only VMnet1.

monowall
- WAN set to a fixed IP of my subnet, gateway same as the old VM
- LAN set to fixed IP of my subnet
- Network Adapter 1 to VMnet0 (bridged to uplink)
- Network Adapter 2 to VMnet1 (host-only)

new VM
- Network Adapter set to VMnet1 (host-only)
- a fixed IP of my subnet, gateway the monowall-LAN
- can't ping gateway


No changes on the host network, and the old VM is still running bridged, fully connected to outside. Any idea what I could have done wrong?
0
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 500 total points
ID: 33534038
In my monowall setup there are three network adapters

Network Adapter 1 should be assigned to host-only (It is LAN on monowall)
Network Adapter 2 should be assigned to bridged (it is WAN on monowall)
Network Adapter 3 will be unused in your setup, bridge it to NAT if you wish (it is DMZ on monowall)

On monowall WAN looks good - should have old VM address/gateway
On monowall LAN should have IP address on your host-only, can be anything but typically go with subnet assigned by VMware install
On monowall DMZ just leave as DHCP

VM setup looks good
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33534054
Looks like just switching NA1 to host-only and NA2 to bridged should do it
0

 

Author Comment

by:skiaholic
ID: 33534124
I tried that before, then I can't connect to webGui anymore (from host). Switching it back, it connects again.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33534288
To connect from the host you will need to make sure your host only networking is what VMware Workstation is expecting. In my case (see screen shot) my VMnet1 host only is on 192.168.142.0.

Now if you go into Network properties you will find that Workstation has assigned to the NIC it created for VMnet1 an IPv4 address of x.x.x.1 - in my case 192.168.142.1.

You should assign monowall something like x.x.x.5 (.5 is what I use, but anything other than .1 will work) then you will be able to manage it from the host.

Now on your VM set up networking as x.x.x.whatever and make the gateway x.x.x.5

Your WAN address on the monowall will be whatever your vm address was while it was bridged.

Hope this helps
0
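The addressing plan from the comment above, written as a check. This is an added example, not part of the original post: the /24 mask, the bridged subnet and the guest and WAN addresses are constructed, and the dictionary keys are hypothetical names.

```python
import ipaddress

def check_plan(plan):
    """Return a list of problems in a host-only/bridged addressing plan."""
    hostonly = ipaddress.ip_network(plan["hostonly_net"])
    bridged = ipaddress.ip_network(plan["bridged_net"])
    ip = {k: ipaddress.ip_address(plan[k])
          for k in ("host_vmnet1", "fw_lan", "fw_wan", "guest", "guest_gw")}
    problems = []
    if hostonly.overlaps(bridged):
        problems.append("host-only and bridged subnets overlap")
    # Everything behind the firewall must be addressed from the host-only range.
    for name in ("host_vmnet1", "fw_lan", "guest"):
        if ip[name] not in hostonly:
            problems.append(f"{name} is outside the host-only subnet")
    # The firewall's outside interface takes over the old bridged VM address.
    if ip["fw_wan"] not in bridged:
        problems.append("fw_wan is outside the bridged subnet")
    # x.x.x.1 belongs to the host's VMnet1 adapter, so nothing else may use it.
    if len({ip["host_vmnet1"], ip["fw_lan"], ip["guest"]}) < 3:
        problems.append("duplicate address on the host-only network")
    if ip["guest_gw"] != ip["fw_lan"]:
        problems.append("guest gateway is not the firewall LAN address")
    return problems

GOOD = {
    "hostonly_net": "192.168.142.0/24",  # VMnet1 range from the post; /24 assumed
    "bridged_net": "10.0.0.0/24",        # constructed physical LAN
    "host_vmnet1": "192.168.142.1",      # assigned by Workstation to the host NIC
    "fw_lan": "192.168.142.5",           # firewall LAN, as suggested in the post
    "fw_wan": "10.0.0.20",               # constructed: old bridged VM address
    "guest": "192.168.142.10",           # constructed guest address
    "guest_gw": "192.168.142.5",
}
# Constructed mistakes: LAN side addressed from the bridged range, and a
# firewall LAN address that collides with the host's VMnet1 adapter.
LAN_ON_BRIDGED = dict(GOOD, fw_lan="10.0.0.21", guest="10.0.0.22",
                      guest_gw="10.0.0.21")
LAN_TAKES_DOT_ONE = dict(GOOD, fw_lan="192.168.142.1",
                         guest_gw="192.168.142.1")

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("lan on bridged", LAN_ON_BRIDGED),
                        ("lan takes .1", LAN_TAKES_DOT_ONE)):
        print(label, check_plan(plan) or "ok")
```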
 

Author Comment

by:skiaholic
ID: 33683730
Hello, thank you for the support until now; in the last weeks I could not have a look at this topic because of other things. Now I have set up a monowall-VM and a WinXP-VM. I set up the firewall rules and this all works (I can connect from WinXP to outside and block ports in monowall).

Now only one problem: I want to connect to the WinXP-VM from outside. From my idea this would work with the IP of monowall-VM (WAN-address), and forward the port to the IP of WinXP-VM (mine 192.168.0.2), I'm using Radmin right now.

It doesn't work. I can't ping monowall-WAN-IP. Any idea why? Thanks for your help!!
0
 
LVL 28

Accepted Solution

by:bgoering
bgoering earned 500 total points
ID: 33684696
You are correct - you will need to set up two things on the monowall.

1. An inbound NAT rule that will take traffic on a particular port on the WAN interface IP and translate it to your XP VM IP address and port on the LAN segment

2. A firewall rule under the WAN tab that allows the traffic to the WinXP VM. I believe if you create this first it will offer to create the NAT rule for you

Good Luck
0
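Why both steps are needed, as an added sketch that is not part of the original answer: a small model of the inbound WAN path, assuming the firewall translates the destination first and then checks the WAN rules, dropping anything unmatched. The WAN address 203.0.113.10 is constructed, the class and function names are hypothetical, and svn port 3690 from the question stands in for the forwarded port.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class NatRule:   # inbound NAT (port forward) on the WAN interface
    proto: str
    ext_port: int
    target_ip: str
    target_port: int

@dataclass(frozen=True)
class PassRule:  # WAN-tab firewall rule; anything unmatched is dropped
    proto: str
    dst_ip: str
    dst_port: int

def inbound_wan(pkt, wan_ip, nat_rules, pass_rules):
    """Return (verdict, packet) for a packet arriving on the WAN interface."""
    # Step 1: destination translation (assumed to happen before filtering).
    for n in nat_rules:
        if pkt.dst_ip == wan_ip and (pkt.proto, pkt.dst_port) == (n.proto, n.ext_port):
            pkt = replace(pkt, dst_ip=n.target_ip, dst_port=n.target_port)
            break
    # Step 2: the filter sees the translated packet; default is deny.
    for r in pass_rules:
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) == (r.proto, r.dst_ip, r.dst_port):
            return "pass", pkt
    return "block", pkt

WAN_IP = "203.0.113.10"   # constructed WAN address of the firewall VM
XP_VM = "192.168.0.2"     # WinXP VM address from the thread
FORWARD = NatRule("tcp", 3690, XP_VM, 3690)
ALLOW = PassRule("tcp", XP_VM, 3690)  # destination is the VM, not the WAN IP

def verdicts():
    """Outcome for one inbound connection under each rule combination."""
    pkt = Packet("tcp", WAN_IP, 3690)
    return {
        "nat only": inbound_wan(pkt, WAN_IP, [FORWARD], [])[0],
        "rule only": inbound_wan(pkt, WAN_IP, [], [ALLOW])[0],
        "nat and rule": inbound_wan(pkt, WAN_IP, [FORWARD], [ALLOW])[0],
    }

if __name__ == "__main__":
    print(verdicts())
```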
 

Author Closing Comment

by:skiaholic
ID: 33689618
Finally, everything works as the idea was at the beginning. Thanks very much for your help and patience!
0
