Solved

Win 2008 R2 Server + Virtual Machine connected to Internet via 1 static IP

Posted on 2010-09-05
Last Modified: 2012-06-27
The situation:
-------------------
I have a Windows 2008 R2 server connected directly to the Internet (no router - Network1).
I've added a Windows 7 virtual machine (VM).

The desired outcome:
---------------------------
I want to give Internet access to the VM.

There are many ways to accomplish this so I'd like to get your opinion.
This is what I see as potential solutions:

1. Add a router - assign the static IP to the router and use NAT to give internal IP addresses to both the Server and VM.

2. Ask the ISP for another static IP and configure it for the VM

3. The server has 2 NICs. Close to the server is a switch that is part of a totally different network (Network2), so would this work?
- connect NIC1 to the switch and get the Internet Access for the server from Network2
- connect NIC2 to the Ethernet drop with the static IP (Network1) and have the VM use that connection.

Network1 and Network2 are totally separate (with different subnets, gateways, etc.).
It is mandatory that the VM's traffic stay in Network1 - so it should NOT go out with Network2's static IPs.

4. Can I enable NAT in Win 2008 so the VM would use an internal IP like 192.168.2.x and go out on the Internet via the server's static IP (software NAT)?
If yes, how do I redirect ports to the VM?

I'd prefer option 3 or 4 if possible since it would not require buying equipment or paying the ISP for an additional IP address.

Question by:mihaisz

Expert Comment

by:theras2000
Well done on providing excellent information.
I'm not certain what VM product you're using, but I'm familiar with VMWare Server 2, so I'll provide my answers in relation to what I've seen there.

1. I assume you're reluctant to do this because you want the public IP to reside on the VM.  You could config a router to have a DMZ and pass all traffic to the VM, so it's almost like having a public IP.

2. This should also work fine (mind you I've never tried bridging on an actual WAN link, so I hope there's no funny TCP/IP checking that messes it up).

3. This sounds like it would work fine.  You can choose which NIC you bind the VM to, so you can just force it to use NIC2.  The only prob would be that your server would have 2 paths to the internet, and I think the choice is random and arbitrary.  You might find from time-to-time that your traffic goes one way over the other.  You'd need to force the default route using the 'route add' command, and perhaps even organise that into a batch file so that you can run it again whenever you suspect that it's using the other route.

4. Yes you can do it and port forwarding should be available.  At least that's how VMWare Server 2 works.

On http://www.vmware.com/pdf/vmserver2.pdf page 215 lists the 3 basic network configs: bridged (your option 2), NAT, or host-only.  See page 251 for the port forwarding.

Author Comment

by:mihaisz
Thanks for the quick response.
I'm using the Hyper-V from Win 2008 for virtualization.

Option 3 would be the preferred one if I can be absolutely sure that traffic from the VM does not go through Network2.
This is very important to me: the VM has to show ALWAYS the public IP of Network1 (ex as shown in the top left corner of www.dnsstuff.com when I open that site in a browser).

The server's traffic can go through either Network1 or Network2, but I'd prefer to use Network1.
Could you give me the route command?

Expert Comment

by:theras2000
The command is 'route add 0.0.0.0 mask 0.0.0.0 192.168.1.1' (where 192.168.1.1 should be the immediate next hop on NIC1's network).
You can also do this manually if you look in TCP/IP Properties, Advanced, Default Gateways.  This is on XP, but should look the same.  I'm pretty sure when you have multiple options, you can arrange the order of priority here.

You know what...  Now that I think about it carefully, I don't think option 3 would work.  To use bridging, the server and VM need different IPs.  You only have 1 public IP, so you want that IP to be for the VM.  This leaves you needing to give the server a fake IP (same subnet but not the actual one given by the ISP).  The only prob is that the VM can't bridge through the server's NIC if the NIC doesn't have a valid connection in the first place.  Now you've got me doubting myself and wishing I had the necessary stuff to test it myself.  Sorry but I don't.

So for option 3 to work, you'd still need to use the parts of your other options anyway: NAT, router or extra public IP.

Out of interest, what is the network mask for your WAN link?  255.255.255.252 or .248?

Author Comment

by:mihaisz
For option 3, just to make sure I won’t have to go to the data center again after this:

- configure NIC1 with Public IP and connect NIC2 to the switch (will leave it with ‘Obtain IP address automatically’ since Network 2 has a DHCP server).
- configure NIC1 as the adaptor for the VM

The problem might be that VM’s adaptor has IPv4 configured to ‘Obtain IP address automatically’ but Network1 does not have a DHCP. So I have to add IP information.
If I add the Public IP info, it will conflict with what I have for NIC1 on the server.

How do I resolve this?
Should I leave NIC1 with ‘Obtain IP address automatically’ so it will then get 2 IPs from Network2?
In that case, will the VM still be isolated to use Network1’s public IP?

Author Comment

by:mihaisz
Looks like I was writing my comment at the same time as you.

So I cannot do option 3...

I'll then just buy a router and solve it that way.

The subnet of the public IP is 255.255.255.252.

Expert Comment

by:theras2000
Yeah see you found my mistake too. :<

It doesn't matter now, but in your last post you got the NICs wrong on the bullet-point bit.  NIC2 needs the public IP and binds to the VM, while NIC1 connects to the switch.  At least that's how your original looked.

Author Comment

by:mihaisz
Yes, you are right: NIC1 goes to the switch and NIC2 to the Public IP.
Thanks for your help. It saved me a trip to the data center.

Expert Comment

by:theras2000
Yep it definitely sounds the cleanest.  There's something safe and secure about having a little box between you and the big, bad world.  Besides, routers were designed to do this stuff.

However, I still think option 4 would have worked and is not so different to option 1 in regards to the VM still being NATted.  In regards to the server, the difference is that the server is publicly exposed on option 4, but behind the NAT router on option 1.  It depends if you can find the port forwarding on your VM NAT config, and if it works well.

Expert Comment

by:theras2000
NP.  Best of luck.  At least you stretched my brain a little.

Author Comment

by:mihaisz
So how do I do option 4?
I don't mind the server to be exposed directly to the Internet - I'll use Win 2008's firewall to control access.

How do I configure NAT in Win 2008 so I can assign an internal IP to the VM?
I'm not good with commands, so is there a UI for it in Win 2008?

Expert Comment

by:theras2000
Ahh no it's not a Server 2008 feature like in RRAS.  It's something that the Hyper-V config would have to do.  You'll notice in the manual for VMWare that there's like an extra piece of software at Start, Programs, VMWare Server, Manage Virtual Networks.  This program doesn't manage the VMs at all, but just manages the settings of the virtual NIC attached to your physical NIC.

I'll see if I can find a manual or something that would show me how they do it in Hyper-V.

Accepted Solution

by:theras2000
It sounds like I'm only half-right.  The 'Virtual Network Manager' is the tool to set up just the virtual networks (awfully similar to the 'Manage Virtual Networks' that I mentioned), but then you use ICS or RRAS to do the port-forwarding.  Clever.

http://www.petri.co.il/configuring-virtual-networks-with-hyper-v.htm - VNM setup
http://bryantlikes.com/SettingUpHyperVVirtualNetworking.aspx - VNM + ICS
http://blog.jim80.net/2010/01/19/setting-up-hyper-v-with-nat/ - RRAS (text only)

I can't find much better than those, but I think they point you to the right places.  Looks pretty simple, really.  I gotta go to bed, but I'll check in on this tomorrow.

Author Comment

by:mihaisz
I followed the steps from http://bryantlikes.com/SettingUpHyperVVirtualNetworking.aspx and it worked!

My VM is sharing the connection with the server and has Internet access.

The only remaining step is to forward port 4111 to the VM (so I do telnet <Public IP> 4111 to get to the VM).

How do I do that?

Expert Comment

by:theras2000
Here's what it looked like in XPsp1 I think http://www.dslreports.com/r0/download/181339;bd105dc7c26c9fbad8be83372f13319d/icsconfigXP.jpg
or http://forum.portforward.com/YaBB.cgi?num=1134525903
It's probably within the Settings button that you could see on that guide you already followed.

Author Comment

by:mihaisz
Worked like a charm!
Thanks for your help!
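
The port 4111 forward asked about in this thread, as an added example that is not part of the original posts: it uses `netsh interface portproxy` in place of the ICS Settings dialog the thread used, adds a firewall rule scoped to one source range, then lists any inbound rule that leaves the port open to every source. The addresses, the rule name and the helper function names are assumptions.

```powershell
# Added example: every address and name below is a constructed placeholder.
$PublicIP   = '203.0.113.10'      # stands in for the server's static public IP
$VmIP       = '192.168.137.2'     # assumed internal address of the VM behind the host NAT
$Port       = 4111                # the port forwarded in the thread
$AllowedSrc = '198.51.100.0/24'   # assumed network permitted to use the forward
$RuleName   = "VM-forward-TCP-$Port"

# Hypothetical helper: run netsh and stop on a non-zero exit code.
function Invoke-Netsh([string[]]$NetshArgs) {
    $out = & netsh.exe $NetshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $out" }
    $out
}

# 1. Listen on the public address only and relay to the VM (run elevated).
Invoke-Netsh @('interface', 'portproxy', 'add', 'v4tov4',
    "listenaddress=$PublicIP", "listenport=$Port",
    "connectaddress=$VmIP", "connectport=$Port")

# 2. Allow the listener only from the permitted source range.
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$RuleName",
    'dir=in', 'action=allow', 'protocol=TCP',
    "localip=$PublicIP", "localport=$Port", "remoteip=$AllowedSrc")

# Hypothetical helper: does a LocalPorts string ("80,443", "4000-4200", "*") cover port $P?
function Test-PortInSpec([string]$Spec, [int]$P) {
    foreach ($part in ($Spec -split ',')) {
        $part = $part.Trim()
        if ($part -eq '*') { return $true }
        if ($part -match '^(\d+)-(\d+)$') {
            if ($P -ge [int]$Matches[1] -and $P -le [int]$Matches[2]) { return $true }
        } elseif ($part -match '^\d+$' -and [int]$part -eq $P) { return $true }
    }
    return $false
}

# 3. Audit: enabled inbound TCP allow rules that open the port to any remote address.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$tooWide = @($fw.Rules | Where-Object {
    $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and $_.Protocol -eq 6 -and
    $_.RemoteAddresses -eq '*' -and (Test-PortInSpec $_.LocalPorts $Port)
})
foreach ($r in $tooWide) { "OPEN TO ANY SOURCE: $($r.Name) (ports $($r.LocalPorts))" }
if ($tooWide.Count -eq 0) { "No unrestricted inbound rule covers TCP $Port." }

# 4. Show the resulting forward for the record.
Invoke-Netsh @('interface', 'portproxy', 'show', 'v4tov4')
```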