mihaisz

Win 2008 R2 Server + Virtual Machine connected to Internet via 1 static IP

The situation:
-------------------
I have a Windows 2008 R2 server connected directly to the Internet (no router - Network1).
I've added a Windows 7 virtual machine (VM).

The desired outcome:
---------------------------
I want to give Internet access to the VM.

There are many ways to accomplish this so I'd like to get your opinion.
This is what I see as potential solutions:

1. Add a router - assign the static IP to the router and use NAT to give internal IP addresses to both the Server and VM.

2. Ask the ISP for another static IP and configure it for the VM

3. The server has 2 NICs. Close to the server is a switch that is part of a totally different network (Network2), so would this work?
- connect NIC1 to the switch and get the Internet Access for the server from Network2
- connect NIC2 to the Ethernet drop with the static IP (Network1) and have the VM use that connection.

Network1 and Network2 are totally separate (with different subnets, gateways, etc.).
It is mandatory that the VM's traffic stay in Network1 - so it should NOT go out with Network2's static IPs.

4. Can I enable NAT in Win 2008 so the VM would use an internal IP like 192.168.2.x and go out on the Internet via the server's static IP (software NAT)?
If yes, how do I redirect ports to the VM?

I'd prefer option 3 or 4 if possible since it would not require buying equipment or paying the ISP for an additional IP address.

theras2000

Well done on providing excellent information.
I'm not certain what VM product you're using, but I'm familiar with VMware Server 2, so I'll provide my answers in relation to what I've seen there.

1. I assume you're reluctant to do this because you want the public IP to reside on the VM.  You could config a router to have a DMZ and pass all traffic to the VM, so it's almost like having a public IP.

2. This should also work fine (mind you I've never tried bridging on an actual WAN link, so I hope there's no funny TCP/IP checking that messes it up).

3. This sounds like it would work fine.  You can choose which NIC you bind the VM to, so you can just force it to use NIC2.  The only prob would be that your server would have 2 paths to the internet, and I think the choice is random and arbitrary.  You might find from time-to-time that your traffic goes one way over the other.  You'd need to force the default route using the 'route add' command, and perhaps even organise that into a batch file so that you can run it again whenever you suspect that it's using the other route.

4. Yes you can do it and port forwarding should be available.  At least that's how VMware Server 2 works.

Page 215 of http://www.vmware.com/pdf/vmserver2.pdf lists the 3 basic network configs: bridged (your option 2), NAT, or host-only.  See page 251 for the port forwarding.

mihaisz

ASKER

Thanks for the quick response.
I'm using the Hyper-V from Win 2008 for virtualization.

Option 3 would be the preferred one if I can be absolutely sure that traffic from the VM does not go through Network2.
This is very important to me: the VM ALWAYS has to show the public IP of Network1 (e.g. as shown in the top left corner of www.dnsstuff.com when I open that site in a browser).

The server's traffic can go through either Network1 or Network2, but I'd prefer to use Network1.
Could you give me the route command?

theras2000

The command is 'route add 0.0.0.0 mask 0.0.0.0 192.168.1.1' (where 192.168.1.1 should be the immediate next hop on NIC1's network).
You can also do this manually if you look in TCP/IP Properties, Advanced, Default Gateways.  This is on XP, but should look the same.  I'm pretty sure when you have multiple options, you can arrange the order of priority here.

You know what...  Now that I think about it carefully, I don't think option 3 would work.  To use bridging, the server and VM need different IPs.  You only have 1 public IP, so you want that IP to be for the VM.  This leaves you needing to give the server a fake IP (same subnet but not the actual one given by the ISP).  The only prob is that the VM can't bridge through the server's NIC if the NIC doesn't have a valid connection in the first place.  Now you've got me doubting myself and wishing I had the necessary stuff to test it myself.  Sorry but I don't.

So for option 3 to work, you'd still need to use the parts of your other options anyway: NAT, router or extra public IP.

Out of interest, what is the network mask for your WAN link?  255.255.255.252 or .248?
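
An added example (not part of the thread): on a host with two default routes, Windows prefers the one with the lowest metric in the `route print` output, so the check below parses that output and reports whether the preferred default route leaves via the expected interface. The sample output, the addresses other than the 192.168.1.1 next hop mentioned above, and the function names are constructed for illustration.

```python
import re

# Constructed sample of `route print -4` output from a dual-homed host
# (addresses are private/documentation ranges, not taken from the thread).
SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     10
          0.0.0.0          0.0.0.0      203.0.113.1      203.0.113.2     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      203.0.113.0  255.255.255.252         On-link       203.0.113.2    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  Default
===========================================================================
"""

# Active default-route row: destination, netmask, gateway, interface IP, metric.
ROW = re.compile(
    r"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

def default_routes(route_print_text):
    """Return active IPv4 default routes as (metric, gateway, interface), best first."""
    routes = []
    for line in route_print_text.splitlines():
        m = ROW.match(line)
        if m:  # persistent-route rows have four columns and do not match
            gateway, interface, metric = m.groups()
            routes.append((int(metric), gateway, interface))
    return sorted(routes)

def check_egress(route_print_text, expected_interface):
    """Report whether the preferred default route leaves via expected_interface."""
    routes = default_routes(route_print_text)
    if not routes:
        return "no-default-route"
    best = routes[0]
    if len(routes) > 1 and routes[1][0] == best[0]:
        return "ambiguous"  # equal metrics: the path is not pinned to one NIC
    return "ok" if best[2] == expected_interface else "wrong-interface"

if __name__ == "__main__":
    for metric, gw, iface in default_routes(SAMPLE):
        print(f"default via {gw} on {iface} metric {metric}")
    print(check_egress(SAMPLE, "203.0.113.2"))
```

This covers the host's own routing table only; a VM bound to a NIC has its own IP stack and its own default route.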

mihaisz

ASKER

For option 3, just to make sure I won’t have to go to the data center again after this:

• configure NIC1 with Public IP and connect NIC2 to the switch (will leave it with ‘Obtain IP address automatically’ since Network 2 has a DHCP server).
• configure NIC1 as the adaptor for the VM

The problem might be that VM’s adaptor has IPv4 configured to ‘Obtain IP address automatically’ but Network1 does not have a DHCP. So I have to add IP information.
If I add the Public IP info, it will conflict with what I have for NIC1 on the server.

How do I resolve this?
Should I leave NIC1 with ‘Obtain IP address automatically’ so it will then get 2 IPs from Network2?
In that case, will the VM still be isolated to use Network1’s public IP?

mihaisz

ASKER

Looks like I was writing my comment at the same time as you.

So I cannot do option 3...

I'll then just buy a router and solve it that way.

The subnet of the public IP is 255.255.255.252.

theras2000

Yeah see you found my mistake too. :<

It doesn't matter now, but in your last post you got the NICs wrong on the bullet-point bit.  NIC2 needs the public IP and binds to the VM, while NIC1 connects to the switch.  At least that's how your original looked.

mihaisz

ASKER

yes, you are right: NIC1 goes to the switch and NIC2 to the Public IP.
Thanks for your help. It saved me a trip to the data center.

theras2000

Yep it definitely sounds the cleanest.  There's something safe and secure about having a little box between you and the big, bad world.  Besides, routers were designed to do this stuff.

However, I still think option 4 would have worked and is not so different to option 1 in regards to the VM still being NATted.  In regards to the server, the difference is that the server is publicly exposed on option 4, but behind the NAT router on option 1.  It depends if you can find the port forwarding on your VM NAT config, and if it works well.
NP.  Best of luck.  At least you stretched my brain a little.

mihaisz

ASKER

So how do I do option 4?
I don't mind the server being exposed directly to the Internet - I'll use Win 2008's firewall to control access.

How do I configure NAT in Win 2008 so I can assign an internal IP to the VM?
I'm not good with commands, so is there a UI for it in Win 2008?

theras2000

Ahh no it's not a Server 2008 feature like in RRAS.  It's something that the Hyper-V config would have to do.  You'll notice in the manual for VMware that there's like an extra piece of software at Start, Programs, VMware Server, Manage Virtual Networks.  This program doesn't manage the VMs at all, but just manages the settings of the virtual NIC attached to your physical NIC.

I'll see if I can find a manual or something that would show me how they do it in Hyper-V.

ASKER CERTIFIED SOLUTION
theras2000

This solution is only available to members.

mihaisz

ASKER

I followed the steps from http://bryantlikes.com/SettingUpHyperVVirtualNetworking.aspx and it worked!

My VM is sharing the connection with the server and has Internet access.

The only remaining step is to forward port 4111 to the VM (so I do telnet <Public IP> 4111 to get to the VM).

How do I do that?

theras2000

Here's what it looked like in XPsp1 I think http://www.dslreports.com/r0/download/181339;bd105dc7c26c9fbad8be83372f13319d/icsconfigXP.jpg
or http://forum.portforward.com/YaBB.cgi?num=1134525903
It's probably within the Settings button that you could see on that guide you already followed.

mihaisz

ASKER

Worked like a charm!
Thanks for your help!