Hide home network from Virtual Machine network - someone can use my VM but can't browse my home computers

rowebil

Feb 5, 2013
I am pretty good with networking, have a few servers, a few routers, a few gigabit switches (three 8-port and one 24-port) and a lot of Virtual Machines.

So I have a background, but one thing I don't understand clearly is subnetting and putting a VM on its own 'network'.

I have my server2 on Windows Server 2012 R2, and am running VMware Workstation. I have it set to bridge my connection using a separate Ethernet port on server2. So it is bridged on its own network card. My server2 is on a domain.

I want to have it configured so that my friend can use this virtual machine, get to my gateway, but cannot see the LAN.

I want him to use my home Internet connection, the same gateway IP, but not be able to see my sister's laptop (which is on WORKGROUP, not the domain) and browse around.

Is this possible by changing the network and subnet mask? Could I still use the same gateway on the mask 255.255.255.0 if his subnet is different?

How would I do this? I want to isolate this VM so it cannot access anything but the gateway. I then give an IP address to my friend and an RDP port, which is port-forwarded from something random to the internal default port.

I have 16GB on server2, so I can actually create an Untangle or pfSense VM to use as a router to switch from my home 255.255.255.0 network to the network of the VM.

Is this possible using pfSense?

 
So I had part of an answer written, and I suspect the real answer is that it depends on how much virtualization you can get on the NICs: is it possible to create a virtual switch, and what features can it have? This I don't know.

I needed two different virtual machines assigned to different subnets, but I only had a single Ethernet port. I did not need to filter, but I could have. What I did was run DD-WRT, mostly to get VLAN tagging. Any layer 3 switch would do similar. When you run tagged ports you get multiple virtual NICs you can assign to virtual machines. In effect each would have what looked like its own cable. So if you have a router that can run DD-WRT, you could use that device instead of a virtual pfSense firewall.

The main issue I would see, if you wanted to do it with all virtual machines, is how you manage to assign a virtual NIC to multiple virtual machines and/or whether you can assign the shared main NIC and have a virtual machine use tagged packets. I was very happy to be able to assign virtual NICs; going more layers of virtualization is well beyond my abilities.
 
Sounds like you just need some VLANs set up; if your router has Tomato or DD-WRT on it, you could do it from there.

You said you bridged 2 networks on the server, what two networks did you bridge?

Give me the IP of the server, the gateway, the domain computers, your sister's computer (or a logical diagram would be great).
 
VLANs! That is the 'idea' I was forgetting. I knew there was a way but I couldn't put my finger on it.

So my ISP router sucks with any other third party firmware, because the CPU quickly jumps to 100% and performance seems to be much slower.

I can actually VLAN from VMware, or vSphere (I'm a vSphere administrator, so I know vSphere pretty well), and then see if I can get Tomato back on my router.

The server is .50, which is eth0. eth1 is bridged to VMware Workstation. So .50 is my 'manage' NIC, while eth1 is basically my VMs' NIC for access to the LAN.

Now, these servers are downstairs using one wire from the middle floor.
So my gateway and router is on the middle floor. From that, an 8 port gigabit switch runs Cat5E to the basement 24 port gigabit switch.
So if I have VLAN on the router, don't I have to specify a LAN port? I can't VLAN the whole port because now the whole basement is on a VLAN...

OR, do I just have to set it so that the router is listening for VLAN traffic? I assumed you set a VLAN on a specific port on the router, and that whole segment is VLAN'd. If that is so, I cannot do it because I can't run a second wire down to the basement.
 
It depends on your switches and whether they support VLANs and VLAN tags.

What you do is run a single cable between switches. You can then assign the port to multiple VLANs; the actual configuration varies a bit from brand to brand. So on this single cable between switches, as the data leaves the switch, it inserts a tag into the packet based on the VLAN it arrived on. When it gets to the far switch, that switch removes the tag and forwards the packet to ports on the corresponding VLAN.

The easiest way to look at this from a design perspective is to assume you have multiple cables run between the switches; they are just virtual. This is the same as the switch ports: all switch ports on the same VLAN form a virtual switch.

You used to need fairly expensive switches to support VLANs, but lately there are a number of inexpensive ones that do not contain all the features of a fully managed switch but do support things like VLAN tags. This feature is called 802.1Q when you are looking through feature lists.
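To make the tag-insert / tag-strip behaviour described in the post above concrete, here is an added example (not code from the thread or from any switch vendor) that builds an 802.1Q tag on an Ethernet frame the way an egress trunk port does, strips it the way the far switch does, and then simulates that far switch delivering the untagged copy only to access ports on the same VLAN. The MAC addresses, the VLAN IDs 10 and 20, the port names gi1..gi3 and the IPv4-looking payload are all constructed sample values; the port-to-VLAN layout is an assumed one (home LAN on VLAN 10, guest VM on VLAN 20), chosen to match the isolation the original poster asked for.

```python
"""Build, parse and strip IEEE 802.1Q VLAN tags, then simulate a trunk
delivering frames to access ports.  Added example with constructed data;
not the thread's own code or any vendor's implementation."""
import struct

TPID_8021Q = 0x8100        # EtherType value that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as an egress trunk port does.
    TCI layout: 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VLAN ID."""
    if not 1 <= vid <= 4094:                 # VIDs 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID must be in 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the header fields; 'vid' and 'pcp' are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:              # tagged: TCI then the real EtherType follow
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, pcp = tci & 0x0FFF, tci >> 13
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def untag_frame(frame: bytes) -> tuple[int, bytes]:
    """Remove the 4-byte tag, as the far switch does before delivering to an
    access port.  Returns (vid, untagged_frame)."""
    info = parse_frame(frame)
    if info["vid"] is None:
        raise ValueError("frame carries no 802.1Q tag")
    return info["vid"], frame[:12] + frame[16:]


def deliver_from_trunk(tagged: bytes, access_ports: dict[str, int]) -> dict[str, bytes]:
    """Simulate trunk ingress on the far switch: the untagged copy is handed only
    to access ports whose VLAN matches the tag, so hosts on other VLANs never see
    it even though they share the same physical cable and switch."""
    vid, plain = untag_frame(tagged)
    return {port: plain for port, pvid in access_ports.items() if pvid == vid}


# Assumed layout for the demo: gi1/gi2 are home-LAN ports (VLAN 10),
# gi3 is the guest VM's port (VLAN 20).  Constructed, not from the thread.
ACCESS_PORTS = {"gi1": 10, "gi2": 10, "gi3": 20}


def demo() -> dict[str, bytes]:
    """A broadcast from the guest VM on VLAN 20 crossing the trunk: only gi3 receives it."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:12:34:56",
                        ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)   # minimal IPv4-looking payload
    tagged = tag_frame(frame, vid=20)
    return deliver_from_trunk(tagged, ACCESS_PORTS)


if __name__ == "__main__":
    for port, delivered in demo().items():
        print(port, parse_frame(delivered))
```

The point to take from running it is that a frame tagged with VLAN 20 reaches gi3 and nothing else; a host plugged into gi1 or gi2 (the sister's laptop, in the original question) is on the same wire between the floors but never gets a copy. Note that this isolation is purely a layer 2 property: if a router interface sits on both VLANs, as the proposed pfSense or DD-WRT box would, its firewall rules decide whether VLAN 20 can reach VLAN 10 at layer 3.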
 


You do know the difference between LAN and WAN IP addresses right?

I was asking for his local LAN IP address schemes (most are 192.168.xxx.xxx) to create VLANs for separate networks on his local end. I did not ask for his WAN IP address, which is the IP address given to him by his ISP. From outside of his network the LAN IP address is useless without the WAN IP, and even then you have to take advantage of deliberately forwarded ports (which any half-decent software firewall would detect us trying to port-scan); you could of course use any of the usual virus-infecting methods, but they just use an exploit in whatever PC is accessing it, so it does not care about any specific local IP.

Hence asking for his local LAN IP address is completely useless on its own for hacking. Hell, 95% of consumer routers use one of three subnet addresses, and I would bet more than half use the 192.168.1.x scheme. So on that note, one of my networks uses the 192.168.5.0 subnet; hack away!