VMware Communities
SommyJo
Enthusiast

In Win 10/11 use a NIC to create the WAN NIC of a Firewall VM

My PC with Workstation Pro 17 has 3 NICs.
Two are connected to two internal networks.
The third is connected directly to the router. The Router's IP is 192.168.100.51 and the NIC's is .52.

I want to create a firewall VM with 4 V-NICs
Two V-NICs are for Host-Only VMs which I will only reach by going through the firewall.
A V-NIC will be bridged to a NIC of my PC, and I will only need it to access the firewall. Basically it will be the LAN.
The fourth V-NIC will be the WAN of the firewall, but to connect it I have to associate it with the NIC of the PC which is already connected to the router.

The problem is that in this way the Win10 PC has direct access to the Internet. How do I configure it to always go through the Firewall?
Or stay direct if Workstation is off and go through the virtual firewall if Workstation is on.

I'm looking for some documentation on the net, but I'm getting lost with suggestions that don't work.

Many thanks in advance for your help and suggestions.

8 Replies
Brisk
Enthusiast

When you say "Win 10 PC", do you mean your physical PC or a VM running in workstation?
What you're trying to do is certainly possible and you're on the right track. 

What I did in the past was the same as you did. You only have the firewall VM connected to the "WAN" NIC, and all the other VMs connect to a host-only NIC that is also connected to the firewall. In that way you can direct all traffic of the host-only VMs through the firewall VM.

Your physical PC will always be connected to the internet as you said.

SommyJo
Enthusiast

Thanks for the reply.
My PC is Win 10 Pro, a "physical" PC.
In Workstation I have installed some "dedicated" VMs that I would like to use for work.
If I create a VM as a Firewall and put the other VMs in a Virtual LAN, then they are protected by the VM Firewall.

However, if the "physical" PC connects directly to the Internet, then it is not protected by this virtual firewall.
I would have the same problem if it were a server and on it I created a virtual network protected by a virtual firewall. The physical server would remain protected only by the router.

louyo
Virtuoso

If you are attempting to connect the host machine to the Internet via one of the virtual machines on that host, that won't work. If you want a firewall between the host system, you have to install one.

SommyJo
Enthusiast

On my (physical) LAN there is a (physical) firewall downstream of a router.
My PC has a NIC on the LAN managed by the firewall.
It also has a NIC that is connected directly to the router and is normally disabled.
So all my In/Out traffic is handled by the firewall.

Workstation Pro 17 is also on my PC and I'm trying to simulate a situation where the firewall is not physical, but virtual.

I have already seen several server hosts around, ESXi or Hyper-V, with virtual firewalls. I don't remember exactly, but I'm almost certain I also saw some Win10 or Linux PCs with Workstation Pro and virtual firewalls inside.

How can these servers/PCs be isolated from the Internet if the firewall is a VM inside them?

louyo
Virtuoso

Perhaps I am not understanding your goal. Sit down and draw it out to see if it makes sense. It seems like the equivalent of plugging a power strip into itself and expecting to get electricity.

ESXi allows you to pass through PCIe cards to directly connect the VM to hardware. We do this with multiple NICs. Other than USB, Workstation does not allow direct access to hardware. USB is, well, USB.

SommyJo
Enthusiast

Maybe I'm the one who can't explain myself well.

You have already answered me: even with a VM acting as a Firewall, the PC can surf the Internet directly using the physical NIC connected to the router.

I was wondering instead what happened with an ESXi server that has a VM to act as a firewall. Is the server also exposed to the internet in that case?

RDPetruska
Leadership

Yes, you can do this... Ulli has a page detailing the setup of a "transparent bridge" here: http://www.sanbarrow.com/transparentbridge.html . Note that you will need to disable TCP/IP and any other protocols you use on the host's primary NIC you are using - only have the VMware Bridge Protocol client enabled.

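Turning RDPetruska's note into commands, as an added example that is not from the thread or from Ulli's page: a PowerShell script that leaves only the VMware Bridge Protocol bound on the router-facing host NIC, so the host keeps an IP stack only on the LAN-side NIC that sits behind the firewall VM. The adapter name "Ethernet 3" and the component ID "vmware_bridge" are assumptions; check both with Get-NetAdapterBinding before running.

```powershell
# Added example, not code from the thread. Restrict the router-facing host NIC
# to the VMware Bridge Protocol so the Windows host has no TCP/IP on it and
# can only reach the Internet through the firewall VM (transparent bridge).
# Assumptions: adapter "Ethernet 3" is the NIC wired to the router and
# "vmware_bridge" is the ComponentID of the VMware Bridge Protocol.
# Run from an elevated PowerShell session.

$WanAdapter      = "Ethernet 3"     # assumed name of the router-facing NIC
$BridgeComponent = "vmware_bridge"  # assumed ComponentID of VMware Bridge Protocol

# Record the current bindings before changing anything.
Get-NetAdapterBinding -Name $WanAdapter |
    Select-Object DisplayName, ComponentID, Enabled |
    Format-Table -AutoSize

$bindings = Get-NetAdapterBinding -Name $WanAdapter
if (-not ($bindings | Where-Object ComponentID -eq $BridgeComponent)) {
    throw "$BridgeComponent is not bound on $WanAdapter; check the ComponentID or the Workstation install."
}

# Disable every other binding (IPv4, IPv6, client/file sharing, LLDP, ...)
# and make sure the bridge protocol itself stays enabled.
foreach ($b in $bindings) {
    if ($b.ComponentID -eq $BridgeComponent) {
        Enable-NetAdapterBinding -Name $WanAdapter -ComponentID $b.ComponentID
    } elseif ($b.Enabled) {
        Disable-NetAdapterBinding -Name $WanAdapter -ComponentID $b.ComponentID
    }
}

# Verify: nothing except the bridge protocol may remain enabled on that NIC.
$stillEnabled = Get-NetAdapterBinding -Name $WanAdapter |
    Where-Object { $_.Enabled -and $_.ComponentID -ne $BridgeComponent }
if ($stillEnabled) {
    Write-Warning "Still enabled on ${WanAdapter}: $($stillEnabled.ComponentID -join ', ')"
} else {
    Write-Output "$WanAdapter now carries only the VMware Bridge Protocol."
}

# The host should no longer hold an IPv4 address on the WAN-facing NIC;
# its only address stays on the LAN-side NIC bridged to the firewall VM.
Get-NetIPAddress -InterfaceAlias $WanAdapter -AddressFamily IPv4 -ErrorAction SilentlyContinue
```

Once applied, the host's default route must come from the LAN-side NIC, with the firewall VM's LAN address as gateway; if Workstation is off, the host has no Internet path at all, which is the trade-off of this layout versus the "stay direct when Workstation is off" variant asked about above.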
SommyJo
Enthusiast

Thanks, I'll study it now.
