DaveTheWaveSlav
Contributor

Is there a way to firewall a single VM away from the Internet while still giving access to the LAN?

I'm trying to figure out a way, if possible, to partition a single VM away from the WAN (Internet) while still allowing access to a Class-C subnet, using VMware Workstation and from outside the VM guest itself.

Installing a 2nd NIC isn't my preferred option.  Host & Guest are Windows.

I'm currently trying to configure the MS Loopback adapter with host firewall rules, but can't seem to figure out the trick to get this setup working.

Does anyone have suggestions?

Thanks in advance...

rcporto
Leadership

Is there only one subnet in your network? If yes, you can try removing the default gateway from the VM; this way the VM will not get access to different networks, which includes the Internet.

---

Richardson Porto
Senior Infrastructure Specialist
LinkedIn: http://linkedin.com/in/richardsonporto
TommyFreddy
Enthusiast

You have to configure a proxy/firewall to control this one. For example, you can use MikroTik or any Linux proxy server to control who will get Internet access and who will not.

Scillonian
Hot Shot
Accepted solution

If you have admin access to the router that provides your connection to the Internet you could give the VM a fixed IP address and set an access rule on the router to only allow access to IP addresses in the local subnet.

DaveTheWaveSlav
Contributor

Thanks for the interesting and innovative approach.  I'm assuming you're referring to the network configuration of the VM.

I tried your suggestion by manually setting the guest's network IP and subnet to correct values but intentionally misconfiguring the gateway IP.  Unfortunately this broke Windows networking.  I tried putting the relevant machines into a VLAN, but the NBT traffic never even made it to the router as far as I can tell.  I might have done something wrong; it was pretty late at night.

DaveTheWaveSlav
Contributor

Gee, I guess I could have just used bridge networking, set the IP, then blocked it at the router.  That would have been really easy.

The only downside to this approach is something that I didn't mention - I'm aiming for a way to set up & tear down sets of VMs which need access to a central file server but are blocked from the Internet.  This approach would have added a bit of network configuration, but that's a small downside.

Thanks for the help.

DaveTheWaveSlav
Contributor

Thanks for the help, all.  I think I found an approach that works well for me.  It's a bit unorthodox, but instead of taking a network-centric approach, I ended up just copying vmware.exe to vmware-restricted.exe, which gives the host (Windows) firewall a unique signature to separate one set of rules from another.  I.e., I'm now able to allow one EXE while restricting the other at the firewall.

This approach appears to work, but software updates might be a problem.  Are there any other downsides that I'm not thinking of?

Again, thanks for taking the time to help out.

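The per-executable rule set described in the post above, written out as an added example (not the poster's own commands). It assumes the restricted copy lives at the path in $Restricted, that the LAN the VM may still reach is 192.168.1.0/24 (a constructed value; the thread only says "Class-C subnet"), and that the VM's traffic actually leaves the host from that process through the host TCP/IP stack, which is what the poster's setup relies on. Because Windows Firewall evaluates explicit Block rules ahead of Allow rules, an allow-to-LAN rule on its own does nothing to stop Internet access; it needs a matching Block rule that covers every other address.

```powershell
# Added example: restrict vmware-restricted.exe to the local subnet only.
# Assumptions (adjust to your environment):
#   $Restricted - the renamed copy of the VMware executable
#   $Lan        - the only network the VM is allowed to talk to (IPv4)
$Restricted = 'C:\Program Files (x86)\VMware\VMware Workstation\vmware-restricted.exe'
$Lan        = '192.168.1.0/24'
# Every routable IPv4 address that is NOT in $Lan, as two explicit ranges.
# Windows Firewall has no "not LocalSubnet" keyword, so the complement is spelled out.
$NotLan     = @('1.0.0.0-192.168.0.255', '192.168.2.0-255.255.255.255')

foreach ($dir in 'Inbound', 'Outbound') {
    # Allow: lets the VM reach the file server and lets LAN hosts reach the VM.
    New-NetFirewallRule -DisplayName "VM restricted - allow LAN ($dir)" `
        -Direction $dir -Program $Restricted -Profile Any `
        -RemoteAddress $Lan -Action Allow | Out-Null

    # Block: wins over any Allow rule, so anything outside the LAN is dropped
    # for this program only; the unrestricted vmware.exe is unaffected.
    New-NetFirewallRule -DisplayName "VM restricted - block non-LAN ($dir)" `
        -Direction $dir -Program $Restricted -Profile Any `
        -RemoteAddress $NotLan -Action Block | Out-Null
}

# Check: list the address filters attached to the rules just created.
Get-NetFirewallRule -DisplayName 'VM restricted*' |
    Get-NetFirewallAddressFilter |
    Select-Object -Property RemoteAddress
```

The ranges above cover IPv4 only; if the host has IPv6 connectivity, an equivalent Block rule for the IPv6 address space is needed for the same program, otherwise the VM can still reach the Internet over v6.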
Scillonian
Hot Shot

The only downside to this approach is something that I didn't mention - I'm aiming for a way to set up & tear down sets of VMs which need access to a central file server but are blocked from the Internet.  This approach would have added a bit of network configuration, but that's a small downside.

You could set rules for an appropriately sized block of IP addresses on the router and as long as the VMs are allocated one of the addresses in this block you will only need to set the router once.

DaveTheWaveSlav
Contributor

I agree that your suggestion is the more technically correct solution.  And you're right that setting aside a block of addresses simplifies the problem.  The only reason the more unorthodox approach works a little better for us is that the network security model doesn't have external dependencies.  It can be backed up (it's just host configuration which is where I want to centralize the solution) and doesn't rely on internal (guest) or external (router) configuration to enforce security.

However, separate EXE names have the downside that if the VM is ever loaded into the unrestricted vmware.exe, the door would be open to the VM guest.  We might combine both approaches just to be safe.
