VMware Communities
breakstuffmajor

Isolating vmnet9 and vmnet10

I would like to set up 2 custom vmnets that are not able to communicate with one another but can communicate outbound to the internet. I would like to do this without any extra VMs acting as routers on the vmnets. Here are my assumptions:

1. If I set up 2 custom vmnets like vmnet9 and vmnet10 configured with NAT, these 2 vmnets would not be able to communicate with each other.

2. The guests on vmnet9 and vmnet10 would be able to communicate with the host, even if the "Connect a host virtual adapter" option is unchecked.

Are these assumptions correct?

Thanks!

a_p_

1. If I set up 2 custom vmnets like vmnet9 and vmnet10 configured with NAT, these 2 vmnets would not be able to communicate with each other.

You can unfortunately have only one NAT vmnet.

2. The guests on vmnet9 and vmnet10 would be able to communicate with the host, even if the "Connect a host virtual adapter" option is unchecked.

A virtual host adapter is required for a VM to communicate with the host, and vice versa.


André

breakstuffmajor

I currently have multiple vmnets with NAT:

[Image: nat.png]

Also, with the configuration above, the guests on vmnet9 and vmnet10 can currently reach the host over ICMP and HTTP, even though there is no host virtual adapter on either of those vmnets. Am I missing something?

a_p_

Looks like I'm too much Windows focused 😉

Sorry, but I don't have Workstation on Linux, so I can't help you with this.


André

louyo

Yes, assuming that the VMs are each assigned IPs in the 2 different NAT subnets, it should work. I am hosting WS 15 on Linux Mint. An Ubuntu guest and an LMDE guest work that way. Isolated from each other but can connect to host or Internet.

Edit: I might add that, to further isolate from everything, I plug in a USB Ethernet adapter and disable the built-in one.

Lou

breakstuffmajor

Thanks for confirming. The downsides to doing this without using a dual-homed VM on each NAT'd vmnet to perform routing then seem to be the following:

A. vmnets9-10 can reach vmnets0-1,8, according to my testing

B. vmnets9-10 can reach upstream physical machines on my physical LAN

C. vmnets9-10 can reach the host

Point A is interesting because this doesn't seem immediately apparent and may not be expected by someone attempting to set up isolated vmnets. Is there any way to block points A-C without the presence of a VM that performs routing? The only way I can think of would be if there's a way to use custom routing on the host itself.

louyo

Sounds like you want two VLANs that can communicate to the Internet but not to each other, the host, or any other system on the LAN. Have not tried such myself but it sounds like you need a router or firewall in between them and the rest of the LAN/host. Sorry I can't help.

Lou

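Added example, not part of the original thread: a check to run from inside a guest on vmnet9 or vmnet10 that probes points A-C from the post above over TCP and flags any internal zone that answers. The subnets, target addresses and function names are assumptions (the thread gives no addresses); replace them with the values from your own virtual network configuration.

```python
import ipaddress
import socket

# Constructed placeholder subnets, keyed by the points A-C listed in the thread.
ZONES = {
    "A: other vmnet": ["192.168.10.0/24", "172.16.8.0/24"],
    "B: physical LAN": ["10.0.0.0/24"],
    "C: host": ["10.0.0.5/32"],
}

def zone_of(ip, zones=ZONES):
    """Return the most specific internal zone containing ip, or 'internet'."""
    addr = ipaddress.ip_address(ip)
    best = ("internet", -1)
    for name, cidrs in zones.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best[1]:
                best = (name, net.prefixlen)
    return best[0]

def tcp_reachable(ip, port=80, timeout=2.0):
    """True if anything answered for ip. A refused connection (RST) is still
    an answer, so it counts as reachable; only silence counts as blocked."""
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
        return True
    except ConnectionRefusedError:
        return True
    except OSError:  # timeout, no route, network unreachable
        return False

def audit(targets, zones=ZONES, probe=tcp_reachable):
    """Probe each target; a reachable target in an internal zone is a leak."""
    findings = []
    for ip in targets:
        zone = zone_of(ip, zones)
        up = probe(ip)
        findings.append({"ip": ip, "zone": zone, "reachable": up,
                         "leak": up and zone != "internet"})
    return findings

if __name__ == "__main__":
    # Constructed targets: one address per zone plus one outside address.
    for f in audit(["192.168.10.2", "10.0.0.20", "10.0.0.5", "1.1.1.1"]):
        status = "LEAK" if f["leak"] else "ok"
        print(f"{status:4} {f['ip']:15} {f['zone']:16} reachable={f['reachable']}")
```

This covers TCP only; the ICMP reachability mentioned in the thread needs a separate ping test.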