2

I have a Hyper-V Server 2012 R2 installed (because it's free). I have 2 virtual machines on this server, an Ubuntu Server (vLS) and a Windows Server (vWS).

I only have 1 external IP address for the host machine, so the virtual machines are on an internal 192.168.110.0/24 subnet with the host machine (192.168.110.1). (I created the virtual switch in a connected Hyper-V Manager.)

I want to set up a basic NAT, where I want to bind the external port 80 to port 80 on vWS, so the server acts as a web server (in time I will want to allow access to both virtual machines on various ports, so port 80 is only an example).

The problem is that Hyper-V Server does not allow the RRAS role to be installed, nor is ICS available.

Some other questions pointed to using New-NetNat but since it's not Server 2016 yet, the InternalIPInterfaceAddressPrefix is not available. This is the last version of Hyper-V server that runs without SLAT so upgrading to 2016 is not an option.

I have tried to use it with the ExternalIPInterfaceAddress and InternalRoutingDomainId parameters, but I was not able to figure out what a valid Internal Routing Domain ID is, and how I can figure mine out (it seems to be some sort of GUID). I have tried it with a bunch of zeroes, but to no avail.

I have looked at NAT32 but it seemed to hang on startup on the server, the GUI never popping up. I will experiment with it further, but I'm hoping for native functionality on the server without installing anything 3rd party (that being said, I would gladly settle for a 3rd party solution if I could get it to work).

Is there a way to set up NAT in Hyper-V Server 2012 R2 and bind some ports of the virtual machines to the external IP? If yes, how can I do it?

vinczemarton
  • Hyper-V Server 2012 R2 does not provide NAT. See http://superuser.com/questions/522179/how-can-i-configure-my-server-2012-hyper-v-lab-setup-with-nat – longneck Dec 20 '16 at 16:47
  • @longneck I would be satisfied with a 3rd party solution, or a lot of typing. – vinczemarton Dec 20 '16 at 17:06

2 Answers

2

You need two vswitches, and a VM to do the NAT for you.

  • A VM running some sort of firewall software, and assigned two NICs.
  • An Internal vswitch can connect to VMs and the host, but not a physical NIC. This will be your 192.168.110.0/24 network. Change all of your existing VMs to this vswitch, and one of the NICs for the firewall VM.
  • An External vswitch can connect to a physical NIC. The other virtual NIC for the firewall should be connected to this NIC. You should also un-check the box that says "Allow management operating system to share this network adapter."

On your host, the two vswitches should show up as network adapters in your control panel. Configure a 192.168.110.0/24 IP on the adapter that matches the Internal vswitch. Now the only way the host can talk to the outside world is through your firewall VM.

longneck
  • I was thinking about installing pfSense in a virtual machine for example, but I was not able to figure out how to put it "in front of" the host machine. Your answer seems to include that by some magic with virtual switches which is a little hard to digest (I'm trying), could you elaborate on that? – vinczemarton Dec 20 '16 at 17:24
  • I re-wrote in my answer. – longneck Dec 20 '16 at 17:44
  • I have tried this way to add the Windows Server to the external vswitch, disabled "allow management" on the host OS, but it fails to connect to the outside network (or it seems to connect, but "No internet access" in the status, no received packets, and zenmap cannot see its ports). I'll fiddle around some more. – vinczemarton Dec 20 '16 at 17:56
0

You could install another Windows Server in a VM and set that up as RRAS, or you could install and configure a VyOS virtual router and configure that to forward all TCP port 80 traffic (for argument's sake) to your Windows Servers that will act as web servers.

For the VyOS configuration it is pretty simple. You need to download the .iso for the VyOS virtual router and install that in a VM. Connect two vNICs to that VM: one connected to an external vSwitch that is connected to your LAN adapter and the other to your internal or private vSwitch to which your VMs are connected. So your VyOS router has to be connected to two networks: your external internet access network and your private or internal VM network.

After you install the VyOS image you can run a few commands to configure your VyOS router's interfaces.

set interfaces ethernet eth0 address dhcp
# 192.168.110.X: substitute a free host address on the internal subnet
set interfaces ethernet eth1 address 192.168.110.X/24

The above commands set the external interface to obtain its address via DHCP, and configure the router's next interface to be on the same network as your virtual servers (VMs).

Next you will run a few simple commands to forward all TCP 80 traffic to an internal server of your choice.

set nat destination rule 1 description 'Port Forwarding: HTTP to 192.168.110.254'
set nat destination rule 1 destination port 80
set nat destination rule 1 inbound-interface 'eth0'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation address '192.168.110.254'

And there you have a virtual router forwarding all TCP 80 packets to an internal server with the address 192.168.110.254 (just for argument's sake).
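
Both answers rely on the same host-side layout: an External vswitch the host does not share, an Internal vswitch for the guests, and a router/firewall VM with one NIC on each. Hyper-V Server has no local GUI, so here is that layout as PowerShell, ending with checks that the host is no longer attached to the external network. This is an added example, not code from either answer; the switch names, the physical adapter name, the router VM name `fw` and the router's internal address are assumptions, and `vWS`/`vLS` are taken as the VM names from the question.

```powershell
# Added example. Every name here is an assumption except the host address
# (192.168.110.1) and the VM labels vWS/vLS, which come from the question.
$PhysicalNic = 'Ethernet'        # physical adapter with the external IP (Get-NetAdapter)
$ExtSwitch   = 'External-WAN'
$IntSwitch   = 'Internal-LAN'
$RouterVm    = 'fw'              # firewall/router VM (pfSense, VyOS, RRAS ...)
$GuestVms    = 'vWS', 'vLS'
$HostLanIp   = '192.168.110.1'
$RouterLanIp = '192.168.110.X'   # placeholder: the router VM's internal address
$HostAlias   = "vEthernet ($IntSwitch)"

if ($RouterLanIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
    throw 'Set $RouterLanIp to the router VM''s internal address first.'
}

# Run this from the local console or out-of-band management: once the external
# switch is created without management-OS sharing, the host leaves that network.
if (-not (Get-VMSwitch -Name $IntSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $IntSwitch -SwitchType Internal | Out-Null
}
New-VMSwitch -Name $ExtSwitch -NetAdapterName $PhysicalNic -AllowManagementOS $false | Out-Null

# Router VM: one NIC per switch. Guests: every NIC moves to the internal switch.
Add-VMNetworkAdapter -VMName $RouterVm -SwitchName $ExtSwitch -Name 'wan'
Add-VMNetworkAdapter -VMName $RouterVm -SwitchName $IntSwitch -Name 'lan'
Connect-VMNetworkAdapter -VMName $GuestVms -SwitchName $IntSwitch

# Host: internal address only, default route through the router VM.
if (-not (Get-NetIPAddress -IPAddress $HostLanIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $HostAlias -IPAddress $HostLanIp -PrefixLength 24 | Out-Null
}
if (-not (Get-NetRoute -InterfaceAlias $HostAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)) {
    New-NetRoute -InterfaceAlias $HostAlias -DestinationPrefix '0.0.0.0/0' -NextHop $RouterLanIp | Out-Null
}

# Checks: the external switch must report AllowManagementOS = False, and the
# management OS must list a vNIC on the internal switch only.
Get-VMSwitch | Select-Object Name, SwitchType, AllowManagementOS
Get-VMNetworkAdapter -ManagementOS | Select-Object Name, SwitchName
Get-VMNetworkAdapter -VMName $RouterVm | Select-Object Name, SwitchName
```

With this layout the only services reachable on the external IP are the ones the router VM explicitly forwards, so each port forward added later is the complete list of what is exposed.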