IMPORTANT ANNOUNCEMENT FOR OUR READERS!
AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!
We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!
Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.
If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.
NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!
As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!
By Mike Leary
With Windows 8 + Hyper-V you have the opportunity to create a great lab environment on a single workstation. When I build a lab I like it to be isolated from any production network but also flexible enough to get Internet access from the lab and files and such into the lab. I like the idea of isolation because I fear things like rogue DHCP servers or duplicate domain controllers on a production network. As a Premier Field Engineer I needed the ability to quickly reproduce issues and verify behaviors in my own lab. This approach allows me to have complete control for testing (without tweaked configurations, 3rd party software, etc.).
The solution I am outlining in this article is not intended for a production network, but for personal testing on a single Hyper-V host. In most production environments there is no need for isolation and this networking layout would add an unneeded complexity.
If you are looking for a production ready solution that provides better flexibility and enterprise ready features I would suggest looking at solutions such as TMG, UAG, or RRAS. I will be adding a blog post shortly on how to configure TMG. Stay tuned.
So what is the solution? Well, it is not perfect, but I use a Linux based firewall/router running as a VM. This solution has a very small footprint for both disk and memory (50 MB and 32 MB). It boots very quickly and provides lots of functionality. There are a few options in this realm including pfSense, m0n0wall, and DD-WRT. In my testing I found that DD-WRT was the most stable platform and pfSense provided the best performance. Since I care more about ease of use and ease of installation I selected DD-WRT for my lab.
DD-WRT is an open source router firmware that has been ported to x86. It runs under Hyper-V with very little setup. It does require the use of Legacy network adapters and the throughput is somewhat limited, but it provides a great firewall, web interface, and port forwarding. For a full list of features visit http://dd-wrt.com.
Here is a simple diagram of the network setup I use:
What follows is a simple guide to get DD-WRT up and running in your lab (It assumes you have some experience with Hyper-V):
On the virtual switch in Hyper-V you will need to create an Internal network that is private only. Then create one network for each external interface. For example, I have WiFi and Ethernet, so I have 3 total network switches as seen in the following diagram:
Make sure that the External interfaces have the “Allow management operating system to share this network adapter” check box selected.
Next, create a new VHD on your host machine. Open Disk Management and create a new VHD that is 50 MB, fixed size. Make a note of the disk number (Disk 2 in this example):
Download physdiskwrite from http://m0n0.ch/wall/physdiskwrite.php
Download the latest DD-WRT image for x86: http://www.dd-wrt.com/routerdb/de/download/X86/X86///dd-wrt_public_vga.image/3744
Or search the router database at www.dd-wrt.com for x86
Open a command prompt with administrative privileges and run the following command:
physdiskwrite -u dd-wrt_public_vga.image
It will prompt you to put the disk number in. This will erase the entire drive, so double check your disk number. Once this process is complete, dismount the VHD from the host machine.
Create a new VM (I name mine 1-Router so it is at the top of the list in Hyper-V Manager). Set the memory to 32 MB and NOT connected to a network.
Open the settings of the new VM and remove the Network adapter and add 2 new Legacy Network adapters.
Connect one of the Legacy network adapters to the internal network. Leave the other disconnected.
** If you connect the External network to the wrong adapter you will introduce DHCP to your External network. This will make you and everyone else on your network crazy, so don’t do it…
Boot the VM
Test the configuration from another VM:
From any VM on the internal network, set it to use DHCP. The router should give you a 192.168.1.x address. If you don’t get one, try switching the Internal network to the other legacy adapter in the VM configuration.
Once you get an address, open http://192.168.1.1 – if you get a web page, you did it correctly!
Connect the second VM Legacy network adapter to the external network (pick the one that is currently active).
Enable the WAN port:
Enable the WAN on the settings page. From there you should have a fully functional router/firewall in your environment.
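The same build, scripted with the Hyper-V PowerShell module as an added example (not the author's script). Switch names, the adapter name 'Ethernet', the VHD path and the VM name are assumptions; the script reads "Internal network that is private only" as a Private switch, assumes the DD-WRT image is in the working directory and physdiskwrite.exe is on the PATH, and adds DHCP guard on the WAN port as a safeguard against the mix-up described in the note above (assumed to apply to Legacy adapters as it does to synthetic ones).

```powershell
# Assumed names for this example; change to match your host.
$InternalSwitch = 'Lab-Internal'
$ExternalSwitch = 'Lab-External'
$HostNic        = 'Ethernet'          # physical adapter to share with the host OS
$VhdPath        = 'C:\Lab\ddwrt.vhd'
$VmName         = '1-Router'

# 1. Virtual switches: a Private switch for the lab (no host access, no path to the
#    production LAN) and one External switch per physical NIC, shared with the host OS.
if (-not (Get-VMSwitch -Name $InternalSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $InternalSwitch -SwitchType Private | Out-Null
}
if (-not (Get-VMSwitch -Name $ExternalSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $ExternalSwitch -NetAdapterName $HostNic -AllowManagementOS $true | Out-Null
}

# 2. 50 MB fixed VHD: mount it, write the image with physdiskwrite, then dismount it
#    before the VM uses it. physdiskwrite erases the disk number you give it, so
#    answer its prompt with the number printed here and nothing else.
New-VHD -Path $VhdPath -SizeBytes 50MB -Fixed | Out-Null
$vhd = Mount-VHD -Path $VhdPath -Passthru
Write-Host "Answer the physdiskwrite prompt with disk number $($vhd.DiskNumber)"
& physdiskwrite.exe -u dd-wrt_public_vga.image
Dismount-VHD -Path $VhdPath

# 3. Router VM: Generation 1 (the default, required for Legacy adapters), 32 MB static
#    memory, the default synthetic NIC removed, two Legacy adapters, only LAN connected.
New-VM -Name $VmName -MemoryStartupBytes 32MB -NoVHD | Out-Null
Set-VM -Name $VmName -StaticMemory
Get-VMNetworkAdapter -VMName $VmName | Remove-VMNetworkAdapter
Add-VMHardDiskDrive -VMName $VmName -Path $VhdPath
Add-VMNetworkAdapter -VMName $VmName -Name 'LAN' -IsLegacy $true -SwitchName $InternalSwitch
Add-VMNetworkAdapter -VMName $VmName -Name 'WAN' -IsLegacy $true   # stays disconnected for now

# DHCP guard on the WAN port: if the adapters ever get swapped by mistake, the virtual
# switch drops DHCP server replies from the VM on this port instead of flooding your LAN.
Set-VMNetworkAdapter -VMName $VmName -Name 'WAN' -DhcpGuard On

Start-VM -Name $VmName

# 4. Only after the LAN test passes (a lab VM gets a 192.168.1.x lease and
#    http://192.168.1.1 answers), connect the WAN adapter and re-check the wiring.
Connect-VMNetworkAdapter -VMName $VmName -Name 'WAN' -SwitchName $ExternalSwitch
Get-VMNetworkAdapter -VMName $VmName | Format-Table Name, IsLegacy, SwitchName, DhcpGuard
```

Run the last two lines only once the LAN test in the steps above has succeeded; the final table should show LAN on the private switch and WAN on the external switch with DhcpGuard On.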
I use port forwarding to allow RDP (port 3389) to one of my VMs. I use this to transfer files and work in the lab. This solution provides great isolation, internet access, and management access from your host machine.