pfSense or a server's own routing?

Discussions related to using VirtualBox on Windows hosts.

pfSense or a server's own routing?

Postby AndyA » 24. Aug 2019, 15:46

Hi,

I've set up VB 6.0.10 with Windows Server 2008 R2 Standard and a Windows 7 Pro workstation. I want the server DHCP scope on a separate subnet but I also want the workstation to have Internet access.

Every post I've read uses a virtual router like pfSense for the routing.

But Windows Server 2008 has a routing function (and static routing can also be configured).

Why is pfSense recommended instead of Windows Server's own routing for simple subnet routing?

regards, AndyA
AndyA
 
Posts: 11
Joined: 24. Aug 2019, 15:27

Re: pfSense or a server's own routing?

Postby scottgus1 » 24. Aug 2019, 20:38

I have recommended pfSense as the intermediary between a test lab of guests and the host/LAN/world because pfSense can block access to the host's LAN and keep any network services on the test lab from interfering with the physical LAN while allowing internet access for the test lab. pfSense can effectually ensure that the lab does not know there's a host or a physical LAN out there while having the whole internet available. Useful for testing domain controllers & clients in an already domain-controlled office, for example. See viewtopic.php?f=1&t=76667#p356720

pfSense does not have to be the DHCP server. pfSene's DHCP server can be turned off & have a server guest in the test lab be the DHCP server.
Human government is like that crazy uncle who hides a quarter in his fist behind his back, then asks you to guess which fist the quarter is in...
No matter which side you choose, Left or Right, both Sides are empty.
scottgus1
Volunteer
 
Posts: 4663
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Win7

Re: pfSense or a server's own routing?

Postby AndyA » 24. Aug 2019, 22:38

Thanks for your reply. I'll read the post in the link in detail later.

I understand the advantages of pfSense for security, but I'm setting up a short-term lab server that will be used only by me. Security is not an issue. My web browsing will be limited to google to check that the Internet is working.

So, I'm looking for the *simplest* way to install a router, not the safest.

Do you know of a link to explain how to use built-in Windows Server routing instead of pfSense?

regards, AndyA
AndyA
 
Posts: 11
Joined: 24. Aug 2019, 15:27

Re: pfSense or a server's own routing?

Postby scottgus1 » 25. Aug 2019, 00:01

You could look at section 6 of the manual to see the types of Virtualbox networking you might try. I don't know of a specific tutorial nor know all the ways Windows Server can connect networks. But in the Server guest I'd try two network adapters in the Server guest, the first attached to NAT to allow the internet in, and the second to an 'Internal' network to which a client guest or two can also be connected. Have the Server guest use the NAT adapter act as the WAN side, and the Internal network as the LAN side. Then it can act as a router & DHCP server over the Internal network. How one makes a Windows Server act as a router? Got no idea. Google time...
Human government is like that crazy uncle who hides a quarter in his fist behind his back, then asks you to guess which fist the quarter is in...
No matter which side you choose, Left or Right, both Sides are empty.
scottgus1
Volunteer
 
Posts: 4663
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Win7

Re: pfSense or a server's own routing?

Postby BillG » 25. Aug 2019, 01:52

It is never a good idea to route through the host OS. The host should not be part of your virtual setup. Think of the host as a "black box" which powers your virtual system, not a part of it. That applies especially to the routing setup. Your host should know nothing about your virtual network setup.
Bill
BillG
Volunteer
 
Posts: 4190
Joined: 19. Sep 2009, 04:44
Location: Sydney, Australia
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 7,8,Server

Re: pfSense or a server's own routing?

Postby AndyA » 25. Aug 2019, 20:23

I think you need to re-read my initial post.

Nothing will be routing through the host OS.

Windows Server 2008 R2 Standard (English) is a guest, as is Windows 7 Pro x64 (French).

My host will not be involved in the routing that will be performed by the guests.

regards, AndyA
AndyA
 
Posts: 11
Joined: 24. Aug 2019, 15:27

Re: pfSense or a server's own routing?

Postby BillG » 26. Aug 2019, 04:48

Are you running RRAS as your router? That will work fine if you give the server two NICs - on in the private (virtual) network and one bridged to the physical network as the router's "public" NIC.

The reason for recommending pfSense is that people usually want to run their server as a DC, and running a DC as a router as well is definitely a no-no (no matter whether it is a physical or virtual server).
Bill
BillG
Volunteer
 
Posts: 4190
Joined: 19. Sep 2009, 04:44
Location: Sydney, Australia
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 7,8,Server

Re: pfSense or a server's own routing?

Postby AndyA » 26. Aug 2019, 11:49

Hi, Bill.

Yes, I've installed RRAS to enable routing on my test server. In VB, I gave the server two NICs, one bridged to the local network and one on a private network. They're both present in the server Device Manager and I can configure both adapters via Network and Sharing Center | Change adapter settings, but the private adapter is not found under RRAS | IPv4 | General. (The bridged adapter is found there.) When I right-click on General | New Interface, I'm told that there are no new interfaces available. There's something very simple that I'm not doing.

I've found lots of documentation for this on the web: here, for example, but I'm not yet able to see the internal adapter under RRAS.

Any suggestions would be appreciated.

Again, my goal is to use Windows Server 2008 R2 Standard as a router to simplify use of a subnet for one or two workstations.

regards, AndyA
AndyA
 
Posts: 11
Joined: 24. Aug 2019, 15:27

Re: pfSense or a server's own routing?

Postby scottgus1 » 26. Aug 2019, 14:25

Lets first clarify if the Virtualbox network is working. We will run 'ping' tests.

Put the server OS in its default configuration, with a Bridged network and a "Private" (which in Virtualbox parlance would be the "Internal") network. Don't try to set up the "router server" function yet.

Attach a client to the Internal network too.

There are no DHCP servers on Internal networks, so you will probably need to set static IP addresses on the Internal network adapters in the server and client guests for the ping test.

Windows defaults to blocking 'ping', so turn that on in the firewalls.

Can you ping back and forth between the host and the server guest on the Bridged side? Can you ping back and forth between the server guest and the client guest on the Internal side?
Human government is like that crazy uncle who hides a quarter in his fist behind his back, then asks you to guess which fist the quarter is in...
No matter which side you choose, Left or Right, both Sides are empty.
scottgus1
Volunteer
 
Posts: 4663
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Win7

Re: pfSense or a server's own routing?

Postby AndyA » 29. Aug 2019, 11:59

FOA, thanks for your detailed instructions. Sorry for my extensive delay in responding.

I removed Network Policy and Access Services as a server role.

The host can ping the server and vice versa. The server sees both the WAN and LAN (internal) NICs in ncpa.cpl. The server's IP address on the WAN adapter is 192.168.0.200; on the LAN adapter it's 192.168.1.200.

There is a single Win 7 Pro client. Its IP address is 192.168.1.20. It uses the server LAN address (192.168.1.200) as the primary DNS and as the default gateway.

The client could ping the server without changing any server firewall rules. However, the server could not ping the client until a rule for echo request ICMPv4 was enabled in the client firewall.

So, now the server and client can ping each other.

I'd be especially grateful for any suggestions. Am I ready to re-install the Network Policy and Access Services server role?

regards, AndyA (who promises to respond more quickly)
AndyA
 
Posts: 11
Joined: 24. Aug 2019, 15:27

Re: pfSense or a server's own routing?

Postby BillG » 29. Aug 2019, 13:02

It is hard to see any Virtualbox connection in those questions. They sound like pure Windows Server questions.
Bill
BillG
Volunteer
 
Posts: 4190
Joined: 19. Sep 2009, 04:44
Location: Sydney, Australia
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 7,8,Server

Re: pfSense or a server's own routing?

Postby AndyA » 29. Aug 2019, 13:19

OK, I'll seek a reply in a Windows server forum.

regards, AndyA
AndyA
 
Posts: 11
Joined: 24. Aug 2019, 15:27

Re: pfSense or a server's own routing?

Postby scottgus1 » 29. Aug 2019, 13:29

Good you got pings both ways on WAN & LAN! Now that the Virtualbox "infrastructure" is working, you should be able to find out all the Windows-ish configuration on that Windows forum. Have fun!
Human government is like that crazy uncle who hides a quarter in his fist behind his back, then asks you to guess which fist the quarter is in...
No matter which side you choose, Left or Right, both Sides are empty.
scottgus1
Volunteer
 
Posts: 4663
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Win7

Re: pfSense or a server's own routing?

Postby AndyA » 27. Sep 2019, 22:08

With the help of a consultant found via Upwork.com, here is one way to configure VirtualBox (VB) 6.0.10 with Windows Server 2008 R2 Standard (WS) and a connected workstation (Wn7) so that the domain is on a subnet different from that of the host, Wn7 uses the server's DHCP and DNS, both WS and Wn7 have Internet access, and the subnet is configured via WS routing. A separate VM with a third party router (such as pfSense) is not used.

Note that this setup is simple, but it is only appropriate for testing and certainly not for production.

Also note that I am unaware of any documentation of this Windows-Server-as-router setup for a separate virtual subnet anywhere else. (If you know where it can be found, please add the link in a reply.)

The configuration steps assume that WS has been installed and that a domain has been configured. The Active Directory, DHCP, and DNS roles have all been installed. The Network Policy and Access Services role will be installed and configured below. WS and Wn7 have both been shut down, not merely saved.

  1. Configure the subnet in the VB host network adapter:

    Oracle VM VirtualBox Manager | File | Host Network Manager… | VirtualBox Host-Only Ethernet Adapter | Adapter (tab), Configure Adapter Manually | IPv4 Address: 10.0.0.1, IPv4 Network Mask: 255.255.255.0 | DHCP Server (tab), Enable Server UNCHECKED

    CRITICAL STEP: the VB Host-Only Ethernet Adapter is configured with a subnet IP address. DHCP is disabled, since it will be provided on the subnet by WS.

  2. Confirm the VB host network adapter configuration on the host:

    (host) Network Connections (via ncpa.cpl) | VirtualBox Ethernet Adapter | (changes will already have been propagated)

  3. Configure two network adapters in VB for WS:

    Windows Server | Settings | Network | Adapter 1 | Attached to: Bridged Adapter, Name: (your host adapter) | MAC Address: [NOTE THIS! Let's assume the last 4 characters are "1111"] | Adapter 2 | Attached to: Host-only Adapter, Name: VirtualBox Host-Only Ethernet Adapter or Internal Network | MAC Address: [NOTE THIS! Let's assume the last 4 characters are "aaaa"]

    CRITICAL STEP: WS has two NICs, one that is bridged (for Internet access) and a second that is a VB Host-Only Ethernet Adapter or Internal Network (for connection to the independent subnet)

  4. Configure the network adapter in VB for Wn7:

    Settings | Network | Adapter 1 | Attached to: Host-only Adapter Name: VirtualBox Host-Only Ethernet Adapter or Internal Network

    CRITICAL STEP: Wn7 is connected to the independent subnet

  5. Start up WS

  6. rename the NICs to "WAN" and "LAN"

    Network Connections (via ncpa.cpl) | right-click on each of the two NICs | Status | Details | Physical Address: find the adapter with the MAC address that terminates with "1111" and rename this adapter to "WAN"; the other adapter's MAC address should terminate with "aaaa", so rename this adapter to "LAN"

  7. configure the WAN adapter with a static IP and a gateway, and itself and the host's DNS server as the DNS servers:

    WAN adapter | Properties | Internet Protocol Version 4 (TCP/IPv4) | Properties | Use the following IP address: (an IP address on the host's subnet) | Subnet mask: 255.255.255.0 | Default gateway: (the host's gateway) | Use the following DNS server addresses: 127.0.0.1 and add the host's DNS server

  8. configure the LAN adapter with a static IP, no gateway and itself as the DNS server:

    LAN adapter | Properties | Internet Protocol Version 4 (TCP/IPv4) | Properties | IP address: 10.0.0.200, Subnet mask: 255.255.255.0 | Default gateway: (blank), Use the following DNS server addresses: 127.0.0.1

    CRITICAL STEP: the server's LAN adapter has a static IP address and no gateway

  9. configure DHCP:

    DHCP | (servername.domainname.extension) | IPv4 | Scope, 10.0.0.100 - 10.0.0.110 | add one Scope Option: 006 DNS Servers 10.0.0.200

  10. configure DNS:

    DNS | (servername) | Properties | Interfaces: (server's static IP address on the host subnet) and 10.0.0.200 CHECKED | Forwarders: (the host's DNS server)

  11. install the Network Policy and Access Services role

    Add role | Network Policy and Access Services | check: "Routing and Remote Access Services", "Remote Access Service" and "Routing" | Install | (reboot if necessary) | Routing and Remote Access, right-click | Configure and Enable Routing and Remote Access | Configuration, choose "Network Address Translation (NAT)" | NAT Internet Connection, Use this public interface to connect to the Internet: choose "WAN" | Finish

    CRITICAL STEP: configuration of routing on the server to provide Internet access to the subnet

  12. check routing configuration on the server:

    Routing and Remote Access | (servername) (local) | IPv4 | General | WAN … IP Address: (server's static IP address on the host subnet) | LAN … IP Address: 10.0.0.200 | NAT: WAN | Properties | NAT (tab), Interface Type: Public interface connected to the Internet, Enable NAT on this interface CHECKED | LAN | Properties | NAT (tab), Interface Type: Private interface connected to private network

  13. check that WS has Internet access

  14. start up Wn7 and check configuration (should be OK by default)

    Network Connections (via ncpa.cpl) | (the single NIC) | Properties | Internet Protocol Version 4 (TCP/IPv4) | Properties | Obtain an IP address automatically, Obtain DNS server address automatically

    ipconfig /all : (ethernet adapter name) | DHCP Enabled : Yes, IPv4 Address: (in 10.0.0.100 scope), Default Gateway: 10.0.0.200, DHCP Server: 10.0.0.200, DNS Server: 10.0.0.200

  15. check that Wn7 has Internet access

DONE!


VirtualBox and Windows Server have been configured to provide a separate subnet for the domain, the domain workstation uses DHCP and DNS on the server and both the server and the domain workstation have Internet access without use of a third-party router.

Your comments are welcome, especially if you have suggestions for further simplifying this configuration.

regards, AndyA
Last edited by AndyA on 2. Oct 2019, 12:03, edited 1 time in total.
AndyA
 
Posts: 11
Joined: 24. Aug 2019, 15:27

Re: pfSense or a server's own routing?

Postby scottgus1 » 28. Sep 2019, 19:41

Looks complicated to me, but I'm sure that's just my lack of familiarity. I see your Windows 7 client guest is able to access the internet through the WS 'router', delivered from the host's physical LAN. Is the client blocked from accessing other PCs on the host's physical LAN?

One point I see is the use of the Host-Only network as the LAN network for the WS 'router'. This can allow host access into the test network, but may also be a point of "leakage" from the test network, too. Internal network instead of Host-Only would cut off host access and/or block the 'leak', depending on how one views it.
Human government is like that crazy uncle who hides a quarter in his fist behind his back, then asks you to guess which fist the quarter is in...
No matter which side you choose, Left or Right, both Sides are empty.
scottgus1
Volunteer
 
Posts: 4663
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Win7

Next

Return to VirtualBox on Windows Hosts

Who is online

Users browsing this forum: No registered users and 51 guests