pfSense or a server's own routing?

AndyA
Posts: 11
Joined: 24. Aug 2019, 15:27

Re: pfSense or a server's own routing?

Post by AndyA »

Looks complicated to me
What's complicated for me is the installation of a separate VM to perform a service that is already part of Windows server.
Is the client blocked from accessing other PCs on the host's physical LAN?
It's immaterial here. As I stated, this is a test domain, not a production domain. I'm now able to set up any Windows server and clients just as they'd be in production for testing purposes. Interaction with the host isn't important to me, since there is no "host" in my production environments.

I'll get back to you with an answer to your question.
use of the Host-Only network… for the WS 'router'. This… may… be a point of "leakage" from the test network, too. Internal network instead of Host-Only would cut off host access and/or block the 'leak'…
Good point. I'll try out Internal network and see how it works.

regards, AndyA
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: pfSense or a server's own routing?

Post by scottgus1 »

AndyA wrote: a separate VM to perform a service that is already part of Windows server.
BillG wrote:
AndyA wrote: Active Directory, DHCP, and DNS roles have all been installed
running a DC as a router as well is definitely a no-no (no matter whether it is a physical or virtual server).
AndyA wrote: Active Directory, DHCP, and DNS roles have all been installed
Your setup is interesting as an experiment, and I am interested in seeing how it would work. But it isn't a good setup for a real test environment because it probably would not be done that way in real life.

Bill warns against putting router services on a domain controller. Googling confirms. Letting unfiltered internet into a domain controller can go pear-shaped rather badly. So while the setup may work, it probably wouldn't be done in a responsible production environment. Another server instance would be needed for safety & best practices. Then, using a separate VM or real server with Window$ $erver (dollar signs and all that that implies) to be a router seems like using a daisy cutter to pull a weed.

Blocking access from the test environment to the host LAN can be very material depending on the tests being done. For example, back in the day two SBS servers could not exist on the same network; they'd fight each other. Thus a completely isolated test environment with internet. Router/firewall OSes like pfSense take very little from the host, leaving more test space for the test VMs, and reliably block LAN while allowing internet.
AndyA

Re: pfSense or a server's own routing?

Post by AndyA »

it isn't a good setup for a real test environment because it probably would not be done that way in real life.
As I clearly stated, this is a test repeat test environment. It is not repeat not for production.

What I wanted to document here is how to set up Windows server as a router under VirtualBox with a separate subnet and working DHCP, DNS and Internet access on that subnet. As I wrote earlier, I can find no coverage of such a configuration anywhere else on the web. (I'm probably wrong about that – a link would be appreciated.) This is an option to a third-party router. I never claimed that it is a preferable option for everyone, but if someone wants to try it, they now can find out how. :-)

regards, AndyA
scottgus1

Re: pfSense or a server's own routing?

Post by scottgus1 »

That's good! You figured out how to make Windows Server act as a router, and you let us all know it can be done and how to do it. Good on ya' mate!
AndyA wrote: Your comments are welcome, especially if you have suggestions for further simplifying this configuration.
You did ask for thoughts, and you know what they say, "You might get what you asked for." My thoughts weren't how to simplify, true, but they do highlight other aspects of this test setup that users should know. I apologize if my thoughts didn't smooth your feathers the right way. But just as folks can know how to set up this test environment, folks should also know that this test environment doesn't accurately reflect what would be done in the data center.

FWIW I should point out that a router/firewall guest can serve just as a gateway & LAN-block to the test network, while allowing a full domain controller and DHCP server running in Windows server to be master of the test domain.
AndyA

Re: pfSense or a server's own routing?

Post by AndyA »

Reply to scottgus1 (Sept 28 message):
… the use of the Host-Only network as the LAN network for the WS 'router'. This can allow host access into the test network, but may also be a point of "leakage" from the test network, too. Internal network instead of Host-Only would cut off host access and/or block the 'leak'
I substituted the Internet Network for the Host-Only Network. AFAICT, it made little-to-no difference. The host could not access Wn7. Wn7 could access host folders shared on VB, which is expected behavior.

The host could access shared folders on WS and vice versa, which is also expected behavior since the server is present on the host's network.

I edited the instructional post (Sept 27 message) to include use of the Internal Network as an alternative to the Host-Only Network.

regards, AndyA
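
Added example (not part of any post in this thread, and not VirtualBox's own tooling): a Python check that reads `VBoxManage showvminfo <vm> --machinereadable` output for each test VM and lists every attachment that bypasses the isolated segment, which is the Host-Only "leak" and the shared-folder access discussed above. The VM names WS and Wn7 come from the thread; the network name `testnet`, the share name and the sample output are constructed.

```python
import re

# Constructed sample in the style of `VBoxManage showvminfo <vm> --machinereadable`.
# "testnet" and "hostshare" are hypothetical names; WS/Wn7 are the thread's VMs.
SAMPLE = {
    "WS": 'name="WS"\nnic1="nat"\nnic2="hostonly"\n'
          'hostonlyadapter2="VirtualBox Host-Only Ethernet Adapter"\nnic3="none"\n',
    "Wn7": 'name="Wn7"\nnic1="intnet"\nintnet1="testnet"\nnic2="none"\n'
           'SharedFolderNameMachineMapping1="hostshare"\n',
}

UPLINKS = {"nat", "natnetwork", "bridged"}  # modes the gateway may use on its WAN side


def parse_vminfo(text):
    """Parse key="value" lines into a dict, stripping the surrounding quotes."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^([^=]+)=(.*)$", line.strip())
        if m:
            info[m.group(1).strip('"')] = m.group(2).strip('"')
    return info


def audit(vm_texts, gateway, test_net):
    """Return (vm, finding) tuples for attachments outside the isolated test network."""
    findings = []
    for vm, text in sorted(vm_texts.items()):
        info = parse_vminfo(text)
        for key, mode in info.items():
            m = re.fullmatch(r"nic(\d+)", key)  # skips nictype1, nicspeed1, ...
            if not m or mode in ("none", "null"):
                continue
            n = m.group(1)
            if mode == "intnet" and info.get("intnet" + n) == test_net:
                continue  # the isolated segment itself
            if vm == gateway and mode in UPLINKS:
                continue  # the gateway's WAN-side adapter is expected
            findings.append((vm, f"nic{n} is '{mode}': attachment outside {test_net}"))
        if any(k.startswith("SharedFolderNameMachineMapping") for k in info):
            findings.append((vm, "shared folder: host access independent of NIC mode"))
    return findings


if __name__ == "__main__":
    for vm, finding in audit(SAMPLE, gateway="WS", test_net="testnet"):
        print(f"{vm}: {finding}")
```

Shared folders are reported separately because they do not travel over any virtual NIC, so changing the adapter mode does not remove them.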