
I'd like to wire up a VM with LAN access but restrict it from accessing the Internet. I've come across a couple of comments—such as this one—indicating that this can be done via two NICs, but the exact configuration details are a bit hazy.

Here's some background on what's driving this effort:

A recent Windows Update (not sure which one) has toppled the mighty QuickBooks. I've been able to set it aright inside a new network-isolated Win10 VM, so as to prevent Windows Updates from shuffling in the door (I'll have to connect it briefly for activation, but oh well). It's presently at a patch level that's lower than the offending update, and I'd like to keep it that way—at least for the near-term future.

But frequent and repeated access via Hyper-V Manager is, well... cumbersome at best. If I were able to RDP into it, that'd also mean I could share local drive resources for manually copying various files back and forth.

For the automated nightly backups I can write a PowerShell script to do something like this:

  1. Shut down the VM
  2. Mount the VHDX
  3. Use RoboCopy to sync a folder
  4. Dismount the VHDX
  5. Start the VM

The comment sort of hints that the setup is something easy to put together. Well... easy if you know how!

For example:

one in the isolated test and another in the production network

Is he talking VLANs?

Make sure both nics are set to not register in DNS

How does one accomplish this? Does he mean omit the DNS server entries on the NICs' IPv4 property sheets?

Just set a static record on each side's DNS

See above.

Is this what's called a 'DMZ?'

I know a little bit about DNS, but absolutely nothing about VLANs. Not that I'm against studying up on the wonderful topic, but I'm loath to chase down rabbit holes to learn about something that may ultimately wind up not contributing to what I'm after. That's why I appreciate you fine folks so much—you actually know how to pull this stuff off, and what parts/pieces it takes to do it.

Shucks, I can't even figure out whether he's talking about standing up another VM in addition to my QuickBooks VM.

I've tried my due diligence, searching for solutions, but I'm afraid I'm not familiar enough with the terminology here to even know what to look for. Search results are coming up with how-tos for everything but. I was lucky to find the one that I did.

There's a ton of stuff out there about Copy-VMFile, but that flows the wrong way. I need guest-to-host, not host-to-guest. The search engines don't seem to be smart enough to figure this out from my keywords (e.g. hyper-v get files from isolated vm or hyper-v internal network access no internet). All links point to Rome, not from it. All links think I'm complaining about no Internet access. I'm not. I want to know how to restrict it ON PURPOSE.

I don't have time to wait for these two behemoths to slug it out. I need to keep moving and slip past the clumsy feet of the lumbering giants. This has already set me behind with my critical accounting work.

What steps (like you're coaching a beginner, please) do I need to take in order to build what he's talking about?

InteXX
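An added example (not part of the question; the VM name, guest folder, host folder and the "first disk is the system disk" layout are assumptions) of the five-step nightly script sketched above. It runs as an elevated scheduled task on the Hyper-V host, mounts the guest disk read-only so the backup can never alter it, and uses try/finally so the VHDX is always dismounted and the VM always restarted even when the copy fails:

```powershell
param(
    [string]$VmName   = 'QuickBooks-Win10',                 # assumed VM name
    [string]$GuestDir = 'Users\Public\Documents\Intuit',    # assumed folder on the guest's system volume
    [string]$HostDir  = 'D:\Backups\QuickBooks',            # assumed destination on the host
    [string]$LogFile  = 'D:\Backups\QuickBooks-backup.log'  # kept OUTSIDE $HostDir (see /MIR below)
)
$ErrorActionPreference = 'Stop'

# Ask Hyper-V which file the VM is really writing to. If the VM has checkpoints
# this is the newest .avhdx, not the base .vhdx; mounting the base would silently
# hand you stale data. Assumes the first attached disk is the system disk.
$vhd = (Get-VMHardDiskDrive -VMName $VmName | Select-Object -First 1).Path

# 1. Shut down the VM. Stop-VM asks the guest for a clean shutdown through the
#    integration services and waits for it; -Force only suppresses the prompt,
#    it is not a power-off (that would be -TurnOff). Mount-VHD cannot open a
#    disk that a running VM holds.
if ((Get-VM -Name $VmName).State -ne 'Off') { Stop-VM -Name $VmName -Force }

$mounted = $false
try {
    # 2. Mount read-only: the backup job gets no chance to modify the guest.
    $disk    = Mount-VHD -Path $vhd -ReadOnly -Passthru | Get-Disk
    $mounted = $true

    # Only the Windows volume receives a drive letter; EFI/recovery partitions
    # do not, so filter on a real letter and take the largest lettered partition.
    $part = $disk | Get-Partition |
            Where-Object { "$($_.DriveLetter)" -match '^[A-Z]$' } |
            Sort-Object Size -Descending | Select-Object -First 1
    if (-not $part) { throw "No partition of $vhd received a drive letter" }
    $src = Join-Path "$($part.DriveLetter):\" $GuestDir

    # 3. Mirror the folder. /MIR also deletes host-side files that no longer
    #    exist in the guest, so point it at a dedicated folder (and keep the log
    #    elsewhere or /MIR will try to delete it). Robocopy exit codes 0-7 mean
    #    success; PowerShell 7.4+ would otherwise turn the non-zero "files copied"
    #    code into a terminating error, hence the preference switch.
    $PSNativeCommandUseErrorActionPreference = $false
    New-Item -ItemType Directory -Path $HostDir -Force | Out-Null
    robocopy $src $HostDir /MIR /R:2 /W:5 /NP /LOG+:"$LogFile"
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}
finally {
    # 4. Always release the disk, and 5. always bring the VM back, even on failure.
    if ($mounted) { Dismount-VHD -Path $vhd }
    Start-VM -Name $VmName
}
```

Two caveats a practitioner would check before trusting it: the guest is down for the duration of the copy, so schedule it outside working hours, and if the guest volume is BitLocker-protected the mounted partition will not get a usable drive letter until it is unlocked on the host.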

2 Answers


If you use a firewall, you'll likely block all internet traffic from the host. If the goal is to simply prevent Windows updates, there are less severe mechanisms.

I do this with PiHole DNS server. It's pretty simple to set up. Basically, it acts like a DNS blackhole. I use it to blacklist the microsoft update sites. That way, other internet stuff can happen, but Windows updates only happen when I want them to.

When the time comes to allow an update, I simply point my host to my ISP's DNS. When I'm done, I point it back to the PiHole.

If you really just want to block all internet traffic, but still allow local LAN traffic, just don't set a default route on the Windows machine. No need for firewall rules and all of that. When you want to allow updates, set the route and let it go... then delete the route. Easy-peasy.

mikem
  • *"PiHole DNS server"* Hm, that's interesting. I can anticipate a game of whack-a-mole, though. Microsoft may choose to change hostnames at any time. – InteXX Sep 02 '20 at 13:11
  • *"just don't set a default route on the Windows machine"* Routing is another area in which I'm technically challenged. I would have no idea how to implement this. – InteXX Sep 02 '20 at 13:12
  • With PiHole, you can block entire domains (i.e. microsoft.com). So far, for the most part, their update servers haven't changed the base domain names very much. If you aren't that technically skilled, removing/setting the default route would probably be the easiest way to block ALL internet access. See the "How to assign static IP address using Control Panel" section at (https://pureinfotech.com/set-static-ip-address-windows-10/) for step by step instructions. In those steps, simply leave the Default Gateway empty, or set it to 0.0.0.0. – mikem Sep 02 '20 at 14:39
  • *"simply leave the Default Gateway empty"* Aha. Default gateway=default route. I didn't know that before today, so thanks. I've decided to go with this solution, but I'm going to leave the other one as selected. I don't want to take back something I already gave—that'd be rude. I'll mark you up for a +1, though. Thank you! Fair 'nuff? – InteXX Sep 02 '20 at 15:00
  • That would be fine. Good luck! – mikem Sep 02 '20 at 15:01
  • p.s. Along the lines of PiHole, I found this: http://mayakron.altervista.org/support/acrylic/Home.htm – InteXX Sep 02 '20 at 15:01
  • I've read about PiHole a lot recently and planning to deploy it in my lab. In addition, it can help blocking ads. – Stuka Sep 06 '20 at 08:05
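The "no default route" approach from this answer, as an added example written for an elevated PowerShell prompt inside the Win10 guest (this is not mikem's code; the adapter name, LAN addresses and DNS server are assumptions). It goes a little beyond the answer: it also turns off IPv6 on the adapter, because a LAN router that sends IPv6 router advertisements would otherwise hand the guest an IPv6 default route and the block would be IPv4-only, and it turns off DNS registration, which the comment quoted in the question asks for:

```powershell
# Assumed values: change them for your LAN.
$Adapter = 'Ethernet'
$LanIp   = '192.168.1.50'
$Prefix  = 24
$Gateway = '192.168.1.1'     # LAN router; only present as a route during the update window
$LanDns  = '192.168.1.10'    # a LAN-side DNS server, e.g. the domain controller

function Set-LanOnly {
    # Static IPv4 address with NO default gateway: 192.168.1.0/24 (RDP, file
    # shares) is directly connected, everything else has no route and fails
    # immediately. Static, not DHCP, because a DHCP lease would put the gateway back.
    Set-NetIPInterface -InterfaceAlias $Adapter -AddressFamily IPv4 -Dhcp Disabled
    Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute     -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress    -InterfaceAlias $Adapter -IPAddress $LanIp -PrefixLength $Prefix | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $LanDns

    # Close the IPv6 side door: without this a router advertisement can still
    # install an IPv6 default route and Windows Update will happily use it.
    Disable-NetAdapterBinding -Name $Adapter -ComponentID ms_tcpip6

    # "Make sure both nics are set to not register in DNS" from the quoted comment.
    Set-DnsClient -InterfaceAlias $Adapter -RegisterThisConnectionsAddress $false
}

# Open the window for activation or a deliberate update, then close it again.
function Enable-InternetWindow {
    New-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -NextHop $Gateway | Out-Null
}
function Disable-InternetWindow {
    Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false
}

function Test-LanOnly {
    # The check: no IPv4 default route, a LAN host still answers, a public
    # address does not. 8.8.8.8 is just a well-known public IP used as a probe.
    $default = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HasDefaultRoute = [bool]$default
        LanReachable    = Test-NetConnection -ComputerName $Gateway -InformationLevel Quiet
        InternetBlocked = -not (Test-NetConnection -ComputerName 8.8.8.8 -InformationLevel Quiet)
    }
}

Set-LanOnly
Test-LanOnly     # expect HasDefaultRoute=False, LanReachable=True, InternetBlocked=True
```

Run Set-LanOnly once, then use Enable-InternetWindow / Disable-InternetWindow around the activation or a chosen update. Note the limits of the technique: it is a routing choice made inside the guest, so anything running as administrator in the guest (including an installer) can put the route back, and a LAN host that forwards traffic for the guest would also defeat it. A block enforced outside the guest, on the LAN firewall as the other answer suggests, does not have that weakness.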

You can set up a static IP address in your guest VM, and then configure your network firewall to block outside access for that IP address.

Tero Kilkanen