Isolate virtual computer from network but allow internet access

1

I have the following setup:

  • a few client computers
  • 1 Hyper-V Server Core 2012 R2
    • 1 Windows Server 2012 R2 (Domain Controller)
    • 1 Windows 7 computer.

Now the Hyper-V server has 2 virtual switches: 1 internal between the 2 virtual PCs and one that connects them to the router.

Now my question is: is there some way to isolate the virtual Windows 7 computer from the rest of the network and only allow it PPTP, DNS and GRE access to specified servers (excluding the communication with the domain controller via the internal network switch)?

How I accomplish this doesn't really matter; I tried to configure the router but that didn't work.

Network setup

Any suggestions?

Peter

Posted 2014-12-01T11:41:07.430

Reputation: 357

Not possible. To isolate a computer entirely you cannot grant it internet access. – AStopher – 2014-12-01T11:59:30.650

I would say that in theory it might be possible to configure your network in such a way that you HAVE to be connected to a VPN in order to access the network but that would disconnect you from the internal network also if you were disconnected. Doing so would not isolate you from anything while connected to the client, and usage case for a computer not connected to anything, is sort of non-existent since you also wouldn't be connected to a domain either. – Ramhound – 2014-12-01T12:11:13.843

@cybermonkey could you elaborate on your statement? – Peter – 2014-12-01T13:57:22.510

Answers

1

You can get quite a reasonable attraction by configuring your physical machines as 10.0.0.0/8 and putting the virtual machines as 192.168.0.0/16. Only the gateway would know about the two networks, and it would be configured not to route traffic between the two networks.

You'd put the virtual network card in bridged mode, to make it virtually appear on the Ethernet without going through the host OS.

MSalters

Posted 2014-12-01T11:41:07.430

Reputation: 7 587

I don't want to restrict the Domain Controller, only the Windows 7 virtual machine, but I guess I would only put that machine on the 192.168.0.0/16 network; this would not restrict it to only using the specified protocols, though. – Peter – 2014-12-01T12:20:12.550

@Peter - If it's connected to the domain controller then it has to be connected to the rest of the network. – Ramhound – 2014-12-01T12:22:17.167

Well, DNS is a federated system anyway. Put a DNS proxy on the Windows Server, and point the Windows 7 DNS client to your own server. And for the other protocols, the 192.168.0.0 network only connects to your router which presumably can do port filtering. – MSalters – 2014-12-01T12:25:55.373

@Ramhound why would I have to be that? (the internal Hyper-V switch would only connect those 2 machines?) – Peter – 2014-12-01T12:26:14.670

@MSalters, if I enable port filtering on my router it disables GRE and I have no way to activate it, essentially killing PPTP – Peter – 2014-12-01T12:27:35.257

Hmm, makes sense - GRE isn't port 47 but type 47. That is to say, not TCP port but IP type. And it makes sense for a white-list port filter to block anything that's not port-based. Still, this means the question fundamentally is a firewall issue. What router do you use? – MSalters – 2014-12-01T12:36:52.070

@MSalters I use a Jensen Scandinavia Air:Link 1000G but I have been thinking about getting a new one as it doesn't support 5 GHz Wi-Fi. – Peter – 2014-12-01T12:48:28.347
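One way to do the filtering MSalters' comments describe on the Hyper-V host itself, instead of the router, is the extended port ACLs that Hyper-V 2012 R2 exposes through PowerShell; because the rules sit on the host's virtual port, the guest cannot switch them off, and the adapter on the internal switch (used for the domain controller) is left untouched. This is an added example, not code from the thread; the VM name, adapter name and the two server addresses are placeholders, and matching GRE by protocol number 47 assumes the cmdlet accepts a numeric protocol value.

```powershell
# Run on the Hyper-V host as an administrator.
# Placeholders (assumed, not from the thread):
$VMName    = 'WIN7-VM'        # the Windows 7 guest
$Adapter   = 'External'       # ONLY the adapter attached to the external switch
$VpnServer = '203.0.113.10'   # PPTP server (documentation range, placeholder)
$DnsServer = '192.168.1.2'    # DNS proxy on the Windows Server, as the answer suggests

# Start from a clean slate so the script can be re-run safely.
Get-VMNetworkAdapterExtendedAcl -VMName $VMName -VMNetworkAdapterName $Adapter |
    Remove-VMNetworkAdapterExtendedAcl

$common = @{ VMName = $VMName; VMNetworkAdapterName = $Adapter }

# DNS only to the chosen resolver (UDP and TCP 53). Stateful, so replies are
# admitted without a separate inbound rule.
foreach ($proto in 'UDP', 'TCP') {
    Add-VMNetworkAdapterExtendedAcl @common -Direction Outbound -Action Allow `
        -RemoteIPAddress $DnsServer -Protocol $proto -RemotePort 53 `
        -Weight 100 -Stateful $true
}

# PPTP control channel: TCP 1723 to the VPN server only.
Add-VMNetworkAdapterExtendedAcl @common -Direction Outbound -Action Allow `
    -RemoteIPAddress $VpnServer -Protocol TCP -RemotePort 1723 `
    -Weight 90 -Stateful $true

# GRE (IP protocol 47) carries the PPTP tunnel. It has no ports, which is why
# a port-based whitelist on the router killed it; match it by protocol number,
# in both directions, to the VPN server only. (Assumes numeric -Protocol works.)
Add-VMNetworkAdapterExtendedAcl @common -Direction Outbound -Action Allow `
    -RemoteIPAddress $VpnServer -Protocol 47 -Weight 80
Add-VMNetworkAdapterExtendedAcl @common -Direction Inbound -Action Allow `
    -RemoteIPAddress $VpnServer -Protocol 47 -Weight 80

# Default deny on this adapter, lowest weight so the allows above win.
Add-VMNetworkAdapterExtendedAcl @common -Direction Outbound -Action Deny -Weight 1
Add-VMNetworkAdapterExtendedAcl @common -Direction Inbound  -Action Deny -Weight 1

# Show the resulting rule set for review.
Get-VMNetworkAdapterExtendedAcl -VMName $VMName -VMNetworkAdapterName $Adapter
```

Higher -Weight values take precedence, so the deny rules at weight 1 catch everything the specific allows do not; verify from the guest that a DNS lookup against the proxy and the PPTP connection succeed while other hosts on 10.0.0.0/8 are unreachable.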