Dedicated IP for VM with NAT for VPN at router level?


  1. Posts : 1
    Windows 10
       #1



    Hi,

    I hope someone can be kind enough to help me with suggestions on my VM setup.

    What I have:
    Windows 10 host. (Motherboard has two LAN ports)
    Virtualization through Hyper-V or Virtualbox
    1 main router (192.168.1.1)
    1 potential secondary router.

    What I want:
    NAT "type" setup. I do not want VM to have access to host or any other device on the network but I want it to have internet access. However, I would like to use router based VPN tunneling only for my VM and would need to have a dedicated IP number. However, I don't want my host to be on a VPN, so I can't use software-based VPN on host.

    How
    1) Is it possible to somehow give a dedicated IP for the VM using NAT type of setup in Hyper-V or VirtualBox?

    2) If I connect two LAN cables from my Router 1 to my host, can my host have 2 IP addresses in the router? Would it be possible to force all host traffic onto LAN1 so that no traffic goes through LAN2, except the VM? That would give me the option of doing router based VPN based in IP address.

    3) If I connect my host to 2 routers (Router1 for host) and Router2 intended for VPN tunneling, could this be done in a similar fashion as above? Force all host traffic onto Router1, except the VM that would be forced onto router2? If that is the case, then Router 2 could be main router after ISP modem (192.168.0.1) and tunneling only the IP from the VM and Router1 could be secondary (192.168.1.1) chained router. That would mean the VM would have no access to network on Router 1?

    4) Or would you suggest the easiest way - software-based VPN tunneling on the VM? However, this would take a few moments to fire up after startup of computer, the reason why I prefer router-based VPN.

    I would appreciate any help in understanding what setup is doable and what your suggestions are.
    Many thanks.


  2. Posts : 11,247
    Windows / Linux : Arch Linux
       #2

    Hi there

    @Mr Blob

    I would have thought that NAT - at least on VMWare type of VM's isolates the VM from the HOST (the VM runs on a separate subnet) whilst allowing Internet access.

    Bridged Networking (where the VM has its own "Real IP address") is the method that allows complete connectivity throughout the network.

    I'm not sure though if NAT will allow connectivity to other machines on a LAN -- Host isolation though works.

    The other way might be (at least on a HOME Lan) is to give the VM a different "workgroup" name .

    Using 2 ethernet NIC's (ports / connectors) to router works in all sorts of ways but you still have the problem of Internet access but not to rest of LAN -- different subnets would work in this case -- you need then to have a VM system that allows you to "pass thru" the specific NIC card for the VM rather than using a "Virtual NIC" .

    I've tested this on a machine with two lan ports -- but I can only get it to work using a Linux Host and running the VM as a KVM/QEMU Windows Virtual machine -- passing through one NIC which has a different subnet to the Host does the job perfectly --- I'm sure this probably could be achieved on a HOST Windows system using HYPER-V -- although Hyper-V networking is "well beyond my paygrade". I don't think VMWare or VBOX will do this unless you can force a virtual NIC to use a specific physical NIC on your machine.

    There could be other ways like blocking by mac id or whatever --I'm not a network Guru and usually for VM's on my network --I want them to have maximum connectivity -- so I'll pass on other possible suggestions and leave it to Network Gurus.

    For things like tunnelling etc --use Putty but this is used more for things like RDP etc.

    BTW if your Mobo only has ONE ethernet NIC you can always use a USB->Ethernet adapter for a 2nd NIC).

    Cheers
    jimbo


  3. Posts : 2,068
    Windows 10 Pro
       #3

    Your 2 network interfaces on my main machine would have to go into 2 routers as you would need to be on 2 distinct IP networks to keep your traffic 100% segregated. So, 1 NIC could be on 192.168.1.x/24 and the other NIC could be on 192.168.2.x/24.


  4. Posts : 11,247
    Windows / Linux : Arch Linux
       #4

    pparks1 said:
    Your 2 network interfaces on my main machine would have to go into 2 routers as you would need to be on 2 distinct IP networks to keep your traffic 100% segregated. So, 1 NIC could be on 192.168.1.x/24 and the other NIC could be on 192.168.2.x/24.
    Hi there

    I'm not a network Guru so "please don't shoot the messenger" !! and I'm also learning about this stuff every day --but I've found some "so called experts" aren't always that accurate either.

    But couldn't a single router with multiple Lan inputs do this too -- maybe using DD-WRT or whatever.
    Some routers seem to have the ability to be able to run multiple subnets.

    Also from a Home even if you have Multiple Routers --you probably have only one ISP connection --at least for those paying a single sub.

    Sorry here if I seem obtuse --but I want to understand this stuff too.

    Cheers

    jimbo


  5. Posts : 17,661
    Windows 10 Pro
       #5

    Mr Blob said:
    What I want:NAT "type" setup. I do not want VM to have access to host or any other device on the network but I want it to have internet access.

    A simple solution I would choose is to get a VPN client on VM. Everything you want can be easily achieved for instance with F-Secure's Freedome VPN selecting all settings shown in screenshot:

    [Screenshot: image.png]

    Kari


  6. Posts : 913
    CP/M
       #6

    NAT "type" setup. I do not want VM to have access to host or any other device on the network but I want it to have internet access.
    It is possible if your hardware and hypervisor allow you to set up NIC adapter passthru to guest (esxi can do it, I do not know for other hypervisors). It requires vt-d support and some effort.

    I would have thought that NAT - at least on VMWare type of VM's isolates the VM from the HOST (the VM runs on a separate subnet) whilst allowing Internet access.
    Not true for both esxi & vmplayer/wksta, the host always has virtual interface connected to virtual NAT segment.
    Last edited by muchomurka; 11 Mar 2020 at 19:54.


  7. Posts : 913
    CP/M
       #7

    I'm not sure though if NAT will allow connectivity to other machines on a LAN
    Incredible... VmWare Workstation 12.5.9: how to share folders between VMs?

    The other way might be (at least on a HOME Lan) is to give the VM a different "workgroup" name .
    Nonsense. No reason to read further.


  8. Posts : 913
    CP/M
       #8

    A simple solution I would choose is to get a VPN client on VM.
    It protects guest connections to internet from host attacks but does not deny connections from guest to host (as required).


  9. Posts : 17,661
    Windows 10 Pro
       #9

    muchomurka said:
    It protects guest connections to internet from host attacks but does not deny connections from guest to host (as required).
    The fourth and last setting in my screenshot completely blocks all network connections between VM and host. All networks VM is allowed to connect, also the host network, must be specifically set as trusted. If none is set trusted, VM cannot connect to host or any other network.

    Kari


  10. Posts : 913
    CP/M
       #10

    No problem to reconfigure/disable/uninstall vpn software at guest... The only real way to fully & securely isolate guest from host (while retaining guest access to inet) is to connect them to different network devices using two host NICs: one for host, one passed exclusively to guest. If you know whether NIC passthru is or isn't possible in hyperv/virtualbox (I don't care), please post it; other ways do not work.
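
One way to approximate the two-NIC layout described in post #10 on a Hyper-V host, as an added example that is not part of any post in this thread: an external virtual switch bound to the second physical NIC and not shared with the management OS, so the host keeps no IP interface on that port. This is not PCI passthrough; the adapter name `Ethernet 2`, the switch name `VpnOnly` and the VM name `IsolatedVM` are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the Hyper-V host.
# Assumed names: 'Ethernet 2' is the second LAN port (cabled to the VPN router),
# 'VpnOnly' is the new switch, 'IsolatedVM' is the guest.
$nicName    = 'Ethernet 2'
$switchName = 'VpnOnly'
$vmName     = 'IsolatedVM'

# Stop if the adapter name is wrong; warn if the cable is not connected.
$nic = Get-NetAdapter -Name $nicName -ErrorAction Stop
if ($nic.Status -ne 'Up') {
    Write-Warning "Adapter '$nicName' is $($nic.Status); check the cable to the second router."
}

# External switch on the second NIC. -AllowManagementOS $false means the host
# gets no virtual adapter on this switch, so only VMs can send traffic through it.
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -NetAdapterName $nicName -AllowManagementOS $false | Out-Null
}

# Attach every virtual NIC of the guest to that switch (detaches it from any other).
Get-VMNetworkAdapter -VMName $vmName | Connect-VMNetworkAdapter -SwitchName $switchName

# Check 1: the switch must not be shared with the management OS.
if ((Get-VMSwitch -Name $switchName).AllowManagementOS) {
    throw "Switch '$switchName' is shared with the host; isolation is not in effect."
}

# Check 2: the host must have no virtual adapter on this switch.
$hostVnic = Get-VMNetworkAdapter -ManagementOS |
    Where-Object { $_.SwitchName -eq $switchName }
if ($hostVnic) {
    throw "Host still has a vNIC on '$switchName': $($hostVnic.Name)"
}

# Check 3: IPv4/IPv6 should be unbound from the physical NIC now that it is a switch uplink.
$bound = Get-NetAdapterBinding -Name $nicName |
    Where-Object { $_.ComponentID -in 'ms_tcpip', 'ms_tcpip6' -and $_.Enabled }
if ($bound) {
    throw "Host IP stack is still bound to '$nicName': $($bound.ComponentID -join ', ')"
}

# Check 4: the guest should list only the isolated switch.
Get-VMNetworkAdapter -VMName $vmName | Select-Object VMName, SwitchName, MacAddress
```

The guest then takes its address from whichever router the second port is cabled to; keeping it away from the other LAN devices still depends on that router being on its own subnet, as post #3 describes.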


 
