Exposing Hyper-V host to the internet?
-
Hi all–
I'm wondering if what I'm thinking of doing is particularly dumb, and if so, what I should do instead.
Currently, I've got a functioning install of pfSense in Hyper-V performing double duty as more or less a router.
Hyper-V is running on Server 2012 R2, and that physical machine is plugged directly into my modem via Ethernet. None of the ports on the Hyper-V host have been 'granted access to share this port with the VM' to gain access to the internet, or whatever the correct terminology is. So basically I've got a Hyper-V host with 8 NICs and currently no internet access itself; only the devices I plug into the physical NICs can get to pfSense, and thus the WAN.
Is there a safe way to have some sort of internal network switch which 'connects' Server 2012 with the LAN? This would mean, I think, my Hyper-V host would be as much 'behind' pfSense as the rest of my network, right?
Am I crazy? Is there a better way to give myself the occasional internet connectivity I want on the Hyper-V host for automatic updates etc.?
-
I just use one of the ports on the server and connect it via cable to my physical LAN switch. This port is not shared or part of any virtual switch in Hyper-V.
-
I do it all the time with Hyper-V and Forefront TMG as firewall, but it works the same with pfSense. On one of the inside NICs, check that "allow host operating system" (or something like that) checkbox.
The trick is to "see" each physical NIC as a switch.
In your internet "switch" you have two connections: the modem and the external interface on your pfSense box.
As I understand you, you also have seven internal "switches" connected to your pfSense box and to some internal computers or something else.
Now you want the physical host to connect to one of these internal "switches". That's easy. Just select that "allow host operating system" (or something like that) checkbox for the right NIC/"switch". It will then plug in a virtual network cable between the virtual NIC in the physical host and the virtual switch, allowing the physical host access to the internal network and internet access through pfSense.
-
Not a dumb idea. Actually a pretty basic one to protect your host behind pfSense.
As Mats has explained, when you set up your vSwitch in Hyper-V Manager, there is an option to "Allow management operating system to share this network adapter". By checking that box a new virtual NIC will appear in your host's network config. Configure that virtual NIC as if it were a physical NIC connected to that vSwitch. DO NOT change the configuration of the physical NIC in the host's network config; that will break the vSwitch config. Basically you're using Hyper-V to virtualize your host network configuration the same way it's done for the VMs.
Ideally, to accomplish what you're looking for, the NIC that connects to your modem would be attached to a vSwitch where "Allow management operating system to share this network adapter" is NOT checked, so your host OS doesn't have access to it. Then you share your LAN vSwitch and configure your host to use that.
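The two-switch layout Mats and the reply above describe, written out as an added PowerShell example for an elevated session on the host. This is not code from the thread; the adapter names ('Ethernet 1' on the modem, 'Ethernet 2' on an inside port), the switch names, the VM name 'pfSense', the host address 192.168.1.10 and a pfSense LAN side of 192.168.1.1 that also answers DNS are all assumptions, so substitute your own after listing adapters with Get-NetAdapter.

```powershell
# Added example, not from the thread. Builds the layout described above with the
# Hyper-V PowerShell module on the host (Windows Server 2012 R2 or later).
# Adapter names ('Ethernet 1', 'Ethernet 2'), switch names, the VM name 'pfSense'
# and the 192.168.1.0/24 LAN are assumptions; list yours with Get-NetAdapter first.

# 1. WAN: external switch on the NIC cabled to the modem. AllowManagementOS $false
#    means no host vNIC is created on this switch, so the host has no path to the modem.
#    This must be explicit: with -NetAdapterName the cmdlet defaults to sharing.
New-VMSwitch -Name 'WAN' -NetAdapterName 'Ethernet 1' -AllowManagementOS $false

# 2. LAN: external switch on one of the inside NICs, shared with the management OS.
#    This creates a host vNIC named 'vEthernet (LAN)' that hangs off the switch
#    exactly like a VM's NIC would.
New-VMSwitch -Name 'LAN' -NetAdapterName 'Ethernet 2' -AllowManagementOS $true

# If the LAN switch already exists with the box unticked, flip it instead:
# Set-VMSwitch -Name 'LAN' -AllowManagementOS $true

# 3. Give pfSense one vNIC on each switch (skip if it already has them).
Add-VMNetworkAdapter -VMName 'pfSense' -Name 'wan' -SwitchName 'WAN'
Add-VMNetworkAdapter -VMName 'pfSense' -Name 'lan' -SwitchName 'LAN'

# 4. Configure the host's vNIC, never the physical 'Ethernet 2'. Static address behind
#    pfSense, whose LAN side is assumed to be 192.168.1.1 and to serve DNS.
New-NetIPAddress -InterfaceAlias 'vEthernet (LAN)' -IPAddress 192.168.1.10 `
    -PrefixLength 24 -DefaultGateway 192.168.1.1
Set-DnsClientServerAddress -InterfaceAlias 'vEthernet (LAN)' -ServerAddresses 192.168.1.1

# 5. Checks worth running afterwards.
# Only the LAN switch should report AllowManagementOS = True:
Get-VMSwitch | Select-Object Name, SwitchType, AllowManagementOS
# The host should have exactly one management-OS vNIC, and it should sit on 'LAN':
Get-VMNetworkAdapter -ManagementOS | Select-Object Name, SwitchName
# The physical NICs behind the switches should be bound only to the Hyper-V
# Extensible Virtual Switch, not to TCP/IP; an enabled TCP/IP binding here means
# the host has its own foot on that wire:
Get-NetAdapterBinding -Name 'Ethernet 1', 'Ethernet 2' | Where-Object Enabled |
    Select-Object Name, DisplayName
# And the host's first hop to the internet should be pfSense (192.168.1.1), not the modem:
Test-NetConnection -ComputerName 8.8.8.8 -TraceRoute | Select-Object -ExpandProperty TraceRoute
```

The point of the checks is the one the thread is circling: the host never gets a vNIC on the WAN switch, so Windows Update and everything else on the host leaves through pfSense and is filtered on the way back in, just like any other LAN client. If the trace route's first hop is not pfSense, or `Get-VMNetworkAdapter -ManagementOS` lists an adapter on 'WAN', the modem-side switch was created with the share box ticked and should be fixed with `Set-VMSwitch -Name 'WAN' -AllowManagementOS $false`.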