Hyper-V + RRAS NAT + Port Forwarding + RDP, can I get it all working together?

April 19

I am running a Windows 2008 R2 server with various services running natively and two virtualised servers running on Hyper-V.

The hardware server, I'm going to call it REAL1, has one external NIC, to which I can assign any of the following IP addresses: 1.2.3.4, 1.2.3.5, 1.2.3.6, etc...

I need to achieve the following: I would like to be able to connect to REAL1 via remote desktop (RDP / port 3389) on one IP address (say 1.2.3.4), but also to the virtualised servers (I'm going to call them VIRTUAL1 and VIRTUAL2) on the other available IP addresses (say 1.2.3.5 and 1.2.3.6).

The easiest way of doing this is to connect the virtual servers directly to the external interface and assign them each their own IP address. REAL1 will have 1.2.3.4, VIRTUAL1 will have 1.2.3.5 and VIRTUAL2 will have 1.2.3.6. Unfortunately, although I don't directly manage the two virtual servers, I have responsibility for their security. I would like to have some kind of firewall between the virtual servers and the internet.

I have tried running a virtual machine firewall, but have found the performance on Hyper-V pretty terrible.

The alternative I am now trying is Routing and Remote Access (RRAS):

  • I have set up a virtual network called 'Internal' and REAL1 has a virtual network adapter connected to this virtual network
  • I have connected each of the virtual servers to this network too
  • I have assigned each server static IP addresses on this virtual network (REAL1 has 10.1.1.1, VIRTUAL1 has 10.1.1.2 and VIRTUAL2 has 10.1.1.3)
  • I have installed RRAS and set up a NAT. The external interface is the external NIC, the internal interface is the virtual NIC connected to the internal network
  • I have assigned all the available external IP addresses to the external NIC on REAL1.
  • The virtual servers have been set up appropriately such that their default gateway is pointing to 10.1.1.1 and they can both access externally. Success! The RRAS is routing packets.

The problem I have is that when I try to port forward services from the external IP address on REAL1, it only works if there is not already a service bound to the port. Remote desktop 'greedily' binds to every available IP address on port 3389 on REAL1 so I can't selectively forward incoming traffic for 1.2.3.5:3389 to 10.1.1.2:3389. RRAS will allow me to set up this port forwarding, and no errors come up. It just doesn't work.

So the question I have is:

Is there a better way of doing this? Or at least is there a way of resolving the apparent conflict between RRAS and everything else on the physical server?
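A check for the overlap the question describes, as an added example that is not part of the original post: it parses text in the format of `netstat -ano -p TCP` and flags planned NAT port mappings whose external IP and port are already held by a listener on the host, either by a wildcard (0.0.0.0) bind or an exact one. The netstat sample, the PIDs, the 8080 and 443 mappings and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format of `netstat -ano -p TCP` on Windows
# (addresses are the placeholder ones from the question; PIDs are made up).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1840
  TCP    1.2.3.4:443            0.0.0.0:0              LISTENING       4
  TCP    10.1.1.1:139           0.0.0.0:0              LISTENING       4
  TCP    1.2.3.4:3389           198.51.100.7:50211     ESTABLISHED     1840
"""

# Planned NAT port mappings (constructed):
# (external IP, external port, internal IP, internal port)
PLANNED_FORWARDS = [
    ("1.2.3.5", 3389, "10.1.1.2", 3389),
    ("1.2.3.6", 3389, "10.1.1.3", 3389),
    ("1.2.3.5", 8080, "10.1.1.2", 80),
    ("1.2.3.4", 443, "10.1.1.2", 443),
]

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(netstat_text):
    """Return [(local_ip, port, pid)] for every IPv4 TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and not m.group(1).startswith("["):  # skip IPv6 such as [::]:3389
            listeners.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return listeners

def find_conflicts(listeners, forwards):
    """Pair each mapping with host listeners that cover the same external IP:port."""
    conflicts = []
    for ext_ip, ext_port, _int_ip, _int_port in forwards:
        for ip, port, pid in listeners:
            if port == ext_port and ip in ("0.0.0.0", ext_ip):
                kind = "wildcard" if ip == "0.0.0.0" else "exact"
                conflicts.append((ext_ip, ext_port, kind, pid))
    return conflicts

if __name__ == "__main__":
    found = find_conflicts(parse_listeners(SAMPLE_NETSTAT), PLANNED_FORWARDS)
    for ext_ip, port, kind, pid in found:
        print(f"{ext_ip}:{port} is also held by a host listener ({kind} bind, PID {pid})")
```

The same listing doubles as an exposure inventory: every wildcard listener on the host is reachable on each external address assigned to the NIC unless a host firewall rule restricts it.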

Answers

I have tried running a virtual machine firewall, but have found the performance on Hyper-V pretty terrible.

Huh? I run multiple RRAS / Firewall systems with Hyper-V (2 RRAS, one TMG) and performance is really ok for 99% of the things - actually all I care about.

If you are OK with RRAS as firewall, use RRAS externally.

Put in a second NIC on REAL1 - a non-hardware one (Microsoft driver - look it up - I think it is called loopback adapter), then put up the virtual network around that one. RRAS can then forward incoming TCP etc. connections there.

I personally would not run anything but Hyper-V on the physical server ;) Definitely not higher level functions, if it is exposed to the internet ;)

I don't see how performance can be so bad, I'd definitely go with a third virtual server that has your firewall/remote access/service publishing and keep the physical host clean of such things.

Obviously the best thing would be to slot a second NIC into the machine and dedicate it for the internal network if such a thing exists.

If no such internal network exists, then just use a third virtual server with something like TMG installed, assign it the external IP(s) and create a private network on the inside which is purely virtual and only connects the physical host, the two virtual servers and the TMG's inside interface together. Use NAT and several external IP addresses on the TMG to publish the other servers. This will partially shield not only the virtual servers but the physical host as well.

Are you running a high-end video adapter on your Hyper-V server? There is an issue with this configuration and a recommendation to use the basic svga drivers on Hyper-V servers.

Understanding High-End Video Performance Issues with Hyper-V

A possible option for solving your RDP problem is to add the Terminal Services Gateway to your Hyper-V server and then you can connect to your VMs through your Hyper-V Server. I wrote up an article that outlines this feature in Windows 2008 Server and use it every day to get to my VMs on my lab server.

Once you have TSG enabled you can extend it by adding RRAS with SSTP to add the option of a VPN connection into your home network, all over your Hyper-V server.
