When build lab and proof-of-concept solutions in a virtual environment it's very useful to also have a virtual router to enable multiple networks to connect, and to simulate a larger environments. Depending on virtualization platform you can use built-in network configurations to route, and bandwidth-limit network traffic.
In this article you learn to use a Windows Server 2016 based router, but the steps also works for Windows Server 2012 R2. The configuration works for both Hyper-V and VMWare environments, but the detailed steps and screenshots are taken from a Hyper-V based setup.
Note: For a guide on using a more advanced, Linux-based router instead, check out this post:
Using pfSense Community Edition as a virtual router for your lab environment
https://deploymentresearch.com/614/Using-pfSense-Community-Edition-as-a-virtual-router-for-your-lab-environment
Scenario
In this guide you learn to setup NAT and Routing for two different sites: New York, and Chicago.
The NAT configurations is to provide Internet access to the sites, and the Routing is make sure machines in New York can reach machines in Chicago.
Very shiny Microsoft paint creation π
Note #2: There is a video available for a Windows Server 2012 R2 version of the setup.
Note #3: I have posted a guide on how to configure Windows Server 2012 R2 RRAS (Option 1) with PowerShell.
Note #4: If you only are interesting in providing Internet access for a single network, you can just use the NAT feature in Hyper-V or VMware, no need for a virtual router. Ami Casto (@mdtpro) blogged about the Hyper-V NAT feature here: https://deploymentresearch.com/558/Setting-Up-New-Networking-Features-in-Server-2016.
Note #5: Yes, I wrote this guide for Windows Server 2012 R2, but you can absolutely replace Windows Server 2012 R2 with Windows Server 2016 in this guide.
Scenario
The step-by-step guides in this article configure a virtual router for part of (two sites) the fictive ViaMonstra network. For a full IP plan for ViaMonstra network, see http://viamonstra.com/?page_id=25.
In this scenario you configure routing between the following local networks, and also provide them Internet access.
- New York: 192.168.1.0/24
- Chicago: 192.168.3.0/24
In addition ViaMonstra also have Internet access. In a real world (physical) network you would have many routers, but in a virtual environment where all virtual machines are running on the same host you only need one router. This also means that in this guide there are two internal virtual networks (virtual switches in Hyper-V), and one external network.
Creating the virtual networks (virtual switches in Hyper-V)
Using Hyper-V Manager (or PowerShell), create the following virtual switches (if you are new into Hyper-V, check this documentation on how to create virtual networks: http://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/connect-to-network):
- External network
- Name: External
- Connection Type: External network (connected to physical network adapter of your host)
- New York
- Name: New York
- Connection Type: Internal network
- Chicago
- Name: Chicago
- Connection Type: Internal network
The virtual switches configured.
Create the Virtual Router VM in Hyper-V
1. Create a virtual machine named GW01 with three network adapters (1 GB RAM and 60 GB disk).
2. In the virtual machine settings, connect network adapter #1 to the External virtual network.
3. Connect network adapter #2 to the New York virtual network.
4. Connect network adapter #3 to the Chicago virtual network.
5. On the virtual machine settings, make a note of the Mac Address for each network adapter. In my setup I had the following:
Adapter #1 (External): 00:15:5D:01:00:41
Adapter #2 (New York): 00:15:5D:01:00:42
Adapter #3 (Chicago): 00:15:5D:01:00:43
GW01 created with three network adapters.
Option 1 – Using a Windows Server 2012 R2 or Windows Server 2016 VM with Routing and Remote Access.
1. Install Windows Server 2012 R2 or Windows Server 2016 on GW01 and set the computer name to GW01.
2. Using Network Connections, configure the networks to the following.
Note: Use the Mac Address you noted earlier to find correct adapter, they are very likely to be different in your environment π
Adapter #1 (00:15:5D:01:00:41)
- Name: Internet
- IP Address: DHCP
Adapter #2 (00:15:5D:01:00:42)
- Name: New York
- IP Address: 192.168.1.1
- Subnet mask: 255.255.255.0
- DNS: 192.168.1.200
Adapter #3 (00:15:5D:01:00:43)
- Name: Chicago
- IP Address: 192.168.4.1/24
- Subnet mask: 255.255.255.0
- DNS: 192.168.1.200
Networks configured in Network Connections.
3. Verify that you have Internet access by running the Test-NetConnection command in a PowerShell prompt.
Verifying Internet access on GW01.
4. Using Windows Firewall with Advanced Security, enable the File and Printer Sharing (Echo Request β ICMPv4-In) inbound rule.
Configuring the firewall rules on GW01.
5. Using Server Manager, add the Remote Access role, click Next three times, and on the Role services page, select Routing, and accept to add the features that are required.
6. Complete the Add Roles and Features Wizard with the default settings, and when the setup is completed, click Close.
7. Using Routing and Remote Access (from the start menu), right-click GW01 (local), and select Configure and Enable Routing and Remote Access.
8. Use the following settings for the Configure and Enable Routing and Remote Access Setup Wizard:
- Configuration: Network address translation (NAT)
- NAT Internet Connection:
Selecting the Internet network interface.
- Network Selection: Select the New York network
Note: When finish the Routing and Remote Access Server Setup Wizard, ignore the error about the VPN firewall setting. That feature is not used when routing only.
9. Still in Routing and Remote Access, navigate to GW01 (Local) / IPV4 / NAT.
10. Right-click NAT and select New Interface. Then select the Chicago and click OK.
11. On the Network Address Translation Properties β Chicago page, make sure the private interface connected to private network option is selected, and click OK.
12. Still in Routing and Remote Access, navigate to GW01 (Local)
Done! π
Verifying that routing and NAT works
Time to verify that everything works: For example by deploying two virtual machines with Windows 10. In this scenario the PC0001 VM is in the New York site, and the PC0002 VM is in the Chicago site.
Testing NAT on the New York site
Configure the PC0001 VM to be connected to the New York virtual switch, and assign the following IP configuration to it:
- IP Address: 192.168.1.90
- Subnet mask: 255.255.255.0
- Default Gateway: 192.168.1.1
- DNS: Whatever DNS you are using, but for example 8.8.8.8 (Google DNS) works fine for testing.
Verify that you can ping 192.168.1.1
Verify that you can ping 8.8.8.8
Try to browse the Internet.
Testing NAT on the Chicago site
Configure the PC0002 VM to be connected to the New York virtual switch, and assign the following IP configuration to it:
- IP Address: 192.168.4.90
- Subnet mask: 255.255.255.0
- Default Gateway: 192.168.4.1
- DNS: Whatever DNS you are using, but for example 8.8.8.8 (Google DNS) works fine for testing.
Verify that you can ping 192.168.4.1
Verify that you can ping 8.8.8.8
Try to browse the Internet.
Testing Routing between the sites:
From a command prompt on PC0001, verify that you can ping PC0002 (192.168.4.90).
Note: If you canβt ping PC0002, verify that you donβt have a firewall rule that prevents it.
Happy Routing / Johan
Thank you so much for this nice tutorial! It was very useful for me.
Glad you liked it.
/ Johan
Hi Johan,
Great little guide this and its really good for learning so many thanks.
Is there a way I can get the Chicago and New York office as part of the same domain now?
I have the Chicago server on a domain already, just want to join the New York server as a DC part of the same domain.
For a lab environment its usually simpler to just have a single DC, otherwise they are likely to go out of sync unless running at all the time. But, if you really want another DC in New York, you just configure it for another DC in the same domain.
Hi Johan,
I completely simulated this guide in the Windows.
Now, I need on how to simulate this in vsphere vmware environment.
Thanks,
-Anthony
pfSense works fine in VMWare, and you can more or less follow the same guide. The only difference would be the virtual network configuration on the VMWare host, and on the VM itself. If you search Internet for pfsense vmware guide you'll find many examples.
Sorry, don't have any troubleshooting guides for RRAS or Vyatta. Typically it's just making sure the correct network adapter is connected to the correct virtual network. Other than it's basic tcp/ip routing, with (or without) nat.
/ Johan
Hello! Thank you for writing up these detailed instructions. I've followed the instructions for option 1 exactly as you suggested, but have had no luck. The VMs that I'm trying to connect into the subnets cannot ping each other nor the internet. It seems that they are just getting IP addresses assigned from DNS. Any suggestions for trouble shooting? Do you need to set up static routes or anything in order to connect the subnets to the internet virtual switch?
Any advice would be greatly appreciated!
Hello! Thank you for writing up these detailed instructions. I've followed the instructions for option 1 exactly as you suggested, but have had no luck. The VMs that I'm trying to connect into the subnets cannot ping each other nor the internet. It seems that they are just getting IP addresses assigned from DNS. Any suggestions for trouble shooting? Do you need to set up static routes or anything in order to connect the subnets to the internet virtual switch?
Any advice would be greatly appreciated!
Doesn't matter, could be in any domain, or just a workgroup machine.
/ Johan
If setting this up in an existing domain environment, does the Gateway (GW01) need to be a member of the existing domain, a new (Virtualized) domain, or just a Workgroup computer?
Hi Zak,
Difficult to say, but most time people mix up the network cards in the virtual machine. Since it's only takes about ten minutes to redo the entire config I often recommend to start over from scratch again. Often quicker than to troubleshoot.
/ Johan
I have followed the instructions but somewhere I'm having an issue. I can ping the DC from GW01 but neither my DC or CM server can reach outside. I can also ping GW01 from both the DC and the CM server. I'm not sure what is wrong.
Never mind i worked it out. It seems a few of the NIC adpaters for DC01, MDT01, and PC001 got corrupted or just needed to be reinstalled in Hyper-V Did the reinstall, and setup the router via 2012R2 as above and all is working fine now. I am able to ping to DC01 over to DC03 Stockholm.
As long as you don't mind DC01 handling DHCP on your home network, that will work.
I would just change the home network to something that is not commonly used for lab and test environments, like 192.168.10.0/24
/ Johan
Hello.
I followed option 1 but i realized that my IP address scheme on my host machine is the same as the one in the book, and this lab. Is there a way around this? Every time i boot up the GW01 I lose internet access on my host machine. Also i am unable to ping between DC01 New York Site, and DC03 Stockholm site. Should i just point all my vm's towards the outside interface and not bother with the virtual router?
Thanks
Hey Chris,
I verified the instructions, and couldn't find anything missing in them… That being said, I decided to record the steps when verifying, so I have published (today) a new video that will guide you through the whole setup: youtu.be/i3tovlbf46k
/ Johan
I tried both options. What I'm saying is that your instructions are somehow missing something in Option 1. Check it out. Between the selecting of the Internet network interface and the selecting of the New York network. It doesn't make sense, sorry.
After that, I tried Option 2. Thanks for the video link. Maybe it will point me in the right direction.
Chris
Option 1 is not using Vyatta, it's using Windows Server 2012, and that setup is pretty straight forward… First you select NAT, yhen what interfaces that are used… Here is an old video (for 2008 R2) http://www.youtube.com/watch?v=Eb_7wWFO600 but the main topics still applies.
/ Johan
There seems to be something missing under Option 1. Between 3b "Select the Internet network interface" and the next part which says "Select the New York network". What's missing between those two parts? As for Option 2, I got it set up exactly as described, and can ping out to the Internet from the Vyatta router. But I can't get any of my virtual machines on my only virtual (New York) subnet to connect to the Internet. I'm using the Hydration Kit from the SCCM SP1 book and have DC01, CM01, PC0001, and PC0002 built. But none of them will… Read more »