
Need help finding a way to allow Hyper-V VMs access to the internet without allowing them to access devices on the LAN

So I have 4 VMs that friends use to host game servers and other stuff on, but I am trying to find a way to still allow the VMs internet access without allowing them to access devices on the same LAN as the server (i.e. everything else in my house).

I assume the best way to do this is with VLANs, but I can't figure out how to set that up. Right now the router is running pfSense and I'm using an external vSwitch in Hyper-V, so the VMs all show up on the same LAN as the server. That works, but they have access to everything on that LAN.

If I create a VLAN on the LAN interface in pfSense and assign the same tag to the virtual switch port of a VM, the VM can't reach the router at all (I can't ping 192.168.4.1, which should be the router).

pfSense Interface: [screenshot]
pfSense VLANs: [screenshot]

VM network adapter settings: [two screenshots]

If anyone has any ideas or a different way of doing this that would be awesome...

why no dark mode?
Current:

Watercooled Eluktronics THICC-17 (Clevo X170SM-G):
CPU: i9-10900k @ 4.9GHz all core
GPU: RTX 2080 Super (Max P 200W)
RAM: 32GB (4x8GB) @ 3200MTs

Storage: 512GB HP EX NVMe SSD, 2TB Silicon Power NVMe SSD
Displays: Asus ROG XG-17 1080p@240Hz (G-Sync), IPS 1080p@240Hz (G-Sync), Gigabyte M32U 4k@144Hz (G-Sync), External Laptop panel (LTN173HT02) 1080p@120Hz

Asus ROG Flow Z13 (GZ301ZE) W/ Increased Power Limit:
CPU: i9-12900H @ Up to 5.0GHz all core
- dGPU: RTX 3050 Ti 4GB

- eGPU: RTX 3080 (mobile) XGm 16GB
RAM: 16GB (8x2GB) @ 5200MTs

Storage: 1TB NVMe SSD, 1TB MicroSD
Display: 1200p@120Hz

Asus Zenbook Duo (UX481FLY):

CPU: i9-12900H @ Up to 5.0GHz all core
- GPU: RTX 3050 Ti 4GB
RAM: 32GB @ 4800 MTs

Storage: OEM 1TB M.2
Display: Main 1800p@120Hz OLED + Screnpad Plus 2880x864@120Hz

Custom Game Server:

CPUs: Ryzen 7 7700X @ 5.1GHz all core

RAM: 128GB (4x32GB) DDR5 @ whatever it'll boot at xD (I think it's 3600MTs)

Storage: 2x 1TB WD Blue NVMe SSD in RAID 1, 4x 10TB HGST Enterprise HDD in RAID Z1

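Putting the tag on the VM's switch port from the Hyper-V side, plus the checks that separate "the tag isn't reaching pfSense" from "pfSense is dropping the ping", as an added example that is not part of the original post. Nothing in the thread states these names, so they are assumptions: a vSwitch called External, VLAN ID 40, placeholder VM names, 192.168.4.1 as the VLAN gateway and 192.168.1.10 as some host on the untagged LAN. Two things worth knowing before reading the results: a freshly created VLAN/OPT interface on pfSense has no pass rules, so the gateway will not answer ping even when the tagging is correct (DHCP is allowed automatically once the DHCP server is enabled on that interface, so a lease from the VLAN's scope proves the layer 2 path works), and the host's physical NIC driver has to be allowed to pass 802.1Q tags.

```powershell
# Added example (not from the original post): tag each game-server VM's adapter
# with VLAN 40 at the vSwitch port and verify the result from the Hyper-V host.
# Assumed names (not in the thread): switch "External", VLAN 40, gateway
# 192.168.4.1, LAN host 192.168.1.10, VM names GameSrv01..04.
# Run from an elevated PowerShell on the Hyper-V host.

$SwitchName = 'External'
$VlanId     = 40
$Gateway    = '192.168.4.1'
$LanHost    = '192.168.1.10'   # something on the untagged LAN the VMs must NOT reach
$VMs        = 'GameSrv01','GameSrv02','GameSrv03','GameSrv04'

foreach ($vm in $VMs) {
    $nic = Get-VMNetworkAdapter -VMName $vm
    # Make sure the adapter is on the external switch, then put the port in
    # access mode: Hyper-V adds/strips the tag, the guest never sees it and
    # cannot change it.
    Connect-VMNetworkAdapter -VMNetworkAdapter $nic -SwitchName $SwitchName
    Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Access -VlanId $VlanId
}

# 1. Confirm every adapter is in Access mode with the right tag.
Get-VMNetworkAdapterVlan -VMName $VMs |
    Select-Object ParentAdapter, OperationMode, AccessVlanId |
    Format-Table -AutoSize

# 2. The host's physical NIC must pass 802.1Q tags. On many Intel/Realtek
#    drivers the advanced property "Priority & VLAN" has to be set to
#    "Priority & VLAN Enabled"; otherwise tagged frames are stripped or dropped
#    before they leave the host and the VM never reaches the gateway.
$physNic = (Get-VMSwitch -Name $SwitchName).NetAdapterInterfaceDescription
Get-NetAdapterAdvancedProperty -InterfaceDescription $physNic |
    Where-Object DisplayName -like '*VLAN*' |
    Select-Object Name, DisplayName, DisplayValue

# 3. Test from inside each VM over PowerShell Direct (assumes a Windows guest
#    and a local admin account; on a Linux guest run ip/ping from its console).
$cred = Get-Credential -Message 'Guest admin account'
foreach ($vm in $VMs) {
    Invoke-Command -VMName $vm -Credential $cred -ScriptBlock {
        param($gw, $lan)
        $ip = Get-NetIPConfiguration | Select-Object -First 1
        [pscustomobject]@{
            VM             = $env:COMPUTERNAME
            GuestIP        = $ip.IPv4Address.IPAddress       # should be from the VLAN's DHCP scope
            GuestGateway   = $ip.IPv4DefaultGateway.NextHop  # should be $gw
            GatewayReached = (Test-Connection $gw  -Count 2 -Quiet)  # True once pfSense has a pass rule
            LanHostReached = (Test-Connection $lan -Count 2 -Quiet)  # must stay False
        }
    } -ArgumentList $Gateway, $LanHost
}
```

If GuestIP comes from the VLAN's scope but GatewayReached is False, the tagging is fine and pfSense is simply dropping the traffic: on the VLAN interface add a block rule with destination "LAN net", then a pass rule with destination any. That pair gives the internet-only behaviour asked for in the question, and LanHostReached should stay False afterwards. If the guest gets no lease at all, the tag is being lost between the vSwitch and pfSense; the NIC property checked in step 2, or a switch port in between that is not configured to carry the tag, are the usual suspects.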

I don't have the answer, but I can possibly help explain why the VLANs aren't working.

VLAN is a purely layer 2 function. If you create a VLAN tag and segregate its traffic from the default VLAN, anything associated with it will lose connectivity to that original VLAN, which includes routing and DHCP services.

I can only vouch for Cisco equipment. I don't know about pfSense, but you may need to create sub-interfaces and assign each sub-interface a DHCP server and subnet, for both the native VLAN and the one you created. Once enabled you'll have two independent networks running on one interface.

Or you could do it the quick'n'dirty way: install a NIC in the pfSense box, add a NIC to your PC, assign Hyper-V that NIC, create a network for the NIC in pfSense, and that should get her done. The only downside is that if a VM were compromised it could access the pfSense router. That would be bad, but don't allow router management on that network and you should be OK. Probably.


1 minute ago, Windows7ge said:

Or you could do it the quick'n'dirty way. Install a NIC in the pfSense box.

Not really an option, it's a tiny PC with no PCIe expansion. I guess I could use USB-to-Ethernet dongles, but eh.

2 minutes ago, Windows7ge said:

I can only vouch for Cisco equipment. I don't know about pfSense, but you may need to create sub-interfaces and assign each sub-interface a DHCP server and subnet, for both the native VLAN and the one you created. Once enabled you'll have two independent networks running on one interface.

I actually have a DHCP server set up for that interface: [screenshot]

Besides that I haven't really set up anything special on the pfSense side.

From the tutorials I've seen on pfSense I think it's set up right, but I have no real way of testing it.


1 minute ago, Mnky313 said:

Not really an option, it's a tiny PC with no PCIe expansion, I guess I could use USB to ethernet dongles but eh.

pfSense is based on FreeBSD, yeah? I don't know how well a USB NIC would work for you. It may not show up at all.

3 minutes ago, Mnky313 said:

I actually have a DHCP server set up for that interface:

Besides that I haven't really set up anything special on the pfSense side.

From the tutorials I've seen on pfSense I think it's set up right, but I have no real way of testing it.

Again, I don't really speak pfSense. I'm just sharing what I understand about VLANs from Cisco equipment. When you configure VLAN tagging, something has to segregate the traffic, and on Cisco equipment it's done by configuring sub-interfaces on the router. These are virtual interfaces on a single physical NIC, one assigned to each VLAN, and each hosts its own DHCP server with its own subnet range. This provides the network segregation without the need for adding physical NICs.

Hope this information gives you a eureka moment or something. I can't really instruct you on pfSense from here, though. Sorry.


If it is applicable, you may want to try adding a second NIC to the VM server, if there isn't one already, and putting that on a separate subnet. This would require you to be able to assign a different subnet to a specific port on your switch/router. I do that for my management connections on our servers. Then just create another virtual switch in Hyper-V and assign it to that second NIC. Finally, assign the VMs to it. This should let the VMs connect to the internet without talking to the other NICs on your LAN. As mentioned above, USB dongles may be the only option if there is no PCIe expansion.

Perhaps, if setting a port to use a separate VLAN is not an option, you could try some subnet mask trickery. Some class B addresses work in a class A scheme. For example, if you put all your computers on 10.1.1.1 with a class A address, but then set up the VM you want just on the network to be 10.2.1.1 and set the VM to use a class B, then maybe you can work your way around it. The VM would still be able to talk to the router/firewall, but it wouldn't go looking for addresses outside the subnet.

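The dedicated-NIC variant from the post above (a second physical NIC on the Hyper-V host, its own external vSwitch, and a switch port or pfSense interface that carries the isolated subnet), as an added example that is not part of the thread. Assumed names, none of them from the original: the spare NIC is "Ethernet 2", the new switch is "VM-Isolated", and the VM names are placeholders. One caveat a practitioner would want stated: the isolation in this design comes from pfSense firewall rules between that interface and LAN. A different subnet or mask on its own is not an access control, because whoever controls the guest can set any address and mask they like. The guard settings at the end keep a compromised guest from handing out DHCP leases or advertising itself as a router on that segment.

```powershell
# Added example (not from the original post): build a second external vSwitch
# bound to a dedicated physical NIC, keep the host OS off it, and move the VMs
# onto it untagged. Assumed names (not in the thread): NIC "Ethernet 2",
# switch "VM-Isolated", VM names GameSrv01..04.
# Run from an elevated PowerShell on the Hyper-V host.

$NicName    = 'Ethernet 2'
$SwitchName = 'VM-Isolated'
$VMs        = 'GameSrv01','GameSrv02','GameSrv03','GameSrv04'

# -AllowManagementOS $false: no host vNIC is created on this switch, so the
# Hyper-V host itself has no presence on (and no route into) the VM segment.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $NicName -AllowManagementOS $false | Out-Null
}

foreach ($vm in $VMs) {
    $nic = Get-VMNetworkAdapter -VMName $vm

    # Move the adapter off the shared LAN switch.
    Connect-VMNetworkAdapter -VMNetworkAdapter $nic -SwitchName $SwitchName

    # Untagged: the physical switch port / pfSense interface decides which
    # subnet this is, not the guest.
    Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Untagged

    # Port-level guards enforced by the vSwitch, outside the guest's control:
    #   MacAddressSpoofing Off - guest cannot change its source MAC
    #   DhcpGuard On           - DHCP server replies from the guest are dropped
    #   RouterGuard On         - router advertisements/redirects from the guest are dropped
    Set-VMNetworkAdapter -VMNetworkAdapter $nic -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On
}

# Show where each VM now lands and which guards are active.
Get-VMNetworkAdapter -VMName $VMs |
    Select-Object VMName, SwitchName, MacAddress, MacAddressSpoofing, DhcpGuard, RouterGuard, Status |
    Format-Table -AutoSize
```

On the pfSense side this interface gets the same rule pair as any isolated segment: block to "LAN net" first, then pass to any. If the pfSense box cannot take a second NIC, the same rules apply to a VLAN interface instead; only the Hyper-V side changes (tagged access port instead of a separate switch).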
