How to replace a physical router with a virtual router for colocating Windows Server 2012 machine with multiple VM’s

colocationhyper-vroutingrraswindows-server-2012

I am currently setting up a Windows Server 2012 machine that will be colocated. It will have around 10 VM's on it that allow various users to connect in and run them from home. Most of the VM's will be Windows 8 unless they are for basic testing purposes. I do have access to creating a second Windows Sever 2012 machine as a VM if needed.

The physical machine will be connected directly to the colocation service so I will have a specific static IP that I will need to use for the physical machine. I am new to networking like this and I'm having trouble figuring out how to setup either a) the physical machine with routing capability or b) setting up a VM to act as the router. In both cases I will not have the ability to put my own physical router in the location and thus need to be able to route traffic to the VM's using a virtual router.

Since I have the one public static IP I am assuming that will need to go to the physical machine and then through something like RRAS I would somehow create the equivalent of a router that could either a) assign IP's to the VM's through DHCP or b) route to static IP's that have been assigned to each VM. All the VM's will need to be able to access the internet.

I guess my question is through what I have described is it possible for me to use something that is built in to Windows Server 2012 to achieve what I want with 1 physical NIC, 1 public static IP, 1 physical server, and multiple VM's on Hyper-V? If so does anyone know of any good information on how to set this up because I keep finding information out there but in most cases there is some physical router being assumed in what I have read and thus I am stuck at the moment.

UPDATE:
I'm told by my boss that he wants to keep everything in a windows environment for various reasons of his own. I have read about using a loopback adapter with RRAS as a possible way to solve this? Does anyone know if that might work and if so how?

Thank you for any help you may provide.

Best Answer

I would suggest you run pfSense in a VM as your router. It's fairly easy to work with, and free.

Essentially though, your setup will look like this:

                      Physical box with one NIC
                  +------------------------------------------------------+
+------------+    |                                                      |
|  Internet  |{--}| {Lan Bridge} [ROUTER] {-VMLAN-} [ Virtual Machines]  |
+------------+    |                                                      |
                  +------------------------------------------------------+

Using this, all your virtual machines have a private subnet(say, 192.168.34.0/24), Your router is bridged to the World on the physical interface. and has a virtual link to the VM LAN network. Your physical system then has no direct connection using it's physical interface, and an a private address on a virtual link to the VM LAN as well.

Related Solutions

Nat – VMware Server Host-Only Network Routing

As long as you're only allowed one MAC address you are looking at some kind of NAT solution. Instead of using VMWare's builtin network config, I would add a 4th VM, and set it up with a light firewall applicance (The vmware appliance download page has several of these). Set up this VM as your single outside mac address and configure rules accordingly. This will give you more options than the builtin vmware networking options.

Still, the easy way is just do have them enable more mac addresses for you. Even if there's an added cost to this, i bet it beats a quirky network setup, especially in the long run.

Iptables – Azure Site-to-Site VPN with a Linux based router to bridge the VPN ports to a RRAS server while keeping NAT for other traffic

So I've managed to figure this out after a lot of digging around, I am able to use the native Azure Site-to-Site VPN functionality with OpenSwan which runs on a linux box (Raspberry Pi/Arch Linux) behind my home network's NAT router.

Network topology:

192.168.0.0/24 - Home network
192.168.1.0/24 - Azure network
192.168.0.1 - Home router's private IP
192.168.0.2 - Linux box acting as the home network's VPN server and gatewat

Firstly I set up Azure with:

It's remote network as normal
My local network with the VPN address as my public IP
Enabled the Site-to-Site checkbox on the Azure network linking it to my local network
Created a static gateway so IKEv1 is used

On my home network's router I forwarded the following to my Linux gateway running Openswan (192.168.0.2):

UDP 500
UDP 4500
Protocol 50 (GRE)

My ipsec.conf looks like this:

version 2.0

config setup
    nat_traversal=yes
    virtual_private=%4:192.168.0.0/24
    protostack=auto
    interfaces="ipsec0=eth0"

conn azure
    authby=secret
    auto=start
    type=tunnel
    left=192.168.0.2
    leftsubnet=192.168.0.0/24
    leftnexthop=192.168.0.1
    right=<azure's VPN gateway IP>
    rightsubnet=192.168.1.0/24
    ike=3des-sha1-modp1024,aes128-sha1-modp1024
    esp=3des-sha1,aes128-sha1
    pfs=no

ipsec.secrets:

192.168.0.2 <azure vpn gateway> : PSK "Azure's PSK"

That got the link up and running, to allow routing between sites (both ways after a lot of frustration):

/etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

A bash script that runs on boot to keep 'ipsec verify' happy:

#!/bin/bash

for vpn in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $vpn/accept_redirects;
    echo 0 > $vpn/send_redirects;
done

sysctl -p

Finally my iptables rules which took the most amount of fiddling:

filter table, this allows the home network to connect to Azure and allows the connection to be established, but Azure VM's still aren't yet able to connect to home network servers:

-A FORWARD -s 192.168.1.0/24 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -m policy --dir out --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p esp -j ACCEPT

nat table, this allows the Azure VM's to connect to any machine on my home network:

-A PREROUTING -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination <azure public vpn ip>:4500
-A PREROUTING -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination <azure public vpn ip>:500
-A POSTROUTING -o eth0 -j MASQUERADE

With all this I can ping and communicate in both directions, all Azure VM's can see my home network, all home network machines can see my Azure VM's.

The Azure side routes correctly on it's own, for my home network I set up a static route in my router to send 192.168.1.0/24 to 192.168.0.2 but for testing on my machine I just created a static route:

route -p ADD 192.168.1.0 MASK 255.255.255.0 192.168.0.2 METRIC 100

I hope at least someone finds this useful, getting this set up has taken a long time and there isn't a good complete guide out there just a mixture of solutions which partially work.

Best Answer

Related Solutions

Nat – VMware Server Host-Only Network Routing

Iptables – Azure Site-to-Site VPN with a Linux based router to bridge the VPN ports to a RRAS server while keeping NAT for other traffic

Related Topic