Hyper-V + RRAS NAT + Port Forwarding + RDP, can I get it all working together

Tags: hyper-v, port-forwarding, rdp, rras, windows-server-2008

I am running a Windows 2008 R2 server with various services running natively and two virtualised servers running on Hyper-V.

The hardware server, I'm going to call it REAL1, has one external NIC, to which I can assign any of the following IP addresses: 1.2.3.4, 1.2.3.5, 1.2.3.6, etc…

I need to achieve the following: I would like to be able to connect to REAL1 via remote desktop (RDP / port 3389) on one IP address (say 1.2.3.4), but also to the virtualised servers (I'm going to call them VIRTUAL1 and VIRTUAL2) on the other available IP addresses (say 1.2.3.5 and 1.2.3.6).

The easiest way of doing this is to connect the virtual servers directly to the external interface and assign them each their own IP address. REAL1 will have 1.2.3.4, VIRTUAL1 will have 1.2.3.5 and VIRTUAL2 will have 1.2.3.6. Unfortunately, although I don't directly manage the two virtual servers, I have responsibility for their security. I would like to have some kind of firewall between the virtual servers and the internet.

I have tried running a virtual machine firewall, but have found the performance on Hyper-V pretty terrible.

The alternative I am now trying is Routing and Remote Access (RRAS):

  • I have set up a virtual network called 'Internal' and REAL1 has a virtual network adapter connected to this virtual network
  • I have connected each of the virtual servers to this network too
  • I have assigned each server static IP addresses on this virtual network (REAL1 has 10.1.1.1, VIRTUAL1 has 10.1.1.2 and VIRTUAL2 has 10.1.1.3)
  • I have installed RRAS and set up a NAT. The external interface is the external NIC, the internal interface is the virtual NIC connected to the internal network
  • I have assigned all the available external IP addresses to the external NIC on REAL1.
  • The virtual servers have been set up appropriately such that their default gateway is pointing to 10.1.1.1 and they can both access externally. Success! The RRAS is routing packets.

The problem I have is that when I try to port forward services from the external IP address on REAL1, it only works if there is not already a service bound to the port. Remote desktop 'greedily' binds to every available IP address on port 3389 on REAL1 so I can't selectively forward incoming traffic for 1.2.3.5:3389 to 10.1.1.2:3389. RRAS will allow me to set up this port forwarding, and no errors come up. It just doesn't work.

So the question I have is:

Is there a better way of doing this? Or at least is there a way of resolving the apparent conflict between RRAS and everything else on the physical server?
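As an added illustration of why the mapping fails without any error (this is not part of the question or the answer): a small Python check that parses `netstat -ano -p tcp` output from the host and flags planned RRAS port mappings whose public endpoint is already covered by a local listener. A listener bound to 0.0.0.0 (or the IPv6 wildcard) or to the exact public IP receives the inbound packet before NAT can translate it, which is the situation described with Remote Desktop on REAL1. The netstat text, PIDs and addresses below are constructed to mirror the question; the function and class names are this example's own.

```python
"""Detect NAT port mappings shadowed by a local listener on the NAT host."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    address: str   # local address as printed by netstat ("0.0.0.0", "1.2.3.4", "[::]")
    port: int
    pid: int


@dataclass(frozen=True)
class PortMapping:
    public_ip: str
    public_port: int
    private_ip: str
    private_port: int


# Constructed sample of "netstat -ano -p tcp" on REAL1 (not real output).
# The Remote Desktop listener (PID 1288, assumed) is bound to every address on 3389,
# while the web server is bound only to 1.2.3.4:443.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1288
  TCP    1.2.3.4:443            0.0.0.0:0              LISTENING       4
  TCP    10.1.1.1:49160         10.1.1.2:3389          ESTABLISHED     1288
"""

# Only LISTENING sockets matter; established connections do not claim new inbound packets.
_LISTEN_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

# Wildcard binds that receive traffic for any local IPv4 address. "[::]" is treated
# conservatively as a wildcard because a dual-stack socket can accept IPv4 too.
WILDCARDS = {"0.0.0.0", "[::]"}


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Extract LISTENING TCP sockets from netstat -ano -p tcp output."""
    listeners = []
    for line in netstat_output.splitlines():
        match = _LISTEN_LINE.match(line)
        if match:
            address, port, pid = match.groups()
            listeners.append(Listener(address, int(port), int(pid)))
    return listeners


def shadowing_listeners(mapping: PortMapping, listeners: list[Listener]) -> list[Listener]:
    """Return the local listeners that would receive mapping's public endpoint traffic.

    A socket on the same port bound to a wildcard address or to the exact public IP
    is delivered to by the host stack before RRAS NAT gets a chance to forward it.
    A socket bound to a *different* specific IP does not conflict.
    """
    return [
        lst for lst in listeners
        if lst.port == mapping.public_port
        and (lst.address in WILDCARDS or lst.address == mapping.public_ip)
    ]


def check_mappings(mappings: list[PortMapping], netstat_output: str) -> dict[str, list[Listener]]:
    """Map each planned public endpoint ("ip:port") to the listeners shadowing it."""
    listeners = parse_listeners(netstat_output)
    return {
        f"{m.public_ip}:{m.public_port}": shadowing_listeners(m, listeners)
        for m in mappings
    }


if __name__ == "__main__":
    planned = [
        PortMapping("1.2.3.5", 3389, "10.1.1.2", 3389),  # VIRTUAL1 RDP
        PortMapping("1.2.3.6", 3389, "10.1.1.3", 3389),  # VIRTUAL2 RDP
        PortMapping("1.2.3.5", 443, "10.1.1.2", 443),    # VIRTUAL1 HTTPS
    ]
    for endpoint, shadows in check_mappings(planned, SAMPLE_NETSTAT).items():
        if shadows:
            owners = ", ".join(f"{s.address}:{s.port} (PID {s.pid})" for s in shadows)
            print(f"{endpoint}: shadowed by local listener {owners}; NAT mapping will not take effect")
        else:
            print(f"{endpoint}: free, NAT mapping can work")
```

The third mapping shows the distinction that matters for the question: the web server bound only to 1.2.3.4:443 leaves 1.2.3.5:443 free for forwarding, whereas the 0.0.0.0:3389 bind claims 3389 on every address REAL1 owns, including the ones meant for the virtual machines.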

Best Answer

I have tried running a virtual machine firewall, but have found the performance on Hyper-V pretty terrible.

Häh? I run multiple RRAS / Firewall systems with Hyper-V (2 RRAS, one TMG) and performance is really ok for 99% of the things - actually all I care about.

If you are OK with RRAS as firewall, use RRAS externally.

Put in a second NIC on REAL1 - a non-hardware one (Microsoft driver - look it up - I think it is called loopback adapter), then put up the virtual network around that one. RRAS can then forward incoming TCP etc. connections there.

I personally would not run anything but Hyper-V on the physical server ;) Definitely not higher level functions, if it is exposed to the internet ;)