Iptables – VMWare ESXi Guest with internet only access (router configuration preferred)

Tags: iptables, linux-networking, networking, routing, vmware-esxi

I need to set up a VM on VMWare ESXi 6.0 that would have internet access but without any LAN access.

This is for an external user to remotely log in to a machine and work using the internet, who shouldn't have any access to the LAN.

The network is set up in a simple way. The router is a Huawei HG8244H and is set up as 192.168.1.1 / 255.255.255.0, without any Microsoft ISA server. I thought about:

  1. changing the router network mask to 255.255.0.0
  2. setting the "external user" VM in the 192.168.2.x network.
  3. Adding a Linux VM with two IP addresses (192.168.1.x and 192.168.100.x) with iptables to forward any traffic from the first VM directly to the router and blocking all other access to the .1 network.

This seems like overkill, so I'm looking for a simpler solution. Thanks in advance!

Best Answer

The options of the router you use (Huawei HG8244H) seem to be limited.

The most simple solution would be adding a small VM and redirecting all traffic through that VM.

I would install a small DD-WRT guest ( http://www.casler.org/wordpress/?p=15 ). It is really lightweight, even compared to a minimal popular Linux distro.

Configure the DHCP server on the dd-wrt to hand out IP addresses in a different IP range.

Connect the dd-wrt WAN interface to your current network. On the LAN interface, connect an internal LAN network only used by the dd-wrt router and the isolated guest.

Configure port forwarding on both routers (Huawei and dd-wrt) for the desired ports and you are good to go.

Verify that other network nodes are unreachable from the isolated host and, if not, change the firewall rules on dd-wrt accordingly.

Note: Any other router virtual appliance with the same features would suffice. I just had personal experience with the dd-wrt appliance in the past.
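For comparison with the appliance approach, here is the rule set a dual-homed Linux gateway VM (the variant sketched in the question) would need. This is an added example, not code from either post; it assumes interface names eth0 (on the existing 192.168.1.0/24 LAN) and eth1 (on an isolated vSwitch shared only with the guest), an isolated guest range of 192.168.2.0/24, and that the gateway VM itself serves DHCP to the guest.

```shell
#!/bin/sh
# Constructed example: iptables rules for a dual-homed Linux gateway VM.
# Assumed names (not from the original post):
#   WAN_IF   - vNIC on the home LAN (192.168.1.0/24, router 192.168.1.1)
#   LAN_IF   - vNIC on the isolated vSwitch shared only with the guest
#   HOME_NET - the LAN the guest must never reach (192.168.1.0/24)
# gen_rules prints the rule set; apply_rules runs it (needs root + iptables).

gen_rules() {
    wan_if="$1"; lan_if="$2"; home_net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# The gateway itself keeps loopback and replies to its own sessions
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Manage the gateway only from the home LAN side (assumption: SSH)
iptables -A INPUT -i $wan_if -p tcp --dport 22 -j ACCEPT
# The isolated guest may only talk to the gateway for DHCP
iptables -A INPUT -i $lan_if -p udp --dport 67 -j ACCEPT
# Return traffic for the guest's outbound connections
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Reject the home LAN first (explicit), then every other private range,
# so the guest cannot pivot to 192.168.100.x or any future subnet either
iptables -A FORWARD -i $lan_if -d $home_net -j REJECT
iptables -A FORWARD -i $lan_if -d 10.0.0.0/8 -j REJECT
iptables -A FORWARD -i $lan_if -d 172.16.0.0/12 -j REJECT
iptables -A FORWARD -i $lan_if -d 192.168.0.0/16 -j REJECT
iptables -A FORWARD -i $lan_if -d 169.254.0.0/16 -j REJECT
# Anything else from the guest goes out the WAN side, i.e. to the internet
iptables -A FORWARD -i $lan_if -o $wan_if -j ACCEPT
# Hide the guest behind the gateway's own 192.168.1.x address
iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
EOF
}

apply_rules() { gen_rules "$@" | sh -e; }

# Number of REJECT rules that apply to traffic entering from the guest side
count_blocks() { gen_rules "$@" | grep -c -- "-i $2 -d .* -j REJECT"; }
```

Because the rules reject the whole home LAN, the guest cannot use the Huawei router at 192.168.1.1 as its DNS server; point it at a public resolver or run a forwarder on the gateway VM. Reachability of the LAN from the guest should be re-tested after every rule change, as the answer suggests.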
