I have VMware Workstation 9 and am a bit stumped, and this is a silly question. I want the VM to be able to access the LAN on the physical network, i.e. not in host mode or NAT, but at the same time restrict it from accessing the internet. I currently have the VM set up as a bridged connection to the physical network, and on my router I have denied internet access by MAC address. This works, but I don't want to rely on my router, and just in case the MAC address changes I would much like to do it in VMware.
Maybe instead of blacklisting, you should whitelist the MAC addresses that are allowed to access the interwebs (on your router). Then you only need to worry about changes when you get new physical hardware. Otherwise, I will have to think on that for a minute; I am not sure it's possible inside of VMware.
wendy123 If your router won't let you whitelist MAC addresses, you could instead change the network adapter settings of the virtual machine. Taking a Windows VM as an example:
Network and Sharing Center > Change Adapter Settings > Local Area Connection > right click for Properties > Internet Protocol v4 > Properties
Stop the router assigning IP addresses and routes to that VM by choosing "Use the following IP address", then assign an available static IP address. So if your router is on, say, 192.168.1.254, you might assign your VM 192.168.1.99. Set the subnet mask appropriately, e.g. 255.255.255.0.
The crucial point is then to set the GATEWAY IP either blank or to the same IP as the VM itself. Your VM will then "know" about and be able to contact other devices on your LAN, but no VM IP packets will be routed to the Internet.
I doubt you're using IPv6 on your LAN, so you could disable that on the adapter too.
Hope this helps.
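The same adapter change scripted, as an added example that is not part of the original post. It assumes a Windows 8 / Server 2012 or later guest (for the NetTCPIP cmdlets), an adapter alias of `Ethernet`, and the example addresses from the post; run it from an elevated PowerShell session inside the VM.

```powershell
# Added example: static IPv4 with no default gateway on a Windows guest.
# Assumptions: adapter alias and addresses below are illustrative values.
$Alias  = 'Ethernet'        # assumed adapter name; check with Get-NetAdapter
$IP     = '192.168.1.99'    # example address from the post above
$Prefix = 24                # equivalent to subnet mask 255.255.255.0

# Stop taking an address and routes from the router's DHCP server.
Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled

# Remove existing IPv4 addresses and any default route left on this adapter.
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Assign the static address; -DefaultGateway is deliberately omitted.
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $IP -PrefixLength $Prefix | Out-Null

# Unbind IPv6 so router advertisements cannot supply a default route.
Disable-NetAdapterBinding -Name $Alias -ComponentID ms_tcpip6

# Verify: no IPv4 or IPv6 default route should remain on any interface.
$defaults = Get-NetRoute -DestinationPrefix '0.0.0.0/0','::/0' -ErrorAction SilentlyContinue
if ($defaults) {
    Write-Warning 'Default route still present:'
    $defaults | Format-Table InterfaceAlias, DestinationPrefix, NextHop
} else {
    Write-Output 'No default route: traffic leaving the local subnet has no next hop.'
}
```

This is a setting inside the guest, so any administrator of the VM can add a gateway back. Where the restriction has to hold against the guest's own users, keep a block on the router as well.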
Whitelisting is not an option because then I'd have to whitelist everyone and anything that wants to connect to my network. @deep ha, simple enough, I just thought the restriction could be put in place from VMware Workstation using the "Virtual Network Editor".
Yup, it works well if you hypothetically wanted to stop Internet access to/from (say) a local KMS server... But Mr Jinje is right - MAC whitelisting is safer than blacklisting, especially as VMware has a habit of assigning a new MAC if you copy a VM. Also can't think how you might achieve this using the virtual network editor. Glad the simple solution works for you.
I use the same process Deepfield has suggested above, but with one little difference. All the VMs I want to restrict access to have IPs set within a range, and that range of IPs is blacklisted instead of the MAC addresses on the router. (Like you said, whitelisting dozens of devices isn't always an option.) I'm using Hyper-V and have migrated the VMs a few times with no problems. And this is the main reason for doing it.
Huh, that's so simple and very effective IMO, this is something that is easy to maintain and implement. As my lab grows this will be easy to maintain and update, thanks for the tip. Hmm, I wonder if the range I choose can be outside the DHCP range? Or how would I stop the DHCP from assigning a restricted IP address to a device that shouldn't have restrictions?
@Mr Jinje Thanks for the links - it's always good to be able to automate these restrictions! I must brush up on my PowerShell.
My network is basically split into three ranges:
1) Static devices: APs, routers, servers, printers, multimedia devices, etc. IPs pre-set on the main router via device MAC address and are below the DHCP start IP.
2) PCs, laptops, phones, tablets, PDAs, VMs, etc. All assigned IPs via DHCP.
3) Restricted IP devices/VMs. Static IPs set above the DHCP range.
This also allows me to enable or block groups of devices from accessing the Net or different parts of the network. @Deepfield, thanks, but I can't take the credit. I stole the idea from my old teacher.