Restrict Internet but allow LAN

Discussion in 'Virtualization' started by wendy123, Nov 6, 2013.

  1. wendy123

    wendy123 Guest

    I have VMWare Workstation 9 and am a bit stumped, and this is a silly question. I want the VM to be able to access the LAN on the physical network, i.e. not in host mode or NAT, but at the same time restrict it from accessing the internet.

    I currently have the VM set up as a bridged connection to the physical network and on my router I have denied internet access by MAC address. This works but I don't want to rely on my router and just in case the MAC address changes I would much like to do it in the VMWare.
     
  2. Mr Jinje

    Mr Jinje MDL Expert

    #2 Mr Jinje, Nov 6, 2013
    Last edited: Nov 6, 2013
    Maybe instead of blacklisting, you should whitelist the MAC addresses that are allowed to access the interwebs (on your router). Then you only need to worry about changes when you get new physical hardware.

    Otherwise, I will have to think on that for a minute, I am not sure it's possible inside of VMware.
     
  3. deepfield

    deepfield MDL Novice

    wendy123

    If your router won't let you whitelist MAC addresses, you could instead change the network adapter settings of the virtual machine.

    Taking a Windows VM as an example:
    Network and Sharing Center > Change Adapter Settings > Local Area Connection > right click for Properties > Internet Protocol v4 > Properties

    Stop the router assigning IP addresses and routes to that VM by choosing "Use the following IP address", then assign an available static IP address. So if your router is on say 192.168.1.254 you might assign your VM 192.168.1.99.

    Set the subnet mask appropriately e.g. 255.255.255.0

    The crucial point is then to set the GATEWAY IP either blank or to the same IP as the VM itself.
    Your VM will then "know" about and be able to contact other devices on your LAN, but no VM IP packets will be routed to the Internet.

    I doubt you're using IPv6 on your LAN, so you could disable that on the adapter too.

    Hope this helps. ;)
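
A way to confirm the setting above actually took effect in the guest, as an added example that is not part of the original post: it parses `route print -4` output and reports any remaining default route. The sample tables are constructed, and `parse_routes` and `audit` are hypothetical helper names.

```python
import ipaddress

# Constructed sample of `route print -4` output (not from the thread): a guest
# at 192.168.1.99 that still has the router as its default gateway.
SAMPLE_WITH_GATEWAY = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.99     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.99    281
     192.168.1.99  255.255.255.255         On-link      192.168.1.99    281
===========================================================================
"""
# The same table after the gateway field has been cleared (also constructed).
SAMPLE_NO_GATEWAY = "\n".join(
    line for line in SAMPLE_WITH_GATEWAY.splitlines()
    if not line.lstrip().startswith("0.0.0.0")
)


def parse_routes(text):
    """Return (network, gateway, interface) for each five-column route row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headings, separators, persistent-route rows
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
        except ValueError:
            continue
        routes.append((net, parts[2], parts[3]))
    return routes


def audit(text, lan="192.168.1.0/24"):
    """Report any default route and whether the LAN prefix is still on-link."""
    lan_net = ipaddress.ip_network(lan)
    routes = parse_routes(text)
    return {
        "default_gateways": [gw for net, gw, _ in routes if net.prefixlen == 0],
        "lan_on_link": any(n == lan_net and gw == "On-link" for n, gw, _ in routes),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_WITH_GATEWAY))
    print(audit(SAMPLE_NO_GATEWAY))
```

Any row for 0.0.0.0/0 is reported, whatever its gateway column says, so a guest that has been switched back to DHCP shows up on the next check.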
     
  4. wendy123

    wendy123 Guest

    Whitelisting is not an option because then I'd have to whitelist everyone and anything that wants to connect to my network. @deep ha, simple enough, I just thought the restriction can be put in place from the VM workstation using the "Virtual Network Editor".
     
  5. deepfield

    deepfield MDL Novice

    Yup, it works well if you hypothetically wanted to stop Internet access to/from (say) a local KMS server...

    But Mr Jinje is right - MAC whitelisting is safer than blacklisting, especially as VMware has a habit of assigning a new MAC if you copy a VM.

    Also can't think how you might achieve this using the virtual network editor. Glad the simple solution works for you.
     
  6. Mr Jinje

    Mr Jinje MDL Expert

    #6 Mr Jinje, Nov 6, 2013
    Last edited by a moderator: Apr 20, 2017
  7. ZaForD

    ZaForD MDL Expert

    I use the same process Deepfield has suggested above, but with one little difference. All the VMs I want to restrict access to have IPs set within a range, and that range of IPs is blacklisted instead of the MAC addresses on the router.
    (like you said, whitelisting dozens of devices isn't always an option)
    I'm using Hyper-V and have migrated the VMs a few times with no problems. ;)

    And this is the main reason for doing it. :biggrin:
     
  8. wendy123

    wendy123 Guest

    #8 wendy123, Nov 7, 2013
    Last edited by a moderator: Nov 7, 2013
    (OP)
    Huh, that's so simple and very effective IMO, this is something that is easy to maintain and implement. As my lab grows this will be easy to maintain and update, thanks for the tip. Hmm, I wonder if the range I choose can be outside the DHCP range? Or how would I stop the DHCP from assigning a restricted IP address to a device that shouldn't have restrictions?
     
  9. deepfield

    deepfield MDL Novice

    @Mr Jinje

    Thanks for the links - it's always good to be able to automate these restrictions!
    I must brush up on my Powershell :biggrin:
     
  10. deepfield

    deepfield MDL Novice

    #10 deepfield, Nov 7, 2013
    Last edited: Nov 7, 2013
    @ZaForD:

    I like that approach :p
     
  11. MrMagic

    MrMagic MDL Guru

    Just set static IP and the gateway to 127.0.0.1

    Or DNS to 0.0.0.0
     
  12. ZaForD

    ZaForD MDL Expert

    My network is basically split into three ranges:
    1) Static Devices, APs, Routers, Servers, Printers, Multi-Media Devices, Etc. IPs pre-set on main Router via Device MAC Address and are below the DHCP start IP.
    2) PCs, Laptops, Phones, Tablets, PDAs, VMs, Etc. All assigned IPs via DHCP.
    3) Restricted IP Devices/VMs. Static IPs set above DHCP range.

    This also allows me to enable or block groups of devices from accessing the Net or different parts of the network. :)

    @Deepfield,
    Thanks, but I can't take the credit. I stole the idea from my old teacher. :)
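
The three-range layout described above, and the earlier question about keeping the restricted range out of the DHCP pool, as an added example that is not part of the original posts: it checks a plan for overlaps and lists the CIDR blocks covering the restricted range for a router that only accepts prefixes. The concrete ranges, the router at .254 and all function names are constructed for illustration.

```python
import ipaddress

SUBNET = ipaddress.ip_network("192.168.1.0/24")  # subnet used earlier in the thread
# Constructed example ranges (first, last); the router is assumed to sit at .254.
PLAN = {
    "static":     ("192.168.1.1",   "192.168.1.49"),
    "dhcp":       ("192.168.1.50",  "192.168.1.199"),
    "restricted": ("192.168.1.200", "192.168.1.253"),
}


def _spans(plan):
    return {n: tuple(ipaddress.ip_address(a) for a in r) for n, r in plan.items()}


def check_plan(plan, subnet=SUBNET):
    """Return a list of problems: reversed, out-of-subnet or overlapping ranges."""
    spans, problems = _spans(plan), []
    for name, (first, last) in spans.items():
        if first > last:
            problems.append(f"{name}: start is above end")
        if first not in subnet or last not in subnet:
            problems.append(f"{name}: outside {subnet}")
    names = sorted(spans)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]:
                problems.append(f"{a} overlaps {b}")
    return problems


def zone_of(addr, plan=PLAN):
    """Name the range an address falls in, or None if it is in no range."""
    ip = ipaddress.ip_address(addr)
    for name, (first, last) in _spans(plan).items():
        if first <= ip <= last:
            return name
    return None


def acl_blocks(plan=PLAN, name="restricted"):
    """CIDR blocks that cover exactly one range, for routers that take prefixes."""
    first, last = _spans(plan)[name]
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


if __name__ == "__main__":
    print(check_plan(PLAN), zone_of("192.168.1.99"), acl_blocks())
```

With these constructed ranges, a static address such as 192.168.1.99 falls inside the DHCP pool, which is the collision the check is meant to catch before a restricted VM is given an address.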
     
  13. inca2319

    inca2319 MDL Novice

    Thank you Mr. Jinje -- this helped out immensely on a project I'm working on.
     
  14. TCM

    TCM MDL Addicted

    Assign a static MAC address? You don't have to have VMware pick one for you.
     
  15. trungpt

    trungpt MDL Addicted

    Is it possible with a free firewall such as Comodo firewall?
     