How can I use Smoothwall as a router for my hyperV labs

[anyweb]

Introduction

This blog post is long over due and I've been asked to do it many times, today, I finally got around to writing it. Sorry for the delay.

Using Hyper-v labs to test all the new Endpoint Manager releases that Microsoft produces means you probably want to have multiple labs on the go at any time, one for Current Branch, one for Technical Preview, and another for testing out PKI or some other functionality. Having internet access in those labs is also usually a requirement, and keeping them separate from each other is also important. Using a Smoothwall to control internet into (and out of) each hyper v lab gives you control over when that lab gets access to the internet or not.

I've used a Linux based firewall solution called Smoothwall, and it works great, so much so that I have one Smoothwall virtual machine for each lab. The Smoothwall allows me to configure individual ports to virtual machines within each lab and lots more functionality. Some Linux experience helps, but it's really easy to use.

I've been asked several times over the years how I setup my Smoothwall and never got around to creating a guide for it, so here goes. Are there other ways of doing this, of course, but this is the way I do it.

Step 1. Get the ISO

Download the Smoothwall Express-3.1-x86_64.iso from here.

https://sourceforge.net/projects/smoothwall/files/SmoothWall/3.1/Express-3.1-x86_64.iso/download

Step 2. Create network switches

In hyper-v manager, create 2 network switches, one Private Network Switch for your lab (we'll name it #11 in this example) and one switch connected to a physical network card (either WI-Fi based or Ethernet) to share the  internet into the lab, we'll call that ICS for Internet Connection Sharing.

Below is the LAB network switch, it's private so computers within this individual lab can talk to each other but cannot talk to other labs on my host.

Below is the ICS switch, note that I do not allow the management operating system to share this network adapter. That can cause all sorts of problems in the host operating system, so don't select it. Also, this is a WI-Fi nic but it could be an Ethernet adapter, as long as it has internet in, it's good to go.

Step 3. Create a new virtual machine

In this step I'll use a PowerShell script to create a new virtual machine to host Smoothwall, the important thing to remember is that the virtual machine must be Legacy (type 1) and the network card must also be a Legacy Network Adapter. Here's an example for my lab #11.

Note: You only need 256 MB of ram for this virtual machine so either change the script or modify the virtual machine settings later.

 

 

Step 4. Add additional Legacy Network Adapter

In the virtual machine just created, add a new Legacy network adapter and point it to the ICS virtual switch.

Note: You CAN use regular network adapters in the Smoothwall (100/100mbit) however every time you reboot/restart the smoothwall you have to enter the root password and confirm the network cards to continue. So if you don't want that behavior, choose the legacy network adapters (10/10 mbit).

 

Step 5. Install Smoothwall

Attach the ISO to the CD rom drive in the Smoothwall virtual machine, change the boot order to CD and boot. Choose to install Smoothwall Express.

click Ok to the welcome and click OK to the file system preparation.

Click OK to erase.

and it's done.

When prompted to restore the configuration choose No.

Select your keyboard layout,

Select timezone

Give it a hostname

half open is fine...

 

for Network Configuration Type choose GREEN + RED as shown below

 

Use TAB to move to Done, think of the two colours as follows:

• GREEN: Lan
• RED: Internet

then click OK to no green interface assigned,

and next, select Assign network cards by clicking on Card Assignments

 

Click ok when prompted to set them

you'll be shown the 2 nics identified by MAC address in the following screens, so you can see which nic is assigned to which colour.

after that you'll be informed that all cards are successfully allocated, move to Address settings...

As Green is the lab IP of our smoothwall, I normally follow the ip address settings within each lab as follows

192.168.X.1 where X is the number of my lab, so this is lab #11 therefore I always use the following for each lab, the only thing that changes is the number replacing X

• DC01=DNS/DHCP/Domain Controller = 192.168.11.1
• CM01 = Endpoint Manager = 192.168.11.2
• Smoothwall = Linux firewall = 192.168.11.199

click ok

and here I configure the IP address to match the ip address range shown above for my #11 lab.

click ok, select the RED interface

I normally use DHCP on RED and get a separate IP from my home network

click ok, then Done when complete.

and tab again to Done (or configure DNS if needed)

Click Finished for Web Proxy

Next set the Admin password

set the root password

click ok when done !

Step 6. verify

after the reboot, login as root, it is case sensitive so at the prompt below type root and enter the password when prompted.

after logging in, type the following to list the ip addresses assigned to your smoothwall.

ifconfig 

you will see output something like so...it probably scrolled off screen, that's ok.

In the example above:

eth1 is the smoothwall RED interface and has my local network ip (from my Wi-Fi router),

eth0 is the smoothwall GREEN interface and has the ip address I manually assigned it namely 192.168.11.199

You can issue the following commands:
 

ifconfig eth0

ifconfig eth1

to list each nic individually.

 

Next, try pinging some address:

 

control +c to cancel, it works !

 

On a Windows virtual machine in the lab you are providing internet access (and routing) to, your network settings should be configured like so...pointing your Gateway to the smoothwall and DNS to the Domain Controller, this can be configured via DHCP server settings on the DC.

a quick ping to verify internet works

 

Step 7. Optionally configure port forwarding

On a Windows machine, open a web browser and browse to the ip address of your Smoothwall and include port 441 like so

https://192.168.11.199:441

you'll probably get a warning, it's safe to ignore

Click Advanced to continue...for username and password use the Admin user you created for web configuration

In this example I'm forwarding port 80 from my external internet connection to my internal lab, specifically the web server in lab #11.

 

Step 8. Configure things in AD

On your domain controller, configure the DHCP scope options to point 003 Router to the internal ip address (in this case 192.168.11.199) your new smoothwall so that all computers that get an ip, know how to use the smoothwall.

Point your forwarder in DNS on the DC to the smoothwall local ip address

finally, restart DNS and DHCP services.

I hope you found this useful !

If you'd prefer to watch a video of this then see here

 

cheers

niall

[hybrid]

Smoothwall Express will be OK for labs, but the folks at Smoothwall haven't updated this "community" edition of their product since 2014, in contrast to their commercial offerings (still based on open source, although I think they need to update that page). I'd be worried about security with a firewall product this out-of-date for any production use!

I'd recommend something like PFSense that gets regular updates! 👍

I've used PFSense on Hyper-V in some production environments for a while — it works beautifully!

 

Niall has pointed out on YouTube that there are post-install updates apparently still offered at

https://sourceforge.net/projects/smoothwall/files/SmoothWall%20Updates/3.1/

 

 

[anyweb]

Yup,

i've just tested the update function within Smoothwall, it works and the updates are right up to this year,

if you get any complaint from the Smoothwall about not being able to update then reboot the Smoothwall and try again