Introduction
This blog post is long overdue and I've been asked to do it many times. Today I finally got around to writing it. Sorry for the delay.
Using Hyper-V labs to test all the new Endpoint Manager releases that Microsoft produces means you probably want to have multiple labs on the go at any time: one for Current Branch, one for Technical Preview, and another for testing out PKI or some other functionality. Having internet access in those labs is also usually a requirement, and keeping them separate from each other is also important. Using a Smoothwall to control internet into (and out of) each Hyper-V lab gives you control over when that lab gets access to the internet or not.
I've used a Linux-based firewall solution called Smoothwall, and it works great, so much so that I have one Smoothwall virtual machine for each lab. The Smoothwall allows me to configure individual ports to virtual machines within each lab and lots more functionality. Some Linux experience helps, but it's really easy to use.
I've been asked several times over the years how I set up my Smoothwall and never got around to creating a guide for it, so here goes. Are there other ways of doing this? Of course, but this is the way I do it.
Step 1. Get the ISO
Download the Smoothwall Express-3.1-x86_64.iso from here:
https://sourceforge.net/projects/smoothwall/files/SmoothWall/3.1/Express-3.1-x86_64.iso/download
Step 2. Create network switches
In Hyper-V Manager, create 2 network switches: one Private Network Switch for your lab (we'll name it #11 in this example) and one switch connected to a physical network card (either Wi-Fi based or Ethernet) to share the internet into the lab. We'll call that one ICS, for Internet Connection Sharing.
Below is the LAB network switch. It's private, so computers within this individual lab can talk to each other but cannot talk to other labs on my host.
Below is the ICS switch. Note that I do not allow the management operating system to share this network adapter. That can cause all sorts of problems in the host operating system, so don't select it. Also, this is a Wi-Fi NIC but it could be an Ethernet adapter; as long as it has internet in, it's good to go.
Step 3. Create a new virtual machine
In this step I'll use a PowerShell script to create a new virtual machine to host Smoothwall. The important thing to remember is that the virtual machine must be Legacy (Generation 1) and the network card must also be a Legacy Network Adapter. Here's an example for my lab #11.
Note: You only need 256 MB of RAM for this virtual machine, so either change the script or modify the virtual machine settings later.
Step 4. Add additional Legacy Network Adapter
In the virtual machine just created, add a new Legacy network adapter and point it to the ICS virtual switch.
Note: You CAN use regular network adapters in the Smoothwall (100/100 Mbit); however, every time you reboot/restart the Smoothwall you have to enter the root password and confirm the network cards to continue. So if you don't want that behavior, choose the legacy network adapters (10/10 Mbit).
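Steps 2 to 4 can be scripted in one pass on the Hyper-V host. The following is an added example, not the author's original script: the switch names (#11 and ICS) come from the post, while the VM name, storage path, ISO path and physical adapter name are assumptions to adjust for your host.

```powershell
# Added example, not the author's script. Switch names follow the post; the VM
# name, paths and physical adapter name are assumptions to adjust for your host.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

$LabNumber   = 11                               # lab #11, as in the post
$LabSwitch   = "#$LabNumber"                    # private lab switch (GREEN side)
$IcsSwitch   = 'ICS'                            # external switch (RED side)
$PhysicalNic = 'Wi-Fi'                          # assumption: host adapter with internet
$VMName      = "#$LabNumber-Smoothwall"         # hypothetical VM name
$VMRoot      = 'D:\Hyper-V'                     # hypothetical storage path
$IsoPath     = 'D:\ISO\Express-3.1-x86_64.iso'  # hypothetical ISO location

# Step 2: private switch for the lab, external switch NOT shared with the host OS.
if (-not (Get-VMSwitch -Name $LabSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $LabSwitch -SwitchType Private | Out-Null
}
if (-not (Get-VMSwitch -Name $IcsSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $IcsSwitch -NetAdapterName $PhysicalNic -AllowManagementOS $false | Out-Null
}

# Step 3: Generation 1 VM (legacy network adapters only exist on Generation 1).
$vhd = Join-Path $VMRoot "$VMName\$VMName.vhdx"
New-VM -Name $VMName -Generation 1 -MemoryStartupBytes 256MB -Path $VMRoot `
       -NewVHDPath $vhd -NewVHDSizeBytes 20GB | Out-Null

# New-VM attaches a synthetic adapter by default; replace it with a legacy one.
Get-VMNetworkAdapter -VMName $VMName | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName $VMName -Name 'GREEN' -IsLegacy $true -SwitchName $LabSwitch

# Step 4: second legacy adapter, connected to the ICS switch.
Add-VMNetworkAdapter -VMName $VMName -Name 'RED' -IsLegacy $true -SwitchName $IcsSwitch

# Preparation for Step 5: attach the ISO and boot from CD first.
Set-VMDvdDrive -VMName $VMName -Path $IsoPath
Set-VMBios -VMName $VMName -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')

# Confirm both adapters are legacy and bound to the intended switches.
Get-VMNetworkAdapter -VMName $VMName | Select-Object Name, SwitchName, IsLegacy
```

Because the lab switch is Private and the ICS switch is not shared with the management OS, the only path between the lab and the outside network is through the two adapters of this virtual machine.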
Step 5. Install Smoothwall
Attach the ISO to the CD-ROM drive in the Smoothwall virtual machine, change the boot order to CD and boot. Choose to install Smoothwall Express.
Click OK at the welcome screen and click OK at the file system preparation prompt.
Click OK to erase.
And it's done.
When prompted to restore the configuration, choose No.
Select your keyboard layout.
Select the timezone.
Give it a hostname.
For the default security policy, Half-open is fine.
For Network Configuration Type choose GREEN + RED as shown below.
Use TAB to move to Done. Think of the two colours as follows:
GREEN: LAN
RED: Internet
Then click OK at the message that no GREEN interface is assigned,
and next, select Assign network cards by clicking on Card Assignments.
Click OK when prompted to set them.
You'll be shown the 2 NICs identified by MAC address in the following screens, so you can see which NIC is assigned to which colour.
After that you'll be informed that all cards are successfully allocated. Move to Address settings...
As GREEN is the lab IP of our Smoothwall, I normally follow the IP address settings within each lab as follows:
192.168.X.1 where X is the number of my lab. This is lab #11, so I use the following addresses; in each lab the only thing that changes is the number replacing X.
DC01 = DNS/DHCP/Domain Controller = 192.168.11.1
CM01 = Endpoint Manager = 192.168.11.2
Smoothwall = Linux firewall = 192.168.11.199
Click OK,
and here I configure the IP address to match the IP address range shown above for my #11 lab.
Click OK, then select the RED interface.
I normally use DHCP on RED and get a separate IP from my home network.
Click OK, then Done when complete,
and tab again to Done (or configure DNS if needed).
Click Finished for Web Proxy.
Next, set the Admin password.
Set the root password.
Click OK when done!
Step 6. Verify
After the reboot, log in as root. The login is case sensitive, so at the prompt below type root and enter the password when prompted.
After logging in, type the following to list the IP addresses assigned to your Smoothwall.
ifconfig
You will see output something like so... It probably scrolled off screen; that's OK.
In the example above:
eth1 is the Smoothwall RED interface and has my local network IP (from my Wi-Fi router),
eth0 is the Smoothwall GREEN interface and has the IP address I manually assigned it, namely 192.168.11.199.
You can issue the following commands:
ifconfig eth0
ifconfig eth1
to list each NIC individually.
Next, try pinging some address:
Press Ctrl+C to cancel. It works!
On a Windows virtual machine in the lab you are providing internet access (and routing) to, your network settings should be configured like so, pointing your Gateway to the Smoothwall and DNS to the Domain Controller. This can be configured via DHCP server settings on the DC.
A quick ping verifies that internet works.
Step 7. Optionally configure port forwarding
On a Windows machine, open a web browser and browse to the IP address of your Smoothwall, including port 441, like so:
https://192.168.11.199:441
You'll probably get a warning; it's safe to ignore.
Click Advanced to continue... For the username and password, use the Admin user you created for web configuration.
In this example I'm forwarding port 80 from my external internet connection to my internal lab, specifically the web server in lab #11.
Step 8. Configure things in AD
On your domain controller, configure the DHCP scope options to point 003 Router to the internal IP address of your new Smoothwall (in this case 192.168.11.199), so that all computers that get an IP know how to use the Smoothwall.
Point your forwarder in DNS on the DC to the Smoothwall local IP address.
Finally, restart the DNS and DHCP services.
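The same Step 8 changes can be made and checked from PowerShell on the domain controller. This is an added example, not part of the original post; it assumes the lab DHCP scope ID is 192.168.11.0 and uses the Smoothwall GREEN address 192.168.11.199 from the post.

```powershell
# Added example, not from the original post. Run on the domain controller (DC01).
$ScopeId    = '192.168.11.0'      # assumption: DHCP scope ID for lab #11
$Smoothwall = '192.168.11.199'    # Smoothwall GREEN address from the post

# DHCP option 003 Router: hand out the Smoothwall as the default gateway.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Smoothwall

# DNS forwarder: the DC answers lab names itself and forwards everything else.
# Note: this replaces the existing forwarder list on the DC.
Set-DnsServerForwarder -IPAddress $Smoothwall

# Restart both services so the changes take effect.
Restart-Service -Name DNS, DHCPServer

# Verify what clients will actually receive and that forwarding resolves.
$router = (Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 3).Value
$fwd    = (Get-DnsServerForwarder).IPAddress.IPAddressToString
if ($router -notcontains $Smoothwall) { Write-Warning "Option 003 is '$router', expected $Smoothwall" }
if ($fwd -notcontains $Smoothwall)    { Write-Warning "Forwarder is '$fwd', expected $Smoothwall" }
Resolve-DnsName -Name 'www.microsoft.com' -Server 127.0.0.1 -Type A |
    Select-Object Name, IPAddress
```

Lab clients pick up the new gateway when they renew their lease (ipconfig /renew).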
I hope you found this useful!
If you'd prefer to watch a video of this then see here
cheers
niall