Adding NAT to a Hyper-V host for access to isolated lab guests

Posted: January 15, 2010 in Virtualization

This latest cool solution comes from a colleague of mine, Andrew Abbate and looks at providing access to isolated VM guests.

In my lab environment, I had a major constraint around IP address space.  As such, I was given 4 IP addresses that covered my 4 Hyper-V hosts.  Thus I needed a way to address and reach my 40+ VMs that are configured in isolated networks.

The solution?  VLAN tagging and NAT.

The first step was to utilize the HP NIC utilities to create a tagged VLAN port (virtual interface). This can be done with any NIC that supports VLAN tagging including Broadcom and Intel Pro.

This gave me a 2nd interface to which I could bind an additional subnet without needing any additional network ports to activate additional networks in the Hyper-V servers.

In Hyper-V, the virtual switch is bound to the tagged VLAN interface

Similarly, the individual VMs are bound to the same VLAN tag.

Within the VM, the guest is configured to use an IP from the subnet which is on the tagged VLAN and it uses the Hyper-V host as its default gateway.

The Hyper-V host then receiveds the Network Access and Policy Services role.  This gives us Routing and more importantly, Network Address Translation.

The “public” interface on the Hyper-V host is listed as the “internet” interface, and the tagged interface is used as the “shared” interface.  This allows the IP range on the VMs to use the Hyper-V host as a NAT gateway. Useful to note is that if you forget to check “Enable virtual LAN identification” on the virtual switch interface (as shown above) the VMs will be able to talk to each other from host to host, but not talk to the host itself.  This can be annoying for getting non-ISOs from the host to the guest and will prevent NAT from working.

At this point, NAT allows the VMs to talk to networks on the other side of the Hyper-V host – including the Internet!

Now at this point, my needs became slightly more esoteric.  I needed to test USB devices against the VM.  Since Hyper-V doesn’t have the ability to pass a USB device from the host to the guest, I needed another way.  I needed to be able to RDP directly into a VM that was on a network that wasn’t routable.  This is where the NAT configuration provides a solution.

By going into the properties of the public interface in the RRAS interface:

And then into the Services and Ports tab:

I’m able to add a service for a NAT/PAT rule allowing RDP on a custom port:

In this case, I’m saying “if someone hits the public interface on Hyper-V on port 3390, pass that to a specific VM on port 3389.”  This allows me to publish all my VMs RDP services via a single IP address.  I simply have to alter the port in the RDP client:

Net result, I can reach my 40 VMs running on an isolated network from a production network without having to burn 40 IP addresses.  This can be very useful in a lab environment where you need to be able to bypass the processes of the network folks to get something working. Also a fun exercise in VLAN tagging and NAT rules.

Second option specific to RDP access is to deploy a TS gateway on the host to listen on the Untagged VLAN and provide connections to systems on the Tagged VLAN.

To accomplish this, I added RPC over HTTPS Proxy as a feature and Remote Desktop Services (R2) along with IIS as roles.  Defined the access rules and for now, just created the self signed cert.

Installed the self signed cert into the Trusted Root container in my workstation and I’m able to reference the Hyper-V host as my TS Gateway and list the “not really reachable” IP as my target and RDP works fine.

So while both options can be used to provide RDP access to isolated guests, the incoming NAT translation can be used for many other purposes since its protocol independent, for example, with it I’m able to run Windows Updates on my isolated Lab systems!


  1. This is great content – thanks for posting.
    I imagine I will refer to this content in the future – is there a means by which I can contact you?
    I’m @benjaminathawes on Twitter.

  2. One IT Ltd says:

    Any idea how to do this on the Standalone Hyper-V Server, the one without a GUI. I’m not sure the NAT or RRAS is available as a role on that.

    • Guy Yardeni says:

      RRAS isn’t supported on core so you can’t do it directly on the host (at least without a third party product but I don’t know of one that works on core), but you could do use one of the guests. Assuming that the isolation requirements allow for a guest connected to both networks, just deploy a guest running RRAS with the same configuration.

  3. Daniel Payne says:

    Thanks for writing this – what do you think of this alternative method that someone else came up with?

    • Guy Yardeni says:

      I think they are essentially the same method, except that my example is focused on allowing inbound traffic through the NAT whereas the other example is showing how to allow traffic out. The one material difference is the use of VLAN tagging which would be required if the virtual environment consisted of multiple hosts. The example linked would work well for guests on a single host but wouldn’t translate to multiple hosts due to the use of an internal only virtual network.

  4. Lucy Smith says:

    Wow, this is exactly what I need! I was trying to find a way to remotely update the IP addresses of multiple VMs in an isolated virtual lab network. Haha, silly me, your way is better. You rock!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s