Is there a way to put a VM in the DMZ?

Sorry for such a noob question, but I am much more used to dealing with systems here on my home network and more simplistic routers with built-in firewalls.

Anyway, I have a network associated/supported by a Sonicwall on which I have a Hyper-V configuration supporting numerous virtual machines. I want to put just one of those VMs in the DMZ to test a program that is failing to work properly on our network.

Outside of the network [on a home network], the application works w/o issue. And, that home network does NOT have as fast a communication channel as our business network. We have disabled all A/V & firewall-like programs on this VM to no avail and we want to find out if there is something about being inside the firewall causing the issue.

So, again, I'm used to specifying an IP address on my home network to be "in the DMZ" and wondered if there is a way to do this with the Sonicwall, as I'm not able to physically attach that VM via ethernet cable to a different X# port/zone.


Thanks for your time and patience.

Category: Entry Level Firewalls

Answers

  • NatNat Newbie

    Take a look at router-on-a-stick and virtual interfaces.

    You can create a different zone/IP subnet on a virtual interface under the same physical interface.

    Then what is left is the hypervisor V-switch configuration.

  • OracleOracle Newbie ✭

    If I understood your question correctly, you want to "attach" a VM in Hyper-V to the DMZ zone in your Sonicwall device, right?

    That is possible, but you have to configure stuff in different places. To put it short, you'll have to use VLANs from the VM all the way up to the Sonicwall device. Follow these steps:

    1. In Hyper-V, open the VM settings. Under the configuration for the virtual ethernet adapter, check the box that enables VLAN tagging, and enter an arbitrary number on the VLAN ID box. (Remember to be sure to use an unused VLAN tag, to avoid misconfiguring the network devices on the next step. Overlapping VLANs on switches can be messy as hell...). Let's use VLAN 10 for example.
    2. The Hyper-V server that the VM runs in is probably physically connected to a switch. (This should be a managed switch, as an unmanaged one will have different behaviours depending on the manufacturer, and so this may not work.) If this is not the case, then jump to step 3. Else, let's say the Hyper-V server connects to port 3 of this switch.
      1. Open the switch configuration and configure port 3 to accept frames tagged with the VLAN ID 10.
      2. Now you need to configure the uplinks. Check the network path from the Hyper-V server to the Sonicwall device, and identify which ports on which switches the data will go through. Configure all those ports to accept VLAN ID 10.
    3. On the Sonicwall, identify which port will be receiving the connection from the Hyper-V server where your VM is in. Then you can open the configuration for its interfaces, and under the identified interface, you'll create a virtual interface, where you'll configure VLAN ID 10.
      1. If you already have a physical/virtual DMZ interface with an assigned IP address you want to use, then configure this new virtual interface with a NativeBridge to this already configured DMZ port, and you'll be set.
      2. Otherwise, assign this new port to the DMZ zone, and configure an IP address to it (according to your available network setup).
    4. Don't forget the most important part: do a ping test from the VM to the Sonicwall DMZ IP address (assuming your Sonicwall device is configured to accept and respond to ping tests). If it doesn't work, carefully redo all the steps above to check if anything is misconfigured.

    You could make the configurations in reverse order (Sonicwall, switches, VM), or in any other order you'd like, but following a path (in either direction) is the best way to not get lost in the configurations.

    Hope this helps.
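
Step 1 and the ping test in step 4 of the answer above can also be scripted from the Hyper-V host. This is an added example, not part of the original post; the VM name, the gateway address, and the use of PowerShell Direct (which needs a running Windows guest) are assumptions. The VLAN clash check only sees VMs on this host, not the rest of the network.

```powershell
#Requires -Modules Hyper-V
# Added example: run in an elevated PowerShell session on the Hyper-V host.
$VMName     = 'TestVM'      # hypothetical VM name
$VlanId     = 10            # VLAN ID from the steps above
$DmzGateway = '192.0.2.1'   # placeholder for the SonicWall VLAN sub-interface IP

# A VM with a second adapter still on the LAN would straddle both zones.
$adapters = @(Get-VMNetworkAdapter -VMName $VMName)
if ($adapters.Count -ne 1) {
    throw "$VMName has $($adapters.Count) network adapters; expected exactly 1."
}

# Step 1 caveat: refuse a VLAN ID that another VM on this host already uses.
$clash = Get-VM | Get-VMNetworkAdapter | Get-VMNetworkAdapterVlan |
    Where-Object { $_.OperationMode -eq 'Access' -and
                   $_.AccessVlanId -eq $VlanId -and
                   $_.ParentAdapter.VMName -ne $VMName }
if ($clash) {
    throw "VLAN $VlanId already in use by: $($clash.ParentAdapter.VMName -join ', ')"
}

# Step 1: tag the VM's adapter as an access port in the chosen VLAN.
Set-VMNetworkAdapterVlan -VMName $VMName -Access -VlanId $VlanId

# Read the setting back instead of trusting the call.
$vlan = Get-VMNetworkAdapterVlan -VMName $VMName
if ($vlan.OperationMode -ne 'Access' -or $vlan.AccessVlanId -ne $VlanId) {
    throw "VLAN setting on $VMName did not apply as expected."
}

# Step 4: ping the DMZ interface from inside the guest (PowerShell Direct).
$cred = Get-Credential -Message "Local admin account inside $VMName"
$ok = Invoke-Command -VMName $VMName -Credential $cred -ArgumentList $DmzGateway -ScriptBlock {
    param($Target)
    Test-Connection -ComputerName $Target -Count 2 -Quiet
}
if ($ok) { "VLAN $VlanId path to $DmzGateway is up." }
else     { Write-Warning "No reply from $DmzGateway; recheck switch trunks and the SonicWall sub-interface." }
```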

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    If you have an available NIC on the server and on the Sonicwall you can physically separate it out. This would skip all the VLAN stuff.
