How do I limit network for Windows VM?

chimerahitman · March 10, 2019, 2:58am

Hello,

TL;DR: I want to stop windows VM from talking to the internet, limiting it to only host-guest smb shares. How to do this?

I have been tinkering with running windows 10 in a VM for a while now, and I am partially happy with the results.

MCAD and ECAD software run like crap but for the casual load it’s passable. The issue really is that windows still talks to the internet. The machine is only used to run the CAD software and I don’t care for security updates, patches, or anything other than being able to run the programs.

I’ve tried changing the interface but it escapes my capabilities on how to set it up such that I get network between host and guest, but not onto the main network that goes to the router.

If anyone has suggestions that could be useful, please help.
Thank you

2bitmarksman · March 10, 2019, 4:46am

How are you virtualizing the WIndows 10 VM? You ussing QEMU, ESXi, VirtualBox, Workstation Pro, Hyper-v ???

thro · March 10, 2019, 6:36am

Best way to do it?

Spin up a copy of pfsense in another VM, then put it between Windows and the internet.

e.g., pfsense gets two nics:

“wan” - shared with host via either bridge/nat/whatever
“lan” - a network segment local to the machine / shared with other VMs

Windows gets its network adapter put on the same segment as pfsense “lan”

easily done in VM workstation, not so sure on KVM, but sure it can probably be done.

That way you can permit selective access to other things via pfsense rules.

chimerahitman · March 10, 2019, 1:02pm

I am doing it with qemu/kvm via virt-manager.

chimerahitman · March 10, 2019, 1:05pm

That seems overly complicated for something that doesn’t seem that should be so complicated.

I used to remember that on Win XP setting up the ethernet interface the wrong way could block network sharing completely but still allow for internet or viceversa.

2bitmarksman · March 10, 2019, 5:32pm

Change the VM’s network adapter to have no gateway/DNS entries and be on the same subnet as the SMB network share. It cannot do any routing so it essentially is a peer-to-peer connection at that point

thro · March 11, 2019, 1:24am

It depends on the level of control you want.

If you simply want on/off, simply “disconnect” the virtual network adapter in your hypervisor.

But you said “limit” which in my book is somewhere between “fully enabled” and “fully disabled”. Which is all on/off will give you.

If you only want interaction between the host and guest, just give it a host-only network adapter in the VM settings. But then, if any of your applications need to talk to the internet for licensing/activation/updates/etc. you’re boned because as soon as you enable internet for the adapter by changing its virtual network, windows has it as well.

chimerahitman · March 11, 2019, 1:15pm

Thank you!

I finally figured it out and makes me feel dumb that I couldn’t find it myself.

The options for isolated host-guest only networking was obtained by: Virt-Manager->Edit->Connection Details->Virtual Networks and then creating a new one. Eventually it will ask for Isolated or NAT networking. I chose isolated.

Later on I will report back and see if this achieves my requirements.

EDIT: I have tried it and using the Isolated method works. In this case the ip of the host is the gateway which was specified on the virtual network creation window. No more random updates or strange internet usage.

gamer8493 · March 11, 2019, 6:34pm

Group policy rules/configurations is how windows IT’s manage systems

https://www.microsoft.com/en-us/download/details.aspx?id=25250