Creating a Virtualized Gateway and Routing Your Traffic Through It
Peter McEldowney

Needed:
- Basic networking understanding
- A software-based firewall (such as Endian, pfSense, Untangle, IPCop, etc.)
- Hyper-V (or an equivalent hypervisor) [this means a virtualization-compatible CPU]
- 2 NICs [3 if you want a separate DMZ with EFW]

1. Draw a quick diagram of how you want to organize your network. This will help you understand the flow of traffic in your network and will also simplify future troubleshooting. Example:

In your diagram, be sure to label your inside and outside interfaces: Inside (private IP scheme, NAT local) is GREEN; Outside (public IP scheme, NAT global) is RED.

Take note that you are not assigning any IP addresses on the physical machine; it is only a vessel for the virtual machine. This means that hardening the network adapter of the physical machine would be a good idea (covered in step 7).

2. Download the firewall of your choice. Many trials are available online, but if you want a fully functional firewall that will not expire, go open source. This lab demonstrates setting up Endian Firewall (EFW), available here: http://www.endian.com/us/community/

In a production environment, many corporations will opt for a paid firewall (or a firewall specialist) to ensure that product support is available. Open source is an excellent, versatile learning experience.

3. [OPTIONAL] Installing Hyper-V through PowerShell. Virtualization must be enabled in your BIOS for this part. Installing the role can also be done through the GUI, which is self-explanatory.

To install Hyper-V through PowerShell, open an elevated PowerShell terminal and use the ServerManager module to add the Hyper-V role and the management tools. Another useful feature of PowerShell is the Get-Help cmdlet; feel free to explore with it. Also check out Get-WindowsFeature to view the currently installed and available roles.
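As an added example (not part of the original guide), here is step 3 done with the ServerManager module on Windows Server 2012 or later; it assumes an elevated PowerShell session and checks the install state before and after rather than installing blindly:

```powershell
# Added example, not from the original guide. Assumes Windows Server 2012+
# and an elevated PowerShell session.
Import-Module ServerManager

# Look before you leap: which Hyper-V features exist and which are installed?
Get-WindowsFeature -Name 'Hyper-V*' |
    Format-Table Name, DisplayName, InstallState -AutoSize

$role = Get-WindowsFeature -Name Hyper-V
if ($role.Installed) {
    Write-Host 'Hyper-V role already installed; nothing to do.'
} else {
    # The role plus Hyper-V Manager and the Hyper-V PowerShell module
    $result = Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
    $result | Format-List Success, RestartNeeded, ExitCode

    # A first-time install of the role always needs a reboot, because the
    # hypervisor has to load underneath the running OS; only a re-run reports "No".
    if ($result.RestartNeeded -ne 'No') {
        Write-Host 'Reboot before using Hyper-V: Restart-Computer'
    }
}
```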

Since I already had Hyper-V installed, it says that there is no restart needed. This is never the case when installing Hyper-V as it must make changes to system files currently in use.

4. Create your virtual machine. Native support for Hyper-V is included with the Server environment as a role, and also in Windows 8, which additionally provides the ability to boot from a VHD (Virtual Hard Disk). Choose New > Virtual Machine… (creating a new hard disk first and then using it for your virtual machine gives you a higher degree of configurability).

When creating your virtual machine, do not connect it to any network adapters yet. This needs to be done separately for this part to ensure compatibility with your VM.

5. Create your Virtual Switches through the Virtual Switch Manager…

In the Virtual Switch Manager, you will need to create 2 Virtual Switches (vSwitch). They are both configured exactly the same. You will want to create External switches.

Create another External vSwitch for your other adapter, name it appropriately, and apply the settings. [NOTE: For a DMZ, you will need to create 3 Virtual Switches]

6. Go into your VM settings and change the following:

a. Add the ISO for the firewall you chose.
b. Add 2 Legacy Network Adapters [3 for a DMZ].
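Steps 4 to 6 as a Hyper-V PowerShell script, added here as an example rather than taken from the original guide; it assumes Windows Server 2012 R2 or later, and the VM name, ISO path, disk path and physical adapter names are placeholders to substitute:

```powershell
# Added example, not from the original guide. Names, paths and sizes below
# are assumptions; replace them with your own.
$vmName   = 'EFW-Gateway'
$isoPath  = 'C:\ISO\efw.iso'                  # assumed path to the firewall ISO
$vhdPath  = 'C:\Hyper-V\EFW-Gateway.vhdx'     # new disk created below
$greenNic = 'Ethernet'                        # physical NIC facing the LAN (GREEN)
$redNic   = 'Ethernet 2'                      # physical NIC facing the modem (RED)

# Step 5: one External vSwitch per physical adapter, both configured the same.
# AllowManagementOS $true is the GUI default and creates the host-side
# "vEthernet" adapters that step 7 tells you to leave alone.
New-VMSwitch -Name 'vSwitch-GREEN' -NetAdapterName $greenNic -AllowManagementOS $true
New-VMSwitch -Name 'vSwitch-RED'   -NetAdapterName $redNic   -AllowManagementOS $true

# Step 4: create the disk first, then a Generation 1 VM that uses it
# (Legacy network adapters are only available on Generation 1 VMs).
New-VHD -Path $vhdPath -SizeBytes 20GB -Dynamic
New-VM -Name $vmName -MemoryStartupBytes 1GB -Generation 1 -VHDPath $vhdPath

# New-VM adds a default (synthetic) adapter; remove it so nothing is
# connected until the legacy adapters are added deliberately.
Remove-VMNetworkAdapter -VMName $vmName -Name 'Network Adapter'

# Step 6a: attach the firewall ISO to the VM's DVD drive
Set-VMDvdDrive -VMName $vmName -Path $isoPath

# Step 6b: two Legacy network adapters, one per zone (add a third for a DMZ)
Add-VMNetworkAdapter -VMName $vmName -Name 'GREEN' -IsLegacy $true -SwitchName 'vSwitch-GREEN'
Add-VMNetworkAdapter -VMName $vmName -Name 'RED'   -IsLegacy $true -SwitchName 'vSwitch-RED'

# Review the result. Dynamic MAC addresses are assigned on first start, so
# run this again after step 8 to get the MACs that step 9 asks you to match.
Get-VMNetworkAdapter -VMName $vmName |
    Format-Table Name, SwitchName, IsLegacy, MacAddress -AutoSize
```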

[The next step is optional but recommended. It minimizes the possibility of unused protocols being used maliciously.]

7. To harden your network adapters, run ncpa.cpl (Network Control Panel applet). This should bring up your network adapters and the virtual switches that were previously created.

Right-click the actual network adapter (not the vEthernet adapters) and go into its Properties. You will be doing this for however many virtual switches you have.

Disable all protocols except for the Hyper-V Extensible Virtual Switch.

Only having the Hyper-V protocol enabled means that only traffic from Hyper-V will be able to traverse this link. This prevents traffic originating from other machines from using those protocols to enumerate information about this virtual switch.

For more information about the disabled protocols, check out this article from TechRepublic: http://www.techrepublic.com/blog/networking/what-do-the-new-windows-networking-protocols-do/2342
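The same hardening done from PowerShell instead of ncpa.cpl, added as an example that is not part of the original guide; it assumes Windows 8 / Server 2012 or later (NetAdapter module), an elevated session, and that the physical adapters are named as in the array below:

```powershell
# Added example, not from the original guide. Adapter names are assumptions.
$physicalNics = @('Ethernet', 'Ethernet 2')   # the NICs bound to your vSwitches

foreach ($nic in $physicalNics) {
    # Only touch the physical adapter, never the vEthernet adapter that
    # Hyper-V created for the host side of the switch.
    if ($nic -like 'vEthernet*') { continue }

    $bindings = Get-NetAdapterBinding -Name $nic

    # vms_pp is the ComponentID of "Hyper-V Extensible Virtual Switch".
    # If it is not enabled, this NIC is not behind a vSwitch: leave it alone,
    # otherwise disabling IPv4/IPv6 would just cut the host off.
    $switchBinding = $bindings | Where-Object { $_.ComponentID -eq 'vms_pp' }
    if (-not $switchBinding -or -not $switchBinding.Enabled) {
        Write-Warning "$nic is not bound to a Hyper-V virtual switch; skipping"
        continue
    }

    # Disable everything else: IPv4, IPv6, Client for Microsoft Networks,
    # File and Printer Sharing, LLDP, Link-Layer Topology Discovery, QoS, ...
    $bindings |
        Where-Object { $_.Enabled -and $_.ComponentID -ne 'vms_pp' } |
        ForEach-Object {
            Write-Host "Disabling '$($_.DisplayName)' on $nic"
            Disable-NetAdapterBinding -Name $nic -ComponentID $_.ComponentID
        }
}

# Verify: the only enabled binding left on each physical NIC should be vms_pp
foreach ($nic in $physicalNics) {
    Get-NetAdapterBinding -Name $nic | Where-Object { $_.Enabled } |
        Format-Table Name, DisplayName, ComponentID -AutoSize
}
```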

Do this for your other network adapter(s) as well.

8. Start your VM and begin your firewall installation. The screen will guide you through the installation.

Setup will prompt you for the GREEN adapter IP addresses. This is where your initial diagram comes in handy.

This address is the default gateway handed out by your DHCP server (or used in your static addressing).

Setup will then prompt you to remove the disk from the drive; in Hyper-V this is done from the Media menu.

Your firewall is now installed.

You will want to set your passwords for accessing the web GUI. Access the GUI through the IP address now listed on the screen. In my case, it is http://10.10.10.1:10443

9. From your web interface, you can now begin configuring your firewall. The first thing you are going to want to do is configure your network.

For most connections, you will want ETHERNET STATIC or ETHERNET DHCP (e.g. a connection to a modem).

On the next screen, you can select a DMZ zone or a WIFI zone. WIFI is only available in the paid version. On the next screen, you will be prompted to configure your GREEN interface. You can check the MAC addresses of your virtual adapters in your VM settings.

Note: You can configure multiple IP addresses for your Interfaces.

On the next screen, configure your RED interface. Make sure that you use the proper Gateway address for your RED interface or your internet will not work.

After you have configured your interfaces, you can enter the DNS settings of your choice.

Apply your settings; if they are correct, your gateway should now function properly.

10. Your last step is to configure DHCP on your virtual network. This can be done through the Services menu. Once this is complete, you have a fully functioning network routed through a firewall. Explore the settings, configure NAT, and check your logs.