VMs and Firewalls

I’m often asked by fellow engineers why they can’t seem to communicate with, or even ping, their newly created VM lab on their personal workstation or laptop. There are a few MS caveats that play into the problem and a few easy steps to make everything work. For my demonstration, this blog post caters to a user who is leveraging VMware Workstation and has created a host-only virtual network for the purpose of having a private lab. The common issue people run into is making any network connection to their VMs, because the native Windows Firewall is enabled and partially enforced by GPO.

1). Create two firewall rules, one for TCP and one for UDP, that allow all traffic in from the remote IP range you have specified for your private VM network. This will ensure your host can talk to your VMs without the default firewall policies blocking the traffic.

Inbound Rules

TCP Rule Explained:

Allow all inbound TCP traffic whose remote address falls in the subnet that you created for your VM lab; in my case I use the subnet “192.168.64.0/24”.

VMware Virtual Network Editor; this blog post is referring to host-only networking issues.

Virtual Network Editor

Firewall rule properties…

VM TCP

VM TCP All

Remote IP needs to match your VM Host-Only Range.

Scope

Protocols

Advanced

Do the same exact thing for UDP…

2). Make sure ping is enabled for troubleshooting. Windows by default does not necessarily allow ping (ICMP echo) requests to be answered. These default rules need to be turned on to allow ping across the board. Notice how the Public profile is disabled by default here. This is for security and is why you want your VM NICs to be recognized as a Work/Private interface.

Inbound Rules

3). Make sure your VM NICs are not set to Public. If they are, you need to modify your local GPO settings so you can make them a Work/Private NIC.

Firewall Network Status

Using the Gpedit.msc command…

The issue I have seen is that the VMware Workstation adapter gets detected as an unknown network and you will not be able to change its settings. By changing this setting you will be able to have the NIC detected as Private, or manually change it. This, of course, can differ from product to product and with the way the domain’s GPOs are configured.

4). For further troubleshooting, I always turn on dropped-packet logging on my Windows Firewall across all three profiles. There should never be a need to disable the firewall completely; if traffic is getting dropped, you should see it here in the log.

Firewall Advanced Security

Example of dropped packets…

Firewall Packet Loss
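The four steps above, scripted for an elevated PowerShell session, as an added example that is not part of the original post. The lab subnet is the one quoted above; the adapter alias and the log path are assumptions you should adjust to your own setup, and instead of enabling the broad built-in echo rule the script creates an ICMP rule scoped to the lab subnet only.

```powershell
# Added example, not from the original post. Run as Administrator.
$LabSubnet   = '192.168.64.0/24'                 # host-only range from the post
$VmwareAlias = 'VMware Network Adapter VMnet1'   # ASSUMED adapter alias, check Get-NetAdapter
$LogPath     = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"  # default location

# Step 1: inbound allow rules for TCP and UDP, scoped to the lab subnet and to the
# Private/Domain profiles only, so nothing is opened on the Public profile.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "VM Lab $proto All" -Direction Inbound -Action Allow `
        -Protocol $proto -RemoteAddress $LabSubnet -Profile Private, Domain -Enabled True | Out-Null
}

# Step 2: allow ICMPv4 echo requests (ping, ICMP type 8) from the lab subnet only,
# a narrower choice than enabling the built-in "File and Printer Sharing" echo rule.
New-NetFirewallRule -DisplayName 'VM Lab ICMPv4 Echo' -Direction Inbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $LabSubnet -Profile Private, Domain | Out-Null

# Step 3: move the host-only adapter to the Private category so the rules above apply.
# If GPO marks the network as unidentified/Public this call fails until the policy is changed.
Set-NetConnectionProfile -InterfaceAlias $VmwareAlias -NetworkCategory Private

# Step 4: log dropped packets on all three profiles; the firewall itself stays enabled.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName $LogPath -LogMaxSizeKilobytes 4096

# Helper: pull the DROP lines that involve the lab subnet out of pfirewall.log.
# Field order in the W3C log: date time action protocol src-ip dst-ip src-port dst-port ... path
function Get-LabDrops {
    param([string]$Path = $LogPath, [string]$Prefix = '192.168.64.')
    Get-Content -Path $Path -ErrorAction Stop |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} \S+ DROP ' } |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{
                Time = $f[1]; Proto = $f[3]; Src = $f[4]; Dst = $f[5]
                SrcPort = $f[6]; DstPort = $f[7]; Path = $f[-1]
            }
        } |
        Where-Object { $_.Src.StartsWith($Prefix) -or $_.Dst.StartsWith($Prefix) }
}

Get-LabDrops | Format-Table -AutoSize   # empty output means nothing lab-related was dropped
```

Re-run `Get-LabDrops` after a failed ping or connection attempt from the VM; the Proto, DstPort and Path columns tell you which rule scope is still missing.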

Summary:

If you have a basic understanding of networking this guide should be able to help you get any network connection going on a Windows machine where the native firewall is being leveraged.

Bonus:

I highly recommend this small Windows plugin called Windows Firewall Control. It gives you the power to leverage the outbound firewall and application inspection features of the very powerful Windows Firewall with a more third-party-style popup look and feel. By using a strict default set of firewall settings, any new app that requests internet access triggers a notification on my screen where I can approve or deny its access. This is all supported by Windows out of the box; they just never made an interface to leverage these powerful features. Maybe next week I will create a blog post on how I leverage this product to lock down the Windows Firewall to the fullest extent possible.

Firewall Control
