I'd like to wire up a VM with LAN access but restrict it from accessing the Internet. I've come across a couple of comments—such as this one—indicating that this can be done via two NICs, but the exact configuration details are a bit hazy.
Here's some background on what's driving this effort:
A recent Windows Update (not sure which one) has toppled the mighty QuickBooks. I've been able to set it aright inside a new network-isolated Win10 VM, so as to prevent Windows Updates from shuffling in the door (I'll have to connect it briefly for activation, but oh well). It's presently at a patch level that's lower than the offending update, and I'd like to keep it that way—at least for the near-term future.
But frequent and repeated access via Hyper-V Manager is, well... cumbersome at best. If I were able to RDP into it, that'd also mean I could share local drive resources for manually copying various files back and forth.
For the automated nightly backups I can write a PowerShell script to do something like this:
- Shut down the VM
- Mount the VHDX
- Use RoboCopy to sync a folder
- Dismount the VHDX
- Start the VM
The comment sort of hints that the setup is something easy to put together. Well... easy if you know how!
For example:

> one in the isolated test and another in the production network

Is he talking VLANs?

> Make sure both nics are set to not register in DNS

How does one accomplish this? Does he mean omit the DNS server entries on the NICs' IPv4 property sheets?

> Just set a static record on each side's DNS

See above.
Is this what's called a 'DMZ?'
I know a little bit about DNS, but absolutely nothing about VLANs. Not that I'm against studying up on the wonderful topic, but I'm loath to chase down rabbit holes to learn about something that may ultimately wind up not contributing to what I'm after. That's why I appreciate you fine folks so much—you actually know how to pull this stuff off, and what parts/pieces it takes to do it.
Shucks, I can't even figure out whether he's talking about standing up another VM in addition to my QuickBooks VM.
I've tried my due diligence, searching for solutions, but I'm afraid I'm not familiar enough with the terminology here to even know what to look for. Search results are coming up with how-tos for everything but. I was lucky to find the one that I did.
There's a ton of stuff out there about Copy-VMFile, but that flows the wrong way. I need guest-to-host, not host-to-guest. The search engines don't seem to be smart enough to figure this out from my keywords (e.g. "hyper-v get files from isolated vm" or "hyper-v internal network access no internet"). All links point to Rome, not from it. All links think I'm complaining about no Internet access. I'm not. I want to know how to restrict it ON PURPOSE.
I don't have time to wait for these two behemoths to slug it out. I need to keep moving and slip past the clumsy feet of the lumbering giants. This has already set me behind with my critical accounting work.
What steps (like you're coaching a beginner, please) do I need to take in order to build what he's talking about?
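The five backup steps listed in the question (stop the VM, mount the VHDX, RoboCopy, dismount, start), written out as one script. This is an added example, not code from the question or from any answer; the VM name, VHDX path, guest folder and backup folder are placeholders to adjust. It runs on the Hyper-V host from an elevated prompt and needs the Hyper-V PowerShell module.

```powershell
# Added example: nightly guest-to-host backup by mounting the VM's VHDX on the host
# while the VM is off. All four paths/names below are placeholders (assumptions).
#Requires -RunAsAdministrator
Import-Module Hyper-V

$VMName    = 'QB-Win10'                                  # placeholder
$VhdxPath  = 'D:\Hyper-V\QB-Win10\QB-Win10.vhdx'         # placeholder
$GuestDir  = 'Users\Public\Documents\Intuit\QuickBooks'  # placeholder, relative to the guest's system volume
$BackupDir = 'E:\Backups\QuickBooks'                     # placeholder
$LogFile   = Join-Path $BackupDir ('robocopy-{0:yyyyMMdd-HHmm}.log' -f (Get-Date))

function Wait-VMState {
    param([string]$Name, [string]$State, [int]$TimeoutSec = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-VM -Name $Name).State -ne $State) {
        if ((Get-Date) -gt $deadline) { throw "VM '$Name' did not reach state '$State' within $TimeoutSec s." }
        Start-Sleep -Seconds 5
    }
}

$mounted = $false
try {
    # 1. Graceful shutdown via the guest's integration services. Do not use -Force here:
    #    a hard power-off can leave the QuickBooks company file inconsistent.
    if ((Get-VM -Name $VMName).State -ne 'Off') {
        Stop-VM -Name $VMName
        Wait-VMState -Name $VMName -State 'Off'
    }

    # 2. Mount the VHDX read-only: a backup never needs to write into the guest disk.
    $disk = Mount-VHD -Path $VhdxPath -ReadOnly -Passthru | Get-Disk
    $mounted = $true

    # The guest's system volume is the largest NTFS volume that received a drive letter.
    $volume = $disk | Get-Partition | Get-Volume |
              Where-Object { $_.DriveLetter -and $_.FileSystem -eq 'NTFS' } |
              Sort-Object Size -Descending | Select-Object -First 1
    if (-not $volume) { throw 'No lettered NTFS volume found on the mounted VHDX.' }

    $source = Join-Path "$($volume.DriveLetter):\" $GuestDir
    if (-not (Test-Path $source)) { throw "Guest folder not found: $source" }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # 3. Mirror the folder to the host. /MIR also deletes host copies of files removed in
    #    the guest, so keep dated copies elsewhere if you need point-in-time restores.
    robocopy $source $BackupDir /MIR /R:2 /W:5 /NP "/LOG+:$LogFile" | Out-Null
    # Robocopy exit codes 0-7 are success variants; 8 and above mean some files failed.
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE); see $LogFile" }
}
finally {
    # 4. Always dismount and 5. always bring the VM back, even if the copy failed.
    if ($mounted) { Dismount-VHD -Path $VhdxPath }
    if ((Get-VM -Name $VMName).State -eq 'Off') { Start-VM -Name $VMName }
}
```

Schedule it with Task Scheduler as the host's local administrator; because the copy reads a mounted offline disk rather than going through the guest's network, it works no matter how tightly the VM's network is restricted, which is the point of doing backups this way.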
If you use a firewall, you'll likely block all internet traffic from the host. If the goal is to simply prevent Windows updates, there are less severe mechanisms.
I do this with PiHole DNS server. It's pretty simple to set up. Basically, it acts like a DNS blackhole. I use it to blacklist the microsoft update sites. That way, other internet stuff can happen, but Windows updates only happen when I want them to.
When the time comes to allow an update, I simply point my host to my ISP's DNS. When I'm done, I point it back to the PiHole.
If you really just want to block all internet traffic, but still allow local LAN traffic, just don't set a default route on the Windows machine. No need for firewall rules and all of that. When you want to allow updates, set the route and let it go... then delete the route. Easy-peasy.
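The "no default route" approach from this answer, plus the "not register in DNS" setting the quoted comment mentions, as a script run inside the guest. This is an added example, not the answer's own code; the adapter alias, subnet, guest address, LAN DNS server and router address are placeholders.

```powershell
# Added example: static LAN-only addressing in the guest (no default gateway), with a
# switch to open and close an Internet window for activation or updates.
# Placeholders (assumptions): adapter 'Ethernet', 192.168.1.0/24, guest .50,
# LAN DNS .10, router .1.
#Requires -RunAsAdministrator

$Adapter = 'Ethernet'
$GuestIP = '192.168.1.50'
$Prefix  = 24
$LanDns  = '192.168.1.10'
$Gateway = '192.168.1.1'

function Set-LanOnlyAddressing {
    # Drop DHCP and any previous address, then add the static one WITHOUT -DefaultGateway,
    # so the only IPv4 route the guest has is the on-link route for its own subnet.
    Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $GuestIP -PrefixLength $Prefix | Out-Null

    # Use a LAN resolver only; an Internet resolver would be unreachable without a default
    # route anyway, and this makes lookups for update servers fail fast instead of hanging.
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $LanDns

    # The "not register in DNS" setting from the quoted comment: the guest stops trying to
    # publish its own A record into the LAN's dynamic DNS zone.
    Set-DnsClient -InterfaceAlias $Adapter -RegisterThisConnectionsAddress $false
}

function Enable-InternetWindow {
    # Temporarily add a default route for activation/updates.
    New-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceAlias $Adapter -NextHop $Gateway | Out-Null
}

function Disable-InternetWindow {
    Get-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceAlias $Adapter -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
}

function Test-LanOnly {
    # Quick check: the router still answers on the LAN, and no default route exists.
    $lanOk   = Test-NetConnection -ComputerName $Gateway -InformationLevel Quiet
    $noRoute = -not (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
    [pscustomobject]@{ LanReachable = $lanOk; DefaultRouteAbsent = $noRoute }
}

Set-LanOnlyAddressing
Disable-InternetWindow
Test-LanOnly
```

RDP and file sharing from other LAN hosts keep working because same-subnet traffic uses the on-link route, not the default route. Treat this as a convenience switch rather than a security boundary: anything running as administrator inside the guest can re-add the route or re-enable DHCP, so if the requirement is enforcement, the block belongs on the Hyper-V host or the router, outside the guest's control.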
You can set up a static IP address in your guest VM, and then configure your network firewall to block outside access for that IP address.
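The same idea as this answer (block the VM's traffic from outside the VM) enforced on the Hyper-V host rather than on a network firewall, using extended port ACLs on the VM's virtual NIC. This is an added example, not the answer's code; the VM name and LAN subnet are placeholders, and it runs on the host from an elevated prompt.

```powershell
# Added example: host-side "LAN only" enforcement with Hyper-V extended port ACLs.
# The rules sit on the virtual switch port, so they hold even if someone inside the
# guest re-adds a default route. Placeholders (assumptions): VM 'QB-Win10', 192.168.1.0/24.
#Requires -RunAsAdministrator
Import-Module Hyper-V

$VMName  = 'QB-Win10'
$LanCidr = '192.168.1.0/24'

function Set-LanOnlyPortAcl {
    param([string]$Name, [string]$Lan)
    # Start from a clean slate so the effective rule set is exactly what is declared here.
    Get-VMNetworkAdapterExtendedAcl -VMName $Name | Remove-VMNetworkAdapterExtendedAcl

    # Higher weight is evaluated first: the LAN allow (100) wins over the catch-all
    # deny (1) for traffic inside the subnet, everything else is dropped both ways.
    Add-VMNetworkAdapterExtendedAcl -VMName $Name -Direction Outbound -Action Allow -RemoteIPAddress $Lan -Weight 100
    Add-VMNetworkAdapterExtendedAcl -VMName $Name -Direction Inbound  -Action Allow -RemoteIPAddress $Lan -Weight 100
    Add-VMNetworkAdapterExtendedAcl -VMName $Name -Direction Outbound -Action Deny  -RemoteIPAddress '0.0.0.0/0' -Weight 1
    Add-VMNetworkAdapterExtendedAcl -VMName $Name -Direction Inbound  -Action Deny  -RemoteIPAddress '0.0.0.0/0' -Weight 1
}

function Open-UpdateWindow {
    # For activation/update days: drop only the deny rules; re-run Set-LanOnlyPortAcl afterwards.
    param([string]$Name)
    Get-VMNetworkAdapterExtendedAcl -VMName $Name |
        Where-Object { $_.Action -eq 'Deny' } | Remove-VMNetworkAdapterExtendedAcl
}

function Show-PortAcl {
    # Review what is currently enforced, highest priority first.
    param([string]$Name)
    Get-VMNetworkAdapterExtendedAcl -VMName $Name |
        Select-Object Direction, Action, RemoteIPAddress, Weight | Sort-Object Weight -Descending
}

Set-LanOnlyPortAcl -Name $VMName -Lan $LanCidr
Show-PortAcl -Name $VMName
```

This pairs with the static address the answer calls for: DHCP discovery is a broadcast to 255.255.255.255, which falls outside the allowed subnet and is dropped by the deny rule. If the LAN also runs IPv6, add a matching deny pair for `::/0` (an assumption that the cmdlet accepts an IPv6 prefix there), otherwise the guest could still reach out over IPv6.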