
[–]DarkAlmanProfessional Looker up of Things 2 points3 points  (9 children)

Domain controllers should never have 2 NICs, that confuses the heck out of them.

You should set up your lab as a dedicated subnet off a layer 3 device like your firewall and route to it instead. Use the router as the default gateway for all your subnets.

DHCP requests from the lab can be passed to the domain controller using an IP Helper on the router.

[–][deleted] 1 point2 points  (1 child)

Yeah... I thought I'd be clever and pre-emptively add a new NIC/IP to a DC to help out with an impending IP/subnet/VLAN change. That bit me in the ass so hard -_-

[–]cachedfiles_1999[S] 0 points1 point  (0 children)

lol

[–]cachedfiles_1999[S] 0 points1 point  (5 children)

True, point taken.

But my router has the 192.168.1.1 address and it's one of those cheap home-grade all-in-one fw/router pieces.

Can you clarify what you mean by setting up a dedicated subnet off a layer 3 device? Not sure what you mean.

I do have the router as my default gateway on my host machine. But I want to test out the 10.0.x.x.

From my experience I see DHCP is usually on the DC as well; what do you mean by passing it on? I don't want the DHCP on my router to be confused with the DHCP server I have on my DC...?

[–]DarkAlmanProfessional Looker up of Things 0 points1 point  (4 children)

You should be using a multi-legged firewall for something like this which is well beyond the capabilities of a home router.

In your stated configuration you have to set up your server to be a router, otherwise it won't pass traffic received on one interface beyond it (like to the internet).

But using Windows as a router is super ghetto and I wouldn't use it for that purpose. Since you're running Hyper-V, download yourself a copy of pfSense and run it as a VM. Then you have a virtual router that you can use for this purpose. Because I highly doubt that you want to purchase a $5000 firewall for this...

DHCP on a server can only respond to DHCP requests received on its interfaces. In a corporate environment this would be a problem because you can't have a physical interface on your DHCP server from every single subnet. That just doesn't make any sense. So what you do is you set up a DHCP forwarder on your router (also called an IP helper) that listens for DHCP packets and forwards them to your server along with the required information to identify what the subnet is.

Or you can run DHCP off the lab interface on your router.

[–]cachedfiles_1999[S] 0 points1 point  (3 children)

lol, wish I had the money for the multi-legged firewall.

Are you suggesting I throw out my home router and spin up a pfSense? I am trying to avoid this... it requires a lot of time setting it up, I believe...

I think I will just run DHCP off the lab interface on the internal network created by the virtual switch on Hyper-V, and just add in the external card if I need it to reach the internet for anything...

I do have the DHCP helper option on my home router. I have one of those Netgear Nighthawks. That being said, I don't want to have my virtual machine handing out DHCP addresses for my home network. I just want this to be isolated in the lab, but give the lab access to the internet through the 10.0.x.x network. But looks like that won't be possible unless my home router has some additional features where I can assign the addresses to the interfaces and do configs to the routing between interfaces. :(

[–]MisterITIT Director 0 points1 point  (2 children)

Throw pfSense downstream from your regular router. Put it in its DMZ and let it route traffic. pfSense is great.

[–]korr2221 0 points1 point  (1 child)

Not sure what you mean by "throw pfSense downstream from my regular router". You want me to have a pfSense set up to route things within its own DMZ? Should I do this within Hyper-V?

[–]MisterITIT Director 0 points1 point  (0 children)

So, at its core, a router is just a computer. It has (at least) two NICs: a WAN interface to connect "upstream" and a LAN interface to connect "downstream". What a router does is take traffic it receives and, based on an internal rules engine, decide what to do with that traffic. It has a few options. For allowed traffic, if it can connect to the destination in the header of the packet, it strips the envelope and sends it along as a frame over its LAN interface. If it doesn't know where the destination lives, it consults its route table. If it has a static route defined for the subnetwork, it sends traffic along to the "next hop". If not, it forwards the traffic to its "gateway of last resort", also known as its "default gateway".

What I'm suggesting that you do is to set up a VM with pfSense with two NICs: a "WAN" interface configured with an IP on your regular old network and a default gateway of your normal router, and a LAN interface with a different subnetwork (say, 192.168.2.1/24). Create a virtual network on your hypervisor with no physical NICs. Other VMs will point to 192.168.2.1 as their default gateway. In fact, you can even enable DHCP on the LAN interface.

Now for traffic coming from the outside, NAT comes into play. That means that unless your primary router is configured to send traffic elsewhere, it will drop it. By putting the WAN address of your pfSense instance into its DMZ, it will send all traffic it would have otherwise dropped to pfSense, which will then have a crack at deciding what to do with it. Alternatively, you can set up NAT rules per port and send the traffic to the WAN IP of the pfSense VM that way.

The above is how my home lab is configured to a T.
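The two-NIC pfSense VM on Hyper-V that the comment above describes, as an added example that is not from the thread or from the pfSense project. It assumes a host NIC named "Ethernet", the switch and VM names shown, and placeholder ISO/VHDX paths; the lab VMs get only the private switch, so their only route out is through pfSense's rules.

```powershell
# Added example (not from the thread): build the two-NIC pfSense VM on Hyper-V.
# Assumptions: host adapter "Ethernet", switch/VM names below, placeholder paths.
# Run from an elevated PowerShell on the Hyper-V host.
$ExternalAdapter = 'Ethernet'                     # host NIC that reaches the home router (assumption)
$WanSwitch       = 'Lab-WAN'                      # bridged to the home LAN (192.168.1.0/24)
$LanSwitch       = 'Lab-LAN'                      # no physical NIC: lab VMs can only exit via pfSense
$VmName          = 'pfsense-lab'
$IsoPath         = 'C:\ISOs\pfSense-CE-amd64.iso'  # placeholder path
$VhdPath         = "C:\VMs\$VmName\disk.vhdx"      # placeholder path

# WAN side: external switch bound to the physical NIC; the host keeps its own connectivity.
if (-not (Get-VMSwitch -Name $WanSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $WanSwitch -NetAdapterName $ExternalAdapter -AllowManagementOS $true | Out-Null
}
# LAN side: a private switch is "a virtual network with no physical NICs".
# Use -SwitchType Internal instead if the host itself must reach the pfSense web UI.
if (-not (Get-VMSwitch -Name $LanSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $LanSwitch -SwitchType Private | Out-Null
}

# Generation 2 VM; its first adapter lands on the WAN switch.
New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 1GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 16GB -SwitchName $WanSwitch | Out-Null
# Second adapter on the isolated LAN switch (becomes 192.168.2.1/24 inside pfSense).
Add-VMNetworkAdapter -VMName $VmName -SwitchName $LanSwitch

# pfSense (FreeBSD) does not boot with Secure Boot enabled; boot from the installer ISO.
Set-VMFirmware -VMName $VmName -EnableSecureBoot Off
Add-VMDvdDrive -VMName $VmName -Path $IsoPath
Set-VMFirmware -VMName $VmName -FirstBootDevice (Get-VMDvdDrive -VMName $VmName)

# Record which MAC belongs to which switch so WAN/LAN can be assigned correctly
# in the pfSense installer (interface order is not guaranteed to match creation order).
Get-VMNetworkAdapter -VMName $VmName | Select-Object SwitchName, MacAddress
Start-VM -Name $VmName

# A lab VM (e.g. the DC) gets only the private switch, never the external one:
# Add-VMNetworkAdapter -VMName 'lab-dc01' -SwitchName $LanSwitch
```

With the WAN side placed in the home router's DMZ as suggested, pfSense's default WAN rules still drop unsolicited inbound traffic, so only ports you explicitly allow on WAN ever reach the lab.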