Before the holidays, I bought myself an early present: a new quad-core box with 4GB RAM, which I was going to use for a home Hyper-V lab, so that I could run a bunch of 64-bit VMs as well as the 32-bit staples I’ve been using for years (SBS 2003, and a separate ISA Server box).
I’d had Windows Server 2008 installed on my Virtual Server host for a while, and use it with Routing and Remote Access (RRAS)’ NAT to provide a simple internet gateway for a segment of my internal network.
There was a 1300Mhz FSB Q8200 available for the same price as a Q6600, and I figured that I couldn’t go wrong with that. Surely, I thought, all Intel CPUs since the Core2 Duos support Hyper-V?
Well, no, said Intel, and thanks for your money (stupidty tax, I seem to pay a lot of it). The one Quad core chip that doesn’t support Hyper-V is the one I bought. Q8200 is being phased out (I read somewhere), so this mistake should be easily avoidable in the future. Or now, by how-you-say smarter people.
What I mean by this is that when I got the Right CPU and installed Hyper-V, I was without Internets.
To cut a long and boring troubleshooting story short: the physical network adapters I’d configured in RRAS were no longer the Right Network Adapters.
I set up new virtual networks for each physical adapter (one Internet, one Local), and then had to set up RRAS again, because it didn’t think there were any new interfaces to set up – it was quite happy only seeing the old ones, thank you very much.
After checking both virtual adapters were visible in the Network Connections interface, and that they had the right IPs assigned, I rechecked my Windows Firewall settings and ran a port probe to confirm only ports I knew I wanted open were open (RRAS Basic Firewall doesn’t exist any more in 2008, so be careful with dual-homing where the Internet is attached to one of your adapters).
The disconnect here was that I was assuming the parent partition would see the physical hardware – it does, it just doesn’t use it directly any more, it looks like it uses the virtualized setup instead, at least to some extent.
My RRAS server had (to this point) been my DHCP server for the internal network. This was all fine, and seemed to be working okay (or had my lease durations just not expired yet?), except for the new virtual hosts I created today.
There’s some lore floating around on the forums that worked for me – the bit that worked was manually adding a REG_MULTI_SZ called IPAddress to the likeliest-looking adapter interface in the registry, because Hyper-V setup for whatever reason doesn’t do that.
The DHCP server wouldn’t bind to the physical adapters (or even show them in the Bindings interface), presumably because IPv4 and IPv6 was unbound from them (interesting, hey?) and also wouldn’t show me either of the virtual adapters, which I guess is due to the lack of a static IP address on either of them.
Now, though, my setup’s working nicely, everything more or less as it was before, only virtualized. And thus, you know, more sexy.
I had not spotted that registry hack, months ago when I built my hyperV home setup.... therefore I have DHCP installed on the ISA Server virtual machine I always keep turned on, only bound to the "internal" NIC... the HyperV host has two NICs, but effectively communicated to the Internet THRU the virtualized ISA on the one that is "internal"... the other one is used for the ISA to go to the router, but the host does not use it.
Gotcha, good solution. My ISA Server is an optional web proxy, I just point Auto Detect clients at it through WPAD (I have an Xbox 360 on the network, so I don't want any port filtering to happen at the ISA box for that).
That said... I'm thinking I might put Forefront TMG on the host for general filtering and firewalling (or just WS2008 R2), and use the virtualized adapters to provide a dedicated "passthrough" router for the Xbox.
I also use WPAD, and I have an old XBox, and a Nintendo Wii, and a bunch of other devices that might need to go out unfiltered and/or unauthenticated: I just give them always the same IP Address thru RESERVATIONS in DHCP, and I let those IP out. All the rest in the dynamic IP range (=my kids and my wife's PCs) are allowed to go out for a few protocols, and have authenticated/filtered HTTP access (kids only have a whitelist of "allowed" sites... :-))
I am using virtual adapters for a sort of "DMZ", where I keep TEST machines that are in separate domains and don't have anything to do with "production" :-) ... so I can still send them out for WindowsUpdate, but they don't send crap (even just browser elections or any enumeration of stuff) out to my real internal net.
Yup - I found the ISA NAT implementation didn't mix with the 360 too well last time I tried it... I might give it another whirl with TMG.
I love being able to set up purely internal virtual networks where my virtual hosts congregate; I wonder if I could use that to perform a sneaky passthrough for the ISA host (connect the parent to a virtual network, and have ISA downstream of a virtual RRAS box (kinda what I did in the past, though more complicated))... best of both worlds... :)
I just bought a Q8300 as it was on the Intel list posted as having VT.. http://www.intel.com/products/processor_number/chart/core2quad.htm
It did not work, and it appears from the following that it does not have VT! http://ark.intel.com/cpu.aspx?groupId=39107
What a waste of money.. I only bought it to setup a hyper-v test machine!