
In this post, I am going to show you how to create NAT (network address translation) rules for a Hyper-V virtual switch on Windows 10 or Windows Server 2016. A NAT rule is used to open inbound communication to your VMs behind a NAT switch. The most common use for NAT rules is containers.

Before you read this post I highly recommend you read this article first:
https://pixelrobots.co.uk/2017/06/create-a-hyper-v-nat-virtual-switch/

NAT Rules?

Hyper-V NAT switches do not come with any NAT rules by default. This means no inbound traffic can be routed from an outside IP range to the NAT IP range. In practice, no VM on the NAT IP range can be reached from any VM, server, or network device outside of the NAT IP range. That is where NAT rules come into play. With NAT rules we are able to open up routes through the NAT switch to allow communication on specific ports.

The following parameters are able to be used when creating NAT rules.

-Protocol: This is easy to explain. You only have two options: TCP or UDP. (If you want to use both protocols, you will have to create two rules.)

-ExternalIPAddress: This will be the IP address of the NIC on the Hyper-V host that you want this NAT rule to apply to. If you have multiple addresses on the Hyper-V host you can use 0.0.0.0/0.

-InternalIPAddress: This will be the address of the VM running on your NAT IP Range that you want to send the traffic to.

-ExternalPort: For this parameter, we have to use the port number the incoming traffic is sent to on the Hyper-V host. This can be any port you want to use.

-InternalPort: The internal port is the listening port on the VM. So if you were to create a NAT rule for RDP you would use port 3389, as that is the port the VM will be listening on by default for RDP connections.

Create a NAT Rule

Now let's create a NAT rule to allow RDP (-InternalPort and -Protocol) access to one VM on our NAT IP range. I have a VM running on my NAT IP range with the IP address 10.10.10.200 (-InternalIPAddress). I also have a jump server that I want to use to remote on to the VM. Its IP address is 192.168.86.210 (-ExternalIPAddress).

Now that we have all of the information we need, we can use the following PowerShell code to create the rule.

Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 3389 -Protocol TCP -InternalIPAddress "10.10.10.200" -InternalPort 3389 -NatName NATVNetwork

You may notice the -NatName parameter. This is the name of your NAT switch. You can easily find this by using the following PowerShell command.

Get-NetNAT

So we now have a NAT rule that allows us to RDP to our VM from the Hyper-V host.

What happens when you have several VMs and you want to be able to RDP to all of them from outside of your Hyper-V host? You are unable to create multiple NAT rules on the same external port.

To get around this we have to pick an unused port on our NAT switch for each VM. So let's say I have 3 VMs; what I can do is use a different port for the -ExternalPort parameter of each rule. This will look like the following:

Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 50200 -Protocol TCP -InternalIPAddress "10.10.10.200" -InternalPort 3389 -NatName NATVNetwork
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 50201 -Protocol TCP -InternalIPAddress "10.10.10.201" -InternalPort 3389 -NatName NATVNetwork
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 50202 -Protocol TCP -InternalIPAddress "10.10.10.202" -InternalPort 3389 -NatName NATVNetwork

What I like to do is match the last three digits of the external port number to the last octet of the VM's IP address.

Now we are able to RDP to multiple VMs inside our NAT from any server. We just have to connect to the Hyper-V host on the external port that belongs to the VM we want.
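The multi-VM procedure above as a script, added here as an example and not code from the original post: it derives each external port from the last octet of the VM address (50000 + octet, following the convention described above) and checks the existing mappings first, since a second rule on an already-mapped external port is rejected. The NAT name, VM addresses and port base are assumed values.

```powershell
# Added example (not from the original post): one RDP NAT rule per VM,
# with the external port derived from the VM's last octet and a
# conflict check against mappings that already exist on this NAT.
# Assumed values: NAT name, VM addresses and the 50000 port base.
$NatName  = 'NATVNetwork'
$VmAddrs  = @('10.10.10.200', '10.10.10.201', '10.10.10.202')
$Protocol = 'TCP'

# Existing mappings on this NAT, used to detect external-port conflicts.
$existing = Get-NetNatStaticMapping -NatName $NatName -ErrorAction SilentlyContinue

foreach ($ip in $VmAddrs) {
    $lastOctet    = [int]($ip.Split('.')[-1])
    $externalPort = 50000 + $lastOctet

    # Only one rule may own a given external port/protocol pair.
    $conflict = $existing | Where-Object {
        $_.ExternalPort -eq $externalPort -and "$($_.Protocol)" -eq $Protocol
    }
    if ($conflict) {
        Write-Warning "External port $externalPort/$Protocol already maps to $($conflict.InternalIPAddress); skipping $ip"
        continue
    }

    Add-NetNatStaticMapping -NatName $NatName `
        -ExternalIPAddress '0.0.0.0/24' -ExternalPort $externalPort `
        -Protocol $Protocol `
        -InternalIPAddress $ip -InternalPort 3389 | Out-Null

    Write-Host "Mapped host port $externalPort -> ${ip}:3389 ($Protocol)"
}

# Review the resulting rule set in one table.
Get-NetNatStaticMapping -NatName $NatName |
    Sort-Object ExternalPort |
    Format-Table StaticMappingID, Protocol, ExternalIPAddress, ExternalPort,
                 InternalIPAddress, InternalPort -AutoSize
```

Run it from an elevated PowerShell session on the Hyper-V host; the final table is a quick way to audit which host ports are currently forwarded into the NAT.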

Remove a NAT Rule

To remove a NAT rule we first need to find out what its static mapping ID is. To do this we use the following PowerShell command.

Get-NetNatStaticMapping

Now if we wanted to remove the NAT rule with an ID of 6 we would use the following PowerShell command.

Remove-NetNatStaticMapping -StaticMappingID 6
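Rather than looking up the ID by hand, the rule for one VM can be selected by its internal address and port and piped into Remove-NetNatStaticMapping. This is an added example, not code from the original post; the NAT name and VM address are assumed values.

```powershell
# Added example (not from the original post): remove the RDP rule for one VM
# by matching its internal address and port, with a dry run first.
# Assumed values: NAT name and VM address.
$NatName = 'NATVNetwork'
$VmAddr  = '10.10.10.201'

$rule = Get-NetNatStaticMapping -NatName $NatName |
    Where-Object { $_.InternalIPAddress -eq $VmAddr -and $_.InternalPort -eq 3389 }

if (-not $rule) {
    Write-Warning "No NAT rule found for ${VmAddr}:3389 on $NatName"
} else {
    # Dry run: shows the mapping(s) that would be removed without changing anything.
    $rule | Remove-NetNatStaticMapping -WhatIf
    # Real removal; -Confirm:$false suppresses the interactive prompt.
    $rule | Remove-NetNatStaticMapping -Confirm:$false
}
```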

So there we have it: we have created a NAT rule. Microsoft has made this cool feature really easy for us to use with PowerShell. What I really love about this is how easily it translates into Azure.

I am already using it in my labs and I hope that you will be going forward. If you have any questions or comments please leave them below.


Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.

4 Comments

Eugene van der Merwe · March 7, 2019 at 2:15 am

Is there a way to send *all* ports from the outside to a specific IP address on the side?

Are rules order specific?

Rob · June 24, 2024 at 9:56 pm

Hmm, so is there no way to add multiple IP addresses to the Hyper-V host and then create the NAT rule tied to one of those… so you wouldn't have to put RDP on a different port… you'd just bind one of the host's IPs to one virtual machine, if that makes sense?

How To Setup Nested Virtualization In Microsoft Azure - Pixel Robots. · January 2, 2018 at 3:47 pm

[…] You can also create NAT rules for include servers and ports. You can read more about this here. […]
