Setting up Hyper-V with NAT

This post was originally posted by me at

I’ve edited out the ServerBeach specific stuff and will post pictures…. soonish.

The following link has some great pictures not included here.¬†…h-hyper-v.aspx

I’ll add some nice little pictures here once I get some screenshots together.


1. Configure an “Internal” HyperV network
2. Set each Virtual Machine to use the Internal network and assign them and your HyperV host on the correct subnet (in this example for the host and for the VM).


1. Click -> Start -> Administrative Tools -> Routing and Remote Access
2. Right Click on Server#### (local) -> Configure & Enable Routing & Remote Access
3. Click -> Next on Welcome Window
4. Select Custom Configuration Click -> Next
5. Select NAT Click -> Next
6. Select your public interface
7. Select your Internal HyperV interface
8. Select “I will set up name and address services later” Click -> Next
9. Click -> Finish


1. Routing and Remote Access should be running on the server now
2. Expand out the Server
3. Expand out IP Routing
4. Select NAT/Basic Firewall
5. Right-click your public interface. Select properties
7. Network Address Translation Properties Window will open
8. Select Radio Button for “Public Interface Connected to the Internet”
9. Select the check box for both “Enable NAT on this interface”
10. Click on the Address Pool Tab
11. Click the Add button and add your secondary IP addresses. The “Start Address” and “End Address” will be the same in most cases.

*NOTE* You do not want the secondary IP address configured in the TCP/IP Properties of the Host machine.

12. Click the Reservations button and enter your static IP mappings. That is, specify that you want traffic on your secondary IP mapped to your VM’s internal IP.
13. In services.msc, make sure that RRAS is set to start automatically and Windows ICS is disabled.


When configuring and experimenting with the RRAS firewall, create a batch file to stop the service in case you forget to allow RDC or otherwise render the system inaccessible.


net stop “remoteaccess”

Then add the batch file to the scheduler and have it run some time after you apply your changes.


RRAS is really finicky about the interfaces installed on the server. If an interface is changed in any significant way, it’ll have to be disabled and reconfigured.

Hyper-V is also similarly finicky about its virtual networks. I can’t count the number of times I had to remove and recreate networks. Thankfully, this was rather painless with only one VM to propagate changes to.

If you should encounter any difficulties with adding your additional VMs to the server, try resetting HyperV networking, individual VM network binding (in the VM’s settings), confirming physical host interfaces, and then reconfiguring RRAS in this order.


Those who have had HyperV configuration problems solved it by disabling TCP/Offload Engine. Symptoms include, RRAS just not working, or working sporadically. If in doubt, disable TCP/Offload Engine…8-d22aca6154ee…b;EN-US;904946

So if this applies to you, run on the host and on any 2008 VMs:

$ netsh int ip set global taskoffload=disabled

and add the following registry key to any 2003 VMs:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\DisableTaskOffload

This is a DWORD entry that should have a value of 1.

Tags: , , , ,


  • Emmanuel says:

    Hi Jim! Is there a way I can map ports of my secondary ip address to different ips on my virtual network?
    I need something like this:

    Primary ip address:
    Secondary ip address: -> -> ->


    BTW I’m a SB-Peer1 customer.

  • jim says:

    Hey Emmanuel!

    Thanks for your patronage! I used to field this particular Hyper-V question a bit when I was with the Support Department, before I switched roles to internal assets. That being said, ServerBeach’s networking structure when it comes to secondary IP’s does require a little bit of extra work to function correctly.

    Let me answer your question with two answers, the first being, yes you can do it. The second being, I recommend not. Let me explain how it can be done first:

    Instead of creating reservations, you can click on the “Services and Ports” tab, and add each individual port that you want mapped to the private IP. Click “Add” give the service a name, select the incoming IP (public) and port, then define the outgoing (private) IP and port. Click OK, and that IP/Port is mapped.

    When you set your reservations, and I can’t believe I didn’t note this above, if you click “allow incoming connections,” then every packet that comes in gets forwarded to the private IP. If you set this, whatever you configure in the “Services and Ports” tab gets overwritten by RRAS, and defaults to whatever is reserved. If you do not check “allow incoming connections,” then the private IP is not remotely accessible regardless of the settings in “Services and Ports.” It’s really a one or the other configuration.

    That being said, I recommend forwarding the whole block using reservations, checking “allow incoming connections,” and performing packet filtering either outside the host (external firewall), or internal to the VM (windows firewall or iptables in the guest). Primarily, the reason I say this is ease of troubleshooting. If firewalling is handled either external to your host, or internal to your VM, then it comes naturally to look there than it would be to troubleshoot issues with RRAS, which IMHO, isn’t very robust. Furthermore, troubleshooting measures that incorrectly configure RRAS can quickly result in more VMs offline than the original outage.

    There is a drawback to reservations in that the more packets that the VM handles rather than the host, there is a greater impact to performance (virtualized hardware translates into greater cpu time per transaction). However, I believe that ease of administration is ultimately more desirable than squeezing a bit of performance out of the VMs in what can quickly turn into a very long list of ports. This becomes very important when problems require urgent work.

    Well, I hope this helps you out with setting up your Hyper-V environment. Please let me know if I can answer any more questions, and also, feel free to hit up our support guys and gals if you need any help with your server specifically.


    EDIT: I just reread your comment, and I see that you have some services sharing IPs. I’d actually recommend getting more IPs in this case and going with a 1 IP per virtual model. They’re $1 per IP per month, so the outlay isn’t really that bad.

  • Works fine for me on a 1and1 rootserver.
    I used the Nat from the wizard and not the custom config.
    Part 11 your Subnet is not it is

  • Christopher Oak says:

    Hi, I stumbled upon your article as i am struggling to get hyper-V with NAT. I tried your instructions but I don’t seem to see what your instructions are asking me to perform. Do you have pictures of your setup? Thanks

  • jim says:

    Hi Christopher,

    Unfortunately, I don’t have a Hyper-V box up right now… There are pictures here:
    and these pictures are pretty handy if you are able to mentally swap out wireless for wired. What sort of issues are you running into? I’m pretty slow to respond to comments ( day job keeps me pretty busy), but I’d be happy to help if I can clarify something…


  • Matt says:

    This will fix the issue of: Guest cannot access the internet when the hosts firewall is on. If the Hosts firewall is on, the Guest can then access the internet.

    Put a Custom rule into the Hosts firewall which allows the whole NAT Range to access the whole NAT Range. Incoming allows all inbound from (Replace NAT ip range with your own).

  • Paul says:

    Can anyone help me to configure 1and1 2008 R2 server. I need to install two virtual machines on 1and1 host server. Only one adapter is available. How can I configure NAT to access both VMs from outside ? Any help will be greatly appreciated.

Leave a Reply

XHTML: You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>