When I first setup my server, the best solution I could find to route my Hyper-V guests from the private network out the internet facing IP addresses was ICS (internet connection sharing). It works ok, but after every reboot, I have to disable ICS and then re-enable it again on the host. Otherwise, it simply doesn't work. It's not ideal, but no big deal for a process I'm very hands-on about. I thought Microsoft would fix it one of these years, but no such luck.

Now that I have almost half a million IP addresses in the firewall, turning ICS off and on takes tens of minutes and even throws errors that you wouldn't guess if you didn't know it was still going through the process of handling all those firewall addresses in the background (and then sometimes it doesn't work and I have to do it again). My Hyper-V guests are not mission critical, so I've been fairly reluctant to mess with it too as I'm not near my server's colocation datacenter and always a little scary messing with the NICs remotely. However, the time has come when that solution is just not acceptable any more and it's always haunted the back of my mind a bit as I tend to automate everything possible.

The other reluctance is that I have multiple NICS teamed and then the Microsoft Multiplexor driver on top of that. Therefore, it seems like magic that any of it works. I like simplicity too. The more steps in a process, the more chance of failure. However, that solution provides redundancy, so it's a risk to reward situation.

I still needed a virtual switch to run my guest OSes with ICS so I simply modified that internal virtual switch to have an IP address of Then, executed the following command in powershell:

New-NetNAT -Name “NATNetwork” -InternalIPInterfaceAddressPrefix

You're only allowed to have one NAT Network. I have no idea what happens when you run the previous command multiple times for different subnets. I suppose it's possible you could forget over time and best to look first. There is no GUI for New-NetNAT that I found, so to view your current configuration:



Name                             : NATNetwork

ExternalIPInterfaceAddressPrefix :

InternalIPInterfaceAddressPrefix :

IcmpQueryTimeout                 : 30

TcpEstablishedConnectionTimeout  : 1800

TcpTransientConnectionTimeout    : 120

TcpFilteringBehavior             : AddressDependentFiltering

UdpFilteringBehavior             : AddressDependentFiltering

UdpIdleSessionTimeout            : 120

UdpInboundRefresh                : False

Store                            : Local

Active                           : True

If nothing shows up after typing that command, you have no Natting configured. However, if you need to remove Natting for some reason, type:


You may need (it's recommended) to restart the host after executing the previous remove command.

If you're setting all this up from scratch, you can create a internal switch through the Virtual Switch Manager or type the following commands:

New-VMSwitch -SwitchName “NATSwitch” -SwitchType Internal

New-NetIPAddress -IPAddress -PrefixLength 24 -InterfaceAlias “vEthernet (NATSwitch)”

I found the solution on Petri.com. I haven't been on that site in probably over a decade so it's good to see it still around:


Next project is to manage those firewall IP addresses a little better. Maybe I'll post some IDS/IPS C# code I wrote at some point...


Be the first to post a comment

Post a comment