A couple of months ago, I wrote a blog post about how you can create a new Hyper-V NAT Switch. Now, this worked fine in some early Windows 10 builds, but Microsoft removed the parameter for the NAT Switch in some Windows 10 Insider builds. You can find more about the Hyper-V Virtual Switches on Microsoft Docs. In the latest versions of the Windows 10 client operating system, Microsoft already includes a “Default Virtual Switch”, which allows you to use Hyper-V NAT Networking without making any configuration changes.
If you want to create an additional VM Switch which uses NAT on Windows 10, or you want to use the Hyper-V NAT VM Switch on Windows Server, you can follow this guide. The NAT VM Switch is especially handy if you use Nested Virtualization.
- Windows 10 and Windows Server 2016 build 14295 or later
- Enabled Hyper-V role
- PowerShell, since this setting is not available in the UI right now
Set up a Hyper-V NAT Switch
Create a new Hyper-V Virtual Switch
New-VMSwitch -SwitchName "NATSwitch" -SwitchType Internal
Configure the NAT Gateway IP Address
This configures the Virtual Network Adapter which was created while creating the Internal Virtual Hyper-V Switch.
New-NetIPAddress -IPAddress 172.21.21.1 -PrefixLength 24 -InterfaceAlias "vEthernet (NATSwitch)"
Now you can configure the NAT rule
New-NetNat -Name MyNATnetwork -InternalIPInterfaceAddressPrefix 172.21.21.0/24
After that, you have finally created your NAT network, and you can now use that network to connect your virtual machines and use IP addresses from 172.21.21.2-172.21.21.254.
Create a new NAT forwarding
To forward specific ports from the Host to the guest VMs, you can use the following commands.
This example creates a mapping between port 80 of the host to port 80 of a Virtual Machine with an IP address of 172.21.21.2.
Add-NetNatStaticMapping -NatName "MyNATnetwork" -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 172.21.21.2 -InternalPort 80 -ExternalPort 80
This example creates a mapping between port 82 of the Virtual Machine host to port 80 of a Virtual Machine with an IP address of 172.21.21.3.
Add-NetNatStaticMapping -NatName "MyNATnetwork" -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 172.21.21.3 -InternalPort 80 -ExternalPort 82
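The whole procedure as one re-runnable script, added here as an example and not part of the original post. It keeps the NAT name in a single variable so the mappings always reference the NAT that was created, refuses a forward whose target is outside the NAT prefix, and ends by listing every forward with a flag for those using 0.0.0.0 as the external address. `$Forwards`, `Test-InPrefix` and the `AnyHostAddress` column are names made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example. Values are the ones used in this article; $Forwards is a constructed table.
$SwitchName = 'NATSwitch'
$NatName    = 'MyNATnetwork'   # one variable, so New-NetNat and the mappings cannot drift apart
$GatewayIP  = '172.21.21.1'
$Prefix     = '172.21.21.0/24'
$Alias      = "vEthernet ($SwitchName)"
$Forwards   = @(
    @{ ExternalPort = 80; InternalIP = '172.21.21.2'; InternalPort = 80 },
    @{ ExternalPort = 82; InternalIP = '172.21.21.3'; InternalPort = 80 }
)

# True when $Ip lies inside the IPv4 prefix $Cidr (for example 172.21.21.0/24).
function Test-InPrefix([string]$Ip, [string]$Cidr) {
    $net, $len = $Cidr -split '/'
    $toInt = { param($s) $b = [ipaddress]::Parse($s).GetAddressBytes(); [array]::Reverse($b); [int64][bitconverter]::ToUInt32($b, 0) }
    $mask  = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$len))
    ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}

# Switch, gateway address and NAT from the article, each skipped when it already exists.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -SwitchName $SwitchName -SwitchType Internal | Out-Null
}
if (-not (Get-NetIPAddress -InterfaceAlias $Alias -IPAddress $GatewayIP -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -IPAddress $GatewayIP -PrefixLength 24 -InterfaceAlias $Alias | Out-Null
}
if (-not (Get-NetNat -Name $NatName -ErrorAction SilentlyContinue)) {
    New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $Prefix | Out-Null
}

# Port forwards: reject a target outside the NAT prefix before creating the mapping.
$existing = @(Get-NetNatStaticMapping -NatName $NatName -ErrorAction SilentlyContinue)
foreach ($f in $Forwards) {
    if (-not (Test-InPrefix $f.InternalIP $Prefix)) { Write-Warning "$($f.InternalIP) is outside $Prefix, skipped"; continue }
    if ($existing | Where-Object { $_.Protocol -eq 'TCP' -and $_.ExternalPort -eq $f.ExternalPort }) { continue }
    Add-NetNatStaticMapping -NatName $NatName -Protocol TCP -ExternalIPAddress 0.0.0.0 `
        -ExternalPort $f.ExternalPort -InternalIPAddress $f.InternalIP -InternalPort $f.InternalPort | Out-Null
}

# Audit: every forward on this NAT, flagging those not pinned to a single host address.
Get-NetNatStaticMapping -NatName $NatName |
    Select-Object NatName, Protocol, ExternalIPAddress, ExternalPort, InternalIPAddress, InternalPort,
        @{ n = 'AnyHostAddress'; e = { $_.ExternalIPAddress -eq '0.0.0.0' } } |
    Format-Table -AutoSize
```

Each row with `AnyHostAddress` set to True is a guest service reachable through the host, so the final table is worth reviewing whenever a forward is added.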
This also works with Windows and Hyper-V Containers. I hope this gives you a good overview of NAT Networking and the Hyper-V NAT Switch. If you have any questions, feel free to leave a comment.
Tags: Container, Containers, Hyper-V, Hyper-V NAT Switch, Hyper-V Virtual Switch, Microsoft, NAT, NAT Switch, PowerShell, Virtual Switch, Windows, Windows 10, Windows Server, Windows Server 2016
Last modified: July 22, 2019
Great article! Thnx!
A few things making this article confusing. 1.) The IP addresses in your screen shot are not what is being used in the article text. 2.) When creating the NAT network, it was named “MyNATnetwork” and then later when creating port forward rules, it is called “VMSwitchNat”. Don’t these two need to be the same or are they referring to different things?
Other than that this was very helpful. Thanks!
While this was working fine after upgrading to the anniversary update, it seems like this is broken again.
I am now on Win10 Build 14393.82 and NAT just stopped working. My plan was to completely remove the nat-configuration and apply it again. Unfortunately I’m stuck while trying to do “Remove-NetNat”, which fails with Windows System Error 50, The operation is not supported:
Remove-NetNat : Der angeforderte Vorgang wird nicht unterstützt.
In Zeile:1 Zeichen:1
+ CategoryInfo : InvalidOperation: (MSFT_NetNat (In…yNATnetwork;0″):root/StandardCimv2/MSFT_NetNat) [Remove-NetNat], CimException
+ FullyQualifiedErrorId : Windows System Error 50,Remove-NetNat
Advice is highly appreciated ;-)
I was able to solve the “Invalid Operation”-Error. Actually, the Microsoft Consultant that I share my office with was able to track this down ;-)
To remove the NetNat, that I couldn’t remove with the powershell-command, I had to delete the following registry-key:
The key was the same on two different machines, so this might be always the same GUID.
After deletion, the NetNat was gone and I was finally able to create a new one. This then worked as expected.
Thank you very much， it’s very helpful for me
Has anyone been able to get this to work with a VPN on the host machine? I’ve tried different combinations of “add route” on the VM but nothing seems to work :(
This is a really interesting article for someone looking to get VPN to work:
I was able to install Juniper Pulse (Pulse secure) in basic mode, which then worked in Enhanced mode and with Remote Desktop. Installing it via Remote Desktop directly though did not work.
Tried it with an MSDN
ProductName : Windows Server 2016 Datacenter
ReleaseId : 1607
BuildLab : 14393.rs1_release.161110-2025
BuildLabEx : 14393.479.amd64fre.rs1_release.161110-2025
PS C:\Users\Administrator> New-NetNat –Name MyNATnetwork –InternalIPInterfaceAddressPrefix 172.21.21.0/24
New-NetNat : Invalid property “InternalIPInterfaceAddressPrefix”
At line:1 char:1
+ New-NetNat –Name MyNATnetwork –InternalIPInterfaceAddressPrefix 172.2 …
+ CategoryInfo : ObjectNotFound: (MSFT_NetNat:root/StandardCimv2/MSFT_NetNat) [New-NetNat], CimException
+ FullyQualifiedErrorId : HRESULT 0x80041002,New-NetNat
Well, seems I found a solution for the above error since it led to WMI, and I couldn’t find anything missing with WMIExplorer from codeplex. I tried to recreate the wbem
net stop winmgmt
Using Windows Explorer, rename the folder %windir%\System32\Wbem\Repository. (For example, %windir%\System32\Wbem\Repository_bad)
net start winmgmt
My Virtual machine won’t connect to internet and I have tried everything. Have any of you any ideas on what may be wrong?
Thank you very much Sebastian, deleting the registry keys solved my problem, nothing else seemed to help.
Thanks, you are amazing
@Sebastian: Thank you very much for your help!
Had exactly the same problem: The NAT GW worked, but stopped working after two days. remove-netnat didn’t work, Error 50. But deleting the Registry Key that you mentioned, deleting the Hyper-V Virtual Switch, and recreating everything according to this blog solved the problem.
Followed steps as in the article, but there is no internet in the VM. 184.108.40.206 pings though from the VM, but pages don’t load. Running Hyper-V on Windows 10 Build 1703 and VM runs Windows Server 2012 R2. Any suggestions please !
If the Ping in the VM is working, it looks like you only need to set a DNS server on the NIC inside the VM :)
Thank you for your reply. Didn’t quite understand what you meant by only setting a DNS server on the NIC. Not setting an IP address, subnet mask and Gateway assigns a default IP not in the range of the host IP. Could you please elaborate !
@Praful, I think Thomas meant that because the VM is behind a NAT switch, it will not get DHCP advertisements by default (where most devices get their DNS server), so you need to make sure that is configured in the VM. Your IPv4 settings in the VM need to include IP Address, Subnet Mask, Gateway, and DNS.
@Thomas, the link referencing a post by Sarah Cooley, returns 404. Looks like changing msdn.microsoft.com to docs.microsoft.com should resolve the issue.
@Tony, Thank you for the suggestion. I had already set a static IP in the range of the host IP for the NAT switch and also the things like the subnet mask, gateway and DNS, similar to the screenshot in the post. That was when I was able to ping 220.127.116.11 but not navigate to google.com in a web browser. I have turned off firewall temporarily too. Any other suggestions which I could try ?
I think we are still missing the DNS Server configured in the VM. You should log in to the Virtual Machine. Go to network settings, and where you can enter the IP address you can also configure the DNS Server, for example 18.104.22.168.
@Thomas, Thank you for the reply. Below is what i have added to the host adapter as well as on the VM.
Host Machine, running Windows 10 1703 build
IP Address – 172.21.21.1
Subnet Mask – 255.255.255.0
VM, running Windows Server 2012 R2
IP Address – 172.21.21.2
Subnet Mask – 255.255.255.0
Default Gateway – 172.21.21.1
Preferred DNS Server – 22.214.171.124
Still the same, ping to 126.96.36.199 works, page can’t be browsed. Tried with DNS Server set to 188.8.131.52 on Host VM as well, same result.
I have tried the above as specified; however, when I try to create the Add-NetNatStaticMapping for either the current NetNat “MyNATNetwork” or as the instructions above specify “VMSwitchNat” I receive the following error:
Add-NetNatStaticMapping : Instance Nat VMSwitchNat not found
for “MyNATnetwork” I receive:
Add-NetNatStaticMapping : The process cannot access the file because it is being used by another process.
Has anyone seen this or resolved this? Currently I am unable to do any port forwarding.
Hey, I had the same problem. Port 80 was in use by SYSTEM, so probably some Windows service. Since there was no need for that service as far as I could tell, I could stop this with command “net stop http”. Afterwards I was able to add the NetNatStaticMapping.
[…] followed the steps as explained here and here. So in PowerShell on my Windows 10 desktop with Hyper-V installed I executed these […]
@Thomas Maurer golden tip about the DNS server setting on the NIC of the Virtual Machine. Was searching for weeks for this to work!
I have a small lab set up with a domain controller and a workstation domain joined. When I set 184.108.40.206 as the DNS server on my domain controller’s NIC, I immediately got internet access.
[…] you want more info, please visit Thomas Maurer’s blog, it’s very […]
[…] To allow the nested virtual machine to access the internet, we need to setup Hyper-V networking in the right way. For this we use the Hyper-V internal VM Switch and NAT networking. I described this here: Set up a Hyper-V Virtual Switch using a NAT Network […]
Thank you Thomas!
Can I add more than one NAT switch?
See the error below when I add New-NetNat to second NAT switch:
New-VMSwitch –SwitchName “L91natSwitch” –SwitchType Internal
New-NetIPAddress –IPAddress 220.127.116.11 -PrefixLength 24 -InterfaceAlias “vEthernet (L91natSwitch)”
New-NetNat –Name L91natNetwork –InternalIPInterfaceAddressPrefix 18.104.22.168/24
New-VMSwitch –SwitchName “L92natSwitch” –SwitchType Internal
New-NetIPAddress –IPAddress 22.214.171.124 -PrefixLength 24 -InterfaceAlias “vEthernet (L92natSwitch)”
New-NetNat –Name L92natNetwork –InternalIPInterfaceAddressPrefix 126.96.36.199/24
New-NetNat : The parameter is incorrect.
At line:1 char:1
+ New-NetNat –Name L92natNetwork –InternalIPInterfaceAddressPrefix 192. …
+ CategoryInfo : InvalidArgument: (MSFT_NetNat:root/StandardCimv2/MSFT_NetNat) [New-NetNat], CimException
+ FullyQualifiedErrorId : Windows System Error 87,New-NetNat
did the steps (unfortunately, your Add-NetNatStaticMapping command name must match the name given for New-NetNat command. Please fix)…
you did show some windows panels dealing with the network but of course you did not really show what you were doing (why the 188.8.131.52 address as the static address?)
do you have to configure the static address on the vm side as well? (I would think, but you really don’t show that)
so you show commands to get to partway of using the vm with NAT but don’t follow through to a complete installation for use…
thanks for teasing me.
Strange behavior of NAT network…
Evaluation editions of Windows (both 10 and server 2016/2019) won’t activate.
Connecting to Windows updates fails as well.
Other than that, it’s working normally (VMs can browse the web and ping each other and remote addresses).
If I use the classic Internet Connection Sharing method, everything works 100%
Strange I never had these issues at all, I run a couple of machines with the NAT switch without any issues. Maybe some DNS issue?
I don’t think it’s a DNS issue because apart from WSUS/Activation/Updates everything else is a-ok, for example:
activation via KMS, downloading and installing docker along with containers, downloading files from websites, etc.
Were you able to install an evaluation version of windows and activate it on a VM connected to a NAT enabled switch?
It’s Windows 10 build 2021H2, I fully followed your steps. VM can ping VM gateway, but can’t ping google. It’s the same as the link below mentions:
This is very useful. But I have multiple VMs behind my NATswitch and I want to create static maps for each of these for all TCP/UDP ports. Can this be done?
Hi @Thomas, do you know how to forward specific ports from the Host to the guest VMs in a VLAN (Set-NetNatStaticMapping with VLAN)? Thank you.