How to block VirtualBox guest from accessing my host's LAN?

[mahma90]

Because I am looking for some kind of VirtualBox settings I think my question is not fixed to one host or guest OS.
That is why I am asking in "Using VirtualBox" and not in one of the "VirtualBox on XXX Hosts" or "XXX Guests" subforums.
Nevertheless I want to say that my host is Debian 11 and guest is Windows 10. VirtualBox version is 7.0.6.

The default network setting in my VirtualBox installation is NAT.

When I run ipconfig on a Windows 10 guest I see that the machine has 10.0.2.15 and also an fe80 IPv6 address. No other addresses.

So my guest is in subnet 10.0.2.0/24 (yes, /24) and my host is in 192.168.178.0/24.

I run infected malware inside VM guests and it is very important for me that the guest cannot access my host's LAN to spread viruses. Because the guest is in a different subnet I was sure this was not possible.

I was shocked today when I was told that the guest can access the hosts LAN even with default network setting NAT.

I checked it and it's indeed possible to ping my host LAN's internet router on address 192.168.178.1.

The virtual default gateway 10.0.2.2 seems to forward traffic to my host's LAN.

How to block the guest from accessing my host's LAN?

I want to block the access to the local LAN for one single VM and not for the whole VirtualBox application.

I don't want to apply settings inside the guest OS because my guest is infected and the virus could revert these settings.

It must not be possible for the guest to sniff packets on my host's LAN (using Wireshark for example).

Maybe the routing settings of a VM can be modified to give it the result I want. Maybe by configuring static routes or so (inside the VM configuration file; not on my host OS). I am sure this is possible but I am not very familiar with VirtualBox settings.

I found topic 56083 on this board and 517490 on stack exchange but the solutions do net meet my requirements (I am sorry I can't post the URLs because I am a new user).

Thank you in advance

[scottgus1]

If all you need is to keep the infected VM off the host LAN and do not need internet, then you can just run the VM with no network.

If you also need the internet, please see Virtualbox Networks: In Pictures: "Sandbox".

[mahma90]

Of course I need internet access. This tutorial looks like overkill. It's sad this cannot be achieved easily. I think I will simply pass through an USB wireless LAN dongle and connect it to my guest wireless network. That's easier than configuring routers and firewalls.

[mpack]

I think I will simply pass through an USB wireless LAN dongle

You mean like a USB/Ethernet adapter? I'm not sure what that does for you: unless you have another LAN to connect to, complete with DHCP and Internet router. Otherwise it's no better than using bridged mode.

The only way to avoid using the host network is to have an entirely separate one. E.g. a USB 4G dongle.

[arQon]

I think he's misunderstood Scott's first reply. (Bear in mind, he doesn't know what NAT is, and is new to VBox as well). I'm not sure he got that it means he can isolate the guest and still be able to use a web browser on the host: he seems to have read it as "physically unplug the host's ethernet cable".

[scottgus1]

This tutorial looks like overkill. It's sad this cannot be achieved easily.

'Tis what it is. NAT behaves like a router. It lets internet into the VM. Everything on the WAN side is considered 'internet', and since the host is on the WAN side it's part of the internet to the NAT router and therefore accessible from the VM.

Virtualbox doesn't have an outbound-rule firewall in NAT or any other network type. So if you want to program one into Virtualbox, user-contributed code is considered.

Of course I need internet access.

Then you should have said so in your first post. You didn't. The forum mind-reading API is down at the moment so you are going to have to state project requirements clearly.

"Sandbox" does what you want to do. You just add a pfSense VM between your infected VM and the host, and add the outbound firewall rule. And wham, 'tis done. Don't bother about the double-pfSense part, you don't need that. Only the first half.

[mahma90]

I don't want to create a second VM to get a sandbox network. I think that sucks. There should be a simple option in the VM settings. I love VirtualBox much but I think this i a missing feature.
When the guest tries to talk to devices outside of its IPv4 range 10.0.2.0/24 VirtualBox should simply drop these packages.
For example when the guests sends an IPv4 broadcast to 255.255.255.255 VirtualBox should simply not forward this package to my local LAN.
Same for ethernet packages and IPv6.

I have a FRITZ!Box router and it allows me to create a guest wireless network. Completely seperated from my private network.

I will pass thru an USB wireless dongle to my guest VM to connect to this network. That's easier for me than setting up a second VM.

[scottgus1]

I don't want to create a second VM to get a sandbox network. I think that sucks.

I don't care what you think sucks. Take that to your own blog, it's off topic on this forum. You came to ask how to do something and you were told how it can be done in Virtualbox. Whether you like what you were told is completely irrelevant.

There should be a simple option in the VM settings. I love VirtualBox much but I think this i a missing feature.

You have made that feature request on the Suggestions forum and have received instructions what to do with the request there. Why repeat your impressions here?

When the guest tries to talk to devices outside of its IPv4 range 10.0.2.0/24 VirtualBox should simply drop these packages.

No, this is not what NAT is designed to do. You wouldn't get any internet in the VM.

I have a FRITZ!Box router....

Very good. There's more than one way to skin a cat.