VM Networking

ApothLab
Posts: 4
Joined: 26. Oct 2017, 17:54

VM Networking

Post by ApothLab »

Hey everyone,

I have been having an immensely difficult time working with some virtual machines I have been setting up to test some firewall rules. I can only use about two machines, so I understand it would be far more beneficial to link together 3 machines; however, I cannot do this at the moment due to resource limitations. To preface this, here is an example of the infrastructure I am attempting to implement:

[Image: diagram of the planned infrastructure]

Basically, I have multiple "services / hosts" hosted on a single machine (Machine A) and would love for them to go through my second VM, which is hosting the pfSense firewall (Machine B), and then come back into the original machine with the firewall-filtered traffic to access the server (Machine A again). For example, I have an Apache web server as my "server" listed on the board; it would be nice to have the "Normal" users' and "Admin" users' traffic go through pfSense before accessing the server despite all three things being on the same machine.

The problem with it currently is that despite my best efforts, it seems to simply look at the fact that "Admin" and "Normal" are on the same machine as "Server" and thinks it's best to simply jump right to it and ignore going through pfSense. Right now, the traffic "bypasses" the pfSense box and I want to force the traffic through the pfSense firewall.
If I open a web browser on the client/server machine and request a web page from the server, I'll get the web page in the browser with no traffic being sent/received by any of the NICs, thus I can't apply firewall rules to the traffic. I want to stop that internal short-circuiting from happening so that I can force traffic from the client to go through the pfSense firewall and apply appropriate rules before the request gets to the server and vice versa.
BillG
Volunteer
Posts: 5102
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: VM Networking

Post by BillG »

It is very difficult to make any useful comment without knowing how you have this set up from a networking point of view. I would think that it is possible to do what you have in mind. If it is set up properly there is simply no way that traffic can avoid a firewall, because there is no other possible path.

If you are using virtual machines, the fact that they are running on the same host does not make them "the same machine". You can isolate the VMs from each other and from the host. I prefer to ignore the host, but if you are pushed for resources you can include the host in your networking scheme.
Bill
ApothLab
Posts: 4
Joined: 26. Oct 2017, 17:54

Re: VM Networking

Post by ApothLab »

I understand that VMs can be isolated from one another; however, one VM is hosting multiple services as listed above. The main host OS in which the VMs are running is of little concern. Thank you for your response.
Last edited by socratis on 28. Oct 2017, 10:45, edited 1 time in total.
Reason: Removed unnecessary verbatim quote of the whole previous message.
ApothLab
Posts: 4
Joined: 26. Oct 2017, 17:54

Multi-VM Networking

Post by ApothLab »

The idea is that the admin client, user client, and server (Apache web, vsFTP) will all run on a single Ubuntu 16.04 desktop VM. Right now, the traffic "bypasses" the pfSense box and I want to force the traffic through the pfSense firewall.
If I open a web browser on the client/server machine and request a web page from the server, I'll get the web page in the browser with no traffic being sent/received by any of the NICs, thus I can't apply firewall rules to the traffic. I want to stop that internal short-circuiting from happening so that I can force traffic from the client to go through the pfSense firewall and apply appropriate rules before the request gets to the server and vice versa.

This is exceedingly simple if the client and server are on separate VMs, but I haven't had time to figure it out when the client app and server reside on the same VM (or physical machine for that matter). Network namespaces seem like a potential option, and so does deleting the local routing table and creating a new one with unicast routes. Someone suggested a network proxy, but a proxy depends on the traffic flowing through it, so I don't think it would work, but I haven't fully investigated it. pfSense can be a proxy server too, but I can't get the traffic to flow to it. If I could get the traffic to be sent out of the client NIC then I wouldn't need a proxy at all. As it is, the web browser and/or FTP client isn't tied to any particular NIC, so Ubuntu just uses the same NIC as the server is running on (essentially). It sees the destination IP in the packet header and says "Oh, that's me!" and sends the request directly to the server internally, so no traffic goes out any NIC.
Last edited by socratis on 28. Oct 2017, 10:43, edited 1 time in total.
Reason: Removed unnecessary attachment, be more "green".
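One way to realise the network-namespace option mentioned in the post above, as an added example that is not from the thread or from any of its participants: move the client and the server into separate Linux network namespaces, each owning one of the guest's VirtualBox NICs, so the only route between them is the default route via pfSense and the kernel can no longer answer the request on loopback. It assumes the Ubuntu guest keeps its management NIC in the root namespace and has two extra NICs (enp0s8 and enp0s9) on two internal networks that both terminate on pfSense; the interface names and the 10.10.1.0/24 and 10.10.2.0/24 addressing are constructed for the example.

```shell
#!/bin/sh
# Added lab example (not from the thread): split one Ubuntu guest into a
# "client" and a "server" network namespace so client->server traffic must
# leave a NIC and traverse pfSense. Assumed layout (constructed):
#   enp0s8 -> VirtualBox internal network "clients", pfSense side 10.10.1.1
#   enp0s9 -> VirtualBox internal network "servers", pfSense side 10.10.2.1
set -eu

CLIENT_NIC=${CLIENT_NIC:-enp0s8}; CLIENT_IP=10.10.1.10/24; CLIENT_GW=10.10.1.1
SERVER_NIC=${SERVER_NIC:-enp0s9}; SERVER_IP=10.10.2.10/24; SERVER_GW=10.10.2.1

# Print the iproute2 commands for one namespace (review them, or pipe to sh).
# Args: namespace name, NIC to move into it, address/prefix, gateway (pfSense).
ns_commands() {
  ns=$1 nic=$2 addr=$3 gw=$4
  printf 'ip netns add %s\n' "$ns"
  printf 'ip link set %s netns %s\n' "$nic" "$ns"          # NIC leaves root ns
  printf 'ip -n %s link set lo up\n' "$ns"
  printf 'ip -n %s link set %s up\n' "$ns" "$nic"
  printf 'ip -n %s addr add %s dev %s\n' "$ns" "$addr" "$nic"
  # The only route to the other subnet is via pfSense, so no local short-circuit.
  printf 'ip -n %s route add default via %s\n' "$ns" "$gw"
}

# Apply both namespaces (needs root). Services are then started inside their
# namespace, e.g. "ip netns exec server apache2ctl start", and clients likewise,
# e.g. "ip netns exec client curl http://10.10.2.10/".
apply_lab() {
  ns_commands client "$CLIENT_NIC" "$CLIENT_IP" "$CLIENT_GW" | sh -e
  ns_commands server "$SERVER_NIC" "$SERVER_IP" "$SERVER_GW" | sh -e
}

# Check: the client's path to the server must resolve to "via 10.10.1.1 dev enp0s8",
# not to a local/loopback route; then a tcpdump on enp0s8 shows the HTTP request.
verify_path() {
  ip -n client route get "${SERVER_IP%/*}"
}

# Run as "sh this.sh apply" (root) to configure; with no argument it only
# prints the plan so it can be reviewed first.
case "${1:-}" in
  apply) apply_lab; verify_path ;;
  *) ns_commands client "$CLIENT_NIC" "$CLIENT_IP" "$CLIENT_GW"
     ns_commands server "$SERVER_NIC" "$SERVER_IP" "$SERVER_GW" ;;
esac
```

Because each namespace has its own routing table, the server's address is no longer "local" from the client's point of view, which is exactly the behaviour the post describes wanting to stop.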
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: VM Networking

Post by socratis »

I merged your two topics. Please do not open a new thread when it actually involves the same problem.

And honestly, from the problem description, this doesn't sound like a VirtualBox problem; this sounds like a networking problem. Just because a program/application/setup that runs in the context of VirtualBox has a problem, it doesn't make it a VirtualBox problem. You're having an issue that has nothing to do with VirtualBox, so my suggestion would be to treat it as such, as a native problem with the OS or the application of the guest.