Separating Guest VM from Linux Host While Keeping Internet

mitchong
Posts: 4
Joined: 15. May 2018, 02:15

Separating Guest VM from Linux Host While Keeping Internet

Post by mitchong »

Hi, so I'm trying to set up a guest Linux VM running on a Linux host such that the guest can surf the Internet securely but can't connect or see the host or other machines on the LAN. This is to prevent any malware from reaching the host or the LAN and infecting it.

I have found a few posts on the subject on this board such as viewtopic.php?f=6&t=69554, viewtopic.php?f=2&t=53175, viewtopic.php?f=1&t=76667 and viewtopic.php?f=6&t=56083&p=420918#p420918.

I wanted to know what would be the best way to go about doing this? One suggestion I'm considering is using a 2nd NIC card and using a bridged adapter in the VirtualBox Network Settings so that it is on a completely separate network or VLAN than the host. The host would be on an ethernet connection and the guest would be on a wireless connection. Then firewall settings could be set up for the access point to prevent the guest from doing anything to it. Would this work?
Can you see any possible way using this setup for the malware on the VM guest to connect to or reach the host and infect it? Any input or suggestions would be greatly appreciated. Thanks and I apologize for posting in old threads. I'm new to this forum and I just didn't want to create similar topics to threads that already existed before.
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Separating Guest VM from Linux Host While Keeping Internet

Post by socratis »

Unless you have two routers that are independent of each other, with the second one dedicated to your VM only, and you do not use DHCP, but a direct IP from the 2nd router, and you have a 2nd external IP... I don't see how this could be done.

As I told you before... draw it. If you can manage to find no intersections, then it's doable.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
BillG
Volunteer
Posts: 5102
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: Separating Guest VM from Linux Host While Keeping Internet

Post by BillG »

I can't think of any way to do that unless you have two physical NICs in the host machine. Even then you would need to go to a lot of trouble to keep the host and guest in different IP subnets, as socratis outlined in his post.
Bill
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Separating Guest VM from Linux Host While Keeping Internet

Post by socratis »

The following (what you have right now) will not work, your PCs are on the same subnet:

    PC 1 ---
             \
              --- Router --- PublicIP
             /
    PC 2 ---

What you need is something like that:

    PC 1 --- Router 1 --- PublicIP 1

    PC 2 --- Router 2 --- PublicIP 2

or

    PC 1 --- VLAN 1 ---
                        \
                         --- Router --- PublicIP
                        /
    PC 2 --- VLAN 2 ---

*if* your router supports it. I know mine doesn't...

And BTW, that's only the beginning, you've got a lot more configuration to do. For example, you'll need two NICs (as already mentioned), NIC 1 tied to either Router 1 or VLAN 1, and NIC 2 tied to either Router 2 or VLAN 2, and having all its bindings removed, except the ones for VirtualBox Bridging.

More of a networking problem rather than a VirtualBox one, if you ask me, that's why I put PC 1 and PC 2. Treat it as such...
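The "draw it and look for intersections" advice above can be turned into a small checker. This is an added example, not code from the thread or from VirtualBox: each of the two endpoints (host NIC, guest bridged NIC) is described by the L2 segment it lands on (router plus VLAN id, both constructed labels) and its IPv4 subnet, and the three diagrams in the post are modelled as constructed layouts.

```python
# Added example (not from the forum thread): a checker for the
# "find no intersections" rule. Two attachments intersect if they share an
# L2 segment (same router and VLAN, so ARP/MAC-level reachability) or if
# their IPv4 subnets overlap. Router names and VLAN ids are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Attachment:
    name: str      # e.g. "PC 1 (host NIC 1)" or "PC 2 (guest bridged to NIC 2)"
    router: str    # router / access point the NIC ends up on
    vlan: int      # 802.1Q VLAN id; 0 models an untagged single LAN
    subnet: str    # IPv4 subnet handed out on that segment

    def segment(self):
        return (self.router, self.vlan)


def intersections(host, guest):
    """Return the reasons the guest can still reach the host (empty = none found)."""
    reasons = []
    if host.segment() == guest.segment():
        reasons.append(f"same L2 segment {host.segment()}")
    if IPv4Network(host.subnet).overlaps(IPv4Network(guest.subnet)):
        reasons.append(f"overlapping subnets {host.subnet} / {guest.subnet}")
    return reasons


def isolated(host, guest):
    return not intersections(host, guest)


# Constructed layouts mirroring the three diagrams in the post.
SAME_ROUTER = (Attachment("PC 1", "router", 0, "192.168.1.0/24"),
               Attachment("PC 2", "router", 0, "192.168.1.0/24"))
TWO_ROUTERS = (Attachment("PC 1", "router1", 0, "192.168.1.0/24"),
               Attachment("PC 2", "router2", 0, "192.168.2.0/24"))
TWO_VLANS = (Attachment("PC 1", "router", 10, "10.0.10.0/24"),
             Attachment("PC 2", "router", 20, "10.0.20.0/24"))

if __name__ == "__main__":
    for label, (h, g) in (("same router", SAME_ROUTER),
                          ("two routers", TWO_ROUTERS),
                          ("two VLANs", TWO_VLANS)):
        print(label, "->", "isolated" if isolated(h, g) else intersections(h, g))
```

A clean result from the VLAN layout still assumes the router does not route between VLAN 1 and VLAN 2; the checker only flags the intersections visible in the drawing.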
mitchong
Posts: 4
Joined: 15. May 2018, 02:15

Re: Separating Guest VM from Linux Host While Keeping Internet

Post by mitchong »

Thanks BillG and socratis for your detailed responses. I really appreciate it. I was trying to envision the 2nd diagram you put up, socratis, for an access point that was capable of creating two separate VLANs, but instead of 2 PCs, have them be the same PC just with separate NICs connected to two different VLANs.

I was trying to use this post viewtopic.php?f=6&t=60778 to start, where the host was using the ethernet adapter as the first NIC for the host and the wifi adapter as the second NIC for the guest using a bridged virtual adapter. I seemed to have problems getting the VirtualBox guest to pick up the wifi, resulting in no connection to the Internet, while the host had Internet just fine on the wired connection. However, when I specified the ethernet for the guest adapter and wifi for the host, it seemed to work as both the host and guest can connect to the Internet with different IPs. Don't quite understand why that's the case and if you happen to know a way to fix that?
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Separating Guest VM from Linux Host While Keeping Internet

Post by socratis »

Bridged over wireless doesn't always play nice. Bridged networking is outside the WLAN specification. Bridging to wireless is not really bridging. The guest shares the MAC of the host and the host does a sort of MAC-NAT translation based on IP addresses. Promiscuous mode doesn't exist in the official WLAN specifications. It may or may not work. Some combinations of Routers/Access Points, WLAN cards and drivers work, some don't. See: Bridging & Wifi - Supported hardware and add your experience. For example, it works fine in my home, but not in my office. Same laptop, same VM. Try to see if it works either with wired bridged or with NAT.