Block Internet, allow LAN access

brvcf
Posts: 11
Joined: 4. Apr 2019, 05:51

Block Internet, allow LAN access

Post by brvcf »

Is there a way to set up the virtual network connection so the guest can access the local LAN but not the Internet? In other words, the virtual equivalent of connecting to a router with no Internet connection.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Block Internet, allow LAN access

Post by mpack »

If the local LAN means a physical local LAN that you bridge to then no, there is nothing you can do in VirtualBox to control what's allowed to happen on the physical network. Any such blocks would have to be configured on that network.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Block Internet, allow LAN access

Post by scottgus1 »

I can block internet to any PC in the house, guest or real, by using the Access Restrictions or Parental Controls or whatever it's called in the network router.
brvcf

Re: Block Internet, allow LAN access

Post by brvcf »

What I was thinking is somehow changing the default gateway to something that does not exist. If possible by configuring the VirtualBox DHCP server to tell the guest the wrong address. But I guess that won't work because then the guest can't get out even to the local LAN.
mpack

Re: Block Internet, allow LAN access

Post by mpack »

This is why I asked if "local network" meant a physical network, i.e. are you using bridged networking.

If so, then the DHCP function is performed by your router (or at least: by something on your physical network), not by VirtualBox. That means VirtualBox can't control what information is served up by your LAN DHCP server, including gateway address.

p.s. I don't think you need a gateway address to talk to a LAN: you can just send packets to already known addresses. AFAIK you only need a gateway to route packets to non-local destinations. However I took your question to be "what can I do in VirtualBox to override or block the information provided by a local LAN", and the answer is nothing. As Scottgus points out however, it's possible that your physical LAN can provide that functionality, e.g. by blacklisting the VM's MAC address at your router.
brvcf

Re: Block Internet, allow LAN access

Post by brvcf »

Actually I was using NAT. So the guest gets 10.x.x.x but the host/physical LAN is 192.x.x.x.
With NAT I can ping a 192.x.x.x from the guest but it doesn't seem I can access a shared folder on another LAN machine.

So I figured out I need to use Bridged networking. Then guest gets IP from actual router and sees workgroup.

Then set guest static IP and no gateway. This works to block Internet. So I can have a stable Win10 guest with no pesky updates and can run some software I can not make work in Linux with WINE.

I was just trying to figure out some clever way of not having to set static IP on guest so one less thing to remember if I change physical router, etc.
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Block Internet, allow LAN access

Post by fth0 »

mpack wrote:
> p.s. I don't think you need a gateway address to talk to a LAN: you can just send packets to already known addresses. AFAIK you only need a gateway to route packets to non-local destinations.

Yes, this is correct, and it works as follows:

An IPv4 network interface is usually configured (either statically or by DHCP) with an IPv4 address (e.g. 192.168.1.42), an IPv4 subnet mask (e.g. 255.255.255.0, /24), an IPv4 gateway/router address (e.g. 192.168.1.1), and optionally IPv4 DNS server addresses (e.g. 192.168.1.1). IPv4 address and subnet mask together define the local IPv4 subnet (e.g. network 192.168.1.0/24, address range from 192.168.1.1 up to 192.168.1.254, broadcast address 192.168.1.255). If a network packet is to be sent, then there are two possibilities:
  • The IPv4 destination address is inside the local IPv4 subnet (including the gateway/router itself, e.g. when configuring it): The ARP protocol (or the ARP cache) is used to obtain the (Ethernet) MAC address corresponding to the IPv4 destination address, and the network packet is sent to this MAC address.
  • The IPv4 destination address is outside the local IPv4 subnet. The ARP protocol (or the ARP cache) is used to obtain the (Ethernet) MAC address of the IPv4 gateway/router, and the network packet is sent to this MAC address.
If there is no IPv4 gateway/router address configured, the second case cannot be handled and the network packet is not sent at all.
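
The send decision described in the post above, written as a small route lookup. This is an added example, not part of the original posts; it generalizes the two cases to longest-prefix matching over a route list, and 203.0.113.10 is a constructed off-link destination (the other addresses are the ones used in the post).

```python
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def build_routes(address, prefix_len, gateway=None):
    """Routes implied by an IPv4 interface config: an on-link route for the
    local subnet, plus a default route only if a gateway is configured."""
    iface = ipaddress.ip_interface(f"{address}/{prefix_len}")
    routes = [(iface.network, None)]  # None = deliver directly on the LAN
    if gateway is not None:
        routes.append((DEFAULT, ipaddress.ip_address(gateway)))
    return routes

def next_hop(routes, destination):
    """Return the IPv4 address that gets resolved via ARP for this packet,
    or None when no route covers the destination (packet is not sent)."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    # Longest prefix wins: the /24 on-link route beats the /0 default route.
    _, gw = max(matches, key=lambda route: route[0].prefixlen)
    return str(dst if gw is None else gw)

def describe(routes, destination):
    """One-line summary of what happens to a packet for this destination."""
    hop = next_hop(routes, destination)
    if hop is None:
        return f"{destination}: no route, packet not sent"
    kind = "on-link" if hop == destination else "via gateway"
    return f"{destination}: ARP for {hop} ({kind})"

if __name__ == "__main__":
    configs = (("DHCP-style config", "192.168.1.1"), ("static, no gateway", None))
    for label, gw in configs:
        routes = build_routes("192.168.1.42", 24, gw)
        print(label)
        for dst in ("192.168.1.10", "192.168.1.1", "203.0.113.10"):
            print("  " + describe(routes, dst))
```

The model covers IPv4 only, as the post does; on a real guest the equivalent check is that its route table contains no 0.0.0.0/0 entry.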