
How to keep virtual machine off the Internet?

Posted: 24. Jul 2019, 18:04
by cdg
A Windoze XP machine can be kept off the Internet, but still retain access to other machines on the LAN, by removing the default gateway (i.e. setting it to zero as follows: ROUTE DELETE 0.0.0.0 MASK 0.0.0.0).

For some reason this doesn't work with a Windoze XP guest using "bridged networking" on VirtualBox. The default gateway is removed, but it doesn't prevent Internet access!

Why doesn't it work? Is there another way of accomplishing the same thing?

Re: How to keep virtual machine off the Internet?

Posted: 24. Jul 2019, 18:09
by scottgus1
I haven't tried your method, though I have heard that not setting a gateway in the network card's ip4 properties does prevent a PC from getting to the internet.

When I want to block a PC, physical or virtual, from the internet I use my router's Parent Controls, or Access Restrictions, or whatever it's called.

Re: How to keep virtual machine off the Internet?

Posted: 24. Jul 2019, 18:31
by cdg
scottgus1 wrote:I haven't tried your method, though I have heard that not setting a gateway in the network card's ip4 properties does prevent a PC from getting to the internet.
There are several methods for removing the gateway. I just listed the easiest one. Ipconfig verifies that there is no default gateway. As I said, this works with an XP machine, but does NOT work with an XP guest machine.

How do you change the (virtual) network card's ip4 properties? I don't see the option in Device Manager > NIC > Properties.
When I want to block a PC, physical or virtual, from the internet I use my router's Parent Controls, or Access Restrictions, or whatever it's called.
That would require using a fixed IP address for the virtual machine, rather than DHCP, which would create other problems. :(

Re: How to keep virtual machine off the Internet?

Posted: 24. Jul 2019, 19:01
by mpack
I'm not sure that prevents Internet access, it only means that it doesn't have a default gateway address. If I was writing malicious code I suspect I could discover the gateway address by other means. I don't think you've actually blocked it.

Btw, a network card speaks Ethernet. TCP/IP related stuff is software, so you won't find anything about that in the (virtual) hardware options.

The only way I can think of for a VM to have access to the LAN but not to the Internet is to blacklist the VM at the Router. The Router would have to have an option to blacklist it on the Internet only, but allow LAN traffic. Also the VM would have to be using an identifiable IP, i.e. bridged, not NAT. Another possibility with a cabled LAN: if you assume that all PCs converge at a switch, then a PC can always communicate with other PCs via the switch, even if blacklisted at the router.

I'm actually trying to think of a way to achieve the opposite on my home network: give a networked device access to the Internet, but don't allow local network access, even though the Router naturally has a connection to my network switch. The device is a set top TV box requiring Internet for catch-up TV, it has a WiFi connection to the router (i.e. it doesn't go via the switch), but it has a nasty habit of flooding my LAN with searches for some secondary box I don't have, and no way to tell it to stop.

Re: How to keep virtual machine off the Internet?

Posted: 24. Jul 2019, 19:26
by scottgus1
I have a Windows 10 host, Virtualbox 6.0.4
I also have a Windows 7 host, Virtualbox 5.2.28
XP sp3 guests on both hosts.
Also an XP sp3 laptop.

You can get to the network card's ip4 properties in XP by Network Connections > right-click Local Area Connection, Properties, click Internet Protocol (TCP/IP), click Properties button. Also, right-click Local Area Connection, Status, to see stuff similar to 'ipconfig'.

I Bridged an XP guest looking for an automatic IP from the LAN's DHCP, and got an automatic IP & gateway from the LAN. I was able to ping 8.8.8.8 successfully, so able to reach the internet.

Then I tried your command 'ROUTE DELETE 0.0.0.0 MASK 0.0.0.0' in a command prompt, and saw that the gateway had disappeared from the guest network card properties. Pinging 8.8.8.8 now fails with Destination Host Unreachable. But I can ping LAN resources.

Then I shut down and restarted the guest. The gateway is back, and I can ping the internet again. Same happens with a reboot rather than shut-down/power-off/restart. The gateway comes back.

I did this experiment on the XP guests on both hosts, and got the same results. I also tried this on an XP laptop: the same results were seen. The ROUTE DELETE command is not persistent across reboots, and XP has internet access after restarting.

The results of my experiment show non-persistent Route Deletes on physical or virtual XP. For me, Virtualbox Bridged does not influence one way or the other.

Re: How to keep virtual machine off the Internet?

Posted: 24. Jul 2019, 19:30
by scottgus1
mpack wrote:give a networked device access to the Internet, but don't allow local network access
<Off-topic>
I would try putting a pfSense device between it and the network. :lol:

Edit: Come to think of it, a regular router might work, if it has some semblance of a firewall in it. That's all pfSense is really doing to sandbox something, just stop any traffic to the WAN side that happens to fall in the firewall-blocked LAN's IP range.
Edit 2: not many routers have a lot of block-outward-traffic firewall capabilities like pfSense does, a router might not work...
</Off-topic>
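
The two policies this post and mpack's earlier one describe (a guest allowed onto the LAN but not the Internet; a set-top box allowed onto the Internet but not the LAN) come down to the same per-packet, first-match rule evaluation a pfSense box or a router firewall performs. The following is an added example, not code from the thread or from pfSense; the LAN prefix 192.168.1.0/24 and the two device addresses are assumptions chosen for the illustration.

```python
"""Added example (not code from the thread): a first-match IPv4 rule
evaluator expressing the two policies discussed, the XP guest that may use
the LAN but not the Internet, and the set-top box that may use the Internet
but not the LAN. The LAN prefix and the two addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("192.168.1.0/24")    # assumed home LAN
ANY = IPv4Network("0.0.0.0/0")
XP_GUEST = "192.168.1.50"              # assumed bridged VM address
TV_BOX = "192.168.1.60"                # assumed set-top box address


def host(ip):
    """A single-address network, handy for per-device rules."""
    return IPv4Network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "block"
    src: IPv4Network
    dst: IPv4Network


def evaluate(rules, src, dst, default="allow"):
    """Return the action for a packet src->dst. The first matching rule
    wins (pf 'quick' semantics, and what consumer routers generally do);
    a packet no rule matches gets the default, 'allow' here so the rest of
    the LAN is unaffected by the two device-specific policies."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return default


# Policy A (the thread's subject): allow the guest to the LAN, then block it everywhere.
LAN_ONLY = [
    Rule("allow", host(XP_GUEST), LAN),
    Rule("block", host(XP_GUEST), ANY),
]

# Policy B (mpack's TV box): block it from the LAN, then allow it everywhere.
INTERNET_ONLY = [
    Rule("block", host(TV_BOX), LAN),
    Rule("allow", host(TV_BOX), ANY),
]


def check_policy(rules, src, probes):
    """Map each probe destination to the action the policy yields."""
    return {dst: evaluate(rules, src, dst) for dst in probes}


def ordering_matters():
    """The same two LAN_ONLY rules reversed: the catch-all now matches
    first and the guest loses LAN access as well."""
    return evaluate(list(reversed(LAN_ONLY)), XP_GUEST, "192.168.1.10")


if __name__ == "__main__":
    probes = ["192.168.1.10", "8.8.8.8"]
    print("XP guest:", check_policy(LAN_ONLY, XP_GUEST, probes))
    print("TV box:  ", check_policy(INTERNET_ONLY, TV_BOX, probes))
    print("reversed LAN_ONLY, guest -> LAN host:", ordering_matters())
```

Two caveats a practitioner would add. First, these rules only act on traffic that actually crosses the firewall: a bridged guest reaching another LAN host goes through the switch, so policy A's allow rule is only a safety net, while policy B is only enforceable if the set-top box sits on a separate segment (guest Wi-Fi, a VLAN, or behind a dedicated pfSense interface), since same-segment traffic never reaches the router. Second, the rules key on an IP address, so the device needs a stable one; a DHCP reservation tied to the MAC address gives that without configuring a static address inside the guest.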

Re: How to keep virtual machine off the Internet?

Posted: 24. Jul 2019, 20:20
by cdg
mpack wrote:I'm not sure that prevents Internet access, it only means that it doesn't have a default gateway address. If I was writing malicious code I suspect I could discover the gateway address by other means. I don't think you've actually blocked it.
Possibly, but that assumes the malicious code already resides on the computer or virtual machine. If that were the case, there are many paths for sabotage.
Btw, a network card speaks Ethernet. TCP/IP related stuff is software, so you won't find anything about that in the (virtual) hardware options.
So, how would you accomplish your earlier suggestion (to remove the gateway from the NIC's ipv4)?
The only way I can think of for a VM to have access to the LAN but not to the Internet is to blacklist the VM at the Router. The Router would have to have an option to blacklist it on the Internet only, but allow LAN traffic. Also the VM would have to be using an identifiable IP, i.e. bridged, not NAT. Another possibility with a cabled LAN if you assume that all PCs converge at a switch then a PC can always communicate with other PCs via the switch, even if blacklisted at the router.
As stated earlier, a fixed IP would cause more problems than it would solve. :( I do like the idea of communicating via the switch instead of the router. I didn't realize that would work. :)
I'm actually trying to think of a way to achieve the opposite on my home network: give a networked device access to the Internet, but don't allow local network access...
If your router has a "guest network" feature, set up the guest network without LAN access, and connect your wireless TV device to that network. This is what I do with my Roku streaming device, and it works well. :)

Re: How to keep virtual machine off the Internet?

Posted: 24. Jul 2019, 20:47
by cdg
scottgus1 wrote:You can get to the network card's ip4 properties in XP by Network Connections > right-click Local Area Connection, Properties, click Internet Protocol (TCP/IP), click Properties button. Also, right-click Local Area Connection, Status, to see stuff similar to 'ipconfig'.
Yes, that's what I did, and there is NO IP4 properties. There is IP address (automatic or manual), DNS address (automatic or manual), Alternate configuration, DHCP enabled, NO default gateway (even though ipconfig shows the router's address), DNS and WINS settings, and TCP/IP filtering. No "Ip4 properties".
I Bridged an XP guest looking for an automatic IP from the LAN's DHCP, and got an automatic IP & gateway from the LAN. I was able to ping 8.8.8.8 successfully, so able to reach the internet. Then I tried your command 'ROUTE DELETE 0.0.0.0 MASK 0.0.0.0' in a command prompt, and saw that the gateway had disappeared from the guest network card properties. Pinging 8.8.8.8 now fails with Destination Host Unreachable. But I can ping LAN resources.
You are correct. It works (now). I don't know why it didn't work before. :o
The ROUTE DELETE command is not persistent across reboots, and XP has internet access after restarting.
I didn't know this, but the command can be put in a batch file that is executed upon startup. Maybe that's why I thought it didn't work before?

Perhaps it's just as easy to NOT do anything that uses the Internet (from the VM) and rely on the Firewall to prevent inbound malware?

Re: How to keep virtual machine off the Internet?

Posted: 24. Jul 2019, 21:00
by scottgus1
cdg wrote:there is NO IP4 properties
Careful how much you yell, puts people off. Especially, when you're wrong, and that the thing you're editing when you're in that "Obtain IP address automatically or manually" and "Obtain DNS address automatically or manually" is the ip4 properties of the network card. Sure ain't ip6, and sure ain't accessible through Device Manager. Haven't you ever told somebody about something without remembering the exact name the something is called? You did ask how to get there and I did show you...
cdg wrote:Perhaps it's just as easy to NOT do anything that uses the Internet (from the VM)
That may work, though XP by default tries to access the MS update servers, which may or may not be working now, and who knows what else other software may also try internet access. Practically anything that checks for updates would be pinging out there somewhere. Whether that software's activity might alert malware to your PC? I might have the ol' tin-foil hat on too tight over that question. Don't know about that one. Probably best to not let XP access the internet at all, I'd say.

Re: How to keep virtual machine off the Internet?

Posted: 24. Jul 2019, 21:50
by cdg
scottgus1 wrote:Careful how much you yell, puts people off.
I'm not yelling. The use of upper case letters for required emphasis has been standard office practice for centuries, long before the PC and the Internet. In this case, I was emphasizing "no IP4".
the thing you're editing ... is the ip4 properties of the network card.
And how would I know that? All of the settings shown are TCP/IP settings, not hardware settings, and there is no mention of IP4 by name. I do remember, years ago, some actual IP4 settings via Device Manager, so that is why I looked there as well as in the TCP/IP properties. Furthermore, on my system, there is no "default gateway" set in the TCP/IP settings. It is apparently set elsewhere (probably in the router). My knowledge of this aspect of networking is very limited.
That [just not using the Internet] may work, though XP by default tries to access the MS update servers, which may or may not be working now, and who knows what else other software may also try internet access. Practically anything that checks for updates would be pinging out there somewhere. Whether that software's activity might alert malware to your PC? I might have the ol' tin-foil hat on too tight over that question. Don't know about that one. Probably best to not let XP access the internet at all, I'd say.
I agree, which is why I am looking for a method to prevent it, without disconnecting it from the LAN.

(I'm actually biting the bullet and migrating to W10, but I need to run XP in a VM in order to run a few essential programs that will not run on W10.) :(

Re: How to keep virtual machine off the Internet?

Posted: 24. Jul 2019, 22:10
by scottgus1
Use of uppercase is yelling on the internet. The meaning of things changes.
My knowledge of this aspect of networking is very limited.
Which is why one should not split hairs but try to learn when they ask other folks for help, and others volunteer their knowledge out of a desire to help their fellow humans. But all this is beside the point.

My house router is able to block internet to a PC based on the name of the PC, as well as the ip address. This would make it possible to keep the XP pc or guest using dynamic IP instead of static, but still be blocked. That said, it is not a hard thing to have a static IP-addressed device on the network. I have several such devices on my home network and on the office network I used to IT, and there were never problems.

Your best bet at blocking internet from XP is to block it in the router's firewall / parental controls / access restrictions, whatever the router calls it.

Re: How to keep virtual machine off the Internet?

Posted: 24. Jul 2019, 23:10
by cdg
I'm not splitting hairs, and I'm not arguing with you (except about the meaning of upper-case letters, and whether or not I'm arguing :-) ). You originally said "...not setting a gateway in the network card's ip4 properties". I logically assumed that "network card" refers to hardware. Then you switched (from my perspective) to discussing TCP/IP properties, so I was understandably confused, and simply wanted additional information for clarification.

I _do_ (is that better than uppercase?) appreciate your assistance, and thank you for your help. If it weren't for your 24. Jul 2019, 19:26 post, I wouldn't have tried again what I thought had failed, and I wouldn't have a solution.

My router has "parental controls" by mac address, so I might be able to accomplish it there.

Thank you again.

Re: How to keep virtual machine off the Internet?

Posted: 25. Jul 2019, 00:07
by fth0
Just in case you have not found out for yourselves by now: :)

1. If a network device uses DHCP to request an IPv4 address, and the DHCP server is part of the router, then the router will usually deliver its own IPv4 address as the gateway address (besides the requested IPv4 address and other optional information like DNS server addresses). In consequence, every time Windows is (re-)started, it will learn the gateway address again during the DHCP negotiation.

2. Additionally, the DHCP negotiation will automatically be repeated after some time (DHCP renew, DHCP rebind), depending on the configuration of the DHCP client and the DHCP server, the timeouts typically being in the range of some hours. So possibly the Windows OS will learn the gateway address again, although you have issued the route delete command before.

3. I would address the topic of this thread inside the router, by using either its firewall configuration, or its guest network feature, or its VLAN capabilities, depending on their availability.
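
The mechanism described in points 1 and 2, and observed in scottgus1's experiment earlier in the thread (the gateway returning after a reboot), is the DHCP Router option (option 3) being re-delivered in every DHCPACK, at boot and again at each renew (T1, option 58) or rebind (T2, option 59). The following is an added example, not code from the thread: it builds a DHCPACK from constructed bytes, decodes the options that matter here, and replays the route delete / renew sequence against a toy routing table. The address 192.168.1.0/24, the router 192.168.1.1 and the lease length are assumptions.

```python
"""Added example (not code from the thread): decode the DHCPACK fields that
matter here and replay what the thread observed. The DHCPACK bytes are
constructed inline; 192.168.1.0/24, the router 192.168.1.1 and the lease
times are assumptions, not values from the thread."""
import struct
from ipaddress import IPv4Address, IPv4Network

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131: marks the start of the options
OPT_ROUTER, OPT_LEASE, OPT_MSG_TYPE, OPT_T1, OPT_T2 = 3, 51, 53, 58, 59
DHCPACK = 5


def build_dhcp_ack(yiaddr, router, lease, t1=None, t2=None):
    """Construct a minimal DHCPACK: 236-byte fixed header, then options."""
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # op=BOOTREPLY
    fixed += bytes(4)                              # ciaddr
    fixed += IPv4Address(yiaddr).packed            # yiaddr: address handed out
    fixed += bytes(4) + bytes(4)                   # siaddr, giaddr
    fixed += bytes(16) + bytes(64) + bytes(128)    # chaddr, sname, file
    opts = MAGIC_COOKIE
    opts += bytes([OPT_MSG_TYPE, 1, DHCPACK])
    opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
    if t1 is not None:
        opts += bytes([OPT_T1, 4]) + struct.pack("!I", t1)
    if t2 is not None:
        opts += bytes([OPT_T2, 4]) + struct.pack("!I", t2)
    opts += bytes([255])                           # end option
    return fixed + opts


def parse_dhcp_options(msg):
    """Walk the TLV option area; returns {code: raw value bytes}."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(msg):
        code = msg[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        if i + 1 >= len(msg):
            raise ValueError("truncated option header")
        length = msg[i + 1]
        value = msg[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def lease_info(msg):
    """What the client learns: router, lease, and when it renews/rebinds."""
    opts = parse_dhcp_options(msg)
    u32 = lambda code: struct.unpack("!I", opts[code])[0]
    lease = u32(OPT_LEASE)
    return {
        "ack": opts.get(OPT_MSG_TYPE) == bytes([DHCPACK]),
        "router": str(IPv4Address(opts[OPT_ROUTER])) if OPT_ROUTER in opts else None,
        "lease": lease,
        # RFC 2131 defaults when the server sends no T1/T2 options
        "t1": u32(OPT_T1) if OPT_T1 in opts else lease // 2,
        "t2": u32(OPT_T2) if OPT_T2 in opts else lease * 7 // 8,
    }


class HostRoutes:
    """Toy model of the guest's IPv4 routing table: an on-link LAN route
    plus an optional default route installed from the DHCP router option."""
    def __init__(self, lan):
        self.lan = IPv4Network(lan)
        self.default_gw = None

    def apply_dhcp(self, msg):         # runs at boot and at every renew/rebind
        self.default_gw = lease_info(msg)["router"]

    def route_delete_default(self):    # ROUTE DELETE 0.0.0.0 MASK 0.0.0.0
        self.default_gw = None

    def can_reach(self, dst):
        if IPv4Address(dst) in self.lan:
            return True                # on-link: no gateway needed
        return self.default_gw is not None


def replay():
    """Return (Internet after boot, Internet after route delete,
    LAN after route delete, Internet after the next DHCP renew)."""
    ack = build_dhcp_ack("192.168.1.50", "192.168.1.1", lease=86400)
    host = HostRoutes("192.168.1.0/24")
    host.apply_dhcp(ack)
    boot = host.can_reach("8.8.8.8")
    host.route_delete_default()
    after_delete = host.can_reach("8.8.8.8")
    lan_after_delete = host.can_reach("192.168.1.10")
    host.apply_dhcp(ack)               # T1 expired: the renew re-learns the router
    after_renew = host.can_reach("8.8.8.8")
    return boot, after_delete, lan_after_delete, after_renew


if __name__ == "__main__":
    print(lease_info(build_dhcp_ack("192.168.1.50", "192.168.1.1", 86400)))
    print(replay())
```

With a 24-hour lease and no explicit T1/T2, the client renews after 12 hours and rebinds after 21, so even the startup batch file mentioned above leaves a window in which the gateway is back; that is why a router-side control is the more reliable place to enforce the restriction.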

Re: How to keep virtual machine off the Internet?

Posted: 25. Jul 2019, 00:15
by cdg
Thank you.

Re: How to keep virtual machine off the Internet?

Posted: 25. Jul 2019, 01:03
by socratis
cdg wrote:My router has "parental controls" by mac address, so I might be able to accomplish it there.
That might actually be your best option. Mine (basic, no brains one, supplied by the ISP) has an option like that, but it works with IP address, way less useful. You would have to assign your VM a static IP address before achieving the desired result.