Two VMs - DHCP + Internet, using NAT+INT on server - INT only on client

Krafty
Posts: 4
Joined: 30. May 2019, 07:20

Two VMs - DHCP + Internet, using NAT+INT on server - INT only on client

Post by Krafty »

Hello experts, how are you? I was lurking in freenode and someone told me to ask this specific question in here.
It happens that we were given a proposal no one seems to figure out (or care) to do.

The initial exercise consists of:

Create two Virtual Machines:
• Ubuntu 19.04 - as a Server
• Windows 10 - as a Client

Server will have the first NIC as NAT, and it is being assigned an IP number 10.0.2.15. (I will call this NIC1)
Server will also have a secondary NIC as Internal Network and the IPs will be manually configured. (I will call this NIC2)
This setup is to simulate a server that has access to the WAN from NIC/NAT (NIC1), and handle DHCP to clients through NIC/Internal (NIC2).

Client will have only one NIC as Internal Network and all the IP configuration will be fetched from the Server.

So, on Server, the /etc/network/interfaces look like this:

Code:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet dhcp

auto enp0s8
iface enp0s8 inet static
    network 172.16.0.0
    address 172.16.0.1
    netmask 255.255.0.0
    broadcast 172.16.255.255

The DHCP service was successfully configured through /etc/dhcp/dhcpd.conf, reserving IPs of this Internal Network, which it is handing out to the Client.
The file /etc/default/isc-dhcp-server has the statement: INTERFACESv4=enp0s8, so that this NIC2 will handle it all.
Remember that our enp0s3 is the NAT (NIC1).

OK. So everything is doing as it is supposed to do. The Windows Client is getting 172.16.0.10 as its IP.
But there is no Internet access in Windows client.

Then came the part where we were supposed to configure BIND to give Windows a DNS so that it can ping domains.
But this somehow is not working using Internal Adapters.
It works just with the two VMs in Bridge Mode, which is a bit of a hack, considering that we were supposed to follow up the exercise from DHCP.
So, some people just called it a day and changed the two VMs to bridge mode and did the BIND exercise.
But I'm left as the only one trying to figure out how to deliver this, following it up.

On the Client side, the firewall has been disabled.
On the Server side, the file /proc/sys/net/ipv4/ip_forward had its content set from 0 to 1.

Additionally, someone told me to use iptables to "enable the communication" between the machines, but I found it a bit weird since we are talking about two different networks.
The commands listed here were used to set up some rules on the Server. The following commands were used to clean all the rules.

Code:

# iptables -F
# iptables -X
# iptables -t nat -X
# iptables -t nat -F

Then, I established the said rules:

Code:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE

These iptables commands were supposed to route the packets from the NIC/NAT.
Doing those won't allow Windows to get an Internet connection. It simply doesn't work.

NOW TO THE ISSUE.

Since BIND is listening on enp0s3 (NIC1/NAT) and Windows is living on the internal network 172.16.0.0 (enp0s8), there is no way to tell Windows to listen to 10.0.2.15 for DNS.
Nothing happens if you tell Windows to do it.

SO WHAT TO DO NOW? HOW TO FEED THE INTERNET from enp0s3 to enp0s8, so it will deliver to Windows Client?
I basically need that enp0s3 will communicate to enp0s8. In other words, I need one internal VM to communicate with another internal VM in this setup, if it's possible.

Something tells me that all is lacking is some more configuration to the Linux Server.
At this point, BIND matters no more, because I feel something elemental here is being ignored.

Someone help me to get this Windows machine with DHCP to get the access to the internet from the Linux Server. If it's possible.
No alterations in configurations like "set in bridge mode" or what have you. If it's not possible, with VirtualBox, in the proposed way, just say it.

Thank you for any replies that will lead to a solution.
All credits will be given.
Last edited by Krafty on 8. Nov 2019, 02:10, edited 1 time in total.
Krafty
Posts: 4
Joined: 30. May 2019, 07:20

Re: Two VMs - DHCP + Internet, using NAT+INT on server - INT only on client

Post by Krafty »

Ok, I was reading some concepts and I think I was overlooking a standard networking thing:
For two different networks to communicate, they need to have a default gateway -- or -- a router.
This can be a virtual or physical machine acting as a router, or a layer 3 hardware device.
So this is my first hint.

I have seen examples of making one NIC route to another secondary NIC in a Linux system and have also seen examples that work flawlessly using iptables, but with physical machines. The big question is... why am I not able to do this in VirtualBox? Is there something wrong with the software? I don't think so. I tried the same with VMware Workstation Pro and the internal cards did not communicate either. What exactly am I missing?

Well thanks for stopping by and reading this again.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Two VMs - DHCP + Internet, using NAT+INT on server - INT only on client

Post by scottgus1 »

I have had a pfSense guest act as a router between Windows guests and the office network the host was connected to. I Bridged on the WAN side of the pfSense router and internal-networked on the LAN side to the Windows guests, and had full communication. With a pfSense firewall rule I was able to get the entire office private network blocked from the guests while allowing internet through, too.

I didn't try it with NAT on the WAN side, I do remember trying it with NAT on the WAN side once, to see if the internal-networked LAN side could see the office network with no firewall rule, and it could. I never found anything screwy with Internal on the LAN side, communication was good between all the guests and the pfSense guest's web interface.

Unless a glitch has cropped into VirtualBox, which occasionally does happen, I'm going to shoot from the hip and say that if you can ping through the internal network, and get an IP address, and even see a shared folder between the two VMs, then VirtualBox's Internal is working and the issue is the settings in the server guest's OS. At which point you would solve this as if the two guests were real PCs networked together through an unmanaged switch, try hitting the Ubuntu forums, etc.

One thing I do remember is that since the NAT virtual network is on 10.0.2.# IP range and the internal is on 172.16.0.#, you have to bridge the two networks in the server VM's OS somehow to get Internet through the server to the client. How to do so, I haven't the foggiest, sorry, Windows guy here. I have done it in Windows with the Internet Connection Sharing wizard. I don't know if this is where the iptables or the Bind thing comes in...
Krafty
Posts: 4
Joined: 30. May 2019, 07:20

Re: Two VMs - DHCP + Internet, using NAT+INT on server - INT only on client

Post by Krafty »

Dear scottgus1,

Thanks for your input.
Well, with the two VMs on bridge mode, it works. Needs DHCP and DNS from Linux Guest.
I believe you are right about something being wrong with the Linux Guest.
However, I haven't seen a configuration that is able to route the Linux Guest NIC1 to Linux Guest NIC 2, so that it can feed the internet on the 172.16.0.# network.

I have done this same thing on VMware Pro and it did not work.
Krafty
Posts: 4
Joined: 30. May 2019, 07:20

Re: Two VMs - DHCP + Internet, using NAT+INT on server - INT only on client

Post by Krafty »

Resolution:
  • iptables must be configured to forward traffic from NIC1 to NIC2.
  • DHCP must lease the addresses to NIC2.
  • DHCP configuration must have the DNS server IP that is the IP of NIC1.
  • BIND must be configured with an ACL permitting the NIC1 network, localhosts and localnets.
  • BIND also must be configured to allow-queries, recursion, safeguard forwarders, and it should be only forwarding.
  • VM2 needs no additional configuration.
The common terminology for this setup is BIND as a DNS Caching and Forwarding setup.
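
The forwarding requirement in the first bullet above, as an added example that is not part of the original post: a shell sketch that renders an iptables-restore ruleset for the thread's interfaces (enp0s3 as NAT/WAN, enp0s8 as internal/LAN, 172.16.0.0/16) and audits a dump for the rules that routing between them needs. The default-DROP FORWARD policy and the function names render_rules and audit_rules are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Interface names and subnet are the
# thread's; the FORWARD DROP policy and function names are assumptions.

# Print an iptables-restore ruleset: LAN clients may open connections out
# through WAN, only replies come back, and outbound traffic is masqueraded.
render_rules() {  # usage: render_rules WAN_IF LAN_IF LAN_CIDR
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $3 -i $2 -o $1 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $3 -o $1 -j MASQUERADE
COMMIT
EOF
}

# Read an iptables-save style dump on stdin, print what routing still lacks,
# and return the number of findings (0 means the dump can route LAN -> WAN).
audit_rules() {  # usage: audit_rules WAN_IF LAN_IF < dump
    dump=$(cat); missing=0
    printf '%s\n' "$dump" | grep -Eq -- "^-A POSTROUTING .*-o $1 .*-j MASQUERADE" ||
        { echo "nat: no MASQUERADE out of $1"; missing=$((missing + 1)); }
    # A FORWARD policy of ACCEPT already passes both directions (explicit DROP
    # rules are not inspected here); otherwise both rules below are required.
    if ! printf '%s\n' "$dump" | grep -q '^:FORWARD ACCEPT'; then
        printf '%s\n' "$dump" | grep -Eq -- "^-A FORWARD .*-i $2 .*-o $1 .*-j ACCEPT" ||
            { echo "filter: no FORWARD accept $2 -> $1"; missing=$((missing + 1)); }
        printf '%s\n' "$dump" | grep -Eq -- "^-A FORWARD .*(RELATED|ESTABLISHED).*-j ACCEPT" ||
            { echo "filter: replies not accepted in FORWARD"; missing=$((missing + 1)); }
    fi
    return "$missing"
}

# Self-check with the thread's interfaces; load for real with iptables-restore.
render_rules enp0s3 enp0s8 172.16.0.0/16 | audit_rules enp0s3 enp0s8 &&
    echo "ruleset routes enp0s8 -> enp0s3"
```

Forwarding also depends on /proc/sys/net/ipv4/ip_forward being 1, as set earlier in the thread; the audit only inspects the ruleset.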
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Two VMs - DHCP + Internet, using NAT+INT on server - INT only on client

Post by socratis »

So, 'Krafty', correct me if I'm wrong, but this has nothing to do with VirtualBox, right? This is simply a matter of configuring the Guests appropriately, no?
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.