"Sandbox"
[Attachment: pfSense guest network.png]
"Sandbox" is not an official VirtualBox networking type and does not appear in the "Attached To:" dropdown. It is a setup that combines several VirtualBox networking types with a router/firewall guest to give a guest network that is more isolated than any single VirtualBox network mode can achieve, yet still has internet access.
Sandbox lets your guests use the host's internet connection without being able to reach the host or the host's LAN. From the network's point of view the guests see the host's internet connection, but they don't know there is a host.
This separation-with-connectivity comes from a router/firewall guest that creates a new LAN with a different IP address range than the host's physical LAN, plus an outbound firewall rule on that new LAN that blocks the host LAN's IP address range. Internet traffic gets through, but nothing on the host LAN can be reached.
Sandbox enables "labs" such as testing internet-connected domain controllers without risking damage to the host LAN and to other domain controllers. Sandbox does require the lab's LAN IP range to be different from the "WAN" side of the router/firewall guest. However, one can set up two router/firewall guests, each blocking the next stage's IP range, and so get a lab LAN IP range that is the same as the host's LAN IP range, with internet, while the lab still cannot reach the host LAN. This "double-NAT-firewall" setup allows testing changes on copies of production domain controller guests without having to change the domain's IP addressing to move the guests into the lab or back into production. (See below for a double-NAT-firewall setup that worked.)
pfSense is a good, low-impact, free router/firewall operating system that can block host LAN access yet allow internet into the "lab".
The pfSense router guest has two network adapters. One is used as the "WAN" and connects to the host network via VirtualBox's Bridged mode. The other is the "LAN" and connects to the sandbox guest(s) via a VirtualBox Internal network.
The WAN side receives an IP address from the host LAN's DHCP server. Turn on the pfSense DHCP server (or have a guest run DHCP) and serve addresses from a different range than the WAN network. In the pfSense firewall, add a block rule on the LAN tab whose destination is the WAN side's IP address range. The example settings below assume the host LAN is 192.168.0.x/24 and the lab LAN is in 10.x.x.x or 172.16.x.x.
Put the rule as the second rule on the LAN tab (after the auto-added anti-lockout rule and above the default "allow LAN to any" rule; pfSense evaluates rules top-down and the first match wins), and your sandbox guests will not be able to reach the host network on the WAN side but will still reach the internet. Note that the rule below is IPv4 only: if the host LAN also carries IPv6, the default "allow LAN IPv6 to any" rule would still let guests reach hosts over IPv6, so add a matching IPv6 block rule or disable IPv6 on the pfSense WAN.
Credit goes to thetrevster, who figured out the correct settings. Here are the settings for the rule:
Action: Block
Disabled: not checked
Interface: LAN
TCP/IP Version: IPv4
Protocol: Any
Source: nothing entered, don't change
Destination: Type = "Network"; Address = host LAN IP range & subnet mask bit number
Log: if desired
Name: as desired
**************************
The following "double-NAT-firewall" was used to set up a test lab with an Active Directory domain controller & DHCP server and two clients, all in the 192.168.0.0/24 IP range, on a VirtualBox host whose existing physical LAN is controlled by a DHCP-serving house router using the same 192.168.0.0/24 range. Internet was available in the lab, but the host LAN's computers could not be seen or controlled by the domain controller:
VirtualBox host:
IP range 192.168.0.0/24
pfSense VM 1 (default VirtualBox FreeBSD 64-bit settings, one processor, 256 MB RAM; pfSense reported 36% memory used):
WAN adapter, Bridged to host LAN, IP address served via host LAN's DHCP (192.168.0.0/24 range)
LAN adapter, Internal network "sandbox1", static IP 172.16.0.1
DHCP server enabled, serving 172.16.0.0/24
DNS Resolver disabled, DNS Forwarder enabled, no special settings (*)
Firewall rule as above, blocking 192.168.0.0/24
pfSense VM 2 (default VirtualBox FreeBSD 64-bit settings, one processor, 256 MB RAM; pfSense reported 38% memory used):
WAN adapter, Internal network "sandbox1", IP address served via pfSense VM 1's DHCP (172.16.0.0/24 range)
LAN adapter, Internal network "sandbox2", static IP 192.168.0.1
DHCP server disabled
DNS Resolver disabled, DNS Forwarder enabled, no special settings (*)
Firewall rule as above, blocking 172.16.0.0/24
Domain controller VM (Windows Server 2008 R2)
Adapter, Internal network "sandbox2", static IP 192.168.0.2
DHCP server enabled, serving 192.168.0.0/24 & gateway 192.168.0.1
DNS enabled, pointing at 192.168.0.2
&
Client VMs (Windows XP)
Adapters, Internal network "sandbox2", IP addresses served via the domain controller's DHCP (192.168.0.0/24 range)
attached to the domain
Internet available on the DC and clients; no pings possible to host LAN PCs.
(A standalone VM can be attached to Internal network "sandbox1" to access pfSense VM 1's configurator website.)
* The pfSense Community Edition 2.4.4 I had on hand for this test lab had DNS Resolver enabled, DNS Forwarder disabled by default. A client VM attached to the LAN Internal network "sandbox1" on pfSense VM 1 could not get internet until I disabled Resolver and enabled Forwarder. I don't know why this was necessary. I did the same for pfSense VM 2 and the lab worked.
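As an added example that is not part of the original post, here is a small Python model of where a lab guest's packets end up, for both the single-pfSense Sandbox described at the top and the double-NAT-firewall lab above. It uses the address ranges from this post; the WAN lease addresses 192.168.0.100 and 172.16.0.10 and the 10.0.0.0/24 lab range are assumptions for illustration, and the model only covers the LAN-tab block rule plus outbound NAT (no IPv6, no extra routes on the house router).

```python
"""Where do a Sandbox guest's packets end up?

Added example (not from the original post): a small model of the pfSense
LAN-tab block rule and outbound NAT across one or two pfSense guests.
Address ranges are the ones given in the post; the WAN leases 192.168.0.100
and 172.16.0.10 and the 10.0.0.0/24 lab range are assumed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Router:
    """One pfSense guest: LAN segment, WAN segment, and the destination
    networks its LAN-tab block rule drops."""
    name: str
    lan: IPv4Network
    wan: IPv4Network
    wan_ip: IPv4Address                      # address it holds on the WAN segment (its DHCP lease, assumed)
    lan_block: List[IPv4Network] = field(default_factory=list)
    upstream: Optional["Router"] = None      # router whose LAN is this WAN segment; None = house router/internet


def trace(src: str, dst: str, first_hop: Router) -> Tuple[str, List[str]]:
    """Follow a packet from a guest at `src` on first_hop's LAN toward `dst`.

    Returns (verdict, hops) with verdict one of 'local', 'blocked',
    'wan-segment', 'internet'. Rule evaluation is first-match, as in pf: the
    block rule must sit above the default "allow LAN to any" rule, which is
    why the post puts it second on the LAN tab (right after the anti-lockout rule).
    """
    s, d = ip_address(src), ip_address(dst)
    hops: List[str] = []
    if d in first_hop.lan:
        # Same subnet as the guest: resolved by ARP on the Internal network, the router is never involved.
        hops.append(f"{d} is on the lab segment {first_hop.lan}: delivered locally, router not involved")
        return "local", hops
    router: Optional[Router] = first_hop
    while router is not None:
        hit = next((net for net in router.lan_block if d in net), None)
        if hit is not None:
            hops.append(f"{router.name}: LAN rule blocks {s} -> {d} (destination in {hit})")
            return "blocked", hops
        # Past the LAN tab: outbound NAT rewrites the source to the router's WAN address.
        hops.append(f"{router.name}: allowed, NAT {s} -> {router.wan_ip}")
        s = router.wan_ip
        if d in router.wan:
            hops.append(f"{d} is on {router.name}'s WAN segment {router.wan}: reachable")
            return "wan-segment", hops
        router = router.upstream
    hops.append(f"default route: {s} -> {d} forwarded toward the internet")
    return "internet", hops


HOST_LAN = ip_network("192.168.0.0/24")


def single_sandbox() -> Router:
    """The basic Sandbox: one pfSense guest, lab on 10.0.0.0/24 (one of the post's suggested ranges)."""
    return Router("pfSense", ip_network("10.0.0.0/24"), HOST_LAN,
                  ip_address("192.168.0.100"), lan_block=[HOST_LAN])


def double_nat() -> Router:
    """The double-NAT-firewall lab: returns pfSense VM 2, whose LAN is the lab segment 'sandbox2'."""
    vm1 = Router("pfSense VM 1", ip_network("172.16.0.0/24"), HOST_LAN,
                 ip_address("192.168.0.100"), lan_block=[HOST_LAN])
    vm2 = Router("pfSense VM 2", HOST_LAN, vm1.lan,
                 ip_address("172.16.0.10"), lan_block=[vm1.lan], upstream=vm1)
    return vm2


if __name__ == "__main__":
    cases = [
        ("single Sandbox", single_sandbox(), "10.0.0.5", ["192.168.0.20", "10.0.0.1", "93.184.216.34"]),
        ("double-NAT lab", double_nat(), "192.168.0.2", ["192.168.0.20", "172.16.0.1", "93.184.216.34"]),
    ]
    for label, lab, guest, targets in cases:
        print(f"== {label} ==")
        for target in targets:
            verdict, hops = trace(guest, target, lab)
            print(f"{guest} -> {target}: {verdict}")
            for hop in hops:
                print("   ", hop)
```

Running it shows the two reasons the double-NAT lab cannot see the host LAN: host addresses fall inside sandbox2's own 192.168.0.0/24, so packets to them never leave the Internal network, and anything that does cross pfSense VM 2 is stopped by its 172.16.0.0/24 rule before it can reach pfSense VM 1's LAN address (and its web configurator). Clear pfSense VM 2's block list and the model reports "wan-segment" for 172.16.0.1, which is exactly the exposure that rule exists to close.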