Network config for running like a DMZ

Discussions related to using VirtualBox on Windows hosts.
BoomSchtick
Posts: 3
Joined: 21. Feb 2018, 03:36

Network config for running like a DMZ

Post by BoomSchtick »

Hey all,

I have a Win 10 machine with two NICs. One NIC is plugged into the corporate network so that I can RDP into it. The other will be plugging straight into a port on my pfSense firewall.

I want to have the VirtualBox VMs run exclusively from that second NIC. I will configure that NIC with a public static IP. I know that VirtualBox will be able to do the NATing.

I'll take care that the physical port is firewalled off in pfSense from crossing over to the LAN. I'm just wondering how I can configure VirtualBox so that it will use exclusively the NIC that is plugged into the pfSense and NOT the NIC that is plugged into the LAN.

Any help would be greatly appreciated.

Thanks!
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Network config for running like a DMZ

Post by socratis »

Use Bridged mode, bridging the card to the NIC that goes to the pfSense.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
BoomSchtick

Re: Network config for running like a DMZ

Post by BoomSchtick »

Will VirtualBox still do a NAT translation with bridged mode? I thought that it would be bridged or NAT (not both), or does the pfSense need to do the NATing in that case?
socratis

Re: Network config for running like a DMZ

Post by socratis »

BoomSchtick wrote: Will VirtualBox still do a NAT translation with bridged mode?
Bridged is Bridged. NAT is NAT. Two different things. See ch. 6.2 onward from the User Manual for details.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Network config for running like a DMZ

Post by mpack »

BoomSchtick wrote: Will VirtualBox still do a NAT translation with bridged mode?
I'm not entirely sure what kind of "translation" would be useful anyway. Passing through the router translates network addresses, and port forwarding is redundant in bridged mode, since the VM already receives everything.
BoomSchtick

Re: Network config for running like a DMZ

Post by BoomSchtick »

The idea is to have a DMZ-like environment where the VMs will get a private NATed IP but use the public IP to get to the internet. At the same time they will have no access to the rest of the network due to being firewalled off. If one of the devices gets pwned, then that VM gets deleted and replaced with a clean one. I can see how bridging could work, but only if I can get the pfSense to do DHCP, NATing and firewalling to the VMs.
Last edited by socratis on 22. Feb 2018, 01:49, edited 1 time in total.
Reason: Removed unnecessary verbatim quote of the whole previous message.
BillG
Volunteer
Posts: 5102
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: Network config for running like a DMZ

Post by BillG »

I think there is a bit of confusion going on here. The normal setup we see is a user using pfSense to give the VMs on an internal network Internet access. In that case the pfSense does NAT for the internal network and the public NIC of the router is bridged to the physical network.

Your situation is different. Your host is on a corporate LAN and you want the VMs to be in their own network behind a pfSense router firewall. If this is a physical device with actual ports, that is not going to work. The VMs are on the wrong side of the firewall.

The VMs will be in a virtual network and to connect to any other network, they must be bridged to a NIC in the host. If the pfSense is a VM, you could bridge the VMs to the "private" side of the firewall and bridge the "public" side of the firewall to NIC2 of the host. If it is a physical device and you bridge your VMs to NIC2 of the host, they are on the "public" side of the firewall.
Bill
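
Added example, not part of the thread and not VirtualBox's own code: a Python check that a VM's adapters are attached only to the pfSense-facing NIC, run over the text printed by `VBoxManage showvminfo <vm> --machinereadable`. The sample output and the adapter names are constructed; NAT modes are flagged as well, because there the host's routing table, not VirtualBox, decides which physical NIC the traffic leaves through.

```python
import re

# Attachment modes whose traffic leaves through the host's own network stack,
# so the host routing table (not VirtualBox) picks the physical NIC.
HOST_ROUTED = {"nat", "natnetwork"}

_KV = re.compile(r'^"?([A-Za-z0-9_\-]+)"?=(.*)$')

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
# VM name and adapter names are made up for illustration.
SAMPLE = '''name="dmz-web01"
nic1="bridged"
bridgeadapter1="Intel(R) I210 Gigabit #2"
nic2="nat"
natnet2="nat"
nic3="bridged"
bridgeadapter3="Intel(R) Ethernet Connection I219-LM"
nic4="none"
'''
DMZ_ADAPTER = "Intel(R) I210 Gigabit #2"  # assumed name of the pfSense-facing NIC


def parse_vminfo(text):
    """Parse key="value" lines into a dict; lines in other shapes are skipped."""
    info = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2).strip().strip('"')
    return info


def audit_nics(text, dmz_adapter):
    """Return sorted (slot, reason) for each adapter that can bypass the DMZ NIC."""
    info = parse_vminfo(text)
    findings = []
    for key, mode in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m or mode in ("none", "null"):
            continue
        slot = int(m.group(1))
        if mode in HOST_ROUTED:
            findings.append((slot, f"{mode}: egress follows host routing table"))
        elif mode == "bridged" and info.get(f"bridgeadapter{slot}", "") != dmz_adapter:
            findings.append((slot, f"bridged to {info.get(f'bridgeadapter{slot}', '')!r}"))
    return sorted(findings)


if __name__ == "__main__":
    for slot, reason in audit_nics(SAMPLE, DMZ_ADAPTER):
        print(f"adapter {slot}: {reason}")
```

The bridged attachment itself is set with `VBoxManage modifyvm <vm> --nic1 bridged --bridgeadapter1 "<adapter name>"`, using an adapter name as listed by `VBoxManage list bridgedifs`.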