multiple host virtual network

Discussions related to using VirtualBox on Linux hosts.
debatem1
Posts: 15
Joined: 31. Dec 2007, 09:43


Post by debatem1 »

Is there a mechanism to provide a similar functionality to the internal networking settings across multiple host machines? I am attempting to set up a networking simulation and would prefer to enforce a pretty clean separation between my virtual machines and my physical ones. Any advice?
Don't take me too seriously, and I'll return the favor. Picklehead.
Ingo
Volunteer
Posts: 731
Joined: 22. Aug 2007, 10:13
Location: Germany

Post by Ingo »

I would set up Host Interface Networking with a bridge on every host and set up a simple VLAN on top of your physical LAN with fixed IP addresses for the clients.
Last edited by Ingo on 5. Jan 2008, 04:04, edited 1 time in total.
debatem1
Posts: 15
Joined: 31. Dec 2007, 09:43

Post by debatem1 »

I am unclear on what that would accomplish. If I am reading this correctly (and there is every possibility I am not) VLAN switching is done by port on the switch, right? Which would place a given physical machine and its VMs on the same VLAN, which is almost the opposite of what I want. Again, if I'm being stupid here please correct me, but I was hoping for something along the lines of an SSL connection between the virtualboxen that would truly separate the two. Otherwise, I'll just put iptables rules on the physical and virtual interfaces that drop everything from the other's subnets and hope for the best, I guess.
Don't take me too seriously, and I'll return the favor. Picklehead.
Ingo
Volunteer
Posts: 731
Joined: 22. Aug 2007, 10:13
Location: Germany

Post by Ingo »

debatem1 wrote:... vlan switching is done by port on the switch, right?
Yes, yes you are right.
This is the real hardware supported VLAN with packet tagging and so on...

What I mean is to setup a simple "virtual subnet (virtual LAN?)" on top of your physical LAN not crossing any switches.
Suppose you have host0 with br0, guest00 and guest01 and host1 with br1, guest10 and guest11.
Given br0 and br1 an IP address from a DHCP server, range 192.168.1.0/24. Host0 and host1 can communicate on subnet 192.168.1.0.
Statically give guest00 IP 192.168.2.1, guest01 IP 192.168.2.2, guest10 IP 192.168.2.3 and guest11 IP 192.168.2.4. Now all guests will communicate on subnet 192.168.2.0/24 and will not see any machine on 192.168.1.0/24 and vice versa.

Please tell me if it works.
Last edited by Ingo on 5. Jan 2008, 04:03, edited 1 time in total.
debatem1
Posts: 15
Joined: 31. Dec 2007, 09:43

Post by debatem1 »

I can do that, my concern is that a physical machine could set up a host interface to log in promiscuous mode and observe all traffic. The easiest way I could see to handle that possibility would be to open up a secured tunnel between VirtualBox instances and simply have a daemon inject packets PRN. Barring that, I suppose I could set up a separate instance to act as a gatekeeper via vtun and set that as a router, but man that'd be slow. The thing is, I'm using this for pentesting and I REALLY don't want people 'accidentally' pentesting my host machines.
One more question, somewhat unrelated (feel free to tell me to post elsewhere if this is the wrong place): is it possible to set CPU, RAM, or bandwidth quotas for VirtualBox?
Don't take me too seriously, and I'll return the favor. Picklehead.
kfries6
Posts: 6
Joined: 20. May 2007, 19:43
Location: Denver, Colorado

Post by kfries6 »

Is there any kind of guide other than the user manual that actually discusses setting up the networking? I find the User manual to be difficult to use at best and utterly useless on average :(

They are rebuilding our test lab, so I thought I would try to use VB to set up a network emulation... but I am having a bear of a time getting it to work!!!

First of all, Ubuntu Server does not run correctly (upon install and reboot, it fails to boot with an error that the cpu is too old... I am running on a dual core Intel, so it has to do with how VB is exposing the cpu). But that is beyond the scope of this thread.

What I want, is an internal only network, of which my host is one of the computers on that network. I have found nothing in the user manual or the web site that even begins to discuss this setup! Documentation is definitely one of the downsides of VB.

Just for the record, what I want to set up is this:

3 servers sitting on their own network. One, and only one, has access to the real internet.

1 server acting as a firewall and app server connected to the 3 server network, and also to a second network.

My Linux host connected to the second network.

The goal: to simulate an environment where we use that app server to serve data from the emulated back office network to my laptop, including an Android emulator as well as desktop software. It is to simulate serving data to phones and laptops in the field.

If anyone can show me where this is documented rather than just how to do it, I would be greatly appreciated.

BTW: all guests are Ubuntu Linux Server, Host is Ubuntu Desktop.
debatem1
Posts: 15
Joined: 31. Dec 2007, 09:43

Post by debatem1 »

Are you looking to seamlessly serve the Android emulator? 'Cause you can do that with ssh since it runs natively in Linux.

ssh -Y username @host /path/to/emulator

As far as Ubuntu Server goes, it requires some additional steps to get it to work. Try http://ubuntuforums.org/archive/index.php/t-555996.html for that.

As far as setting up a network configuration that your host can connect to, that's called host interface networking. It is thoroughly documented, but I found that for Ubuntu there is a better mechanism for setting up HIN than is given in the vbox documentation; look towards the end of this http://ubuntuforums.org/showthread.php?t=346185 for details. It involves modifications to /etc/network/interfaces, so don't screw up or you'll get to use your crash cart.

I assume you're OK with the basic network configuration and firewalling; if not I suggest you read the Debian reference here: http://www.debian.org/doc/manuals/refer ... ex.en.html and probably the Securing Debian manual here: http://www.debian.org/doc/manuals/secur ... ian-howto/ since that deals with a lot of firewalling issues.
Don't take me too seriously, and I'll return the favor. Picklehead.
debatem1
Posts: 15
Joined: 31. Dec 2007, 09:43

Post by debatem1 »

Edit: no space in the ssh command. It should be:

ssh -Y username@host /path/to/android
Don't take me too seriously, and I'll return the favor. Picklehead.
kfries6
Posts: 6
Joined: 20. May 2007, 19:43
Location: Denver, Colorado

Post by kfries6 »

No, Android is on my development machine, which is also the host machine. Android is not on any of the guests.

And the documentation does not cover the network I am trying to set up. The documentation assumes every guest has access to the Internet. This is exactly what I don't want. I wish I could upload images to draw it out, but this forum does not have an attachment feature. So, let me try it this way:


+--------+  +-------+
| Laptop |  | WinXP |
+----+---+  +---+---+
     |          |
     +----------+-------+-->Internet
     |                  |
+----+-------+   +------+---------------+
| App Server +---+ Back Office Firewall |
+------------+   +----------+-----------+
                            |
                            | +------------------+
                            +-| Groupware Server |
         +----------------+ | +------------------+
         | Office Desktop |-+
         +----------------+ | +-----------------+
                            +-| Database Server |
                              +-----------------+
The goal we are trying to get to is that neither the laptop, Android, or the XP desktop can see any services via the Back Office Firewall. Instead, all three clients can obtain any required data via the App Server. The idea is to make the same data available via the App Server as is available from the Office Desktop, without opening the firewall.

This is a simulation of a network we currently are trying to work with. Not all elements are represented, so I am not looking for a way of getting my app working around this setup, but with it. The firewall is untouchable. Nothing behind it gets direct Internet Access, period. No inbound connections from the Internet to data services behind the firewall, period.

The only real machine here is the laptop; this is my development machine, and the VB host machine. As you can see, there are three distinct networks here. Each segment has a ton of tests that need to be run. Each segment needs to run on its own, even when the other VMs are turned off.

Also, this is not about ssh into the network. That's easy. We need to translate and convert data for different targets. Needless to say, this is a monster app, and I need to mock it up before we can try to build. With my lap in shambles (thanks IT) I am hoping that VirtualBox is up to the task.

I know this is not a trivial network, and I have spent hours digging through the User manual, and half of what I am trying to do here, I can't find. So if this is there, I would love to find out where.
debatem1
Posts: 15
Joined: 31. Dec 2007, 09:43

Post by debatem1 »

Maybe I am not understanding: you want to run 5 virtual machines on your laptop? That is some very significant overhead. I will admit that with multiple cores it is possible but you will probably not enjoy the experience very much. As far as the documentation presuming internet access, I would check the VirtualBox user's manual section 6.6 page 71 for details on internal networking, which is a significant portion of what you are looking at.

now then, to look at what I am probably misunderstanding your problem to be:

you have one laptop, upon which all your other machines will be run. it is connected to the internet.

you have a virtual xp host, also connected to the internet.

you have a virtual application server, and a virtual firewall, ditto.

behind the virtual firewall, you have a virtual groupware server, a virtual desktop, and a virtual database server.

if this is the case, then you are looking at the XP box probably just requiring NAT, since it won't run any servers.

The app server will probably require HIN, but it looks like a textbook example of it.

the virtual firewall will require two virtual interfaces: one HIN to connect to your network, and one intnet to connect to the internal network upon which the other virtual machines should run.

the groupware server, office desktop, and database server should all be placed on an intnet.

you will need to use your standard OS utilities to set the virtual firewall as the default gateway for the groupware server, database server, and desktop. AFAIK, dhcp does not work on intnet so keep that in mind when doing your network config.

if your firewall is not allowing traffic, it is not allowing traffic. IRL, you would be screwed if you needed network access to the desktop. in virtualbox, you could set up a folder to contain a named socket and then set that folder as shared on two virtual machines, which gives you a backdoor in.

I would like to remind you that HIN makes your virtual machine exactly what it seems like it should have: a virtual interface onto your existing network. with the proper network configuration, just about anything that is possible in a real network is possible in a virtual network, because it is a real network from layer 3 up. if you need to block traffic, firewall it, or use arptables, or just give it an address off the subnet. all standard techniques apply.

As things stand, there are obviously some parts of what you are trying to do I do not understand- "translate and convert" confuses me, and I doubt I am properly interpreting your chart, so I will provide some info about other possible interpretations. Feel free to ignore them if I hit the nail on the head, but keep in mind that every mechanism I am describing here is in the user manual.

If by 'app server' you mean a virtual machine on which you will run the entire network simulation, that's overkill. Just clone what you need into a vdi and run it locally on an intnet; you'll avoid a lot of headaches.

if the xp machine and the laptop are the same machine, then just do it the same way as above and ignore the bit about it.

Hope this helps. If it doesn't, let me know; I'm not official but I am intrigued.
Don't take me too seriously, and I'll return the favor. Picklehead.
Ingo
Volunteer
Posts: 731
Joined: 22. Aug 2007, 10:13
Location: Germany

Post by Ingo »

Hi kfries6,
your problem is very interesting, but you will need a powerful laptop, at least 2GB RAM if you only use 256 MB for each guest.
kfries6 wrote:I wish I could upload images to draw it out, but this forum does not have an attachment feature.
Sometimes we use imageshack for images.
B.t.w. does the App Server have two interfaces?


Hello debatem1,
your analysis is very helpful for understanding kfries6's problem.
But back to your requirements, only for discussion.
debatem1 wrote:I can do that, my concern is that a physical machine could set up a host interface to log in promiscuous mode and observe all traffic. the easiest way I could see to handle that possibility would be to open up a secured tunnel between virtualbox instances and simply have a daemon inject packets PRN.
Why?
Taking my example above:


~$ sudo tcpdump -i br0
will set br0 into promiscuous mode and log any packets from 192.168.1.0/24 and from 192.168.2.0/24 (any packets going through br0 to the local subnet).
The simplest way to a complex system is to start with a simple system.
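Ingo's layout (hosts on 192.168.1.0/24, guests on 192.168.2.0/24, all on one bridged wire) and his tcpdump remark are the two halves of the same point, so here is an added example that models them together. It is not code from the thread or from VirtualBox; it is a toy simulation of one layer-2 segment with hosts on two subnets and no default gateway. Host names, MAC addresses and the captured payload strings are constructed for the example.

```python
# Added example (not from the thread): a toy model of Ingo's layout, built to
# show why two IP subnets on one bridged segment separate routing but not
# visibility. Everything here is simulated; no real interfaces are touched.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: str


@dataclass
class Host:
    name: str
    mac: str
    iface: ipaddress.IPv4Interface      # address plus prefix, e.g. 192.168.2.1/24
    promiscuous: bool = False           # True models "tcpdump -i br0"
    seen: List[Frame] = field(default_factory=list)
    segment: Optional["Segment"] = None

    def send(self, dst_ip: str, payload: str) -> bool:
        """With no default gateway (as in Ingo's plan) the IP stack only
        delivers to destinations inside its own subnet."""
        if ipaddress.ip_address(dst_ip) not in self.iface.network:
            return False                # "no route to host"
        dst_mac = self.segment.arp(dst_ip)
        if dst_mac is None:
            return False                # ARP request went unanswered
        self.segment.transmit(Frame(self.mac, dst_mac, str(self.iface.ip), dst_ip, payload))
        return True

    def receive(self, frame: Frame) -> None:
        # A normal NIC keeps only frames for its own MAC (or broadcast);
        # a promiscuous one hands every frame on the wire to the OS.
        if self.promiscuous or frame.dst_mac in (self.mac, BROADCAST):
            self.seen.append(frame)


class Segment:
    """One layer-2 broadcast domain: the physical LAN plus the br0/br1 bridges."""

    def __init__(self) -> None:
        self.hosts: List[Host] = []

    def attach(self, host: Host) -> None:
        host.segment = self
        self.hosts.append(host)

    def arp(self, ip: str) -> Optional[str]:
        # ARP is not subnet-aware: any host on the segment answers for its own IP.
        return next((h.mac for h in self.hosts if str(h.iface.ip) == ip), None)

    def transmit(self, frame: Frame) -> None:
        for h in self.hosts:
            if h.mac != frame.src_mac:
                h.receive(frame)


def build_lan() -> dict:
    """Ingo's example: hosts on 192.168.1.0/24, guests on 192.168.2.0/24, one wire.
    MAC addresses are constructed."""
    lan = Segment()
    hosts = {
        # host0's bridge br0 is capturing (promiscuous), like "sudo tcpdump -i br0"
        "br0": Host("br0", "02:00:00:00:00:10", ipaddress.ip_interface("192.168.1.10/24"), True),
        "br1": Host("br1", "02:00:00:00:00:11", ipaddress.ip_interface("192.168.1.11/24")),
        "guest00": Host("guest00", "02:00:00:00:02:01", ipaddress.ip_interface("192.168.2.1/24")),
        "guest01": Host("guest01", "02:00:00:00:02:02", ipaddress.ip_interface("192.168.2.2/24")),
        "guest10": Host("guest10", "02:00:00:00:02:03", ipaddress.ip_interface("192.168.2.3/24")),
    }
    for h in hosts.values():
        lan.attach(h)
    return hosts


def demo() -> dict:
    hosts = build_lan()
    results = {
        # guest-to-guest across physical hosts works: same subnet, same wire
        "guest00_to_guest10": hosts["guest00"].send("192.168.2.3", "SYN to 192.168.2.3"),
        # guest-to-host is refused by the guest's own stack: off-subnet, no gateway
        "guest00_to_br1": hosts["guest00"].send("192.168.1.11", "SYN to 192.168.1.11"),
    }
    # br1 (a normal NIC) saw nothing addressed to it...
    results["br1_saw"] = [f.payload for f in hosts["br1"].seen]
    # ...but the capturing bridge saw the guests' traffic anyway: same broadcast domain.
    results["br0_saw"] = [f.payload for f in hosts["br0"].seen]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The separation Ingo describes holds exactly as far as the IP stacks cooperate: a guest with no route off 192.168.2.0/24 will not talk to 192.168.1.11, but every frame it sends still crosses the shared wire, so a capture on br0 records it. That is why the "truly separate" variant in the thread needs either a separate broadcast domain (a real VLAN or an intnet) or encryption on top, not just distinct subnets.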
debatem1
Posts: 15
Joined: 31. Dec 2007, 09:43

Post by debatem1 »

'Cause anybody with sufficient privs can change the IP and subnet on the if and peek into traffic. I can deal with things as they stand, but it would really, really, really be better for me if everything was transparently encrypted and routed. BTW, do you happen to know if removing CAP_NET_ADMIN will remove the capability for the guest to modify its network configuration? I would assume so, but have no way to test ATM.
Don't take me too seriously, and I'll return the favor. Picklehead.
debatem1
Posts: 15
Joined: 31. Dec 2007, 09:43

Post by debatem1 »

Sweet. Problem solved: you can remove CAP_NET_ADMIN and still modify the guest states. That makes me VERY happy. Combined with good firewall techniques, I'm all good. Thank you very much for your help!

As far as the other problem goes, if the app server has an additional interface that's private to the firewall, just use a VPN from the one to the other.
Don't take me too seriously, and I'll return the favor. Picklehead.
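Since the thread ends on "you can remove CAP_NET_ADMIN", here is an added example (not from the thread, and not VirtualBox code) of how to confirm that the bit is really gone from a process inside the guest: read the effective capability mask the kernel reports in /proc/<pid>/status and test the bit. The bit numbers come from linux/capability.h; the two CapEff sample lines are constructed. Note that CAP_NET_RAW, which packet-capture tools need for packet sockets, is a separate bit and is not removed by dropping CAP_NET_ADMIN alone, so the check reports both.

```python
# Added example (not from the thread): verify that CAP_NET_ADMIN has actually
# been dropped by inspecting the capability masks in /proc/<pid>/status.
# Bit numbers are from linux/capability.h.
import os

CAP_NET_ADMIN = 12   # interface, address and route configuration, promiscuous mode
CAP_NET_RAW = 13     # raw and packet sockets (what capture tools open)


def cap_mask(status_text: str, which: str = "CapEff") -> int:
    """Extract CapInh/CapPrm/CapEff/CapBnd from the text of /proc/<pid>/status.
    The kernel prints the mask as a 64-bit hex number, e.g. 'CapEff:\t0000003fffffffff'."""
    for line in status_text.splitlines():
        if line.startswith(which + ":"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError(f"{which} not found in status text")


def has_cap(mask: int, cap: int) -> bool:
    """True if capability number `cap` is set in `mask`."""
    return (mask >> cap) & 1 == 1


def net_caps(status_text: str) -> dict:
    """Report the two network capabilities that matter for this thread."""
    mask = cap_mask(status_text)
    return {
        "CAP_NET_ADMIN": has_cap(mask, CAP_NET_ADMIN),
        "CAP_NET_RAW": has_cap(mask, CAP_NET_RAW),
    }


def net_caps_self() -> dict:
    """Same check on the running process (Linux only: needs /proc)."""
    with open("/proc/self/status") as f:
        return net_caps(f.read())


# Constructed samples in the format the kernel prints. FULL has bits 0 through 37
# set (a root shell with everything); DROPPED is the same mask with only
# bit 12 (0x1000) cleared, i.e. CAP_NET_ADMIN removed and nothing else changed.
FULL = "Name:\tbash\nCapEff:\t0000003fffffffff\n"
DROPPED = "Name:\tbash\nCapEff:\t0000003fffffefff\n"

if __name__ == "__main__":
    print("full   :", net_caps(FULL))
    print("dropped:", net_caps(DROPPED))
    if os.path.exists("/proc/self/status"):
        print("this process:", net_caps_self())
```

Run it as the user whose capabilities you have restricted; if CAP_NET_ADMIN shows as True in the effective set, the restriction did not take, and if CAP_NET_RAW is still True, raw-socket capture remains possible on that interface regardless.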