Network problem: Accessing through virtual firewall machine

Discussions related to using VirtualBox on Linux hosts.
saeldur
Posts: 8
Joined: 22. Mar 2011, 18:05
Primary OS: Linux other
VBox Version: OSE other
Guest OSses: Linux, Windows

Network problem: Accessing through virtual firewall machine

Post by saeldur »

Hello,

I am having a networking problem with VirtualBox 3.2.12

The scenario is as follows:

I have internet access in my LAN through the router (192.168.5.1).

VirtualBox machine has 2 significant network interfaces:
  • wlan0 (192.168.5.5): This is the real interface
  • vboxnet0 (192.168.61.5): This is the host-only interface
This computer holds 2 or more virtual machines:

m0n0wall:
This will be the firewall between the real world and the virtual world
This will have at least 1 interface to the real world and as many host-only interfaces as virtual LANs desired.
  • 1 Bridged interface wlan0 (192.168.5.60)
  • 1 Host-Only interface vboxnet0 (192.168.61.1)
Ubuntu:
This could be any OS, but I have chosen Ubuntu for simplicity. These guests get their IP address from the m0n0wall pool and have only one Host-only interface.

This map summarizes the above description:


************                ******************     +---------------------- -+
* Internet *---- router ----* Real LAN       *-----+ Computer (Real)    .5  +    *******************
************            .1  * 192.168.5.0/24 *     + m0n0wall (Virtual) .60 +----* Virtual LAN 1   *---- Ubuntu .199 (DHCP)
                            ******************     +------------------------+    * 192.168.61.0/24 *---- ...
                                                   + VirtualBox -->              *******************
Things to note

A third real machine is considered in this scenario, we will call it Laptop and its IP address is 192.168.5.105. It will be useful in connectivity tests.
A route to 192.168.60.0/22 through 192.168.5.60 has been added in the router
Virtual network interfaces in m0n0wall are PCnet-PCI II (Am79C970A) at the moment, but I have also tried others without success.
Virtual network interface in Ubuntu is Intel PRO/1000 MT Desktop (82540EM)
I cannot remember where but I found googling that someone reported problems depending on the adapter used.

The problem

Laptop cannot ping (nor access in any way) Ubuntu

The facts

Ubuntu is not really "Ubuntu" at this time, but "Xubuntu", this should not make any difference.
Ubuntu can ping (and browse) http://www.fsf.org (including DNS resolution)
Ubuntu can ping Laptop, the Echo request packet looks like:
  • Source MAC: Computer(Real) wlan0 MAC address
  • Destination MAC: Laptop MAC address
  • Source IP: 192.168.5.60 (Computer, not Ubuntu) I expected to find 192.168.61.199 here
  • Destination IP: 192.168.5.105 (Laptop)
Laptop can ping (and configure via web) m0n0wall at 192.168.5.60 (but not at 192.168.61.1, for which it gets an ICMP Redirect Host (New nexthop: 192.168.5.60) from the router)
Laptop (and router) cannot ping Ubuntu (Laptop gets the same ICMP Redirect Host because its default gateway is 192.168.5.1 and the route is via 192.168.5.60 which is in the same network, but this behaviour is expected, hosts inside Real LAN do not need to know the path if they can ask the router)

Computer (Real), which holds VirtualBox guests, can ping Ubuntu (via vboxnet0) - it is also inside Virtual LAN 1

m0n0wall is not yet acting as a firewall

Additional considerations

This is not a production environment, it is just aimed to learn and to experiment. I can only work on this during weekends, I apologize if this is a problem.
Upgrading VirtualBox should not be the solution unless this is a known bug and it has been solved. The reason is that the host system is 64-bit only (Gentoo) and this gave me problems when trying to upgrade.
I would like to reference a recent network-related post about problems in port-forwarding in host-only interfaces, it might be helpful too.

Thank you in advance, any help, opinion or personal experience is kindly appreciated.

EDIT1: Corrected a netmask mistake (192.168.60.0/22 instead of 192.168.60.0/23), not important since the IPs involved are 192.168.61.x, but now it is the way it is configured.
Last edited by saeldur on 28. Mar 2011, 11:25, edited 1 time in total.
vbox4me2
Volunteer
Posts: 5218
Joined: 21. Nov 2008, 20:27
Location: Rotterdam

Re: Network problem: Accessing through virtual firewall machine

Post by vbox4me2 »

Use 1 bridge and 1 internal for the firewall, internal is for everything behind the firewall.
saeldur
Posts: 8
Joined: 22. Mar 2011, 18:05
Primary OS: Linux other
VBox Version: OSE other
Guest OSses: Linux, Windows

Re: Network problem: Accessing through virtual firewall machine

Post by saeldur »

Thank you for your reply.

I'm sorry, I forgot to mention that my first approach was that way, using internal networking for all the adapters inside the (same) Virtual LAN. I think it is less intuitive with host-only adapters and, in addition, virtual machines are more exposed, so internal networking is better.

I have changed that now again and there is only 1 bridged interface and 1 internal interface per virtual LAN. However, the behavior remains the same, and ICMPs (Echoes) from Ubuntu to the outside world still look like they come from 192.168.5.60, as if they were from Computer (Real). I am unable to explain this situation.
vbox4me2
Volunteer
Posts: 5218
Joined: 21. Nov 2008, 20:27
Location: Rotterdam

Re: Network problem: Accessing through virtual firewall machine

Post by vbox4me2 »

You're getting the concept wrong, when using a firewall you do NOT attach the firewalled machines to the WAN side, do you?

Firewall: 1 VBox bridge and 1 internal (bridge (not a vbox bridge) them inside the VM or use something like squid)
VM's: only the internal lan
Sasquatch
Volunteer
Posts: 17798
Joined: 17. Mar 2008, 13:41
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP, Windows 7, Linux
Location: /dev/random

Re: Network problem: Accessing through virtual firewall machine

Post by Sasquatch »

Your information is a bit hard to read, because you refer to the Guest with Computer and M0n0wall sometimes, and even ditch in Ubuntu a couple of times. This makes it very hard to pinpoint which machine you're actually referring to. Is it your Host, is it Ubuntu, or is it the M0n0wall VM?
Your attempt to create an ascii drawing also failed, it's unreadable. Please fix that. If it is what you wanted, I don't understand it.

Now, what I would like to see is the following:
- Router IP (this is apparently 192.168.5.1)
- Host IP
- Ubuntu VM IP
- M0n0wall VM IP
- VM configs (interfaces)
- Route that data needs to go according to your idea, source IP and destination IP, using which gateway if required.
Read the Forum Posting Guide before opening a topic.
VirtualBox FAQ: Check this before asking questions.
Online User Manual: A must read if you want to know what we're talking about.
Howto: Install Linux Guest Additions
Howto: Use Shared Folders on Linux Guest
See the Tutorials and FAQ section at the top of the Forum for more guides.
Try searching the forums first with Google and add the site filter for this forum.
E.g. install guest additions site:forums.virtualbox.org

Retired from this Forum since OSSO introduction.
saeldur
Posts: 8
Joined: 22. Mar 2011, 18:05
Primary OS: Linux other
VBox Version: OSE other
Guest OSses: Linux, Windows

Re: Network problem: Accessing through virtual firewall machine

Post by saeldur »

vbox4me2 wrote:You're getting the concept wrong, when using a firewall you do NOT attach the firewalled machines to the WAN side, do you?

Firewall: 1 VBox bridge and 1 internal (bridge (not a vbox bridge) them inside the VM or use something like squid)
VM's: only the internal lan
Right, the host should not be attached to the same network. It is no longer attached. The firewall has now 1 VBox bridge and 1 internal LAN.
The point is that I expected the ICMP Echo coming from 192.168.61.199 instead of 192.168.5.60 (the WAN interface in the firewall, the bridged one).

This is what I expected:

(ICMP Echo request from VM to Laptop)
MAC src = Firewall VBox bridged interface
MAC dst = Laptop's MAC
IP src = 192.168.61.199 (no NAT)
IP dst = Laptop's IP

Please tell me if I'm wrong and this should be in another way.
saeldur
Posts: 8
Joined: 22. Mar 2011, 18:05
Primary OS: Linux other
VBox Version: OSE other
Guest OSses: Linux, Windows

Re: Network problem: Accessing through virtual firewall machine

Post by saeldur »

Sasquatch wrote:Your information is a bit hard to read, because you refer to the Guest with Computer and M0n0wall sometimes, and even ditch in Ubuntu a couple of times. This makes it very hard to pinpoint which machine you're actually referring to. Is it your Host, is it Ubuntu, or is it the M0n0wall VM?
Your attempt to create an ascii drawing also failed, it's unreadable. Please fix that. If it is what you wanted, I don't understand it.

Now, what I would like to see is the following:
- Router IP (this is apparently 192.168.5.1)
- Host IP
- Ubuntu VM IP
- M0n0wall VM IP
- VM configs (interfaces)
- Route that data needs to go according to your idea, source IP and destination IP, using which gateway if required.
I'm sorry, I didn't think about different screen widths. Here is the information:

- Router IP: 192.168.5.1/24
- Host IP: 192.168.5.5/24
- m0n0wall VM IP (WAN - bridged to wlan0 in Host): 192.168.5.60/24 (DHCP - static, managed by Router)
- m0n0wall VM IP (LAN1 - internal): 192.168.61.1/24
- Ubuntu VM IP (internal): 192.168.61.199/24 (DHCP - dynamic, managed by m0n0wall)
- Route rule in the Router: 192.168.60.0/22 via gateway 192.168.5.60

- Laptop IP (inside my home LAN but inside m0n0wall's WAN): 192.168.5.105/24
- Traffic flow from Laptop to Ubuntu VM:

1. Laptop is not in the same network as Ubuntu VM so it sends the packet to the default gateway: Router
2. Router gets the packet and finds out that Laptop and gateway 192.168.5.60 are in the same network, so it sends an ICMP Redirect to Laptop
3. Laptop now knows that any data to 192.168.61.199 goes through (reachable) 192.168.5.60
4. Laptop sends all data now through 192.168.5.60
5. m0n0wall analyzes the packet and sends it to its destination at 192.168.61.199
6. Ubuntu VM receives the packet

Something in step 5 is broken; since the firewall is configured to let all packets pass (and without NAT), I've thought it's a VBox problem, maybe I should redo the test with a, say, IPCop firewall. Since (as previously stated) NAT is not configured, the ping described in the previous post from Ubuntu VM to Laptop with source IP = m0n0wall WAN instead of Ubuntu VM has stumped me.

Maybe my foundations are wrong :?

EDIT1: I forgot to add VM configs. Added DHCP information (irrelevant, but more complete now)
vbox4me2
Volunteer
Posts: 5218
Joined: 21. Nov 2008, 20:27
Location: Rotterdam

Re: Network problem: Accessing through virtual firewall machine

Post by vbox4me2 »

A firewall by definition should route traffic and sometimes mask traffic as to where its coming from, what you see might be entirely correct behavior.
Sasquatch
Volunteer
Posts: 17798
Joined: 17. Mar 2008, 13:41
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP, Windows 7, Linux
Location: /dev/random

Re: Network problem: Accessing through virtual firewall machine

Post by Sasquatch »

Vbox4me2 is correct. Because you have not configured NAT, your traffic gets 'masked' differently. This means that your M0n0wall acts as the mediator in all communications and puts its own stamp on the traffic. What's good to do is run tcpdump on the M0n0wall VM to see what is really happening when you ping the Ubuntu VM from the laptop. Also run it on the Ubuntu VM to see who actually sends the ICMP echo request: M0n0wall or laptop IP.

As you say, this is not a VB problem, it's all networking and the way it works. Your setup is fine, nothing wrong with it, but it's the implementation and routing that's making you think otherwise.
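The tcpdump check suggested above, and the Laptop -> Ubuntu VM flow in steps 1-6 of the previous post, can be verified from a capture taken on the m0n0wall WAN interface. The script below is an added example, not code from the thread or from m0n0wall: it parses constructed `tcpdump -n` ICMP lines, labels each outbound echo request as NATted (source is the firewall WAN address) or routed (internal source left untouched), and lists inbound requests to the internal LAN that never received a reply. The WAN address and internal subnet are the ones given in the thread; the sample lines are made up.

```python
import ipaddress
import re

# tcpdump -n line shape for ICMP echo (real format; sample lines below are constructed):
#   12:00:01.000100 IP 192.168.5.60 > 192.168.5.105: ICMP echo request, id 7, seq 1, length 64
ICMP_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
                     r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

WAN_IP = ipaddress.ip_address("192.168.5.60")          # m0n0wall WAN (bridged), from the thread
INTERNAL_NET = ipaddress.ip_network("192.168.61.0/24")  # Virtual LAN 1, from the thread

def parse_icmp(line):
    """Return (src, dst, kind, id, seq) for an ICMP echo line, or None for anything else."""
    m = ICMP_RE.match(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            m["kind"], int(m["id"]), int(m["seq"]))

def outbound_source_label(line, wan_ip=WAN_IP, internal_net=INTERNAL_NET):
    """Label an echo request seen on the WAN side: 'natted' when the source is the
    firewall's own WAN address (outbound NAT rewrote it), 'routed' when an internal
    address left untranslated, 'external' otherwise; None for non-requests."""
    p = parse_icmp(line)
    if p is None or p[2] != "request":
        return None
    if p[0] == wan_ip:
        return "natted"
    return "routed" if p[0] in internal_net else "external"

def unanswered_inbound(lines, internal_net=INTERNAL_NET):
    """Echo requests addressed to the internal LAN with no matching reply at this
    capture point: how a Laptop -> Ubuntu ping looks when the firewall drops it."""
    requests, replies = {}, set()
    for line in lines:
        p = parse_icmp(line)
        if p is None:
            continue
        src, dst, kind, ident, seq = p
        if kind == "request" and dst in internal_net:
            requests[(src, dst, ident, seq)] = line
        elif kind == "reply":
            replies.add((dst, src, ident, seq))  # a reply swaps src and dst
    return [requests[k] for k in requests if k not in replies]

# Constructed capture on the m0n0wall WAN interface (not from the thread).
SAMPLE = [
    "12:00:01.000100 IP 192.168.5.60 > 192.168.5.105: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.000300 IP 192.168.5.105 > 192.168.5.60: ICMP echo reply, id 7, seq 1, length 64",
    "12:00:05.000100 IP 192.168.5.105 > 192.168.61.199: ICMP echo request, id 9, seq 1, length 64",
    "12:00:06.000100 IP 192.168.5.105 > 192.168.61.199: ICMP echo request, id 9, seq 2, length 64",
]
```

Running the same functions over a capture from the Ubuntu VM's interface tells you whether the inbound requests ever reach it, which separates a firewall drop from a routing problem.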
saeldur
Posts: 8
Joined: 22. Mar 2011, 18:05
Primary OS: Linux other
VBox Version: OSE other
Guest OSses: Linux, Windows

Re: Network problem: Accessing through virtual firewall machine

Post by saeldur »

I'm feeling a bit ashamed right now :oops:

Yes, you are right, and my assumptions were wrong. Here is the reason for my trouble: 6.3 Outbound NAT
By default, m0n0wall automatically adds NAT rules to all interfaces to NAT your internal hosts to your WAN IP address for outbound traffic.
I was assuming that, by default, no action was being taken.

But this is half of the problem.

This reveals the reason why Laptop sees that ping from Ubuntu VM as coming from m0n0wall VM (WAN). However, I don't catch why the problem about being or not able to ping from Laptop to 192.168.61.x is still present.

In addition, I've tried to set NAT (not outbound NAT) and it is working. I can connect to Ubuntu VM SSH through 192.168.5.60:natted_port but not to 192.168.61.199 directly (which is the behavior I'd like to reach). This is a bit strange to me (but again, I should check the firewall twice).

Definitely this is a m0n0wall related problem. Thank you both vbox4me2 and Sasquatch for opening my eyes, and sorry about the inconvenience. VirtualBox was working nice (both with Host-only and internal), but the firewall was misconfigured.

PS: I'd like to try a bit more in depth before marking this thread as solved.
saeldur
Posts: 8
Joined: 22. Mar 2011, 18:05
Primary OS: Linux other
VBox Version: OSE other
Guest OSses: Linux, Windows

Re: Network problem: Accessing through virtual firewall machine

Post by saeldur »

Everything is working fine now. Misconfigured NAT and routes = broken firewall.

Next time I'll check my configuration thrice.

Thank you again for your patience :-)

PS: I had not enough characters left to add a "Solved" tag in the thread so I've left it unchanged, but feel free to change it the way you like if you prefer.