Can a Guest Be Totally Unaware There's a Host? [no]

scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux


Post by scottgus1 »

Question: Is there a way to configure the VirtualBox network settings so a VM on a network with internet access can get to the internet but cannot see any other network computers, either the host, other guests, or other real PCs? The VM would then be totally unaware of any other computers on the network?

Story: We have a Windows domain (SBS2003 guest on Win7 host, 192.168.0.### series) and several real and virtual PCs in the network, some are clients of the domain, some just workgroup PCs. We have a new remote employee coming to work soon and we want to set up a VM for him to remote into. I got an XP VM going using bridged networking to set up the system. I was able to get access through the network to all the other PCs and the web. Once I got everything set up I switched the VM's network to NAT, thinking this would sandbox the VM. Not so (at least at my latitude & longitude). The guest IP address changed from one of the 192.168.0.###'s to 10.0.2.15, as expected, and I can't get access to the guest from the host anymore, except thru VB shared folders. But I can still enter host and other LAN IP addresses within the guest and open shared folders on the host and other PCs, provided I have the correct username and password.

I don't want the VM to see there's anything else on the network except itself and the internet. Is this possible? (host is running 4.0.16, btw)
Last edited by scottgus1 on 24. Sep 2012, 15:40, edited 1 time in total.

Re: Can a Guest Be Totally Unaware There's a Host?

Post by scottgus1 »

Here's an "ipconfig /all" and a log file, in case it might help.



I also found this thread viewtopic.php?f=2&t=50751
I did change the VM to a different workgroup name than our regular non-domain "WORKGROUP", still able to get other PCs thru their IP addresses. I see that thread said that I'd need a second NIC (which the host has) and attach the VM to that. However, I'd still have to attach this second NIC to the switch that the rest of the network is connected to, so the VM would have web access, as we have only one internet connection. Wouldn't the NAT guest still be able to ping & open shared folders on the other PCs, as it's doing now?
Attachments
VM IPconfig & log.zip
(80.69 KiB) Downloaded 45 times
BillG
Volunteer
Posts: 5105
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia


Post by BillG »

Basically, no, you can't. The whole point of being on a network is to see other machines on that network. That is what all the network protocols are there for. The fact that it is a virtual machine on a virtual network does not change anything.

Basically what you would need to do is start disabling services from the network card properties (things like Microsoft Client for Networks and File and Printer Sharing). You probably only need TCP/IP. It really makes no difference whether it is a vm or not.

For a vm I would set it up using bridged mode on its own dedicated NIC, then start disabling things in the NIC properties.
Bill

Post by scottgus1 »

Thanks, Bill, for the info. I tried turning on the second nic, got some weird pulsing crippling CPU activity across all 24 cores. Driver problems, most likely; there's a new driver available. If I can get it working I'll report back how the sandboxing went.

Post by scottgus1 »

OK, I got the good drivers running and the crippling CPU pulses stopped (Yay!) And I reconfigured the special VM's network. But, the VM is still aware of the other network PCs.

I enabled the second host nic, and set the guest network to "bridged adapter", pointing to the second nic. Then I opened the second nic's properties and disabled everything except the "VirtualBox Bridged Networking Driver" and the "IP Protocol Version 4". "QoS Packet Scheduler", "File & Printer Sharing", "Client for Microsoft Networks" and the Link-Layer plug-ins are disabled. But in my guest I can still open my list of host shared folders and other network PCs' shared folders by \\computername or \\ip.ad.dr.ess.

However, I found that if I uncheck "File & Printer Sharing" and "Client for Microsoft Networks" in the guest, then I don't get access to any other network PCs through any means I have tried. (I have turned all the settings back on in the second host nic, by the way.) I made the change in an administrator account and made my remote user's account a regular user, not an admin. He'll be able to pull up the guest network card's property sheet, but the checkboxes are all disabled, so he can't turn them back on.

So the sandboxing seems to be a guest-dependent set-up, and the guest user can't be an admin. Something I'm missing? Is there another way to sandbox a guest using only the host settings? Or is this just typical networking stuff, not a VirtualBox-unique capability?

Post by BillG »

If the guest effectively has its own network connection, how could settings on the host control what it does? The traffic flowing to the guest using bridged mode is never seen by the IP stack in the host (even if TCP/IP is enabled in the host OS for this NIC). The filter driver which separates the host traffic from the guest traffic operates at the hardware (MAC) address level.

Using NAT will affect incoming traffic to the guest, but outgoing traffic should work as usual. That is the whole point of NAT.
Bill

Post by scottgus1 »

Thanks, Bill. I had a mistaken impression of what NAT did. I thought it drilled a vpn-like tunnel thru the host to the web, so the guest & host networks were entirely separate. I have to learn more about networks...

But it does make me wonder about the folks who might be using VirtualBox as a sandbox (there's plenty of "Can my host get a virus if my guest gets one?" posts - I think I've asked that myself). NAT still allows the guest's networking capabilities to see the host's network, even though the host can't see the guest. (I do hope I'm understanding this properly :) ) I wonder if PerryG's "How to set up a Windows domain" (viewtopic.php?f=25&t=36181) might or even should be used for sandboxing...

I have room on the host, I'll try it.

Post by scottgus1 »

Update: I used Perry's suggestion of a pfSense router VM and an internal network, like suggested in his tutorial. The VM on the internal network could access the internet and the pfSense web console, and neither the host nor the other PCs on the host's network can see the guest. However the guest behind the NAT- & intnet-connected pfSense router can see the host's shared folders, as well as other network resources on the host's network. Unless I'm doing something wrong, I don't see complete isolation between guest & host while getting internet access to the guest. Going to ask about the domain-setup instructions in a different thread.
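
The check done by hand throughout this thread (opening host and LAN shares from inside the guest while internet access still works) can be scripted and re-run after each network change. This is an added example, not part of any post: it runs inside the guest, and the target list, the 192.168.0.10 address and the 1.1.1.1 address are constructed assumptions; 10.0.2.2 is the host-side gateway address of VirtualBox's default NAT network.

```python
import ipaddress
import socket

# Constructed sample targets: 192.168.0.10 stands in for a PC on the thread's
# LAN; 10.0.2.2 is the host as seen through VirtualBox's default NAT gateway.
TARGETS = [
    ("10.0.2.2", 445),       # host SMB, via the NAT gateway alias
    ("192.168.0.10", 445),   # constructed LAN file server (SMB)
    ("1.1.1.1", 443),        # assumed public address for the internet check
]

# Private and link-local ranges: anything here is "the local network".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def tcp_probe(addr, port, timeout=2.0):
    """True if a TCP connection to addr:port completes from this guest."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # timeout, refused, unreachable
        return False

def audit(targets, probe=tcp_probe):
    """Return (leaks, internet_ok): reachable local targets, and whether
    at least one non-local target answered."""
    leaks, internet_ok = [], False
    for addr, port in targets:
        reachable = probe(addr, port)
        if is_local(addr):
            if reachable:
                leaks.append((addr, port))
        elif reachable:
            internet_ok = True
    return leaks, internet_ok

def verdict(leaks, internet_ok):
    if leaks:
        return "NOT ISOLATED"
    return "ISOLATED" if internet_ok else "NO CONNECTIVITY"

if __name__ == "__main__":
    leaks, ok = audit(TARGETS)
    print(verdict(leaks, ok))
    for addr, port in leaks:
        print("  guest can reach %s:%d" % (addr, port))
```

A refused connection counts as unreachable here, so list ports that are known to be listening on the host and LAN machines being checked.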