Secure my private LAN from guest OS'

Discussions related to using VirtualBox on Windows hosts.
thetrevster
Posts: 3
Joined: 14. Oct 2012, 10:33

Secure my private LAN from guest OS'

Post by thetrevster »

Hello community. I'm new here but I had a question about networking in VirtualBox. I have VirtualBox running as a host on my Windows Server 2003 server. My router gives out my private IP range of 10.0.0.0/24, DHCP server address 10.0.0.254, with my server having an IP address of 10.0.0.200. I have a Windows XP guest OS installed inside of VirtualBox. My question is, is there any way that I can set up networking just like bridged mode in a guest but not have the guest OS be able to communicate with my private LAN? Basically, I will have a client remotely dialing into the XP guest. I want that client to be able to have web access, but I don't want that client to be able to browse any of my private LAN (10.0.0.0/24). Is there any way to do this? I've heard of creating another guest with a firewall such as pfSense and using that for the routing functions and blocking outgoing 10.0.0.0/24 while binding the XP to another interface on that guest VM.

Much appreciated,
Trevor.
BillG
Volunteer
Posts: 5102
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: Secure my private LAN from guest OS'

Post by BillG »

No matter how you fiddle with the adapters in the host and/or the guest, if your VM connects to the Internet through the same gateway router it is going to be in the same network and the same IP subnet as the host (10.0.0.0/24).

By default two machines in the same subnet have network access to each other. If you want to prevent that you have to do it through the network settings and/or the firewall settings of the machine. This applies whether the machine is physical or virtual - the networking is just the same.

If you put the VM in some different subnet behind an internal router you will not be able to connect to it from the Internet, which rather defeats what you are trying to achieve. From the Internet you must connect to the Internet router's public IP. You can forward traffic to a machine on the LAN, but you can't forward again through a second router.
Bill
thetrevster
Posts: 3
Joined: 14. Oct 2012, 10:33

Re: Secure my private LAN from guest OS'

Post by thetrevster »

I see. Well, how about setting up a pfSense firewall as a VM, then having a virtual WAN interface accept traffic from my router, then having a separate virtual LAN interface for traffic from pfSense. Then on my router, set up the pfSense WAN IP as the DMZ. At this point, I will set up the XP VM to route through the pfSense virtual LAN interface and use pfSense for all port forwarding. I then could add 10.0.0.0/24 into the outgoing firewall within pfSense to block that range. Basically, I just don't want my XP client to be able to tweak the network settings inside their VM to be able to see my router LAN network (10.0.0.0/24).

It basically would be like this:

Router (10.0.0.0/24) ---> pfSense Virtual WAN NIC (ex. 10.0.0.22 static DMZ host from router) ---> pfSense VM ---> pfSense Virtual LAN NIC (whatever IP scheme may be) ---> XP virtual NIC

Any idea if that would work? Or am I a bit crazy? :P
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Secure my private LAN from guest OS'

Post by scottgus1 »

I just tried the same thing with a pfSense router VM and some guest XPs and found my guest XPs could still access the host and host LAN PCs' shared network resources. See viewtopic.php?f=1&t=51720&p=236874 and viewtopic.php?f=1&t=51495, and my feature request, viewtopic.php?f=9&t=51729

It is possible to turn off the LAN-browsing features ("Client for Microsoft Networks" and "File and Printer Sharing") in the guest's NIC settings; then the guest couldn't see the host's LAN resources, but the guest has to be logged on as "user", not "admin", to keep the guest user from simply turning those settings back on again. And if you wanted to run multiple guests behind the pfSense in such a way, there'd be no way to allow the guests to share files between each other using just the built-in XP file-sharing capabilities, because they're the ones you turn off to block the access to the host's LAN.

Such a guest arrangement can still access the Internet, and if you install a screen-sharing program like LogMeIn, you'd be able to get into the guest remotely without having to do any port forwarding. I did this successfully; I just couldn't block access to the host without turning off the guest XP's LAN-browsing settings. There may be a way within pfSense to use its firewall settings to block local-LAN requests beyond the WAN NIC in pfSense, but I haven't figured it out yet.
thetrevster
Posts: 3
Joined: 14. Oct 2012, 10:33

Re: Secure my private LAN from guest OS'

Post by thetrevster »

Woo! I seem to have gotten mine working perfectly. Here are the steps I have completed:

In pfSense, set the WAN NIC to the bridged adapter (for me, I set a static IP of 10.0.0.248, which is in my private FiOS LAN). Then set the pfSense LAN (for me, 172.16.11.0/24) to the host-only adapter in VirtualBox. Now create a rule in pfSense to block outgoing traffic to your private LAN (mine, 10.0.0.0/24). I attached a picture of my rule.

Now, on your host operating system, go into Network Connections and select your host-only network adapter. Assign it a static IP that is NOT in the subnet of your pfSense LAN output (I entered 1.1.1.1). Now any other guests using that host-only adapter will get an IP via DHCP from pfSense, although I disabled DHCP and assigned the IPs to my guests manually, making sure they were in the pfSense LAN subnet.

All is well now. If I try and ping 10.0.0.254 (which is my FiOS DHCP server) or 10.0.0.200 (my host, Server 2003), I get timeouts. Perfect. If I try and ping google.com, I get replies. Perfect! If your other guest OSes are already using the host-only adapter for another reason, just create a new one called "host-only 2" or something and use that. I made a few other tweaks like enabling remote administration of pfSense on the WAN side so I could manage it from my FiOS network, etc.

My rule:
[attachment: Screen Shot 2012-10-16 at 2.23.18 PM.png]
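Added example, not code from the thread or from pfSense: a small model of the LAN rule set thetrevster describes, evaluated first-match-wins the way pfSense evaluates interface rules, to show why the block-to-10.0.0.0/24 rule has to sit above the stock "LAN to any" pass rule and which of the addresses he pings it stops. The networks and the 10.0.0.x addresses are the thread's; the guest IP 172.16.11.10 and the Internet target 203.0.113.10 are constructed. It only models traffic that crosses pfSense; anything a guest can reach directly on the host-only segment (such as the host's 1.1.1.1) is outside the rule set.

```python
"""Model of the pfSense LAN rules from the thread (first match wins).

Constructed example; it does not talk to pfSense or VirtualBox.
"""
import ipaddress

# pfSense implicit default when no rule matches.
DEFAULT_ACTION = "block"


def first_match(rules, src, dst):
    """Return the action of the first rule matching src -> dst.

    rules: list of (action, source network, destination network).
    Falls through to DEFAULT_ACTION when nothing matches, as pfSense does.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if src_ip in ipaddress.ip_network(src_net) and dst_ip in ipaddress.ip_network(dst_net):
            return action
    return DEFAULT_ACTION


# Rule set as the thread describes it: block traffic to the private LAN first,
# then the stock "LAN to any" pass rule that pfSense ships with.
LAN_RULES = [
    ("block", "172.16.11.0/24", "10.0.0.0/24"),
    ("pass", "172.16.11.0/24", "0.0.0.0/0"),
]

# Same two rules in the wrong order: the pass rule now shadows the block.
WRONG_ORDER = list(reversed(LAN_RULES))

# Targets from the thread plus one constructed Internet address (TEST-NET-3).
TARGETS = {
    "10.0.0.254": "FiOS router / DHCP server",
    "10.0.0.200": "host, Windows Server 2003",
    "10.0.0.248": "pfSense WAN address",
    "203.0.113.10": "constructed Internet address",
}


def check_isolation(rules, guest="172.16.11.10"):
    """Evaluate each target from the (constructed) guest IP; returns {target: action}."""
    return {target: first_match(rules, guest, target) for target in TARGETS}


if __name__ == "__main__":
    for label, rules in (("correct order", LAN_RULES), ("wrong order", WRONG_ORDER)):
        print(label, check_isolation(rules))
```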