Can 'not' block virtualbox traffic with firewall

Discussions related to using VirtualBox on Windows hosts.
deanwarrenuk
Posts: 1
Joined: 5. Sep 2019, 09:51

Can 'not' block virtualbox traffic with firewall

Post by deanwarrenuk »

I am trying to configure my Windows system such that I can block VirtualBox VM traffic to, for example, the Internet but not the local network. That is, I have some services on my local network that my VMs must access, but I want to block all traffic outside of the local network, e.g. to and from the Internet.

I am using Windows 10 and chose to use the Windows Firewall as the configuration can be added to group policy and enforced for all users. I note VirtualBox has several services and processes, and assume virtualboxvm.exe is the process for the running VM (?). I then configure rules to block all protocols and ports for the virtualboxvm.exe for all networks (domain, private, public) both inbound and outbound. However, when running a simple ping or browser on the VM access to the internet is still possible. My rule works fine when I change it to apply for all executables.

Any ideas why I cannot block VirtualBox network traffic via the Windows Firewall?
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Can 'not' block virtualbox traffic with firewall

Post by scottgus1 »

As far as I know, VirtualBox attaches its networks further down the network stack and is not affected by the Windows Firewall. VirtualBox also does not contain a built-in way to block internet to a particular guest.

To block Internet from a guest, you need to Bridge the guest so it appears in your physical LAN along with all your other devices (yours is probably Bridged anyway so other devices can access the guest services), and so the network router can see the guest directly by IP address, MAC address, or guest OS network name. Then use your router's Access Restrictions or Parental Controls, or whatever the router calls them, to block internet to your guest's PC name or MAC address or IP address. (Note that IP addresses can change unless you set up static IP in the guest OS.)

NAT and NAT network also allow internet into guests. I do not know if it is possible to block a guest at the router when it is NATted or NAT-networked. If the guest MAC address appears it may be possible.
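A host-side check for the situation described in this thread, as an added example that is not part of any poster's message: it lists the host adapters that have the VirtualBox bridged filter bound, the block rules scoped to the VM process, and the MAC addresses of bridged guest NICs to enter in the router's access restrictions. The default install path and the component ID `oracle_VBoxNetLwf` are assumptions.

```powershell
# Added example. Assumptions: default install path, and 'oracle_VBoxNetLwf' as the
# component ID of the "VirtualBox NDIS6 Bridged Networking Driver".
$vboxDir = Join-Path $env:ProgramFiles 'Oracle\VirtualBox'
$vmExe   = Join-Path $vboxDir 'VirtualBoxVM.exe'
$vbm     = Join-Path $vboxDir 'VBoxManage.exe'

# 1. Host adapters with the bridged filter driver bound (the layer the reply points to).
Get-NetAdapterBinding -ComponentID 'oracle_VBoxNetLwf' -ErrorAction SilentlyContinue |
    Where-Object Enabled |
    Format-Table Name, DisplayName, Enabled -AutoSize

# 2. Enabled block rules scoped to the VM process, like the ones the original poster made.
Get-NetFirewallApplicationFilter -Program $vmExe -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' } |
    Format-Table DisplayName, Direction, Profile -AutoSize

# 3. Bridged guest NICs and their MAC addresses, for the router's access restrictions.
#    Run as the user who owns the VMs; VBoxManage only lists that user's machines.
$guests = foreach ($line in (& $vbm list vms)) {
    if ($line -match '^"(?<name>.+)" \{(?<id>[0-9a-f-]+)\}$') {
        $name = $Matches.name
        $info = @(& $vbm showvminfo $Matches.id --machinereadable)
        foreach ($nic in ($info -match '^nic\d+="bridged"$')) {
            $n   = [regex]::Match($nic, '\d+').Value
            $mac = @($info -match "^macaddress${n}=")[0] -replace '^.*="|"$'
            $via = @($info -match "^bridgeadapter${n}=")[0] -replace '^.*="|"$'
            [pscustomobject]@{
                Guest       = $name
                Nic         = $n
                Mac         = $mac -replace '(..)(?!$)', '$1:'   # 080027AABBCC -> 08:00:27:AA:BB:CC
                HostAdapter = $via
            }
        }
    }
}
$guests | Format-Table -AutoSize
```

Guests attached as NAT or NAT network do not appear in the third table, since the script only reports NICs whose attachment type is `bridged`.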
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Can 'not' block virtualbox traffic with firewall

Post by socratis »

deanwarrenuk wrote: I am trying to configure my Windows system such that I can block VirtualBox VM traffic to, for example, the Internet but not the local network
Then you've got to block your VM at the router level. No magic on the host will do that for you. Unless "local network (LAN)"="your host", then you could use a HostOnly network option. But this is not what you want. Once the packet has left your host (to access the LAN), there's nothing you can do about it. Only at the router level that connects LAN to Internet can you block it.

deanwarrenuk wrote: and assume virtualboxvm.exe is the process for the running VM (?)
Correct.

deanwarrenuk wrote: I then configure rules to block all protocols and ports for the virtualboxvm.exe for all networks (domain, private, public) both inbound and outbound
If the block was enforceable, you can forget about talking to the LAN, the packets couldn't leave your host.

deanwarrenuk wrote: My rule works fine when I change it to apply for all executables.
That's interesting... I wonder what could be "THE executable" that's affecting this. If you do block all executables (How?), do you have network traffic from your host?

scottgus1 wrote: As far as I know, VirtualBox attaches its networks further down the network stack and is not affected by the Windows Firewall.
I think you're right Scott, since the Bridged filter is inserted at the driver level, way below the firewall has a chance of seeing it.

scottgus1 wrote: Then use your router's Access Restrictions or Parental Controls, or whatever the router calls them, to block internet to your guest's PC name or MAC address or IP address
Hallelujah! That's what I've been saying ... no, wait... you said it first! :)

Take a look at the thread "How to keep virtual machine off the Internet?" that was recently discussed...

scottgus1 wrote: I do not know if it is possible to block a guest at the router when it is NATted or NAT-networked. If the guest MAC address appears it may be possible.
I don't think it does. Just like if you have multiple computers in your LAN and you're trying to use a tool like "What's my IP?", they all look the same; the router's IP...