Set Up Windows Domain (PerryG)-Complete isolation of guests?

scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows, Linux

Set Up Windows Domain (PerryG)-Complete isolation of guests?

Post by scottgus1 »

In this thread (viewtopic.php?f=1&t=51495) I reported that when I used the Setting Up a Windows Domain instructions: (viewtopic.php?f=25&t=36181) to try to completely sandbox a guest from the entire host network while still getting internet access I was not completely successful. The host and other host-network PCs could not see the guest behind the pfSense router VM, but the guest, which did have internet access (good), also was able to access the host network's resources (not good).

The setup on my network & host is as follows:
The host (running VBox version 4.0.16) has several guests, including a SBS2003 guest acting as domain controller & DHCP server and all the rest, as well as some domain client VMs and some non-domain VMs. All these VMs are bridged to one NIC in the host, which is physically wired to an unmanaged switch, to which all the real PCs on the office network and the fios router (DHCP disabled, btw) are connected. Most of the real PCs are domain clients, some are not. All of these real and virtual PCs are in the 192.168.0.1/24 range. (Meaning the network's ip's range from 192.168.0.1 to 192.168.0.254, if I understand that /24 properly. The subnet is 255.255.255.0)

My pfSense VM is attached thru NAT in the Vbox GUI, and it gets a 10.0.2.15 ip address on the NAT-ted nic. The pfSense VM also has a nic attached to a Vbox internal network called "RemoteInIntNet". I set this second nic in pfSense to have an ip of 192.168.1.1/24 and enabled the DHCP server for that nic's network. I made an XP guest, with its nic attached to "RemoteInIntNet". The guest got an ip of 192.168.1.2. It has internet access. But if I ping the host's ip, 192.168.0.201, the pings get through fine. If I type in my personal PC's ip in the guest XP Run... box (\\192.168.0.240) I see my shared folders, and can open the files therein. If I enter the SBS VM's ip in the guest Run... box I get the Enter Password box for the domain. The guest can see everything.

Am I still missing something? I assumed (and yes I know what assuming does :) ) that the purpose of the whole intnet-and-pfSense-based domain setup was to keep the test domain from interfering with the production domain, since one can't have, for example, 2 SBS computers on the same domain without damage happening. To test a new domain, I would think one would want complete isolation. I'd be worried the test domain could find the production domain. Or worse, a virus in the guest, if coded to look for common network ip's, could get out of the test network, because it could see and access the host's network.
BillG
Volunteer
Posts: 5106
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: Set Up Windows Domain (PerryG)-Complete isolation of guests?

Post by BillG »

No, I don't think that is necessary. There is no problem with having one domain access another domain through a routed network (Microsoft even gives you a trust system so that the trust is between domains, not machines. If your credentials are valid on one domain, they will be accepted by the other). Many companies have more than one domain and have them all linked through their local network. The problems arise if they are in the same network and the same IP subnet.

Most of the problems are caused by LAN broadcasts, and they are blocked by routers. For instance you cannot have two DHCP servers in the same segment because they will both broadcast on the segment, but it works if they are in different segments.
Bill
DNS
Posts: 107
Joined: 2. May 2011, 00:16
Primary OS: MS Windows 7
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: xp win7

Re: Set Up Windows Domain (PerryG)-Complete isolation of guests?

Post by DNS »

Bridge the gateway router.
BillG
Volunteer
Posts: 5106
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: Set Up Windows Domain (PerryG)-Complete isolation of guests?

Post by BillG »

I have never had a problem running a domain behind a double NAT connection (although I am running a fully routed system at the moment). NAT works fine.

Running the link to the physical network as bridged rather than NAT would not prevent the guest from seeing the machines on the physical LAN through NAT (including the host). That is how NAT works. The machines on the physical LAN are on the public side of the pfSense NAT so they are reachable. The important thing is that a machine from the public side cannot connect to the guest. NAT is a one-way address translation. The machines on the private side can see out by sharing its "public" IP address for network operations on the LAN.
Bill
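As an added illustration (not code from this thread, from VirtualBox or from pfSense), here is a small first-match-wins policy evaluator over the addresses the thread mentions. It shows why the default NAT policy lets the guest reach the host LAN but not the reverse, and goes one step beyond the thread by showing how a pfSense LAN-side block rule for RFC1918 destinations (placed after a pass rule for the firewall's own LAN address, so DNS and DHCP from pfSense keep working) gives the isolation scottgus1 was after. The internet address 203.0.113.10 is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread, plus one constructed internet destination.
GUEST = "192.168.1.2"          # XP guest on the "RemoteInIntNet" internal network
PFSENSE_LAN = "192.168.1.1"    # pfSense address on the internal network
HOST = "192.168.0.201"
PERSONAL_PC = "192.168.0.240"
INTERNET = "203.0.113.10"      # constructed placeholder (TEST-NET-3)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    iface: str    # interface the packet enters on: "lan" (guest side) or "wan"
    action: str   # "pass" or "block"
    dst: str      # "any", "rfc1918", or a CIDR string

    def matches(self, iface: str, dst_ip: str) -> bool:
        if iface != self.iface:
            return False
        if self.dst == "any":
            return True
        ip = ipaddress.ip_address(dst_ip)
        if self.dst == "rfc1918":
            return any(ip in net for net in RFC1918)
        return ip in ipaddress.ip_network(self.dst)

def decide(rules, iface: str, dst_ip: str) -> str:
    """First matching rule wins, as on pfSense; no match means block."""
    for rule in rules:
        if rule.matches(iface, dst_ip):
            return rule.action
    return "block"

# Policy as described in the thread: the guest side may go anywhere, and with no
# port forwards nothing unsolicited is accepted from the WAN (host LAN) side.
DEFAULT_RULES = [Rule("lan", "pass", "any")]

# Hardened policy: keep the firewall's own address reachable, then drop every
# other private-range destination before the catch-all pass.
ISOLATED_RULES = [
    Rule("lan", "pass", PFSENSE_LAN + "/32"),
    Rule("lan", "block", "rfc1918"),
    Rule("lan", "pass", "any"),
]

def reachable_from_guest(rules, dst_ip: str) -> bool:
    return decide(rules, "lan", dst_ip) == "pass"

def reachable_from_lan(rules, dst_ip: str = GUEST) -> bool:
    return decide(rules, "wan", dst_ip) == "pass"
```

The evaluator models only destination filtering; on a real pfSense box the LAN block rule would be expressed with an RFC1918 alias and would still need the usual stateful return traffic, which pfSense handles automatically.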
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows, Linux

Re: Set Up Windows Domain (PerryG)-Complete isolation of guests?

Post by scottgus1 »

Thanks, Bill, for that very interesting info on domains. So it sounds like having the guest be able to see the host should be OK, for domain testing.

But it sounds like there is no way as yet to truly sandbox a guest while still allowing it internet access, at least just using Virtualbox. Sounds like VB needs a new network mode. Off to the Suggestions forum!