How to isolate the guest VM

Discussions about using Windows guests in VirtualBox.
ccampbell15
Posts: 10
Joined: 18. Dec 2012, 11:41

How to isolate the guest VM

Post by ccampbell15 »

I have created a VM on a Windows 2008 R2 host. Set the guest up with the default NAT network I/O and then issued
VBoxManage modifyvm "VM!-server" --natdnshostresolver1 on.

This changed the DNS server from my router's IP to 10.0.2.3 and I thought I had it isolated. Well, not so. Not only can I ping the router and all other workstations on the LAN, I can actually enter the IP in IE and access the router. Is there some way to isolate the guest?

The guest needs to be accessed from an external location and needs internet access. I just want to isolate it from my real LAN and any other VMs.

Thanks
Lee
BillG
Volunteer
Posts: 5106
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: How to isolate the guest VM

Post by BillG »

How will the vm access the Internet without having access to your LAN? The only way it can connect to any network is through a physical NIC in the host.

If you want the vm to be isolated from the host and its network, you will need to install an additional NIC in the host, then dedicate one NIC to the host and one to the vm (through the network settings in the host OS).
Bill
noteirak
Site Moderator
Posts: 5231
Joined: 13. Jan 2012, 11:14
Primary OS: Debian other
VBox Version: OSE Debian
Guest OSses: Debian, Win 2k8, Win 7
Contact:

Re: How to isolate the guest VM

Post by noteirak »

On top of what BillG said, if your router/switch supports it, you can always use VLANs if you do not have another physical NIC.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
ccampbell15
Posts: 10
Joined: 18. Dec 2012, 11:41

Re: How to isolate the guest VM

Post by ccampbell15 »

Hi Guys,

I did add an additional NIC but I'm confused on the setup. From what I can gather I'm supposed to set up the guest in bridged mode and then disable TCP/IP on the host NIC, which I did. For some reason the guest has an IP address of my LAN and has access to my router. Ooops! I was going to attach a PDF of the NIC settings and what I see from the guest but PDF is not allowed as an attachment for some reason.

It's at https://www.yousendit.com/dl?phi_action ... NUpBSXNUQw

Thanks
Lee
noteirak
Site Moderator
Posts: 5231
Joined: 13. Jan 2012, 11:14
Primary OS: Debian other
VBox Version: OSE Debian
Guest OSses: Debian, Win 2k8, Win 7
Contact:

Re: How to isolate the guest VM

Post by noteirak »

ccampbell15 wrote: From what I can gather I'm supposed to set up the guest in bridged mode and then disable TCP/IP on the host NIC, which I did.
That is correct.
ccampbell15 wrote: For some reason the guest has an IP address of my LAN
That is normal if you make your guest get its IP via DHCP. This is how it is supposed to work.
ccampbell15 wrote: and has access to my router.
Also normal, since you're in the DHCP range.

I think you are confusing some things here, a few pointers for you:
1. This is purely a networking issue, and has nothing to do with VirtualBox, except for the first quote, which you successfully completed.
2. There are only two ways to really separate things in your case: a VLAN, or another router.
3. What is it that you want exactly - do you want to prohibit any status/management access to the router? If yes, use iptables.

I think the best way to get real help would be to explain what you want, but most importantly, why.
This way, we can actually see what your requirements are and point you in the best direction, instead of giving you advice based on a possibly false assumption.
ccampbell15
Posts: 10
Joined: 18. Dec 2012, 11:41

Re: How to isolate the guest VM

Post by ccampbell15 »

Well, here's what I'm trying to do:

1: Create 4 VMs using VirtualBox running on a Server 2008 R2 or Win 7 host.
2: Allow incoming RDP connections to each VM and also allow Internet access.
3: Isolate the VMs from one another and from the host; e.g. can't ping anything on my real LAN or see the other 3 VMs.

I am using my Win 7 box atm and have a separate router for one NIC on a subnet of 10.10.200.
Since both adapters are on the same hardware they are bridged and can see each other. That bridge seems to be my problem. It propagates over to the VMs.

So when I open one of the VMs I get
Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4546:a765:c4e0:9cdd%12
IPv4 Address. . . . . . . . . . . : 10.10.200.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.200.1

But I can still open 192.168.1.1. That's what I'm trying to avoid.
ccampbell15
Posts: 10
Joined: 18. Dec 2012, 11:41

Re: How to isolate the guest VM

Post by ccampbell15 »

This may be a bit more clear:


1: Create 4 VMs using VirtualBox running on a Server 2008 R2 or Win 7 host.
2: Allow incoming RDP connections to each VM and also allow Internet access.
3: Isolate the VMs from one another and from the host; e.g. can't ping anything on my real LAN or see the other 3 VMs.

I placed a second router behind the first one so now it looks like:

Cable modem --- 192.168.1 ----- VMs and Server
|
|
|---- 10.10.200 ---- My Lan

So now 10.10.200 can see 192.168.1 but not the other way. I can isolate my LAN but not the main router from the VMs. It's the opposite of what I'm trying to do. I'd like to put the VMs on 10.10.200 and have the isolation go the other way but still somehow maintain internet access. I was hoping that VirtualBox would handle the isolation (I think VMware does) but may just need to sleep on this.

TY
noteirak
Site Moderator
Posts: 5231
Joined: 13. Jan 2012, 11:14
Primary OS: Debian other
VBox Version: OSE Debian
Guest OSses: Debian, Win 2k8, Win 7
Contact:

Re: How to isolate the guest VM

Post by noteirak »

Ok, I now understand what you are trying to do. There are several steps to set up what you like, but since this is not part of VirtualBox, I will keep it short:

1. Each VM has to be on a separate subnet
2. Your router must have an IP on each of the subnets
3. Router's firewall must block all FORWARD traffic to each subnet (using iptables)
4. Router's firewall must block all INCOMING requests to its management ports on each VM subnet
5. Make sure promiscuous mode is disabled on each VM adapter

This way there is only one VM and the router in the subnet, so the VM can go outside, you can provide access to the remote desktop, but there is no way to see any information about your router.
Since each VM is in its own subnet, it must send any request to the router to try to check anything outside its network, which won't happen thanks to the firewall rules.

There you go.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
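
The steps listed in the post above, sketched as an added example (not part of the original thread and not noteirak's own rules): a generator that prints the router-side iptables rules and the host-side VirtualBox command for each VM. The VM names, interface names, subnets, external RDP ports and management ports are all assumptions, and the rules assume a Linux-based router whose FORWARD and INPUT chains do not already accept this traffic earlier.

```shell
#!/bin/sh
# Added example: one subnet per VM, each with its own router interface.
WAN_IF="vlan2"              # assumed WAN-facing interface on the router
MGMT_PORTS="22,23,80,443"   # assumed router management ports (SSH, Telnet, GUI)
# Constructed sample table: "<VM name> <router interface> <VM IP> <external RDP port>"
VM_TABLE="vm1 vlan11 10.10.201.2 33891
vm2 vlan12 10.10.202.2 33892
vm3 vlan13 10.10.203.2 33893
vm4 vlan14 10.10.204.2 33894"

gen_rules() {
    # Replies to connections that were already allowed must pass first.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$VM_TABLE" | while read -r name ifc ip port; do
        # Incoming RDP: one external port per VM, forwarded to that VM only.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $ip:3389"
        echo "iptables -A FORWARD -i $WAN_IF -o $ifc -p tcp -d $ip --dport 3389 -j ACCEPT"
        # Internet access: the VM may only be routed out of the WAN interface.
        echo "iptables -A FORWARD -i $ifc -o $WAN_IF -j ACCEPT"
        # Anything else from or to this VM subnet (other VMs, the LAN) is dropped.
        echo "iptables -A FORWARD -i $ifc -j DROP"
        echo "iptables -A FORWARD -o $ifc -j DROP"
        # The VM cannot reach the router's own management services.
        echo "iptables -A INPUT -i $ifc -p tcp -m multiport --dports $MGMT_PORTS -j DROP"
    done
}

gen_host_cmds() {
    # Run on the VirtualBox host: refuse promiscuous mode on adapter 1 of each VM.
    echo "$VM_TABLE" | while read -r name ifc ip port; do
        echo "VBoxManage modifyvm \"$name\" --nicpromisc1 deny"
    done
}

# Print both sets of commands for review before applying any of them.
gen_rules
gen_host_cmds
```

The output is meant to be reviewed and adapted to the router's existing chains rather than piped straight into a shell.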
ccampbell15
Posts: 10
Joined: 18. Dec 2012, 11:41

Re: How to isolate the guest VM

Post by ccampbell15 »

Thanks!
:D
Thanks!

In the meantime I took a look at iptables for DD-WRT and that firmware has much more capability than I realized. I blocked access to the GUI and Telnet for everyone except for my main workstation. I also blocked ping.

Wrong forum I guess. I was just looking for the quick/EZ solution that I never manage to find. – lol

-Lee