Separating Networks

Discussions related to using VirtualBox on Windows hosts.
h0ward
Posts: 5
Joined: 28. Mar 2013, 17:28

Separating Networks

Post by h0ward »

Hello all,
I've been working with a fedora VM for quite some time now, and it has quite a bit of advanced networking going on to provide a plethora of networking services to a small network. Recently though, I have run into a small problem. I need to separate the host machine network from the VM network, while still allowing the host machine to talk to the VM network. The setup currently is as so: The host machine has a single physical NIC whose connection is bridged to the VM Virtual NIC. This will allow the VM to talk to the switch that is sitting on the desk next to the machine. Unfortunately this switch is my line out to our corporate network as well, and they get a little angry when my VM starts advertising DHCP addresses to other unsuspecting employees on the network (since they can only talk to me and not the network then haha). So what I would like to do is have my host machine (Windows 7) connected to the corporate network on a connection that is not bridged to the VM network, while also providing a second interface which is bridged to the VM network allowing that network to talk to any of the devices on the switch having the same subnet.

I realize that could be a little confusing so I'll give more insight... The VM network operates on the 192.168.0.X subnet and the host machine (corporate network) operates on the 10.1.X.X subnet. So my thinking is that if I can set up the host machine such that I have an interface for each subnet, and the VM NIC is bridged and in the proper subnet, the VM will be capable of talking to the devices on the switch in the 192.168.0.x subnet. Simultaneously, there is another NIC on the host machine in the 10.1.x.x subnet which is not bridged, allowing the host machine to communicate with the devices on the switch having the 10.1.x.x subnet. And the clashing of subnets will keep the two subnets from communicating through one another (unless I am talking directly to that subnet?).

Through my research I was able to find that it is possible to create a virtual NIC on windows via the Microsoft Loopback Adapter, but so far I have had no luck using it as the host-machine side of the VM Network bridge. Can anyone offer a little insight as to how I might go about doing this?

* Note that the VM network must operate through a bridge due to some of the networking services being offered by the VM.
noteirak
Site Moderator
Posts: 5231
Joined: 13. Jan 2012, 11:14
Primary OS: Debian other
VBox Version: OSE Debian
Guest OSses: Debian, Win 2k8, Win 7

Re: Separating Networks

Post by noteirak »

Have you considered using a Host-Only interface and putting all your VMs on it? Your host will then become a local switch (via the Host-Only interface) and if you enable IP Routing, you can even turn it into a router for your VM network.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
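The host-only layout noteirak describes, written out as an added example for a Windows host (this is not code from the thread or from VirtualBox's own documentation). It assumes VBoxManage.exe is on PATH, the VM is named `fedora`, the host-only adapter name is whatever `hostonlyif create` prints on this host, and the 192.168.0.0/24 addressing is the one from the first post; the routing step at the end is optional and carries its own caveat.

```powershell
# Added example: put the VM on a host-only network and (optionally) let the
# host route for it. Assumptions: VBoxManage.exe on PATH, VM named "fedora",
# adapter name taken from the "hostonlyif create" output on this host.
# Run from an elevated PowerShell; the VM must be powered off for modifyvm.

# 1. Create a host-only interface and give the host side an address in the
#    VM subnet. On Windows the command prints e.g.
#    "Interface 'VirtualBox Host-Only Ethernet Adapter #2' was successfully created"
$created = & VBoxManage hostonlyif create 2>&1 | Out-String
$ifname  = [regex]::Match($created, "Interface '([^']+)'").Groups[1].Value
if (-not $ifname) { throw "hostonlyif create did not report an interface name:`n$created" }

VBoxManage hostonlyif ipconfig $ifname --ip 192.168.0.2 --netmask 255.255.255.0

# 2. VirtualBox may attach its own DHCP server to a host-only interface. The VM
#    already serves DHCP for this subnet, so switch VirtualBox's off; the call
#    errors harmlessly if no server was defined for this interface.
VBoxManage dhcpserver modify --ifname $ifname --disable 2>$null

# 3. Attach the VM's first NIC to the host-only interface. Nothing on this
#    interface can reach the physical NIC, so the VM's DHCP offers stay local.
VBoxManage modifyvm "fedora" --nic1 hostonly --hostonlyadapter1 $ifname

# 4. Optional: make the host forward IP between its interfaces (Windows 7+).
#    This also makes the host a path between 192.168.0.0/24 and the corporate
#    LAN, so only enable it together with host firewall rules that limit it.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
    -Name IPEnableRouter -Value 1 -Type DWord
# Takes effect after a reboot (or a restart of the Routing and Remote Access service).
```

Step 4 is the one to think twice about: with IPEnableRouter set, the host forwards between every interface it has, so the VM subnet becomes reachable from the corporate LAN (and vice versa) unless host firewall rules say otherwise, which is the opposite of the isolation the thread is after. Leave it out unless that reachability is wanted.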
BillG
Volunteer
Posts: 5106
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: Separating Networks

Post by BillG »

Host Only or the Microsoft Loopback Adapter should both work. They are really very similar.

What sort of problems did you have with the MLA? All you should need to do is to assign each vm to the MLA rather than the physical NIC (from the dropdown list in the network settings).
Bill
h0ward
Posts: 5
Joined: 28. Mar 2013, 17:28

Re: Separating Networks

Post by h0ward »

The problem is not creating a network for multiple VMs, rather there are devices on my switch which need to be able to talk to only the VM itself. Simultaneously I need the host machine to be able to talk to the corporate network (also attached to the switch). The VM should not be able to talk to the corporate network, only the devices from the same subnet that are attached to the switch. When trying to use the MLA, I was never able to determine an IP address for the interface after bridging it. And it seemed that the VM could still not talk to that adapter when I substituted the Bridge's IP address for it. Furthermore, when the Host only adapter (which is being used by the VM) was bridged to the MLA, the VM could not even talk to the devices on the switch.

The VM itself is using a host only adapter, which is normally bridged to my physical NIC interface allowing it to talk to the switch. The only problem with the normal setup is that the host machine can no longer talk to the corporate network. So what I think I need is a way to create a virtual NIC in windows which is not a loopback device, such that the existing physical interface can be left to the Host machine only, and the virtual NIC could be bridged to the VM Host only Adapter. Unfortunately I don't know of a way to create such a virtual NIC in windows, can anyone see another workaround for this problem?
noteirak
Site Moderator
Posts: 5231
Joined: 13. Jan 2012, 11:14
Primary OS: Debian other
VBox Version: OSE Debian
Guest OSses: Debian, Win 2k8, Win 7

Re: Separating Networks

Post by noteirak »

A switch is a layer 2 device. What you are trying to do is dividing logical networks! That is a layer 3 hardware (AKA router) job.
You can also go around it with VLANs (layer 2 physical networks).

Either use a router and different subnets, or use VLANs if you can do VLAN tagging on your host & on your VMs.
I can't possibly see any other way.
Rootman
Posts: 251
Joined: 1. Oct 2012, 18:29

Re: Separating Networks

Post by Rootman »

This is a cinch with a second NIC in the host and I don't think that the VM will bind to a logical NIC on the host. If you have room for another NIC card in the host that's the way to go, bind all your VMs to the second NIC and plug it in to the private switch. Else it becomes a routing issue that is not that easy to set up but can be done, perhaps with the help of your IT personnel.

I have done this to a host at work as well. I have a mini tower and no room for a second NIC so I bought a USB NIC; while it limits the throughput by being over the USB subsystem it works for my purposes. All my VMs are bound to this second USB NIC which is connected to an outside line to the internet; my host talks to the corporate LAN and the VMs.

In fact, my VMs have 2 NICs, one on the corp LAN, which I typically have turned off with VBox setting "cable unplugged" in the VMs network configuration. The second NIC is bound through the USB NIC to my private LAN. I can put the machines on either LAN by simply "unplugging" and "plugging in" the appropriate virtual NIC in the VMs.
BillG
Volunteer
Posts: 5106
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: Separating Networks

Post by BillG »

Both the MLA and the host only adapter are virtual adapters on the host. They allow the virtual machines to communicate with the host machine. They do not allow you to communicate with anything beyond that. Surely the name "host only" makes that clear.

As Rootman points out, to isolate the VPN connection from what happens locally, the best solution is a second physical NIC in the host. You can make sure that the NIC used by the VPN connection is never associated with a virtual network by clearing the box for the VirtualBox Bridged Networking Driver (in the NIC properties viewed from the host OS).
Bill
Rootman
Posts: 251
Joined: 1. Oct 2012, 18:29

Re: Separating Networks

Post by Rootman »

I also forgot a minor point, be sure to set the binding order in the HOST correctly to grab your WORK LAN first, VPN second. Your HOST (and therefore WORK LAN) should be pretty ignorant of the VPN network as it will always route through the WORK LAN first but the HOST will still be able to connect to your guests just fine through the VBox HOST ONLY virtual NIC.
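An added example (not from the thread) that puts BillG's "clear the Bridged Networking Driver checkbox" step and Rootman's binding-order point into a PowerShell check for a two-NIC host. It assumes the NetAdapter cmdlets of Windows 8 / PowerShell 3 or later (on Windows 7 the same checkbox lives in the adapter's Properties dialog and there is no cmdlet for it), placeholder adapter names `Corporate` and `Lab`, and the two component IDs VirtualBox has used for its bridged driver (`oracle_VBoxNetLwf` for the NDIS6 driver, `sun_VBoxNetFlt` for the older NDIS5 one). On these Windows versions the interface metric is what decides which NIC's route wins, which is the practical effect the binding-order advice is after.

```powershell
# Added example: confirm the VirtualBox bridged driver is bound only to the lab
# NIC, unbind it from the corporate NIC, and check the host's route preference.
# Assumptions: Windows 8 / PowerShell 3+ NetAdapter cmdlets; adapter names
# "Corporate" and "Lab" are placeholders; component IDs are VirtualBox's NDIS6
# (oracle_VBoxNetLwf) and NDIS5 (sun_VBoxNetFlt) bridged driver IDs.
# Run from an elevated PowerShell.

$Corporate = 'Corporate'
$Lab       = 'Lab'
$BridgeIds = 'oracle_VBoxNetLwf', 'sun_VBoxNetFlt'

# Which adapters currently have the bridged driver bound? Anything listed with
# Enabled = True can be picked as a bridge target in a VM's network settings.
Get-NetAdapterBinding |
    Where-Object { $BridgeIds -contains $_.ComponentID } |
    Select-Object Name, DisplayName, ComponentID, Enabled

# Unbind it from the corporate NIC. VirtualBox then no longer offers that NIC
# in the bridged-adapter dropdown, so a VM cannot be bridged onto the
# corporate LAN by a mis-click later. (Only one of the two IDs exists on a
# given VirtualBox version; the other call is skipped silently.)
foreach ($id in $BridgeIds) {
    Disable-NetAdapterBinding -Name $Corporate -ComponentID $id -ErrorAction SilentlyContinue
}

# Route check: the 10.1.x.x corporate prefix and the 0.0.0.0/0 default route
# should sit on Corporate; 192.168.0.0/24 should sit on Lab (or the host-only
# adapter). A default route on Lab would send the host's own traffic the wrong way.
Get-NetRoute -AddressFamily IPv4 -InterfaceAlias $Corporate, $Lab |
    Sort-Object RouteMetric |
    Select-Object DestinationPrefix, InterfaceAlias, NextHop, RouteMetric, InterfaceMetric

# Ties between interfaces are broken by interface metric (lower wins); pin the
# corporate NIC as the preferred one so the host keeps talking to the LAN first.
Set-NetIPInterface -InterfaceAlias $Corporate -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $Lab       -AddressFamily IPv4 -InterfaceMetric 50
```

Run the binding listing again after the unbind to confirm `Corporate` now shows `Enabled = False` for the VirtualBox driver; that single line is the check that the corporate NIC can no longer be bridged, whatever any VM's settings say.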
h0ward
Posts: 5
Joined: 28. Mar 2013, 17:28

Re: Separating Networks

Post by h0ward »

BillG wrote:Both the MLA and the host only adapter are virtual adapters on the host. They allow the virtual machines to communicate with the host machine. They do not allow you to communicate with anything beyond that. Surely the name "host only" makes that clear.
Yes that is made clear by the name, but it does not seem to work in the manner I would think. I can give my VM a second NIC which is defined as a Host Only Adapter and assign to that interface on the host the address "192.169.0.2". On the VM I can see the newly installed NIC and give it the address "192.169.0.1" and I can ping from the VM to the host. However, when I open a port on the host and attempt to connect to it from the VM, it is a no-go. Times out every time, with no response from the host. Why would I be able to ping it but not connect to it?
noteirak
Site Moderator
Posts: 5231
Joined: 13. Jan 2012, 11:14
Primary OS: Debian other
VBox Version: OSE Debian
Guest OSses: Debian, Win 2k8, Win 7

Re: Separating Networks

Post by noteirak »

Only possible reasons:
1. There is a firewall, and it's blocking that port, but not ping
2. The port is not open in the first place

Host-Only interfaces behave like a virtual switch connected to the host, even though the name is a bit misleading
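To tell noteirak's two causes apart on the host, here is an added example (not from the thread) for the Windows side. It assumes the host-only address 192.169.0.2 from h0ward's post, a placeholder listener on TCP 8080, the VM subnet 192.169.0.0/24, and administrator rights for netsh. The point of the rule it adds is the scope: the port is opened only to the VM subnet on the host-only address, so opening it for the lab does not also open it on the corporate NIC.

```powershell
# Added example: separate "nothing is listening" from "the firewall drops it",
# then open the port only towards the host-only subnet.
# Assumptions: host-only address 192.169.0.2 (from the post), placeholder
# port 8080, VM subnet 192.169.0.0/24. Run from an elevated PowerShell.

$Port       = 8080
$HostOnlyIp = '192.169.0.2'
$VmSubnet   = '192.169.0.0/24'

# TCP connect test with a timeout; works on Windows 7 PowerShell 2.0 as well
# (Test-NetConnection only exists on Windows 8 / Server 2012 and later).
function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Cause 2 first: is anything bound to the port at all? Ping only proves the
# host is up. The listener must be on 0.0.0.0 or on the host-only address;
# one bound to 127.0.0.1 is unreachable from the VM however the firewall is set.
netstat -an | Select-String ":$Port\s+\S+\s+LISTENING"

# Cause 1: which profile is active (rules are per profile), and which inbound
# rules already name this port.
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all dir=in | Select-String "LocalPort:\s+$Port"

# Allow the port, but only from the VM subnet to the host-only address.
# remoteip=any (the default) would expose the same service on the corporate NIC.
netsh advfirewall firewall add rule name="VM lab - TCP $Port" dir=in action=allow `
    protocol=TCP localport=$Port localip=$HostOnlyIp remoteip=$VmSubnet profile=any
netsh advfirewall firewall show rule name="VM lab - TCP $Port"

# A connect from the host to its own address loops back and does not cross the
# inbound filter, so this only re-checks the listener; the real test is from
# the VM (e.g. "nc -vz 192.169.0.2 8080" on the Fedora guest).
Test-TcpPort -Address $HostOnlyIp -Port $Port
```

If the VM-side connect still times out after the rule is in place, the next things to look at are the listener's bind address (a service bound to 127.0.0.1 never answers the host-only interface) and whether the host-only adapter landed on the Public profile, which the rule above covers with `profile=any`.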
h0ward
Posts: 5
Joined: 28. Mar 2013, 17:28

Re: Separating Networks

Post by h0ward »

noteirak wrote:Only possible reasons:
1. There is a firewall, and it's blocking that port, but not ping
2. The port is not open in the first place

Host-Only interfaces behave like a virtual switch connected to the host, even though the name is a bit misleading

Ahh, blasted windows turned on the firewall... Thanks for the help
h0ward
Posts: 5
Joined: 28. Mar 2013, 17:28

Re: Separating Networks

Post by h0ward »

This solution still leaves the problem that my VM cannot talk to the switch, as the only two adapters it has right now are eth0 (attached to a network bridge which used to bridge the host-only adapter to the physical LAN connection) and eth1 (attached to a loopback adapter). As noted before eth0 can no longer be bridged to the physical LAN adapter because this causes the host machine to lose network access, but provides network access to the VM. So again, I'm a tad confused, is there any way I can set it up such that I get another virtual LAN adapter (not a loopback adapter) something like the equivalent of having eth0:1 and eth0:0 on a linux host?
noteirak
Site Moderator
Posts: 5231
Joined: 13. Jan 2012, 11:14
Primary OS: Debian other
VBox Version: OSE Debian
Guest OSses: Debian, Win 2k8, Win 7

Re: Separating Networks

Post by noteirak »

I repeat what I said: unless you use VLANs or some routing device, your switch will never prevent your VM network from interfering with the corporate network.
A switch does not care what IP subnet your machines are in. IP subnetting is layer 3, whereas your switch is layer 2. It only cares about finding out what MAC is behind a port, and forwards any data to it, regardless of its IP.
It is also a single broadcast domain - only VLANs or routing can stop broadcasts (and your DHCP broadcasting!)

The issue is not located on your host, or on your VMs, but lies in the fact you are using the same LAN