Block communication between some VMs

[LeeEll]

I have a Win7 host with a number of Win7 guests in VBox 4.2.12 VMs. I have setup VBox networking with bridged adapters. Guests should be able to communicate with each other, and this is working OK. But some guests should not be able to communicate with some of the other guests, and this is my problem. Some of the guests also need internet access.

For various reasons I cannot use firewalls in the VMs to stop communication. If I could set rules in the firewall running on the host to block communication between certain VMs, then my problem would be solved. But setting rules in the Norton Internet Security firewall that is running on the host does not block communication between VMs. It seems VBox connects bridged adapters together on a very low level in the IP-stack so that the packets between VMs does not even reach the NIS firewall on the host.

How can I block a VM from communicating with one VM, while it is still able to communicate with another VM?

[mpack]

If the guests are using bridged networking then you configure them for networking like any other PCs that you have placed on the same physical network. E.g. put them on different logical networks if you don't want them to communicate with each other.

[LeeEll]

Well, I can't get it to work, so I am obviously not doing something right here.

I went into windows adapter settings and changed IPv4 from 'Obtain an IP address automatically' to fixed IP on two VMs so they both are on another new subnet:
VM-1: 10.0.1.8 mask 255.255.255.0
VM-2: 10.0.1.17 mask 255.255.255.0

Now these two VMs can not ping each other and the host can not ping any of them.

How do i get these two to communicate now and the host to communicate with both?
The host should also be able to communicate with a number of other such subnets.

[mpack]

Do the guests need internet access? If not then you might find it easier to set up a bunch of host only networks. See chapter 6 of the user manual. Remember to re-enable dynamic IP assignment in the guests.

[LeeEll]

Yes, at least one guest on each subnet will need internet access.

[noteirak]

For the VM that need regular browsing internet, add another adapter in NAT mode. If you need advanced network config, set it to Bridged mode.
For all the VMs, create as many host-only adapater in the host as you need logical networks, and bind the VMs to these networks.

[LeeEll]

It seems there is an issue with host-only networking on Windows 7 that causes the host-only connection to be identified as an 'unidentified network'. This sets the windows firewall to public network mode, which blocks communication making it necessary to disable the firewall in the guest. Not good!

There is a bug ticket on this (#5061) which still hasn't been addressed after 4 years! According to this post viewtopic.php?f=6&t=39066&start=15, the cause is that the host-only adapter does not have a default gateway, which makes windows go gaga. Why hasn't this been fixed one way or the other?

To get around this bug, I would have to set a registry DWORD on each host (yes, there will be more than one) and on each guest system (there will be many). This has to be repeated after each VBox update, at least on the hosts, don't know about the guests. This does not appeal to me.

Is there any other alternative than host-only networking to make it work the way I want?
If not, how should i handle the unidentified network issue?

[noteirak]

According to this post viewtopic.php?f=6&t=39066&start=15, the cause is that the host-only adapter does not have a default gateway, which makes windows go gaga. Why hasn't this been fixed one way or the other?

The whole concept of Host-Only is to have a Host - Only communication. How could you possibly set a gateway on that interface? What would be the gateway?
A gateway is used to give the computer an exit point to the "world". A Host-Only is pretty much the oposite, it's a stub network (from the Host PoV).

Blame Microsoft for not thinking this throught - blocking the edit of networks without gateway.

[BillG]

As noteirak stated, this is a Microsoft problem and has nothing to do with VirtualBox. If you really want to know more about it you will find heaps in the Windows forums. Google "unidentified networks Windows 7".

[LeeEll]

Easy now noteirak (and BillG), no need to go into deep defense here.

Now, let's move on, shall we?

I still need to block one VM from seeing another on the same host.

How can this be done?

The block has to be impossible to get around for an app running under administrator on the guest Win7 (and I am now beginning to wonder if host-only is really this untamperable, what if the app changes IP on it's connection, could it not see another subnet then?).

If every packet sent or received by certain VMs was filtered by a firewall on the host, I think there would be no way around this for an app in the VM. Right?

Can this be done?
If not, what is the best possible solution?

[noteirak]

I still need to block one VM from seeing another on the same host.
The block has to be impossible to get around for an app running under administrator on the guest Win7 (and I am now beginning to wonder if host-only is really this untamperable, what if the app changes IP on it's connection, could it not see another subnet then?).
Can this be done?

Oh yes, totally, that's what we keep telling you

If every packet sent or received by certain VMs was filtered by a firewall on the host, I think there would be no way around this for an app in the VM. Right?

Correct.

How can this be done?

Two principle ways :
Host-Only networks with Host routering + firewalling
2 Internal/host-only network + Firewall/Router VM in each

In both case, you want to speratate the neworks and put a router with firewalling in between, but you told in your first post that firewalling is impossible, hence my advicing on extra NIC with NAT for the guest needing internet. But if you can go with firewalling now, your host can be turned into the router, or have the dedicted VM for it.

[LeeEll]

Great, sounds promising!

This is an attempt to show you more precisely what I need:

For software acceptance testing I need VM pairs (VM type A & B) running on several hosts. More than one pair on each host.

VM-1A:
This type of VM should as far as possible be isolated from the rest of the system, except for a limited connection with VM-1B.
Runs an app that can't be trusted and that has to run as admin.
Can not run firewall on this VM, because the untrusted app might tamper with FW-settings to 'break out of the box'.
Needs to communicate with VM-1B.
Does not need to communicate with host and should not see host or any other VM except for VM-1B.
Needs internet connection and for this it should use an internet connection provided by OpenVPN running in VM-1B.
It should not see VM-2A, VM-2B or host.
It must be able to communicate with VM-1B, but then VM-1B should if possible look like a router or some other general networking device.

VM-1B:
Manages VM-1A.
No special restrictions for this VM.
Communicates with host and other VMs, except for the VMs of type A belonging to other pairs (xA-xB).
Runs OpenVPN to provide internet connection for VM-1A.

VM-2A:
Similar to VM-1A, but belongs to pair #2 and therefore should not see VM-1A or any other VM except for VM-2B.

VM-2B:
Similar to VM-1B.
Runs it's own instance of OpenVPN to provide separate VPN tunnel for VM-2A.
Manages VM-2A.


I hope this is clear enough.
I would really appreciate your help on this since networking as a new art to me.

[noteirak]

Networks :
VM1A ---- internal --- VM1B --- NAT or Bridged
VM2A ---- internal --- VM2B --- NAT or Bridged

Config :
Enable routing on VM1B & VM2B
Enable NAT (masquerade) on VM1B & VM2B

[LeeEll]

Enable routing on VM1B & VM2B

OK, I know how to do that on Win7 (you set a DWORD in the registry to 1)

Enable NAT (masquerade) on VM1B & VM2B

Don't know how to do this, but I can find out. But could you please tell me why this is actually needed if the internet connection for VM1A is provided by a OpenVPN TAP interface on VM1B? Isn't routing on VM1B and setting the OpenVPN interface IP as default gateway enough?

If I understand this correctly, there is no way for VM1A to break out of internal networking. I. e. no matter what is done in VM1A, the only thing it can directly communicate with is VM1B if those are the only two VMs on that particular internal net. Right?

Is there any way for the app that can't be trusted on VM1A to sniff traffic on the internal net to/from other applications running on VM1A?
Also, is there any way for this app to discover that it is on an internal VBox network and to find the name of this net?

Were does a firewall filter traffic to/from VM1A?

Hmmmm, wait a minut, let me think... Correct me if I am wrong. When routing is enabled on VM1B, packets get filtered by the FW on VM1B before they are sent to/from the bridged adapter (or OpenVPN interface) on VM1B. So all I have to do for firewalling is to define rules in the type-B VMs. Right?

[noteirak]

I think that kind of questions are networking only and advanced at that, and should be taken to a networking forum, since it's out of scope of this forum.
Keep in mind that the networking modes given out by Virtualbox can be translated to physical network setup, and the same config apply to them.
So if you're not knowledgeable about networking, you should first work on that before even trying this.