Hi, if this has been answered elsewhere I apologize, but all the information I'm finding is for the opposite of my question.
If I'm running various guests on a host, set up the DHCP server in VirtualBox, and have the guests all connect via Internal Networking, should any of the guest OSes be visible to the host LAN or external connections by default? Would enabling the DHCP server be visible on the host LAN?
Ideally what I'm looking for is to be able to have guests see each other, and see the outside world (i.e. download updates, etc.), but be (for lack of a better word) "unavailable" to the host's LAN, the outside world and even the host itself. For example, I'd like to set up a Windows server without the network admins flipping out because they see an unauthorized server install pop up.
Restricting incoming network access to guests
-
BillG
- Volunteer
- Posts: 5106
- Joined: 19. Sep 2009, 04:44
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows 10,7 and earlier
- Location: Sydney, Australia
Re: Restricting incoming network access to guests
If VMs are on an internal network they are not visible from the host or from any LAN machines. DHCP traffic will not be seen either.
You would need to install a virtual router to connect an internal network to the physical LAN (and it would still be hidden from the LAN if you ran the router as a NAT). It is very similar to running devices on a switch which is not connected to any other device (which is what it is emulating).
Bill
-
scottgus1
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows, Linux
Re: Restricting incoming network access to guests
Keep in mind that even if you add a virtual NAT router to block access to your VirtualBox network from your LAN while allowing internet, your VirtualBox network will still be able to access your LAN. NAT blocks incoming network requests but not outgoing.
If your virtual router has a decent firewall, and you set the internal network to be a different IP address range from your LAN, you can put in a rule in the firewall to block access to the LAN's IP address range(s), then you'll be completely blocked off. See viewtopic.php?f=1&t=76667 for how to do this with pfSense as the router/firewall.
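The two points in the post above (NAT alone stops only inbound requests, and a block rule for the LAN range closes the outbound path) as a small first-match rule model. This is an added example, not code from the thread or from pfSense; the address ranges, rule lists and function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed addressing plan (assumed values, not from the thread).
INTNET = ipaddress.ip_network("10.10.10.0/24")   # VirtualBox internal network
LAN = ipaddress.ip_network("192.168.1.0/24")     # physical LAN the host sits on
ANY = ipaddress.ip_network("0.0.0.0/0")

# Router with NAT only: everything the guests send out is allowed.
NAT_ONLY = [("pass", INTNET, ANY)]

# Router with the extra firewall rule: block the LAN range first,
# then allow the rest. Order matters because the first match wins.
ISOLATED = [("block", INTNET, LAN), ("pass", INTNET, ANY)]


def ranges_are_distinct(a, b):
    """The block rule only works if the internal range differs from the LAN's."""
    return not a.overlaps(b)


def outbound_verdict(src, dst, rules=ISOLATED):
    """Action of the first rule matching a guest-initiated flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "block"  # default deny when no rule matches


def inbound_verdict(wan_port, port_forwards=frozenset()):
    """Unsolicited traffic arriving at the router's outside address reaches
    a guest only through an explicit port forward; none are defined here."""
    return "pass" if wan_port in port_forwards else "block"


if __name__ == "__main__":
    guest, lan_host, internet = "10.10.10.50", "192.168.1.10", "203.0.113.7"
    print("ranges distinct:     ", ranges_are_distinct(INTNET, LAN))
    print("NAT only, guest->LAN:", outbound_verdict(guest, lan_host, NAT_ONLY))
    print("isolated, guest->LAN:", outbound_verdict(guest, lan_host))
    print("isolated, guest->net:", outbound_verdict(guest, internet))
    print("LAN->guest, port 3389:", inbound_verdict(3389))
```

Guests pointed at a DNS server inside the LAN range would hit the block rule as well, so name resolution has to come from the router or from a resolver outside the LAN.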
-
TheBenR
- Posts: 2
- Joined: 29. Mar 2016, 00:53
- Primary OS: Mac OS X other
- VBox Version: OSE other
- Guest OSses: Ubuntu, Windows, others I'm sure
Re: Restricting incoming network access to guests
Thank you both for your replies.
scottgus1 wrote: Keep in mind that even if you add a virtual NAT router to block access to your VirtualBox network from your LAN while allowing internet, your VirtualBox network will still be able to access your LAN. NAT blocks incoming network requests but not outgoing.
This is fine since I'd rather guests be able to download updates, patches, etc. So, what I'm going to be looking at with pfSense is basically setting up a pfSense guest to do the NAT that VirtualBox isn't doing since the guests are all connected via Internal Network.
-
BillG
Re: Restricting incoming network access to guests
That should be fine. I have run a system like that with no problems.
Bill