[SOLVED] How to configure VLAN or similar to isolate VMs?

[JChris]

I have a small lab at my home with Windows and Linux guests, running on top of a powerful Windows 10 Enterprise system. Currently I use Hyper-V (Type-1) virtualization, but I'm fed up with the Linux compatibility issues on that thing (not even the mouse movement is fluid, even after I install the so called "integration services"), so I'm migrating to Virtualbox. To isolate my Home network from the various VM labs I have the following structure: Home network (192.168.x.x) > pfSense VM working as a router/switch > VM network (172.16.x.x). I use VLAN support built-in Hyper-V to separate the various VM labs, so that for example when I'm testing a malware that infects via network it only affects the VMs I want, not the entire VM network. How can achieve something like that in Virtualbox?

I would have something like this regarding VM labs:

LAB01: 2x Windows, 1x Linux
LAB02: 4x Windows
LAB03: 1x Windows, 3x Linux
LAB04: 3x Linux
LAB05: 2x Windows, 2x Linux
and so on...

Sadly, I can't post pictures showing the configuration I have in place inside Hyper-V to handle VLANs, due to forums policies...

--------------

SOLVED: Use NATService (viewtopic.php?f=1&t=83509&p=395641#p395642)

[socratis]

These are the possible modes in VirtualBox:

• +-----------+-------------+-------------+----------------+----------------+
  |           | VM <-> Host | VM1 <-> VM2 | VM -> Internet | VM <- Internet |
  +-----------+-------------+-------------+----------------+----------------+
  | HostOnly  |     Yes     |     Yes     |      No        |       No       |
  | Internal  |     No      |     Yes     |      No        |       No       |
  | Bridged   |     Yes     |     Yes     |      Yes       |       Yes      |
  | NAT       |     No      |     No      |      Yes       |  Port forward  |
  | NATService|     No      |     Yes     |      Yes       |  Port forward  |
  +-----------+-------------+-------------+----------------+----------------+

For more information, take a look at ch. 6. Virtual networking. And remember, you can always have more than one network card in your guest to cover multiple scenarios.

[BillG]

VLANs built into Hyper-V? Where did you find them?

As far as I know, Hyper-V is VLAN aware - that is it will handle VLAN tags if you use them on your physical network. It is not VLAN capable - that is it cannot implement VLANs itself.

I have never seen any reason to use VLANs in virtual networks. You can create as many internal networks as you like.

[scottgus1]

Sadly, I can't post pictures

Yes you can. See the Upload Attachment tab below where you type posts. File size is limited, but reasonable screenshots are possible. Always available even to first posters on the first day.

Socratis's very-well-laid-out table shows a quick layout of the networking types in Virtualbox. As a clue, you can make independent private networks between guests using Virtualbox's Internal network type. To make a new Internal network, set more than one guest to Internal, and use a unique name for that network on all the attached guests. All you'd need to do is set your first two Windows and one Linux guests to an Internal network called "LAB01", the next 4 Windows guests to an internal network called "LAB02" etc. They'll all be independent and private.

[JChris]

VLANs built into Hyper-V? Where did you find them?

As far as I know, Hyper-V is VLAN aware - that is it will handle VLAN tags if you use them on your physical network. It is not VLAN capable - that is it cannot implement VLANs itself.

I have never seen any reason to use VLANs in virtual networks. You can create as many internal networks as you like.

053110hypervguestvlan.jpg (63.03 KiB) Viewed 36271 times

Inside Hyper-V, no need for special hardware.

[BillG]

Yes, I know about that. That is what I described - it is VLAN aware. It will recognise VLAN tags, so it can use VLANs which are controlled by some other device, such as a switch. pfSense can do that too. That is quite different from being VLAN capable - ie able to create its own VLAN system.

The point is, does checking that box actually do anything in a virtual network which has no direct connection to a physical network?

[JChris]

A-M-A-Z-I-N-G. I don't even need pfSense or any other "router OS". The NATService is exactly what I need. I can create as many subnets as I want for each LAB and they are all isolated from each other and from my home network. This is amazing. I with I had dropped Hyper-V for VBox sooner!

Thanks @socratis for the info!

[BillG]

I think I will restrict myself to "no comment".

[scottgus1]

NATService . . . isolated . . . from my home network

Not quite, unfortunately. Try accessing your host PC by its LAN IP address from within the NAT network. And you can still access the internet, too - not a safe place to test malware.

NAT can get outside its IP address space - that's how computers behind a house router can get outside to the internet. Depending on the malware you try to test it could look out to other network IP ranges and have some fun there too.

[socratis]

Actually, looking at it again, I believe the table in my previous post to be half-baked. The "VM <-> Host" should be separated into two columns, "VM -> Host" and "Host -> VM", as in both NAT and NATService you can reach the host from the VM, and the VM from the host with port forwarding. A job for the afternoon, after my "siesta"...

[JChris]

Damn, ok

[scottgus1]

Bummer, huh? If you want to isolate completely, just use "Internal" networks - probably safest anyway. You can use ISO files to get the malware into the isolated guests.

[JChris]

Bummer, huh? If you want to isolate completely, just use "Internal" networks - probably safest anyway. You can use ISO files to get the malware into the isolated guests.

Sadly I can't simply use Internal Network as I need active Internet connection in some of those labs

[scottgus1]

I'd really think about that need for the internet VVEEEERRRRRYYYY carefully, you wouldn't want to be the source for the next big headlines. If you need internet to get the viruses into the guests your could get a copy of said viruses and pass them in through a read-only ISO file attached to the guest's virtual CD drive.

However, I don't know your project, so here's how to get internet into an internal network without compromising your host's LAN: use a pfSense guest with appropriate firewall rules as a router for your internal network.

[JChris]

I'd really think about that need for the internet VVEEEERRRRRYYYY carefully, you wouldn't want to be the source for the next big headlines. If you need internet to get the viruses into the guests your could get a copy of said viruses and pass them in through a read-only ISO file attached to the guest's virtual CD drive.

However, I don't know your project, so here's how to get internet into an internal network without compromising your host's LAN: use a pfSense guest with appropriate firewall rules as a router for your internal network.

It's not for virus download, it's for C2 connection. I need the viruses to be able to connect to their C2. Yes, pfSense is what I had with Hyper-V, it seems that's the only way.