Isolate a VirtualBox VM with its own IP from the rest of the network; it should only have internet access

Hello, I have little idea about network stuff. I've been using a TL-WR1043N router for many years; it's currently running OpenWrt 19.07.7. A friend once set up the router for me.

I have a problem: I have to work from home now because of Corona. I have created a VirtualBox VM with Windows 10 in "bridged network" mode, so to the router it is a device with its own MAC and IP address. I do not want the VM to access my network; it should only have internet access.

I only ever find instructions on Google for creating wireless networks for guests. I'm afraid of doing something wrong so that the Internet no longer works.

Can you please help me? Thanks very much!

This is going to be... a challenge, due to the way bridged/NAT/host-only networking works with VirtualBox.

Off the top of my head, one way it might be possible to achieve your intended goal is to stick your VM host behind a separate firewall, segregating it from the rest of your network. Configure that firewall to allow your VM host to access the things it usually accesses, and to allow your Windows VM guest access only to the Internet.

Another way it might be possible is to set up a second VM with OpenWRT (or the firewall of your choice). Configure the Windows guest to use Host-Only networking, and configure the OpenWRT/firewall VM's LAN interface on the same Host-Only network and its WAN interface on the Bridged network. Then configure the firewall in the OpenWRT/firewall VM to allow the Windows guest to talk only to the Internet and not to anything else on the network. Here's a diagram to illustrate the idea:

Bear in mind that, by default, OpenWRT is very permissive outbound. If you want to limit outbound traffic you'll need to write bespoke rules for the LAN->WAN traffic.

Uhh... I didn't think it would be so complicated. I thought a MAC address could be restricted.

By "not accessing my network" I mean it should not be allowed to access e.g. 192.168.1.3.

// Edit: OK, I see the picture... let's see

Depends for what purpose. You want to allow a host to access everything while denying a guest access to anything. The host and the guest share the same physical link. That poses a significant challenge.

The host and the guest share the same physical link. That poses a significant challenge.

OK, I understand that a bit; I'll try to make a VM with OpenWrt.

As a quick test, I spun up a set of Windows and OpenWRT VMs to test my idea. I was able to block the Windows VM from talking to my LAN (192.168.69.0/24), and allow the Windows VM access to the Internet (0.0.0.0/0).

For the purpose of this test, the OpenWRT VM was configured with its WAN set to DHCP (bridged network) and the LAN interface (Host only) set to 192.168.43.1/24 (only because 192.168.1.0/24 is used elsewhere here and I wanted to avoid conflicts).

The Windows guest was configured with a single interface (Host only) set to DHCP, so it picked up an IP address in the 192.168.43.0/24 range from the OpenWRT VM. It picked up the address 192.168.43.231.

Here are the entire contents of /etc/config/firewall from the OpenWRT VM:


config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disable_ipv6 '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        list proto 'all'
        option name 'Deny LAN'
        list src_ip '192.168.43.231'
        option dest 'wan'
        list dest_ip '192.168.69.0/24'
        option src 'lan'
        option target 'REJECT'

config rule
        list proto 'all'
        option name 'Allow Internet'
        list src_ip '192.168.43.231'
        option dest 'wan'
        list dest_ip '0.0.0.0/0'
        option src 'lan'
        option target 'ACCEPT'

That sounds great. Unfortunately, I can't even get OpenWrt started.

IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready

Nothing more appears. I followed this guide: https://openwrt.org/docs/guide-user/virtualization/virtualbox-vm

Can you upload your exported VM to volafile.org or similar? That would be very nice. :)

Not sure what volafile is, but it's 503 at the moment. Still, I ought to be able to paste the plain-text for the relevant files here, hopefully.

OpenWRT vbox (MAC addresses redacted):

<?xml version="1.0"?>
<!--
** DO NOT EDIT THIS FILE.
** If you make changes to this file while any VirtualBox related application
** is running, your changes will be overwritten later, without taking effect.
** Use VBoxManage or the VirtualBox Manager GUI to make changes.
-->
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine uuid="{c2421ca9-1bd4-45cd-874f-98fab7800612}" name="OpenWRT 19.07.7" OSType="Linux26_64" snapshotFolder="Snapshots" lastStateChange="2021-03-16T18:43:53Z">
    <MediaRegistry>
      <HardDisks>
        <HardDisk uuid="{a60d762b-bf8f-4c31-9d4c-4463f4fee025}" location="openwrt_19.07.7.vdi" format="VDI" type="Normal"/>
      </HardDisks>
    </MediaRegistry>
    <ExtraData>
      <ExtraDataItem name="GUI/LastCloseAction" value="PowerOff"/>
      <ExtraDataItem name="GUI/LastNormalWindowPosition" value="1013,94,720,443"/>
      <ExtraDataItem name="GUI/ScaleFactor" value="2"/>
    </ExtraData>
    <Hardware>
      <CPU>
        <PAE enabled="false"/>
        <LongMode enabled="true"/>
        <X2APIC enabled="true"/>
        <HardwareVirtExLargePages enabled="true"/>
      </CPU>
      <Memory RAMSize="256"/>
      <HID Pointing="USBTablet"/>
      <Display controller="VMSVGA" VRAMSize="16"/>
      <VideoCapture screens="1" file="." fps="25"/>
      <BIOS>
        <IOAPIC enabled="true"/>
        <SmbiosUuidLittleEndian enabled="true"/>
      </BIOS>
      <USB>
        <Controllers>
          <Controller name="OHCI" type="OHCI"/>
          <Controller name="EHCI" type="EHCI"/>
        </Controllers>
      </USB>
      <Network>
        <Adapter slot="0" enabled="true" MACAddress="001122334455" type="82540EM">
          <DisabledModes>
            <InternalNetwork name="intnet"/>
            <NATNetwork name="NatNetwork"/>
          </DisabledModes>
          <HostOnlyInterface name="VirtualBox Host-Only Ethernet Adapter"/>
        </Adapter>
        <Adapter slot="1" enabled="true" MACAddress="001122334455" type="82540EM">
          <DisabledModes>
            <InternalNetwork name="intnet"/>
            <NATNetwork name="NatNetwork"/>
          </DisabledModes>
          <BridgedInterface name="Realtek USB GbE Family Controller"/>
        </Adapter>
        <Adapter slot="2" MACAddress="001122334455" type="82540EM">
          <DisabledModes>
            <InternalNetwork name="intnet"/>
            <NATNetwork name="NatNetwork"/>
          </DisabledModes>
          <HostOnlyInterface name="VirtualBox Host-Only Ethernet Adapter"/>
        </Adapter>
      </Network>
      <AudioAdapter codec="AD1980" driver="DirectSound" enabledIn="false"/>
      <RTC localOrUTC="UTC"/>
      <Clipboard/>
      <GuestProperties>
        <GuestProperty name="/VirtualBox/HostInfo/GUI/LanguageID" value="en_US" timestamp="1615918823316975400" flags=""/>
      </GuestProperties>
    </Hardware>
    <StorageControllers>
      <StorageController name="SATA" type="AHCI" PortCount="1" useHostIOCache="false" Bootable="true" IDE0MasterEmulationPort="0" IDE0SlaveEmulationPort="1" IDE1MasterEmulationPort="2" IDE1SlaveEmulationPort="3">
        <AttachedDevice type="HardDisk" hotpluggable="false" port="0" device="0">
          <Image uuid="{a60d762b-bf8f-4c31-9d4c-4463f4fee025}"/>
        </AttachedDevice>
      </StorageController>
    </StorageControllers>
  </Machine>
</VirtualBox>

/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.43.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

/etc/config/firewall:

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
        option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config rule
        list proto 'all'
        option name 'Deny LAN'
        list src_ip '192.168.43.0/24'
        option dest 'wan'
        list dest_ip '192.168.69.0/24'
        option src 'lan'
        option target 'REJECT'

config rule
        list proto 'all'
        option name 'Allow Internet'
        list src_ip '192.168.43.0/24'
        option dest 'wan'
        list dest_ip '0.0.0.0/0'
        option src 'lan'
        option target 'ACCEPT'

/etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

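The two rule sets posted in this thread (the earlier one keyed to the single DHCP address 192.168.43.231, and the later one keyed to the whole 192.168.43.0/24 host-only subnet) rely on fw3 installing rules in file order and netfilter stopping at the first match, which is why "Deny LAN" has to sit above "Allow Internet" (0.0.0.0/0 also contains 192.168.69.0/24). The following is an added example, not code from the thread or from OpenWrt: a minimal parser for UCI-style firewall sections plus a first-match simulation of the forwarding decision, run over a constructed copy of the /24 rules against sample packets. It also goes one step beyond the posted config with a `harden()` helper (my own addition, not something the posters did) that rejects every RFC 1918 range rather than only the one LAN subnet. Zones, the defaults block and connection tracking are simplified to the forward verdict only.

```python
"""Added example (not from the forum thread or OpenWrt): parse the posted
UCI firewall rules and simulate fw3's first-match forwarding decision."""
import ipaddress
import shlex

# Constructed copy of the two 'config rule' sections posted above (/24 variant).
FIREWALL_CONFIG = """
config rule
        list proto 'all'
        option name 'Deny LAN'
        list src_ip '192.168.43.0/24'
        option dest 'wan'
        list dest_ip '192.168.69.0/24'
        option src 'lan'
        option target 'REJECT'

config rule
        list proto 'all'
        option name 'Allow Internet'
        list src_ip '192.168.43.0/24'
        option dest 'wan'
        list dest_ip '0.0.0.0/0'
        option src 'lan'
        option target 'ACCEPT'
"""

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_uci(text):
    """Parse 'config <type>' sections with option/list lines into dicts.
    Options become strings, lists become Python lists; '_type' is the section type."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted values
        if parts[0] == "config":
            current = {"_type": parts[1]}
            sections.append(current)
        elif parts[0] == "option" and current is not None:
            current[parts[1]] = parts[2]
        elif parts[0] == "list" and current is not None:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def _in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def matches(rule, src, dst, src_zone, dst_zone):
    """True if a forwarded packet src->dst between the given zones hits this rule.
    A missing src_ip/dest_ip means 'any', as in fw3."""
    if rule.get("src") != src_zone or rule.get("dest") != dst_zone:
        return False
    if not _in_any(src, rule.get("src_ip", ["0.0.0.0/0"])):
        return False
    return _in_any(dst, rule.get("dest_ip", ["0.0.0.0/0"]))


def first_match(rules, src, dst, src_zone="lan", dst_zone="wan", default="REJECT"):
    """Rules are installed in file order and the first match decides; 'default'
    models the defaults block's forward=REJECT when nothing matches."""
    for rule in rules:
        if matches(rule, src, dst, src_zone, dst_zone):
            return rule["target"], rule.get("name")
    return default, None


def evaluate(config_text, src, dst):
    rules = [s for s in parse_uci(config_text) if s["_type"] == "rule"]
    return first_match(rules, src, dst)


def harden(rules, private=RFC1918):
    """Extension beyond the posted config (assumption: the guest needs no
    private destinations at all): reject every RFC 1918 range so that
    renumbering the home LAN cannot silently expose it. Prepended so these
    rules win over 'Allow Internet'."""
    deny = [{"_type": "rule", "name": "Deny private", "src": "lan", "dest": "wan",
             "dest_ip": [net], "target": "REJECT"} for net in private]
    return deny + list(rules)


if __name__ == "__main__":
    rules = [s for s in parse_uci(FIREWALL_CONFIG) if s["_type"] == "rule"]
    guest = "192.168.43.231"
    for dst in ("192.168.69.3", "8.8.8.8", "10.0.0.5"):
        print("posted order ", guest, "->", dst, first_match(rules, guest, dst))
    print("swapped order", guest, "-> 192.168.69.3",
          first_match(rules[::-1], guest, "192.168.69.3"))
    for dst in ("10.0.0.5", "8.8.8.8"):
        print("hardened     ", guest, "->", dst, first_match(harden(rules), guest, dst))
```

Running the block shows the intended verdicts (LAN rejected, Internet accepted), that swapping the two rules makes "Allow Internet" win for the LAN destination, and that with only the posted "Deny LAN" rule a destination like 10.0.0.5 is still forwarded, which is why the /24-keyed variant and a blanket RFC 1918 deny are the safer shape. Two further caveats: keying a rule to a single DHCP-assigned address (the earlier 192.168.43.231 variant) means a changed lease matches neither rule and the guest simply loses Internet, and traffic between the guest and the host's own host-only adapter never passes through the OpenWrt VM, so this firewall cannot see it.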
Did you press Enter or Return at that point, to display the console prompt?

Just to emphasize what iplaywithtoys has raised: your problems are more related to configuring the hypervisor's (VirtualBox) networking than to OpenWrt itself.

In theory, the situation could be rather simple: segregate a dedicated VLAN on your TL-WR1043ND (which is probably a bit marginal and could profit from an upgrade) and pass only this VLAN through to your VM. But I don't know if VirtualBox offers this (with qemu-kvm, I'd create a tap interface, with the VM's WAN as a bridge member of this interface).