OpenWrt on VM: Network configuration

@opale7000 can I get any contact details? I have been trying OpenWrt in a VM for the last 3 weeks and am not getting any output. Please help if you can.

@Prakash_kesharwani - did you follow this guide? It is really useful and works well -- I recently set up a fresh VM with 19.07.2 using this guide. You may need to configure some things in VirtualBox that aren't set up by default -- but it's all in the tutorial.

1 Like

Yeah, I tried all the guidelines given and tried every section of OpenWrt. I am running my OpenWrt in a VM and trying to communicate with another VM, but it is not happening. Anybody who has done this before, please help. I want at least one small functionality to work as a firewall.

What doesn't work? And what have you done so far?

I just did it and can help, but I don't want to recreate the entire tutorial -- that's already there (and well done, too).

Have you managed to get OpenWrt running in general on the VM?
From the host system, can you ping the management address of your OpenWrt VM?
From within OpenWrt, can you ping out to the internet?

1 Like

Yes, I am able to ping both VMs and I am able to ping the internet also. But when I set certain rules using LuCI/UCI, and I tried each and every thing, I can't see any output. For example, there is an example given in fw3 to block a site/URL; I tried that but it is not working.

Start with the basics... then work from there.

Do your other VMs have connectivity through the OpenWrt VM -- and have you confirmed this (possibly with traceroute, or at least by the network/subnet for each system and the definitions of the LAN/WAN/management networks on your OpenWrt VM)?

Do you have the right firewall zone applied to each of the OpenWrt networks?
For example, you should have a WAN (likely either NAT'd from your host and VM manager, or bridged through the host and thus joining the parent network of your host). And you should have a LAN that is used by your other VM(s).

The default forwarding from LAN > WAN should be an easy one to use to verify your firewall is working -- you can disable that rule and all traffic from the other VM should fail to reach the internet. Re-enable and it should work again.

What rules are you trying to implement? And exactly how?
Keep in mind that blocking based on site/url is usually better managed by other methods than just a simple firewall rule (which is generally well geared to specific IP addresses, but not domain names). PiHole and other similar environment/packages are really good at managing this type of filtering.

1 Like

I followed all the steps given in https://openwrt.org/docs/guide-user/virtualization/virtualbox-vm completely. I have also used Wireshark and traceroute to see packets. I created one VM (as OpenWrt) and one to do SSH. Now I was just trying to block traffic from one VM to the other. It did not work. Under the firewall section I tried each and every option, including zones, rules and NAT, but I don't know what to do collectively to make it work (get output).

How were you trying to block access from one VM to the other? Are they on distinct networks? What is the IP address of each VM?

1 Like

There is an option for allow ping (in the traffic rules of the firewall option in LuCI). I was just doing REJECT in that, with source as the 1st VM and destination as the second VM.

They are on the same network. Only the last part of the IP address is different.

That is your problem. Traffic between two hosts on the same network never passes through the firewall. Period. It is switched (in software when dealing with VMs), not routed. The same would be true for two physical computers connected to the same network via a hardware switch and/or router with integrated switch.

You must create two different networks for the firewall to have an effect. Or, if the VM host environment allows it, you might be able to block the traffic between hosts -- some managed switches have the ability to configure port isolation which would be the hardware version of the software VM host blocking traffic. But this is distinctly different than the OpenWrt firewall.

2 Likes

So let me clear the picture.
I have installed OpenWrt in Oracle VirtualBox following this guide.
The adapter settings are done as per the document; however, I am unable to change the IPv4 due to lack of admin rights due to the company's security restrictions. So I kept it as it is.
image

Now coming to the VM part, I initially created 2 VMs. My OpenWrt VM's IP address is 192.168.29.249 and my other VM's IP address is 192.168.29.142, and in this one I have installed Ubuntu 16.04. I am doing SSH in this terminal only.

Now when I try to ping from (192.168.29.142) to 192.168.29.249 or vice versa, both-way communication is happening, since I have opened two terminals (1. SSH of OpenWrt 2. normal terminal of VM).

Now via 192.168.29.249 I am accessing LuCI (web GUI) in my browser and I am trying to add rules.

After all this I can't see any rule give any output.

I want communication from the 1st VM (192.168.29.142) to the 3rd (192.168.29.160, new VM created) with some firewall rules by OpenWrt (192.168.29.249 VM).

  • I didn't think host-only networks exited the machine
  • Why are you creating/addressing a host-only network anyway?

What IPv4?

In my setup, I enumerate the network/VLANs on the host (not in VirtualBox); and I use "Bridge Adapter"...and to create a network between guests, I use VirtualBox to create an "Internal Network".

Otherwise, with other settings, you'll have to set up NATs, etc. thru VirtualBox.

EDIT: BTW @Prakash_kesharwani, welcome to the community!

3 Likes

I understood what you were asking from your previous post. And my answer is the same now as it was then. You cannot block communication between VMs that are on *the same network* by using the firewall on OpenWrt (or any other router type OS) because the traffic between the VMs will never reach the firewall. Your only option is to use the VM host software to either restrict it at the guest level or to set up multiple different networks within the VM software environment. That is just the way it works. The OpenWrt firewall cannot help you unless you have additional networks for it to route.

2 Likes

The host only network is only so you can log in to OpenWrt using a SSH client or web browser on the host.

To do any serious networking you're going to need to bring up more virtual ports and networks. The "Internal Network" type would link your VMs together like virtual switches and cables, as a closed network. NAT or Bridged networks have access to the hardware ports on the host. An internal network is probably what you want to have OpenWrt route and firewall the connection of the Ubuntu VM. If you have multiple VMs and want OpenWrt to have total access to all traffic between them, use multiple internal networks.

2 Likes
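The layout described in the replies above, with each VM on its own VirtualBox internal network so that traffic between them is routed through OpenWrt, written out as an added example (not part of any post in this thread). It uses the 19.07-style `ifname` option; the interface names `eth2`/`eth3`, the network and zone names `vm_a`/`vm_b`, and the 10.10.x.0/24 subnets are assumptions.

```conf
# --- /etc/config/network (added example; names and addresses are assumed) ---
# One OpenWrt interface per VirtualBox "Internal Network".
config interface 'vm_a'
	option ifname 'eth2'            # adapter attached to internal network A
	option proto 'static'
	option ipaddr '10.10.1.1'
	option netmask '255.255.255.0'

config interface 'vm_b'
	option ifname 'eth3'            # adapter attached to internal network B
	option proto 'static'
	option ipaddr '10.10.2.1'
	option netmask '255.255.255.0'

# --- /etc/config/firewall (added example) ---
# One zone per network, so traffic between the two VMs crosses a zone boundary.
config zone
	option name 'vm_a'
	list network 'vm_a'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vm_b'
	list network 'vm_b'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Allow routed traffic from vm_a to vm_b in general (e.g. SSH).
config forwarding
	option src 'vm_a'
	option dest 'vm_b'

# Traffic rules are evaluated before the forwarding above, so ping is rejected.
config rule
	option name 'Reject-ping-vm_a-to-vm_b'
	option src 'vm_a'
	option dest 'vm_b'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'REJECT'
```

Each guest needs an address in its own subnet and the OpenWrt address on that subnet as its default gateway. With that in place, a ping from the VM in `vm_a` to the VM in `vm_b` is rejected by OpenWrt while other forwarded traffic still passes, which makes the effect of the rule visible.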

So basically in this guide there is a section on VirtualBox settings.


We need to add that IPv4 address as mentioned, but due to company admin restrictions I can't.

BTW: Thanks @lleachii

Thanks @psherman, I will be continuing my work as stated by you.

I'm totally lost, I guess I never read that...as I don't need such a Host-Only adapter (as I always need my OpenWrt VMs to connect to real networks, or internally to VMs on the host, i.e. "Internal Network" setting).

Again, that doesn't connect to the network...so please explain what you mean by an IP restriction.

You can assign whatever IP you wish to the OpenWrt...and you create the networks it connects to on the host (BTW, you don't have to assign IPs to the host-created interfaces)...so why are you creating/assigning Host-Only networks/IPs in VirtualBox?

What do you intend to reach using a Host-Only Adapter anyways?

Do you have the ability to add network interfaces within the VM settings? If I click on my OpenWrt VM, then click on Settings and click network, I can enable/disable up to 4 network adapters. One of the options is an 'internal network' which is probably what you want -- you'll want 2 internal networks (this may be possible over a single interface with VLANs) if you want to be able to isolate two or more VMs from each other.

Also consider that you can potentially configure the local firewalls on the VMs themselves to drop or reject connections from other devices on the same network (this is not part of the OpenWrt firewall unless you are talking about the ability for one VM to talk to the OpenWrt VM, in which case you can simply drop or reject on the input for that network).

1 Like

I can't assign any IP to the IPv4 address. Since there is already an IP mentioned in the adapter, I cannot change it due to admin rights.

image
In the picture shown above I can't add my desired IP (for the adapter), and the same for the DHCP server. When I click OK, an admin page pops up restricting my action. I cannot even change the network mask.

Assigning the IP in the host-only adapter is for SSH, and the configuration is set according to that, making my work easier.