Isolating Vbox guest from physical LAN

  • Hi community!


    I have the following task and unfortunately still can't find a solution. The host system is Debian with OMV 1.19, connected to my home LAN (router). I'm using the VirtualBox plugin and have an Ubuntu server as a guest. What I want is that the guest machine has access to the internet (e.g. so that I can access it remotely via SSH) but no access to the physical home LAN (to avoid security issues if someone hacks the guest machine from outside).


    What I tried so far is:

    • My OMV host system is in the LAN with IP: 192.168.172.31
    • My guest machine is configured for NAT and has the IP: 10.0.2.15 (mask 255.255.255.0)
    • Thanks to port forwarding I've set up a channel to reach the guest machine from the internet via SSH: WAN -> router -> host OMV with vbox plugin -> guest OS. It works without issues.


    Problem: I can still ping any other computer within the physical LAN from my guest OS, e.g. "ping 192.168.172.25" successfully pings another computer on the physical LAN.


    I do not understand why this is happening. According to my understanding there should be a gateway somewhere which allows the guest OS to reach the other network. But I do not know if this idea is fully correct.


    I can't isolate the whole physical OMV machine into another network (e.g. by using another router) as it is my central NAS system in the LAN. So I want to isolate only the guest OS.


    Can you please suggest a solution? I've tried searching for it but with no luck. Thanks in advance!

    • Official post

    Just a quick thought: you might want to use bridged mode, which would give the guest an IP address in the same subnet as your host machine.
    With the appropriate iptables rules on your host you can restrict access to that guest, since it has a target IP.


    When you use NAT, all packets will be seen as coming from the host IP, even on the host. An IP address is much easier to identify and isolate if you control the host where that IP address is.


    Now all of this goes to hell if the attacker gains control of the machine and changes the IP address. In that case my guess would be a better router (something with OpenWrt or pfSense) and using a VLAN to have a separate subnet for the guest.

  • Hi subzero79! Thanks for the reply!


    Now all of this goes to hell if the attacker gains control of the machine and changes the IP address. In that case my guess would be a better router (something with OpenWrt or pfSense) and using a VLAN to have a separate subnet for the guest.


    I read in the change log for OMV 2.x that there is now VLAN support. Though I have no idea how it works and what the scope is. Do you know if it could be useful in my case?


    Just a quick thought: you might want to use bridged mode, which would give the guest an IP address in the same subnet as your host machine.
    With the appropriate iptables rules on your host you can restrict access to that guest, since it has a target IP.


    When you use NAT, all packets will be seen as coming from the host IP, even on the host. An IP address is much easier to identify and isolate if you control the host where that IP address is.


    Just wondering how the firewall on the host can handle it if, in bridged mode, the guest is using the network adapter directly. To my understanding, in this case OMV's firewall settings will not be able to affect traffic for the guest's IP address. Or am I wrong here?

  • is bridged to eth0, you'll see the packets in tcpdump using the IP address. You can put rules in the OUTPUT chain of the host to restrict the guest.
    Do you know how to use iptables?


    No, I have never used it. But I think it is used by OMV's firewall (with the GUI), isn't it?


    But I think that your other comment makes all these efforts with iptables useless if an attacker is able to change the IP address of the guest. Sure, in my router's DHCP I can set a permanent IP for the guest's MAC, but I do not know if the guest machine can then still be made to use any other IP address. Or am I wrong here?

    • Official post

    He can change to whatever IP he wants if he has root access; DHCP is just a service to reserve IP addresses and hand out the gateway and DNS in automated mode. A VLAN would then come in handy to isolate the guest. But that requires a capable router.
    The firewall of OMV is only capable of adding rules to the INPUT and OUTPUT chains of the filter table, which I think should work in this case.

  • The firewall of OMV is only capable of adding rules to the INPUT and OUTPUT chains of the filter table, which I think should work in this case.


    Thanks!


    Can you then suggest a fitting setup of the OMV firewall for this case?
    The guest machine should be able to:

    • have SSH access from the internet (let's say on the guest SSH is configured for port 9955)
    • be able to handle HTTP traffic in/out (to call some web pages and save them)

    The physical schema then looks like this:
    Internet <> router 192.168.178.1 <> [host machine 192.168.178.31 + bridged guest 192.168.178.32]


    Port forwarding from the router to the guest's port 9955 is not an issue.
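Added example (not part of the thread, not OMV's or VirtualBox's own code): a ruleset for the requirements listed in the last post, allowing SSH in on 9955 and HTTP/HTTPS out while blocking everything else towards the 192.168.178.0/24 LAN. One caveat worth knowing before placing rules: VirtualBox's bridged adapter puts the guest's frames on the wire through its own filter driver (vboxnetflt) below the host's IP stack, so the host's INPUT and OUTPUT chains only ever see traffic addressed to or sent by the host itself, not guest-to-LAN traffic. A packet filter therefore has to live where it actually sees the guest's packets: inside the guest (this script) or on an upstream router/VLAN gateway, as discussed above. The LAN range, gateway address and SSH port are taken from the thread; that the guest resolves DNS via the gateway and obtains its address over DHCP are assumptions made for the example.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for the Ubuntu guest (defense in depth).
# Assumptions (not from the thread): DNS is served by the gateway, the guest
# gets its address via DHCP. The LAN 192.168.178.0/24, the gateway
# 192.168.178.1 and SSH port 9955 come from the last post of the thread.
#
# As subzero79 points out, an attacker with root on the guest can simply
# flush these rules; only enforcement outside the guest (a VLAN on a capable
# router) survives a full compromise. This ruleset just removes the easy path.

# guest_ruleset LAN_CIDR GATEWAY_IP SSH_PORT  -> prints iptables-restore input
guest_ruleset() {
    lan="$1"; gw="$2"; ssh_port="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, replies to flows we opened, and junk
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# inbound SSH on the port the router forwards to (source may be anywhere)
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only LAN destinations the guest may initiate to: DNS on the gateway, DHCP
-A OUTPUT -d $gw -p udp --dport 53 -j ACCEPT
-A OUTPUT -d $gw -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
# everything else aimed at the home LAN is logged and dropped (covers ping too)
-A OUTPUT -d $lan -j LOG --log-prefix "guest->lan blocked: "
-A OUTPUT -d $lan -j DROP
# what remains is non-LAN traffic: allow only web fetches
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

LAN="192.168.178.0/24"
GW="192.168.178.1"
SSH_PORT="9955"

# Usage:  sh guest-fw.sh          -> print the ruleset for review
#         sudo sh guest-fw.sh apply -> load it atomically with iptables-restore
if [ "${1:-show}" = "apply" ]; then
    guest_ruleset "$LAN" "$GW" "$SSH_PORT" | iptables-restore
else
    guest_ruleset "$LAN" "$GW" "$SSH_PORT"
fi
```

Rule order matters: the DNS and DHCP exceptions must precede the `-d $lan` drop, and the drop must precede the web allow, otherwise a web server on the LAN on port 80 or 443 would still be reachable. The LOG line gives you a `dmesg` trail of anything on the guest trying to reach the LAN, which is exactly the signal you want if the guest is ever compromised. To check the result from the guest, `ping 192.168.178.25` should now fail while `curl -I https://example.com` and an SSH connection via the router still work.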
