[Ed4: Oh well, NAT does work... then I'll just use that. Will deprave me of a few features, but whatever...]

Hi!

To simulate an ARP Spoofing attack, I'd like to build a virtual network with a route to the internet. However, any way I can come up with leaves the virtual machines isolated, and I'm wondering what is wrong with the virtual router.

Currently, there are three virtual machines, achieved by VirtualBox. The endpoints are a victim and an attacker running #! who are assigned their network data by DHCP. Their default route points to a third virtual machine with two virtual interfaces. On there, I'm running Slax Router, but I have tried with IPFire and pfSense as well and did not have more success. (Just like Slax Router best.)

The virtual interfaces of all the machines that are in the virtual network are created by assinging the adapters to "internal network" in VirtualBox. The interface that is supposed to connect to the world is a Virtualbox Host-Only Adapter that I bridged to my physical NIC. (Doesn't matter if I tell VirtualBox to use any other network mode, results are the same or worse. And this MUST be possible as there are enough tutorials describing that setup.)

The routes on the router are simple: Each local address range (10.169.23.x is virtual, 172.16.24.x is physical) is routed to their interfaces (eth1 and eth0, respectively), and the default route points to the default physical gateway. /proc/sys/net/ipv4/ip_forward is 1, iptables are flushed. Thus, if a packet arrived on eth1, destined for the physical network, it should be routed, right?

However, I can only ping the Host-Only adapter from my clients (so the router routes indeed), but not other physical machines. I'd say there is a problem with the bridge between the physical NIC and the virtual one, but the router can access the web just fine, so there must be something wrong internally that blocks off my clients.

But what?

I've been looking around for a long time, and I have not been able to find anything that'd answer my question. I'd be glad if someone could help me out here. I'm writing an article about the attack to cover for university, it's about due, and without practical evidence I can just as well leave it be.

So, thank you very much for any help.

Best regards,
David

Ed: A traceroute from the clients tells me the adapter that is bridged to the physical NIC is the first hop. Shouldn't that be the NIC that is on the purely virtual network?

Ed2: I cannot ping the virtual router's internal NIC from the host, but I can ping the external one that is bridged to my physical card. The clients can ping both virtual NICs of the virtual router, but not the physical NIC that one of them is bridged to. The router can ping anyone but the physical NIC, including the Internet. WTF?!

Ed3: The packets are just dropped. No complaints about "no route to host" or so.

If you use a bridged adapter, you can make the machines point to your router, thereby getting them in the same subnet and enabling them to communicate with each other.

If you select the bridged adapter, you may have to experiment with the "Advanced" below item to select which type of bridged adapter works with your setup.