LinuxQuestions.org > Linux - Networking > how to isolate VM in a home network
https://www.linuxquestions.org/questions/linux-networking-3/how-to-isolate-vm-in-a-home-network-4175680251/

pan64 08-11-2020 08:19 AM

how to isolate VM in a home network
 
Hi all,

I have an asus RT-AC86U router and a lot of devices connected (RPi, printer, laptop, tablet, whatever).
I have a local network 192.168.x.00 and also I have a debian host where virtualbox is installed and there is a lubuntu running in a VM.
What I want to achieve is: this lubuntu should reach the net without any limitation, but should not see any host on the local network. And actually I have no idea how or what I should configure.
So if you have an idea....

smallpond 08-11-2020 08:28 AM

Configure a guest network for the VM. You should be able to give it its own different subnet and isolate it from your home network.

pan64 08-11-2020 09:18 AM

I think that won't work. My debian host is wired and there is no wifi interface. Additionally the VM needs to use the same wire. The router only supports guest network on wifi (if I understand it well).

smallpond 08-11-2020 10:01 AM

Internal to the debian host you should have a virtual bridge. The debian host has an address on the home subnet, the VM will have an IP on the guest subnet. The bridge carries all traffic. My wi-fi router doesn't care whether hosts are connected to the wired or wi-fi connection, but maybe yours is different.

michaelk 08-11-2020 11:09 AM

NAT network virtual adapter is like a typical SOHO router, i.e. your LAN can't see the VMs but lets them communicate to the "outside" world, which also means they can access the LAN. About the only thing I can think of at the moment would be to run an additional VM as a firewall/router and use internal networking to connect them all together. Specific rules to block all but the gateway address may work.

If that does not work then using a DMZ should work, but setup depends on how Asus implements their DMZ. You might have to acquire a USB to ethernet adapter if the router uses a specific physical port, assuming you can add a wire to the network, which I guess is not an option.

https://www.virtualbox.org/manual/ch06.html
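
The "additional VM as a firewall/router with specific rules to block all but the gateway" idea above, worked out as an nftables policy. This is an added example, not code from the thread, from VirtualBox or from the Asus router; the interface names (wan0 bridged to the home LAN, lan0 on the VirtualBox internal network), the home subnet 192.168.1.0/24 with the router at 192.168.1.1, and the isolated subnet 10.99.0.0/24 are assumptions to be adjusted. The router exception is deliberately narrowed to DNS: accepting all ports to the gateway would expose the router's own admin UI to whatever runs in the sandbox. IPv4 private ranges and IPv6 ULA/link-local are dropped explicitly so that a bridged WAN side cannot leak sideways; new connections from the LAN toward the sandbox are never accepted, so the LAN cannot see the VM either.

```shell
#!/bin/sh
# Added example (not from the thread): nftables policy for a small Linux firewall VM
# sitting between the sandboxed Lubuntu VM (VirtualBox internal network) and the
# home LAN. Interface names, addresses and the gateway below are assumptions.
set -eu

FW_WAN_IF="${FW_WAN_IF:-wan0}"               # firewall NIC bridged to the home LAN
FW_LAN_IF="${FW_LAN_IF:-lan0}"               # firewall NIC on the VirtualBox internal network
HOME_GW="${HOME_GW:-192.168.1.1}"            # the Asus router; only its DNS is reachable
ISOLATED_NET="${ISOLATED_NET:-10.99.0.0/24}" # subnet of the internal network

# Emit the whole ruleset as text so it can be reviewed, diffed and syntax-checked
# (nft -c -f) before anything is loaded into the kernel.
gen_isolation_ruleset() {
  cat <<EOF
flush ruleset
table inet isolate {
  # Every private/link-local IPv4 range: the sandbox must never initiate traffic there.
  set private_ranges {
    type ipv4_addr
    flags interval
    elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 127.0.0.0/8 }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    # Manage the firewall VM from the home LAN side only; the sandbox side gets nothing.
    iifname "$FW_WAN_IF" tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Router exception, narrowed to DNS: opening every port would expose the
    # router's admin UI on $HOME_GW to the sandbox.
    iifname "$FW_LAN_IF" oifname "$FW_WAN_IF" ip daddr $HOME_GW udp dport 53 accept
    iifname "$FW_LAN_IF" oifname "$FW_WAN_IF" ip daddr $HOME_GW tcp dport 53 accept
    # Everything else on the LAN (and any other private range, v4 or v6) is dropped...
    iifname "$FW_LAN_IF" oifname "$FW_WAN_IF" ip daddr @private_ranges counter drop
    iifname "$FW_LAN_IF" oifname "$FW_WAN_IF" ip6 daddr { fc00::/7, fe80::/10 } counter drop
    # ...and the public Internet is open without restriction, as asked.
    iifname "$FW_LAN_IF" oifname "$FW_WAN_IF" accept
    # No rule accepts new WAN->LAN connections: the drop policy hides the sandbox from the LAN.
  }
}
table ip isolate_nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$FW_WAN_IF" ip saddr $ISOLATED_NET masquerade
  }
}
EOF
}

# Dry-run the ruleset for syntax errors, load it, and enable forwarding.
# Needs root and the nft binary on the firewall VM.
apply_isolation_ruleset() {
  tmp=$(mktemp)
  gen_isolation_ruleset >"$tmp"
  nft -c -f "$tmp"
  nft -f "$tmp"
  rm -f "$tmp"
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# "sh isolate.sh" prints the ruleset for review; "sh isolate.sh apply" loads it.
if [ "${1:-}" = "apply" ]; then
  apply_isolation_ruleset
else
  gen_isolation_ruleset
fi
```

Rule order matters: the private-range drop has to sit before the catch-all accept, which is why the script emits the ruleset as text first, so `nft -c -f` and a quick `grep -n` can confirm the order before it is loaded. The sandbox VM itself only needs a static address in 10.99.0.0/24 with the firewall's lan0 address as default gateway and 192.168.1.1 as resolver.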

Aeterna 08-11-2020 01:54 PM

Quote:

Originally Posted by pan64 (Post 6154769)
I think that won't work. My debian host is wired and there is no wifi interface. Additionally the VM needs to use the same wire. The router only supports guest network on wifi (if I understand it well).

Actually what smallpond suggests works for me:

host wire connected to LAN with other devices
VM client virtual wire connected to VPN. VM client has only VPN info in resolv.conf
In the end VM client is completely separated from the LAN (including VM host).
I can make VM client to see LAN by adding extra NIC if that is needed.

frankbell 08-11-2020 07:39 PM

VirtualBox defaults to a NAT connection for the VM. With NAT, your VM will not see the local network and the devices on the local network will not see the VM.

With a bridged adapter, the VM will be within your local subnet.

https://www.virtualbox.org/manual/ch06.html#network_nat

pan64 08-12-2020 05:14 AM

unfortunately I cannot associate a subnet to the guest network, there is no such option on this router.
(This is Asus RT-AC68U, not AC86U - mistyped)

michaelk 08-12-2020 05:20 AM

With a NAT adapter the VM can see the LAN but the LAN can not see the VM.

pan64 08-12-2020 05:28 AM

yes, you are right. But I can still (for example) ssh from the VM into anywhere, which I want to block. Also I want to block any other port/protocol.
The only exception is the router/gateway.

michaelk 08-12-2020 05:40 AM

My test network is all virtual. I have a VM running pfsense and several VMs using host only connecting to it for the LAN side. A bridge adapter for the WAN side connects to my LAN. I don't have access to the computer at the moment to try adding a rule to see if it works...
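
The two-VM layout described in this post, and in the earlier "additional VM as a firewall/router" suggestion, expressed as VirtualBox configuration plus a check that the sandbox really has no other way out. This is an added example, not the poster's setup and not VirtualBox's own tooling: it uses a plain Linux firewall VM rather than pfsense, an internal network (VirtualBox "intnet") rather than host-only so that the Debian host itself stays out of reach, and the VM names (fw, lubuntu), the host NIC (enp3s0) and the internal-network name (isolated) are assumptions. The VBoxManage option spellings follow the 6.x manual; the sample showvminfo output is constructed for offline use, not captured from a real VM.

```shell
#!/bin/sh
# Added example (not from the thread): wire two VirtualBox VMs into the
# "firewall VM + internal network" layout and verify the sandbox VM has no
# other path out. VM names, the host NIC and the intnet name are assumptions.
set -eu

HOST_IF="${HOST_IF:-enp3s0}"           # Debian host's wired NIC on the home LAN
FW_VM="${FW_VM:-fw}"                   # small Linux VM that runs the firewall policy
SANDBOX_VM="${SANDBOX_VM:-lubuntu}"    # the VM that must only see the Internet
INTNET="${INTNET:-isolated}"           # VirtualBox internal network shared by the two

# The VBoxManage commands for the topology (printed for review; "apply" runs them).
# Option names as in the VirtualBox 6.x manual (assumption for other versions).
vbox_topology_commands() {
  cat <<EOF
VBoxManage modifyvm "$FW_VM" --nic1 bridged --bridgeadapter1 "$HOST_IF"
VBoxManage modifyvm "$FW_VM" --nic2 intnet --intnet2 "$INTNET"
VBoxManage modifyvm "$SANDBOX_VM" --nic1 intnet --intnet1 "$INTNET"
VBoxManage modifyvm "$SANDBOX_VM" --nic2 none --nic3 none --nic4 none
VBoxManage modifyvm "$SANDBOX_VM" --clipboard disabled --draganddrop disabled
EOF
}

# Read "VBoxManage showvminfo <vm> --machinereadable" on stdin and succeed only
# if every enabled NIC sits on the expected internal network. A leftover NAT or
# bridged adapter is a path around the firewall and is reported on stdout.
sandbox_nics_isolated() {
  awk -F= -v want="$1" '
    /^nic[0-9]+=/    { n = substr($1, 4); gsub(/"/, "", $2); mode[n] = $2 }
    /^intnet[0-9]+=/ { n = substr($1, 7); gsub(/"/, "", $2); net[n]  = $2 }
    END {
      bad = 0; enabled = 0
      for (n in mode) {
        if (mode[n] == "none" || mode[n] == "null") continue
        enabled++
        if (mode[n] != "intnet" || net[n] != want) {
          bad++; printf "nic%s leaks: %s %s\n", n, mode[n], net[n]
        }
      }
      if (enabled == 0) { print "no enabled NIC at all"; bad++ }
      exit bad ? 1 : 0
    }'
}

# Constructed samples of showvminfo --machinereadable output (not captured from a
# real VM): one correctly isolated, one with a forgotten NAT adapter.
sample_showvminfo() {
  printf '%s\n' 'name="lubuntu"' \
    'nic1="intnet"' 'intnet1="isolated"' 'cableconnected1="on"' \
    'nic2="none"' 'nic3="none"' 'nic4="none"'
}
sample_showvminfo_leaky() {
  printf '%s\n' 'name="lubuntu"' \
    'nic1="intnet"' 'intnet1="isolated"' \
    'nic2="nat"' 'nic3="none"'
}

if [ "${1:-}" = "apply" ]; then
  vbox_topology_commands | sh -e
  VBoxManage showvminfo "$SANDBOX_VM" --machinereadable | sandbox_nics_isolated "$INTNET"
else
  vbox_topology_commands
  sample_showvminfo | sandbox_nics_isolated "$INTNET" && echo "sample config: isolated"
fi
```

The check is worth re-running after any VM edit: VirtualBox's GUI defaults a new adapter to NAT, and a single NAT adapter left enabled gives the sandbox the host's LAN view that the NAT discussion in this thread describes. Shared folders and guest-additions clipboard are further side channels to the host, so the example also disables clipboard and drag-and-drop.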

wpeckham 08-12-2020 05:50 AM

Use bridged network adapter and set up the network manually on your internal network. Do NOT define a default route.
Now the virtual machine can see, and be seen by, your entire internal network but it cannot reach outside of your internal network because it has no route to the rest of the world.
simple.

pan64 08-12-2020 08:19 AM

Quote:

Originally Posted by wpeckham (Post 6155108)
Use bridged network adapter and set up the network manually on your internal network. Do NOT define a default route.
Now the virtual machine can see, and be seen by, your entire internal network but it cannot reach outside of your internal network because it has no route to the rest of the world.
simple.

This is exactly the opposite. I want to hide everything but the router and the outer net/space from the VM.
Imagine, I want to do (examine?) strange things inside this VM, but I want to protect all my home network.

pan64 08-12-2020 08:25 AM

Quote:

Originally Posted by michaelk (Post 6155104)
My test network is all virtual. I have a VM running pfsense and several VMs using host only connecting to it for the LAN side. A bridge adapter for the WAN side connects to my LAN. I don't have access to the computer at the moment to try adding a rule to see if it works...

I'm afraid I do not really understand this. Does it mean a second VM (running pfsense)?
I was thinking about an additional bridge, but I can't really see the full picture.

smallpond 08-12-2020 09:00 AM

I don't think you can do this with the ASUS RT-AC68U. It has a DMZ setup that can put specific device ports on the public internet, but I don't think the rest of your LAN will be hidden from the VM. It doesn't look safe to me.

https://www.asus.com/support/FAQ/1011723/

