LinuxQuestions.org
Old 08-11-2020, 08:19 AM   #1
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 15,435

Rep: Reputation: 5066
how to isolate VM in a home network


Hi all,

I have an asus RT-AC86U router and a lot of devices connected (RPi, printer, laptop, tablet, whatever).
I have a local network 192.168.x.00 and also I have a debian host where virtualbox is installed and there is a lubuntu running in a VM.
What I want to achieve is: this lubuntu should reach the net without any limitation, but should not see any host on the local network. And actually I have no idea what I should configure, or how.
So if you have an idea....
 
Old 08-11-2020, 08:28 AM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 & 7
Posts: 3,435

Rep: Reputation: 922
Configure a guest network for the VM. You should be able to give it its own different subnet and isolate it from your home network.
 
Old 08-11-2020, 09:18 AM   #3
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 15,435

Original Poster
Rep: Reputation: 5066
I think that won't work. My debian host is wired and there is no wifi interface. Additionally the VM needs to use the same wire. The router only supports guest network on wifi. (if I understand it well).
 
Old 08-11-2020, 10:01 AM   #4
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 & 7
Posts: 3,435

Rep: Reputation: 922
Internal to the debian host you should have a virtual bridge. The debian host has an address on the home subnet, the VM will have an IP on the guest subnet. The bridge carries all traffic. My wi-fi router doesn't care whether hosts are connected to the wired or wi-fi connection, but maybe yours is different.
 
Old 08-11-2020, 11:09 AM   #5
michaelk
Moderator
 
Registered: Aug 2002
Posts: 20,555

Rep: Reputation: 3598
NAT network virtual adapter is like a typical SOHO router, i.e. your LAN can't see the VMs but lets them communicate to the "outside" world, which also means they can access the LAN. About the only thing I can think of at the moment would be to run an additional VM as a firewall/router and use internal networking to connect them all together. Specific rules to block all but the gateway address may work.

If that does not work then using a DMZ should work but setup depends on how Asus implements their DMZ. You might have to acquire a USB to ethernet adapter if the router uses a specific physical port assuming you can add a wire to the network which I guess is not an option.

https://www.virtualbox.org/manual/ch06.html

Last edited by michaelk; 08-11-2020 at 11:11 AM.
 
Old 08-11-2020, 01:54 PM   #6
Aeterna
Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 364

Rep: Reputation: Disabled
Quote:
Originally Posted by pan64
I think that won't work. My debian host is wired and there is no wifi interface. Additionally the VM needs to use the same wire. The router only supports guest network on wifi. (if I understand it well).
Actually what smallpond suggests works for me:

host wire connected to LAN with other devices
VM client virtual wire connected to VPN. VM client has only VPN info in resolv.conf
In the end VM client is completely separated from the LAN (including VM host).
I can make the VM client see the LAN by adding an extra NIC if that is needed.
 
Old 08-11-2020, 07:39 PM   #7
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 16,685
Blog Entries: 27

Rep: Reputation: 5065
VirtualBox defaults to a NAT connection for the VM. With NAT, your VM will not see the local network and the devices on the local network will not see the VM.

With a bridged adapter, the VM will be within your local subnet.

https://www.virtualbox.org/manual/ch06.html#network_nat
 
Old 08-12-2020, 05:14 AM   #8
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 15,435

Original Poster
Rep: Reputation: 5066
Unfortunately I cannot associate a subnet to the guest network, there is no such option on this router.
(This is Asus RT-AC68U, not AC86U - mistyped)
 
Old 08-12-2020, 05:20 AM   #9
michaelk
Moderator
 
Registered: Aug 2002
Posts: 20,555

Rep: Reputation: 3598
With a NAT adapter the VM can see the LAN but the LAN can not see the VM.
 
Old 08-12-2020, 05:28 AM   #10
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 15,435

Original Poster
Rep: Reputation: 5066
Yes, you are right. But I can still (for example) ssh from the VM into anywhere, which I want to block. Also I want to block any other port/protocol.
The only exception is the router/gateway.
 
Old 08-12-2020, 05:40 AM   #11
michaelk
Moderator
 
Registered: Aug 2002
Posts: 20,555

Rep: Reputation: 3598
My test network is all virtual. I have a VM running pfsense and several VMs using host only connecting to it for the LAN side. A bridge adapter for the WAN side connects to my LAN. I don't have access to the computer at the moment to try adding a rule to see if it works...
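
The layout from posts #5 and #11 (a router VM between an internal network and the bridged LAN) with the filtering asked for in #10, as an added example that is not part of any post in this thread. It swaps pfSense for a plain Linux router VM using nftables; the interface names, the 10.99.0.0/24 lab subnet and the 192.168.1.1 gateway address are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: rule set for a dedicated Linux router VM (load with `nft -f <file>`).
# Assumed names and addresses (not from the thread):
#   enp0s3  bridged adapter on the home LAN (the "WAN" side of this VM)
#   enp0s8  VirtualBox internal network shared only with the lab VM
# The router VM also needs net.ipv4.ip_forward=1, and the lab VM uses
# 10.99.0.1 (this VM's enp0s8 address) as its default route.
flush ruleset

define WAN_IF  = "enp0s3"
define LAB_IF  = "enp0s8"
define LAB_NET = 10.99.0.0/24
define HOME_GW = 192.168.1.1

table inet labfw {
    chain input {
        # Traffic addressed to the router VM itself. Nothing new is accepted
        # from either side; manage this VM from the VirtualBox console.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
    }

    chain forward {
        # Default drop also covers IPv6, so the lab VM has no IPv6 path out.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # The single LAN exception: the home router/gateway address.
        iifname $LAB_IF oifname $WAN_IF ip daddr $HOME_GW accept

        # Every other private or link-local destination is counted, logged, dropped.
        iifname $LAB_IF ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } counter log prefix "lab-to-lan: " drop

        # What remains is Internet-bound traffic from the lab subnet.
        iifname $LAB_IF oifname $WAN_IF ip saddr $LAB_NET accept
    }
}

table ip labnat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide the lab subnet behind the router VM's LAN address.
        oifname $WAN_IF ip saddr $LAB_NET masquerade
    }
}
```

The counter on the drop rule (visible with `nft list ruleset`) and the `lab-to-lan:` log prefix record any attempt from the lab VM to reach a LAN address.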
 
Old 08-12-2020, 05:50 AM   #12
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,470

Rep: Reputation: 1510
Use bridged network adapter and set up the network manually on your internal network. Do NOT define a default route.
Now the virtual machine can see, and be seen by, your entire internal network but it cannot reach outside of your internal network because it has no route to the rest of the world.
Simple.
 
Old 08-12-2020, 08:19 AM   #13
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 15,435

Original Poster
Rep: Reputation: 5066
Quote:
Originally Posted by wpeckham
Use bridged network adapter and set up the network manually on your internal network. Do NOT define a default route.
Now the virtual machine can see, and be seen by, your entire internal network but it cannot reach outside of your internal network because it has no route to the rest of the world.
Simple.
This is exactly the opposite. I want to hide everything but the router and the outer net/space from the VM.
Imagine, I want to do (examine?) strange things inside this VM, but I want to protect all my home network.

Last edited by pan64; 08-12-2020 at 08:27 AM.
 
Old 08-12-2020, 08:25 AM   #14
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 15,435

Original Poster
Rep: Reputation: 5066
Quote:
Originally Posted by michaelk
My test network is all virtual. I have a VM running pfsense and several VMs using host only connecting to it for the LAN side. A bridge adapter for the WAN side connects to my LAN. I don't have access to the computer at the moment to try adding a rule to see if it works...
I'm afraid I do not really understand this. Does it mean a second VM (running pfsense)?
I was thinking about an additional bridge, but I can't really see the full picture.
 
Old 08-12-2020, 09:00 AM   #15
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 & 7
Posts: 3,435

Rep: Reputation: 922
I don't think you can do this with the ASUS RT-AC68U. It has a DMZ setup that can put specific device ports on the public internet, but I don't think the rest of your LAN will be hidden from the VM. It doesn't look safe to me.

https://www.asus.com/support/FAQ/1011723/
 
  


All times are GMT -5. The time now is 05:34 PM.
