[SGVLUG] VirtualBox networking question

Dan Buthusiem dan.buthusiem at gmail.com
Thu Jun 7 06:32:33 PDT 2012


Got it. I'm still thinking of a way to do it without bothering anyone else,
and without doing anything to cause issues on the network.

With your current scenario, your web server guest, which is bridged, will
get an IP that is on the same subnet as your host, because it is physically
connected to the same network. Your client guest, even though it is NATted,
will always look like it's on the same subnet, because it will use its
gateway's external IP, which is the IP your host uses. That NAT is the same
as your home connection in that internet web servers don't see you as
192.168.1.100, but as your IP that your gateway gets on its WAN side from
your ISP.

If your company is big enough to have more than one subnet for employee
access, you could ask your network admin for access to that second employee
VLAN. There's a way the net admin could trunk you 2 VLANs if you have only
1 port, but I've never actually tested my computer's 802.1Q VLAN tagging
support, which means it might get messy for you to actually use that trunk.

Try this - bridge your client, then assign a manual IP.

Using your earlier example IPs:

192.168.200.1 IP
255.255.255.255 mask
129.1.2.1 gateway, or whatever IP your host gets from DHCP.

This way, your client has a network of itself, but forwards all traffic to
your gateway for internet access. Not sure if the return traffic from your
web server will route back to your rogue IP, though.

On Jun 7, 2012 1:15 AM, "Claude Felizardo" <cafelizardo at gmail.com> wrote:

> Yes, I'm using VirtualBox and I'm trying to figure out how to configure a
> guest such that it can not see the subnet that my host is on.
>
> My host has a class B IP address.  Let's use 129.1.2.3 for example.  Not
> sure of the subnet mask, it might be something like 255.255.255.0.  Not
> sure.
>
> Let's also assume there is an internal web server with address 129.1.2.2
> so it's in the same subnet.  This webserver is configured to allow machines
> on the same subnet complete access but if a machine outside tries to
> access, it might be configured to block access or it might prompt the
> browser for a web username/password.
>
> Normally a guest VM will use NAT by default with DHCP so it will get
> a private IP of like 10.0.0.5 for example.  All connections from the VM
> will go out using my 129.1.2.3 IP so as far as the webserver is concerned,
> it's coming from my host machine so it will allow access.
>
> Now I want to configure a guest VM so that it looks like it's coming from
> another subnet and have the webserver reject the connection.  Again, I
> don't have admin rights on the webserver, routers, nothing.  Only my own
> desktop.
>
> What I was able to do was create yet another guest VM but configure the
> network adapter to use bridge mode.  I'm still using DHCP but I changed the
> MAC address and when it first came up, a DHCP server somewhere gave it an
> address of like 129.1.4.5.  The last two octets were not the same as my
> host so it was on a different subnet and when I tried to access the
> internal webservers, I got no response but I was still able to access
> google.com and I'm pretty sure I tried other external websites.
>
> However when i tried to reproduce the test, every time I try, the VM
> either gets an IP on the same subnet (a local DHCP server perhaps?) or it
> can't get a valid IP.  I've tried this with the VM running WinXP, Win7 and
> Ubuntu.
>
> Now I don't know how the web servers on the same subnet are configured so
> I don't know if they just drop packets from outside the subnet or if they
> are supposed to return some kind of error.  So maybe the routing was broken
> and maybe when I went to google, I was getting a cached result?
>
> The last thing I tried was Ubuntu and I was trying to change the default
> gateway to be a node I saw when I ran traceroute that looked like it was a
> border router but I ran out of time and had to leave.
>
> Claude
>
>
>
> On Wed, Jun 6, 2012 at 10:38 PM, Dan Buthusiem <dan.buthusiem at gmail.com> wrote:
>
>> You're using virtualbox, right? Would you be able to draw me a picture? I
>> thought you wanted the guest1 (server) and guest2 (client?) to be
>> completely off in their own little world.
>> On Jun 6, 2012 6:19 PM, "Claude Felizardo" <cafelizardo at gmail.com> wrote:
>>
>>> Hey guys, sorry it took a while to get back to this.  I had to move back
>>> to my cubicle office after temporarily moving to another office with a real
>>> window while they did some minor construction then I had a couple of other
>>> things that took priority for a while...
>>>
>>> Anyway, I finally got a chance to look at this and got it working.  The
>>> key as Matthew pointed out was to set the adapter type to "Bridged" instead
>>> of the default "NAT".  I'm doing this at work so I can't just assign
>>> "random" IPs nor can I muck with the firewall or routers.
>>>
>>> So I've got two virtual machines, both are configured for DHCP and use
>>> the live ethernet device as my desktop.   The difference is the VM with
>>> NAT, even though it has a 10.0.x.x address, it looks like it's coming from
>>> my desktop so it can access machines on the local subnet as my desktop.
>>>  The other VM with the bridged adapter has an IP from a DHCP server from
>>> outside the subnet so it can NOT access things that are restricted to
>>> project internal machines only which is exactly what I wanted.
>>>
>>> I did not have to make any funny cables, use any proxy servers or
>>> external machines nor did I have to create a VM to act as some kind of
>>> server.
>>>
>>>   Not sure if changing the MAC address made a difference.
>>>
>>> Actually, strike that.  I'm having a problem trying to reproduce this.
>>>  Looks like it really depends on which DHCP server responds to determine if I
>>> can see the restricted servers or not.  Could be that the DHCP servers are
>>> getting tired of my asking for a new IP over and over?  Or perhaps it's the
>>> winxp and win7 machines that are getting tired of being yanked around.  I'm
>>> currently installing Ubuntu, we'll see how that goes...
>>>
>>> Nope, I installed the latest Ubuntu and it looks like the local DHCP
>>> server gave me an IP on the same subnet.  Rats.
>>>
>>> Claude
>>>
>>>
>>>
>>> On Fri, May 25, 2012 at 9:04 AM, Matthew Campbell <dvdmatt at gmail.com> wrote:
>>>
>>>> Yes, it's fairly easy to set this up in VB.
>>>>
>>>> You can even set it up through DHCP if you are a masochist ;)
>>>>
>>>> Matt
>>>>
>>>> - Put the VB Vnetwork NIC in bridge mode
>>>> - Assign it a unique MAC address
>>>> - Configure DHCP to assign an outside IP address to that MAC (or hard
>>>> code it, much easier)
>>>> - Configure your router to route that 1 address to the big bad world in
>>>> addition to its current nets.
>>>> - easy peasy
>>>> On May 24, 2012 8:13 PM, "nopbin at gmail.com" <nopbin at gmail.com> wrote:
>>>>
>>>>> With constraints as described, Virtualbox is not going to get you an
>>>>> ip address outside your firewall.  Best bet is to use an aws node or
>>>>> something like that if you don't have wired or wireless access to an
>>>>> external network.
>>>>> On May 24, 2012 7:57 PM, "Claude Felizardo" <cafelizardo at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> I believe there are a couple of people on this mailing list who are
>>>>>> using VirtualBox or equiv...
>>>>>>
>>>>>> Has anyone set up a VirtualBox guest machine so it can access the
>>>>>> internet but can not access the host's local network?  Basically create a
>>>>>> network sandbox.
>>>>>>
>>>>>> For example, let's say I want to verify that an internal web server
>>>>>> can NOT be accessed from the internet yet I want to be able to access it
>>>>>> from my desktop and I don't have access to a machine outside my network to
>>>>>> test from.  So using VirtualBox, I created a virtual machine running
>>>>>> Ubuntu.  When I bring up a browser, I'm able to access a web server as if I
>>>>>> was connecting directly from my desktop.  I want to configure this virtual
>>>>>> machine so it has an IP address outside my local network.
>>>>>>
>>>>>> Any suggestions?  Tried googling but either it can't do it or I'm
>>>>>> just not using the right keywords.
>>>>>>
>>>>>> Claude
>>>>>>
>>>>>>
>>>>>>
>>>
>
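
The guest setups discussed in this thread (NAT, bridged with a DHCP lease, and bridged with the manual 192.168.200.1 / 255.255.255.255 address), modelled from the web server's side as an added example that is not part of the original messages. The /24 server subnet, the 129.1.4.1 gateway for the DHCP lease, the 129.1.2.77 lease and the `evaluate` helper are assumptions made for illustration.

```python
import ipaddress

# Assumption: the thread only says the mask "might be something like 255.255.255.0".
SERVER_SUBNET = ipaddress.ip_network("129.1.2.0/24")  # subnet the web server trusts
HOST_IP = ipaddress.ip_address("129.1.2.3")           # desktop running VirtualBox

def evaluate(mode, guest_if=None, gateway=None):
    """Describe one guest setup as the web server at 129.1.2.2 would see it.

    mode     -- "nat" or "bridged"
    guest_if -- guest address and mask, e.g. "129.1.4.5/24" (bridged only)
    gateway  -- default gateway configured in the guest (bridged only)
    """
    if mode == "nat":
        # VirtualBox NAT rewrites the guest's private source to the host's IP.
        source = HOST_IP
        gateway_on_link = True  # the host already reaches its own gateway
    else:
        iface = ipaddress.ip_interface(guest_if)
        source = iface.ip       # bridged frames keep the guest's own address
        # A gateway outside the interface's network needs an explicit
        # on-link (host) route before a default route can point at it.
        gateway_on_link = ipaddress.ip_address(gateway) in iface.network
    internal = source in SERVER_SUBNET
    return {
        "source_seen": str(source),
        "treated_as_internal": internal,
        "gateway_on_link": gateway_on_link,
        # Replies to a source outside the server's subnet are handed to the
        # server's router and only return if that router has a route for it.
        "reply_via_router": not internal,
    }

# Hypothetical scenario table; addresses not in the thread are marked constructed.
SCENARIOS = {
    "NAT guest (10.0.0.5 behind the host)": ("nat", None, None),
    "bridged, DHCP lease 129.1.4.5": ("bridged", "129.1.4.5/24", "129.1.4.1"),
    "bridged, DHCP lease on host subnet": ("bridged", "129.1.2.77/24", "129.1.2.1"),  # constructed
    "bridged, manual address from Dan's reply":
        ("bridged", "192.168.200.1/255.255.255.255", "129.1.2.1"),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(f"{name}: {evaluate(*args)}")
```
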