nolehce Posted ... I thought I would pose this question here, as I cannot find a clean answer searching online. I run AirVPN via my Tomato router and it works great. I have a computer on my LAN that serves as the host for a VirtualBox guest VM that runs my torrent client. Both the host computer and the guest VM run Windows 7. I would like the guest VM to have Internet access only, with no access at all to either the host computer or the rest of the LAN. Does anyone know how I would do that? Much thanks!
OpenSourcerer Posted ... Which virtualization software do you use?
zentec Posted ... Your question seems ambiguous as to what you mean by "internet access". Is that via the OpenVPN connection to Airvpn.org, or is that via your ISP? I will make the assumption that you want to limit access to via AirVPN, because I do something similar. My virtual machine is limited in its ability to connect to the local network (it can only accept connections from certain machines in the network) and it can only access the internet through AirVPN. All of these restrictions are set in place not in the VM, but in the router. If AirVPN drops, the VM has no access to the internet. How? I would use your router that runs Tomato. You will have to divide your network so that the VM has to route everything through your router to get anywhere. Once it can't get anywhere without having its packets routed, then you can use your router to set rules. Allow and block based upon MAC address and IP address and you should be able to isolate your VM as you wish. The whole concept is that your VM is on a network that *has* to have the router make the decisions on what to do with the traffic. That means if your router address is 192.168.1.1 with a netmask of 255.255.255.0, your VM cannot have a 192.168.1.X address with a netmask of 255.255.255.0. If this is a new concept for you, start reading on basic routing, subnetting and perhaps 802.1Q VLANs. Your Tomato router does VLANs; that could also be helpful.
nolehce Posted ... VirtualBox. But I am open to using whatever will accomplish the goal.
nolehce Posted ... Yes, I already have that set up. The Tomato router is locked down to AirVPN using iptables rules. Once the connection to AirVPN terminates, so does Internet access. That applies to all the machines on the network, since all are behind the router. What I would like to do differently on the VM is prevent the VM from accessing the local network. The VM has Internet access (AirVPN via the Tomato router); I just want to prevent the VM from accessing other computers on the LAN. I'm looking for the most secure, expedient way of doing that.
Staff Posted ... Hello, if the VM is attached to the host in "bridge mode", you can run a firewall in the VM dropping outgoing packets to any local address except your router address and (if you need DHCP) 255.255.255.255. If the VM is attached to the host via NAT, in addition to the above option you can alternatively run a firewall on the host dropping packets from the VM to any local address except the router and the host machine address. Kind regards
nolehce Posted ... Excellent, thank you for the reply! I did not want to control this via a firewall within the VM itself, as the reason I want to secure the VM from the local network is in case the VM gets hacked. I will be using the VM to test suspect programs; the VM needs Internet access but needs to be barred from accessing either the host PC or the LAN. So I guess that leaves me with attaching the VM as NAT and using Comodo firewall on the host, as you indicated above. I was hoping to somehow do this on the Tomato router with iptables, but this should work just fine. I will muck around with Comodo and figure that part out, and report back once I know whether it is working or not.
Staff Posted ... Hello! With the VM attached to the host via NAT, the host machine running Comodo and OpenVPN running on the Tomato router, there's an ultra-fast solution (with a side effect, though). You can just use Application Rules for the virtualization software process (for example virtualbox.exe) to block any packet to devices in your local network (except the router, of course). The side effect is that this block will affect all the VMs you run in the host through the same virtualization software process. Kind regards
nolehce Posted ... That works for me! I only use this one VM anyhow. If I ever needed to use another VM I could disable the rule, as I would never run this VM at the same time anyway. I have set this up as suggested and it works fine: access to the LAN is now denied on the VM and Internet access works normally. The only thing is, the VM can still ping devices on the LAN. It cannot view their file shares, but it can ping them. If I also block the router address, there is no more pinging machines on the LAN, but of course no more Internet access either. Is there some way to also block pings?
nolehce Posted ... Also, before, when I attached the VM in "bridged mode" my AirVPN port forwarding worked fine. But now that I have it attached as "NAT" I get this error when running the AirVPN forwarded port check: "Error : 113 - No route to host". But when I check the active connections in Comodo firewall inside the VM I see connections to Vuze peers on that same forwarded port, so it definitely appears to be working. The VM traffic goes across AirVPN, and drops when AirVPN drops per iptables, so I know it is not going to the Internet directly.
Staff Posted ... Hello! About the ping: you have probably blocked only TCP and/or UDP in the Application Rules. To solve the issue, please either block IP, which includes ICMP, or add rules to block ICMP. In order to forward a port to the VM you need to build a DNAT on the router AND forward the port(s) on the host machine's virtualization software NAT to the guest. On the host machine just forward the appropriate ports through the relevant virtualization software options, while on Tomato have a look at our guide in the "How-To" section: https://airvpn.org/topic/9270-how-to-forward-ports-in-dd-wrt-tomato-with-iptables Kind regards
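The router-side variant nolehce wished for (zentec's separate-subnet approach, so the VM's traffic must pass the router's FORWARD chain) together with the two halves of the port forward described in the last reply, as an added example that is not from the thread or from AirVPN. The subnet, addresses, tunnel interface name, port and VM name are all assumptions; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread or AirVPN: router-side isolation of a VM
# subnet plus the port forward. All addresses, interface and VM names are assumptions.
VM_NET="192.168.2.0/24"    # assumed: separate subnet/VLAN for the VM (zentec's point)
VM_IP="192.168.2.10"       # assumed: VM address, or the host address if VirtualBox NAT is used
LAN_NET="192.168.1.0/24"   # assumed: the normal LAN that the VM must not reach
VPN_IF="tun11"             # assumed: Tomato's OpenVPN client interface
FWD_PORT="12345"           # placeholder: the port AirVPN forwards to you
VM_NAME="torrent-vm"       # placeholder: VirtualBox VM name (host side only)
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands, 0 = execute them

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Traffic from the VM subnet is dropped towards the LAN and must leave via the
# tunnel. The rules match all IP, so ICMP ping to LAN hosts is dropped as well.
vm_isolation_rules() {
  run iptables -N VM_ISOLATE
  run iptables -A VM_ISOLATE -d "$LAN_NET" -j DROP
  run iptables -A VM_ISOLATE ! -o "$VPN_IF" -j DROP
  run iptables -I FORWARD -s "$VM_NET" -j VM_ISOLATE
}

# Router half of the port forward: DNAT the forwarded port arriving on the
# tunnel to the VM (or to the host, when VirtualBox NAT sits in between).
vpn_port_forward() {
  for proto in tcp udp; do
    run iptables -t nat -A PREROUTING -i "$VPN_IF" -p "$proto" --dport "$FWD_PORT" \
      -j DNAT --to-destination "$VM_IP"
    run iptables -I FORWARD -i "$VPN_IF" -p "$proto" -d "$VM_IP" --dport "$FWD_PORT" -j ACCEPT
  done
}

# Host half when the VM uses VirtualBox NAT: VirtualBox must forward the port
# from the host to the guest too (run on the host while the VM is powered off).
host_nat_forward() {
  for proto in tcp udp; do
    run VBoxManage modifyvm "$VM_NAME" --natpf1 "airvpn-$proto,$proto,,$FWD_PORT,,$FWD_PORT"
  done
}

# Dry run: review the generated commands, then run the router functions on the
# router and host_nat_forward on the host with DRY_RUN=0.
vm_isolation_rules; vpn_port_forward; host_nat_forward
```

The VM_ISOLATE chain falls through to Tomato's own FORWARD rules for traffic that is neither LAN-bound nor leaving outside the tunnel, so the router's existing AirVPN lock-down still applies.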