# Virtualbox NAT and host network separation



## Deleted member 45312 (Nov 7, 2015)

Dear FreeBSD users,

I am running FreeBSD 10.1-RELEASE as a host for emulators/virtualbox and created a guest with Kali Linux for security testing purposes. The guest has networking configured with the default VirtualBox NAT (IP: 10.0.2.15, GW: 10.0.2.2).
My host's local network IP is 192.168.0.10 and my internet gateway is 192.168.0.1.
I tried to run a security/nmap scan from the Kali Linux guest on my local network address range 192.168.0.0/24, and the scan sees all my local network hosts with their open ports.
Is that a normal situation with VirtualBox NAT? I thought that the guest OSes could not see my local network and the hosts connected to it. I am also running Windows XP as a guest OS and this is scaring me.
Is it possible to have the guest OS not see my local network?

Help appreciated...


----------



## kpa (Nov 7, 2015)

That's completely normal because from the guest you have unrestricted outgoing connectivity (NAT only hides the guest network from incoming traffic), and that includes the next connected network, which is your local network 192.168.0.0/24. Tighten up your firewall if you have one running on the system to restrict access.


----------



## Deleted member 45312 (Nov 7, 2015)

> Tighten up your firewall if you have one running on the system to restrict access.

kpa, thank you for this clarification. I haven't got any firewall on the host running emulators/virtualbox, only on my gateway. I will try that.


----------



## Deleted member 45312 (Nov 7, 2015)

I am running the PF firewall now, but how could I block traffic coming from VirtualBox guests and going out from my host?


----------



## Deleted member 45312 (Nov 7, 2015)

Perhaps I should use bridged networking on my host running VirtualBox?


----------



## kpa (Nov 7, 2015)

Right, there is a problem, and that is that VirtualBox NATs to the external address of the host using some nonstandard methods and the internal guest network addresses are not visible to the packet filter. I think you can solve that by changing the network to a host-only network that will be visible on the host (as vboxnet0 and so on) and then do the usual NAT with PF and also do packet filtering on the host-only network addresses. I can't test this myself because I don't have a FreeBSD system with VirtualBox installed at the moment.


----------



## Deleted member 45312 (Nov 8, 2015)

kpa said:

> I think you can solve that by changing the network to a host-only network that will be visible on the host (as vboxnet0 and so on) and then do the usual NAT with PF and also do packet filtering on the host-only network addresses.

Tried that, but it didn't work out.


----------



## kpa (Nov 8, 2015)

It should work. Make sure you have gateway_enable="YES" in /etc/rc.conf, that you're NATing properly in your PF configuration, and that the filter rules allow traffic from the host-only network. The vboxnet interface is just another interface for PF.


----------



## Deleted member 45312 (Nov 9, 2015)

kpa,

Guests can talk among themselves, but can't see the outside world.
The gateway is enabled on my host.
The vboxnet0 interface appears only when I start a guest, so I restart PF after having launched my guest.

Here is my /etc/pf.conf:

```
localnet  = "192.168.0.0/24"
vboxguests = "192.168.56.0/24"
myhost  = "192.168.0.10"
vbox_winxp = "192.168.56.101"

ext_if  = "re0"  # macro for external interface
vbox_vif  = "vboxnet0" # Virtualbox virtual network interface

client_out = "{ ssh, domain, pop3s, imaps, submission, http, https, xmpp-client, 7777, whois, ircd, 11371 }"
guests_client_out = "{ domain, http, https }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

# Don't send rejections. Just drop.
set block-policy drop

# Exempt the loopback interface to prevent services utilizing the
# local loop from being blocked accidentally.
set skip on lo0

# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in on $ext_if all fragment reassemble

# ext_if IP address is (may be) dynamic
nat on $ext_if inet from $vbox_vif:network to any -> ($ext_if)

# set a default deny policy.
block log all

# Enable antispoofing
#antispoof quick for $ext_if inet
#antispoof quick for $vbox_vif inet

# block packets that fail a reverse path check. we look up the routing
# table, check to make sure that the outbound is the same as the source
# it came in on. if not, it is probably source address spoofed.
#block in from urpf-failed to any

# drop broadcast requests quietly.
#block in quick on $ext_if from any to 255.255.255.255

#
# Allow ALL from me
#
pass inet proto { tcp, udp } from $myhost to any

#
# Allow some traffic from Virtualbox Guests OSs
#
pass inet proto { tcp, udp } from $vbox_vif:network to any

# Allow dhcp traffic on Virtualbox
pass on $vbox_vif inet proto udp to port bootpc
pass on $vbox_vif inet proto udp to port bootps

# Allow ICMP
pass inet proto icmp icmp-type $icmp_types
```

And my ifconfig output:

```
# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
  ether c8:60:00:58:4b:83
  inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet 1000baseT <full-duplex>
  status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
vboxnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  ether 0a:00:27:00:00:00
  inet 192.168.56.1 netmask 0xffffff00 broadcast 192.168.56.255
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet autoselect
  status: active
```

And the routing table:

```
# netstat -nr
Routing tables

Internet:
Destination  Gateway  Flags  Netif Expire
default  192.168.0.1  UGS  re0
127.0.0.1  link#2  UH  lo0
192.168.0.0/24  link#1  U  re0
192.168.0.10  link#1  UHS  lo0
192.168.56.0/24  link#4  U  vboxnet0
192.168.56.1  link#4  UHS  lo0

Internet6:
Destination  Gateway  Flags  Netif Expire
::/96  ::1  UGRS  lo0
::1  link#2  UH  lo0
::ffff:0.0.0.0/96  ::1  UGRS  lo0
fe80::/10  ::1  UGRS  lo0
fe80::%lo0/64  link#2  U  lo0
fe80::1%lo0  link#2  UHS  lo0
ff01::%lo0/32  ::1  U  lo0
ff02::/16  ::1  UGRS  lo0
ff02::%lo0/32  ::1  U  lo0
```


----------
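The ruleset posted above lets the guests reach everything (`pass inet proto { tcp, udp } from $vbox_vif:network to any` also matches the LAN), so even once forwarding works it would not give the separation the thread is after. The following /etc/pf.conf is an added example of the host-only setup kpa describes in the two replies above; it is not the poster's file and not from the thread. Interface names and addresses are taken from the posted ifconfig output. The port lists, the use of 192.168.56.1 as the host side of vboxnet0, and the exception that lets guests query DNS on the LAN gateway 192.168.0.1 (assumed to run a resolver) are my assumptions.

```pf
# /etc/pf.conf -- added example, not the configuration posted in the thread.
# Goal: guests on the host-only network vboxnet0 get Internet access via NAT
# on re0 but cannot reach the host's LAN (192.168.0.0/24) or the host itself.
# Requires gateway_enable="YES" in /etc/rc.conf (net.inet.ip.forwarding=1).

localnet   = "192.168.0.0/24"      # from the thread
lan_gw     = "192.168.0.1"         # from the thread; assumed to serve DNS
myhost     = "192.168.0.10"        # from the thread
ext_if     = "re0"                 # from the posted ifconfig output
vbox_vif   = "vboxnet0"            # from the posted ifconfig output
vbox_net   = "192.168.56.0/24"     # host-only network (assumption)
vbox_gw    = "192.168.56.1"        # host's address on vboxnet0 (assumption)

guests_tcp = "{ domain, http, https }"   # assumption: what guests may use
guests_udp = "{ domain, ntp }"           # assumption
icmp_types = "{ echoreq, unreach }"

set block-policy drop
set skip on lo0

scrub in on $ext_if all fragment reassemble

# Masquerade guest traffic behind the host's (possibly dynamic) address.
nat on $ext_if inet from $vbox_net to any -> ($ext_if)

# Default deny, logged to pflog0.
block log all

# DHCP between guests and VirtualBox's host-only DHCP server, both ways.
pass quick on $vbox_vif inet proto udp from any port bootpc to any port bootps
pass quick on $vbox_vif inet proto udp from any port bootps to any port bootpc

# Optional exception: guests may resolve names via the LAN gateway.
# Drop this rule if the guests use a resolver outside the LAN.
pass in quick on $vbox_vif inet proto { tcp, udp } from $vbox_net to $lan_gw port domain

# The isolation rule. "quick" ends evaluation here, so no later pass rule
# can re-open the LAN or the host to the guests. Logged, so a scan from the
# Kali guest is visible on pflog0.
block in log quick on $vbox_vif inet from $vbox_net to { $localnet, $vbox_gw }

# What guests may do with the rest of the world (the LAN is already excluded).
pass in on $vbox_vif inet proto tcp  from $vbox_net to any port $guests_tcp
pass in on $vbox_vif inet proto udp  from $vbox_net to any port $guests_udp
pass in on $vbox_vif inet proto icmp from $vbox_net to any icmp-type $icmp_types

# The host may initiate connections to its guests (e.g. ssh into Kali).
pass out on $vbox_vif inet from $vbox_gw to $vbox_net

# Everything leaving on the external interface carries the host's address
# (the host's own traffic, and guest traffic after NAT).
pass out on $ext_if inet from ($ext_if) to any

# Replies to the host's own pings.
pass inet proto icmp from $myhost to any icmp-type $icmp_types
```

Check the syntax with `pfctl -nf /etc/pf.conf` and load it with `pfctl -f /etc/pf.conf` only after vboxnet0 exists: `$vbox_net` here is a literal so it does not depend on the interface, but any rule using `vboxnet0:network` is resolved at load time and silently matches nothing if the interface is absent. Two things commonly explain "guests can talk among themselves but not to the outside": the guests have no default route pointing at 192.168.56.1 (VirtualBox's host-only DHCP server does not hand out a router, so set one in the guest) and the guests' resolver is on the blocked LAN, which is why the DNS exception is there. To verify the separation, run `nmap -sn 192.168.0.0/24` from the Kali guest while watching `tcpdump -n -e -ttt -i pflog0` on the host: the scan should find nothing and the dropped probes should appear in pflog0. None of this applies to the original VirtualBox NAT mode, where the guest's packets leave the host as the host's own traffic and PF never sees the 10.0.2.x addresses.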

