# isolate virtual machine on the network with internet access



## besta (May 17, 2014)

Hi devils,

I have a network like the one below.
The gateway is inside a common router, nothing fancy. It can forward incoming requests to the FreeBSD box, which will then forward them into a virtual machine (VirtualBox running on FreeBSD). The FreeBSD box is a fresh install and has no firewall installed yet. The virtual machine is a webserver, or some server that "could" get compromised. This is what I am trying to solve: I need to isolate that VM so that, should it get compromised, the hacker can destroy it but cannot affect any other machine on the network.


```
192.168.1.1            192.168.1.2
   __________             _________       
   |gateway |-------------|  PC1  |       
   |________|             |_______|         
       |                      
       |                      
       |                      
       |                      
       |                  192.168.1.3
       |                  _________       
       |------------------|  PC2  |       
       |                  |_______|
       |
       |
       |
       |
       |                  192.168.1.4
       |                  _________       ______________
       |------------------|  FBSD |-------|isolated vm1|
                          |_______|       | 10.1.1.0   |
                              |           --------------
                              |             with internet
                              |                         
                              |                         
                              |                         
                              |           ______________
                              ------------|isolated vm2|
                                          | 10.2.2.0   |
                                          --------------
                                            with internet
```


I am allowed to use any configuration needed on the FreeBSD box in order to achieve this. 

PS: the virtual machines must be able to access the internet.
PS: the FreeBSD box must be able to forward incoming requests into the VM.

The FreeBSD box has one NIC: re0 192.168.1.4

Maybe the use of VLANs is necessary? Or what is necessary? And how do I implement that configuration on FreeBSD?


----------



## SirDice (May 19, 2014)

*Re: isolate virtualmachine on the network with internet acce*

VLANs are not a security measure, they're used to optimise the network's performance. Set the correct firewall settings on the FreeBSD host and the jail can't connect to any other machines.


----------



## besta (May 25, 2014)

*Re: isolate virtualmachine on the network with internet acce*

What would those firewall settings be like?


----------
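As an added example (not from either poster), here is a pf(4) ruleset for the FreeBSD host that gives both VMs internet access via NAT, forwards port 80 from the LAN side into vm1, and blocks the VMs from reaching the LAN, the host or each other. It assumes the VMs are attached to VirtualBox host-only interfaces (vboxnet0/vboxnet1, host side 10.1.1.1 and 10.2.2.1) rather than bridged to re0, that the router at 192.168.1.1 is the DNS server, and that the web server inside vm1 is 10.1.1.10; these names and addresses are assumptions, only re0 and the two subnets come from the thread.

```pf
# /etc/pf.conf on the FreeBSD host.
# Also needed in /etc/rc.conf: pf_enable="YES" and gateway_enable="YES"
# (the latter turns on IP forwarding between re0 and the VM interfaces).
# If a VM is bridged directly onto re0 none of this applies: its traffic
# never passes through the host, so the host firewall cannot isolate it.

ext_if  = "re0"        # LAN-facing NIC from the thread, 192.168.1.4
vm1_if  = "vboxnet0"   # assumed host-only interface towards vm1 (host side 10.1.1.1)
vm2_if  = "vboxnet1"   # assumed host-only interface towards vm2 (host side 10.2.2.1)
vm1_net = "10.1.1.0/24"
vm2_net = "10.2.2.0/24"
vm1_web = "10.1.1.10"  # assumed address of the web server inside vm1
lan_dns = "192.168.1.1" # assumed: the router answers DNS for the VMs

# Every private range; from the VM side nothing in here is reachable,
# which covers the LAN (192.168.1.0/24), the host and the other VM.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# --- translation rules (must precede filter rules in this pf version) ---
# Outbound: VMs reach the internet through the host's LAN address.
nat on $ext_if from { $vm1_net, $vm2_net } to any -> ($ext_if)
# Inbound: what the router forwards to 192.168.1.4:80 goes to vm1's web server.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $vm1_web port 80

# --- filter rules ---
block log all

# The host itself: outbound anything, inbound only SSH management from the LAN.
pass out on $ext_if
pass in on $ext_if proto tcp from 192.168.1.0/24 to ($ext_if) port ssh

# VM side: allow DNS to the router, then drop everything else aimed at
# private space, then let the remainder (public internet) through.
pass in quick on { $vm1_if, $vm2_if } proto { tcp, udp } to $lan_dns port domain
block in log quick on { $vm1_if, $vm2_if } to <private>
pass in on $vm1_if from $vm1_net to any
pass in on $vm2_if from $vm2_net to any

# Redirected web traffic: after rdr the packet is addressed to vm1_web.
pass in on $ext_if proto tcp to $vm1_web port 80

# Host-initiated connections into the VMs (console/management) stay allowed.
pass out on { $vm1_if, $vm2_if }
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and verify isolation from inside a VM by trying to reach 192.168.1.2 and the other VM's subnet: the blocked attempts show up with `pfctl -s states` empty for them and, with the `log` keyword above, as entries on pflog0.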

