Advanced networking
Stuart Burns builds upon the powerful components of advanced VirtualBox networking with this second instalment of stress-saving tips.
Last month we covered how to build an isolated but internet-capable test network for experimentation, with no risk of breaking your real network. Assuming that everything is working as expected, this month we’ll build on what was created in the last issue (see https://bit.ly/lxf280network): we’ll create a more complex environment with additional virtual networks, and add physical hosts to the internal-only environment that VirtualBox provides.
It can be useful to have more than one test network, given that Linux users like to experiment with multiple technologies or even mimic a larger, more complex network. The networks can either be isolated or joined to the existing infrastructure.
By default, VirtualBox offers only one internal-only network, “intnet”, out of the box. For this tutorial’s purposes we require an additional one. Fortunately, it’s straightforward to add further host-based virtual networks to the VirtualBox environment.
To add a second internal-only network, create a new machine (or open an existing one) and navigate to the VirtualBox network configuration page for the VM (virtual machine). Select Internal Network from the Attached to drop-down. Where the Name field reads intnet, click into the text field and type intnet1, or whatever name is appropriate. This creates a second isolated internal network: VirtualBox brings an internal network into existence simply because a VM refers to its name, so there is nothing else to define.
That network still has to be attached to the pfSense VM and enabled both in VirtualBox and in pfSense. To do this, power down the pfSense router. Do it through the web UI, which ensures the shutdown is clean: click the Diagnostics drop-down and select Halt System. Then edit the pfSense VM in VirtualBox and navigate to the VM’s Network tab.
Select the third network adapter (use the PDF above to follow from the previous instalment, where we created an upstream network and an isolated network) and enable the network interface using the tick box. Be sure to select Internal Network and then the second intnet network that was created a few moments ago. At this point the third network is attached to the VM, but its interface still has to be enabled and given an IP configuration in pfSense.
Boot the pfSense VM. Using the first VM we created, on the first lab network, open a web browser and log in to the pfSense GUI. Navigate to Interfaces > Assignments: the newly attached adapter appears in the Available network ports drop-down. Click the green Add button and it is assigned as OPT1 (Optional Interface 1). Additional interfaces are not enabled by default, so click OPT1, tick the Enable interface box and save the configuration. If you were to save and reboot at this point, the pfSense console would list that third interface.
OPT1 is a rather boring and not particularly useful name. It’s easy enough to change, though: while on the OPT1 page, edit the Description field to suit. The new name is then used in the menus and on the firewall rule tabs.
A static-state network
There are additional options that need to be configured to make the second network useful. The IPv4 configuration section of the OPT1 interface page is the important one: it’s here that the interface’s IP address and subnet mask are set. It’s possible to use either static or DHCP addressing for the VMs, but in this example we’re going to have a pure static network. This means that every VM will need a static IPv4 address. From the IPv4 Configuration Type options, select Static IPv4. Make sure the interface is enabled too, as shown in the screenshot (above).
Fill in the Static IPv4 Configuration portion. This is as simple as entering the address pfSense itself will have on this network (192.168.2.1 in our example), which becomes the gateway for the VMs, and picking a subnet size from the drop-down menu (usually a /24 is most useful). Leave IPv4 Upstream gateway set to None: this is an internal network, not a second WAN. In addition, check that the Block private networks and Block bogon networks options are not ticked. Both are intended for WAN interfaces; on an internal interface the first would drop every packet from the 192.168.2.0/24 hosts, because that range is itself a private network, and the traffic would never reach where you intended.
If DHCP is desired it can be enabled by going to Services > DHCP Server, choosing the tab for the new interface and ticking the Enable box. You’ll also need to give it a pool range inside 192.168.2.0/24 that doesn’t include the gateway address. If you wanted to get a bit fancy, there’s nothing to stop you pointing that scope at a separate, local-only DNS server for this network while production networks use another.
Now you have the opportunity to decide how this second network is to be used. Out of the box the new network has no connectivity at all: a freshly added interface has no firewall rules, and pfSense blocks anything without a matching rule. It’s time to correct that.
Set up a firewall
By default the LAN (the first network we used last time) has an allow-all rule on its tab, so anything entering pfSense from the LAN is passed, including traffic bound for the new network. OPT1 has no rules, so everything arriving from it is blocked. pfSense evaluates rules on the interface where traffic enters the router, so rules that govern what the second network’s hosts may do belong on the OPT1 tab and have OPT1 net as their source. To add one, open the pfSense GUI, navigate to Firewall > Rules > OPT1 and click Add at the bottom of the page. This opens the rule dialog. For example, to let hosts on the second network reach a web server on the first, set Action to Pass, Interface to OPT1, Protocol to TCP, Source to OPT1 net, Destination to LAN net and Destination Port Range to HTTP (80). This simple example enables the second network to talk to the first on port 80 and nothing else. A rule with Source set to LAN net placed on the OPT1 tab would never match anything, because traffic from the LAN enters on the LAN interface; if you want to restrict what the LAN may send into the new network, tighten the rules on the LAN tab instead. Obviously, this can be configured as required.
This is all very well, but the one snag is that this second network has no internet or DNS access. Fortunately, this is correctable (if so desired): repeat the rule above, but set Protocol to Any and Destination to Any, and point the VMs’ DNS at pfSense’s address on that network (192.168.2.1). VMs on the lab networks already use pfSense as their default gateway, so they need nothing more. Machines on the “real” local network are different: they send everything to their own default gateway and know nothing about 192.168.2.0/24, so each one that needs to reach the new network requires a route to it via pfSense. As an example, on a Linux box run:
$ sudo ip route add 192.168.2.0/24 via 10.0.0.241
The first network part of the command is the network to reach and the second is the pfSense router’s address on the “real” local network. A route added this way is lost at reboot, so make it persistent in your distribution’s network configuration if you need it to stay. pfSense must also be willing to accept the traffic: its WAN interface blocks unsolicited inbound connections by default, so add a pass rule on the WAN tab for exactly the traffic you want to let in from the real network.
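The route command above works, but a practitioner usually wants two checks around it: that the route isn’t already there, and that the next hop really is on a directly attached network (a gateway the kernel would itself have to route to will never work). The script below is an added example, not code from the article; the only values it takes from the text are the lab prefix 192.168.2.0/24 and pfSense’s address 10.0.0.241, and the NetworkManager connection name in the comment is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the article): add the static route to the second lab
# network from a machine on the "real" local network, with sanity checks first.
# Assumed values: lab prefix 192.168.2.0/24 and pfSense at 10.0.0.241 (both
# from the article); the connection name in the nmcli comment is an assumption.
set -eu

LAB_NET="${LAB_NET:-192.168.2.0/24}"
PFSENSE="${PFSENSE:-10.0.0.241}"

# Does the given "ip -4 route show" output already contain a route to the
# prefix? Takes the table as text so it can be checked against a captured
# sample without touching the live routing table.
has_route() {
  local table="$1" prefix="$2"
  printf '%s\n' "$table" | awk -v p="$prefix" '$1 == p { found = 1 } END { exit !found }'
}

# "ip route get <gateway>" prints "via" when the kernel would have to route to
# the gateway itself, i.e. the gateway is NOT on-link and the route we are
# about to add could never be used.
gateway_onlink() {
  local lookup="$1"
  case "$lookup" in
    *" via "*) return 1 ;;
    *) return 0 ;;
  esac
}

main() {
  local table lookup
  table="$(ip -4 route show)"
  if has_route "$table" "$LAB_NET"; then
    echo "route to $LAB_NET already present:"
    ip -4 route show "$LAB_NET"
    return 0
  fi
  lookup="$(ip -4 route get "$PFSENSE" | head -n1)"
  if ! gateway_onlink "$lookup"; then
    echo "$PFSENSE is not on a directly attached network: $lookup" >&2
    return 1
  fi
  sudo ip route add "$LAB_NET" via "$PFSENSE"
  # Verify the kernel now picks pfSense for an address inside the lab network.
  ip -4 route get 192.168.2.10
  # The route above does not survive a reboot. On a NetworkManager system,
  # persist it on the active connection instead (connection name assumed):
  #   nmcli connection modify "Wired connection 1" +ipv4.routes "$LAB_NET $PFSENSE"
}

# Run with "apply" to touch the routing table; sourcing it only defines the helpers.
case "${1:-}" in apply) main ;; esac
```

Run it as `./labroute.sh apply` on a machine on the real network; if pfSense’s address shows up with “via” in the lookup, fix that machine’s own addressing before adding the route.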
One topic that few people consider is adding a second physical computer to the VirtualBox infrastructure. Imagine your desktop hosts a network with several VMs on it, but has run out of resources. You could gain capacity by cabling a second box directly to it, but you don’t want that box, or its VMs, sitting on the main network.
The solution is to attach the extra physical host to the lab through a spare Ethernet port on the workstation or laptop. Once the second box is plugged into that port, the port appears in VirtualBox’s list of interfaces that a bridged adapter can use.
This adds capacity to the virtual environment without it appearing on the main network (unless desired). The interesting thing is that it doesn’t even have to be another VirtualBox host: it could also be ESXi, Hyper-V or whatever is desired.
To add this capacity, add a fourth and final network interface to the pfSense VM. With the VM halted, open its network settings in VirtualBox, enable Adapter 4, set Attached to: Bridged Adapter and select the spare NIC from the Name drop-down. This will essentially function as a third lab network. To enable access, repeat the process of assigning and enabling the fourth interface in pfSense, giving it a static address, and creating the appropriate firewall rules. Obviously the IP configuration of the physical host will need to be changed to sit on that new range, with pfSense’s address on it as the gateway.
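Both VirtualBox steps in this article, attaching the third adapter to the second internal network and bridging the fourth to the spare NIC, can be done from the host’s command line with VBoxManage, which is handy when the lab is rebuilt often. The script below is an added example and not part of the article; it assumes the VM is named pfSense, the second internal network is intnet1 and the spare host NIC is enp3s0. It refuses to change adapters while the VM is still running, because VirtualBox only accepts these settings on a powered-off machine.

```shell
#!/usr/bin/env bash
# Added example (not from the article): configure the pfSense VM's third and
# fourth adapters with VBoxManage instead of the GUI.
# Assumptions: VM name "pfSense", second internal network "intnet1", spare host
# NIC "enp3s0". Override VM=... in the environment if yours differs.
set -eu

VM="${VM:-pfSense}"

# Build the modifyvm arguments for one adapter slot and print them on one
# line, so the mapping can be checked without VirtualBox installed.
#   nic_args <slot> intnet  <internal network name>
#   nic_args <slot> bridged <host interface name>
nic_args() {
  local slot="$1" mode="$2" target="$3"
  case "$mode" in
    intnet)  printf '%s\n' "--nic${slot} intnet --intnet${slot} ${target}" ;;
    bridged) printf '%s\n' "--nic${slot} bridged --bridgeadapter${slot} ${target}" ;;
    *) echo "unsupported adapter mode: $mode" >&2; return 1 ;;
  esac
}

# Power state as VBoxManage reports it ("running", "poweroff", ...).
vm_state() {
  VBoxManage showvminfo "$VM" --machinereadable | sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# Adapter settings are only accepted while the VM is off. Halt pfSense cleanly
# from its web UI first (Diagnostics > Halt System), then wait here for it.
wait_poweroff() {
  local i
  for i in $(seq 1 60); do
    [ "$(vm_state)" = "poweroff" ] && return 0
    sleep 2
  done
  echo "$VM is still $(vm_state); refusing to modify a running VM" >&2
  return 1
}

main() {
  wait_poweroff
  # Adapter 3: the second isolated internal network (intnet1).
  VBoxManage modifyvm "$VM" $(nic_args 3 intnet intnet1) --cableconnected3 on
  # Adapter 4: bridged to the spare host NIC the physical box is plugged into.
  # Candidate names: VBoxManage list bridgedifs
  VBoxManage modifyvm "$VM" $(nic_args 4 bridged enp3s0) --cableconnected4 on
  # Show what was applied for adapters 3 and 4.
  VBoxManage showvminfo "$VM" --machinereadable | grep -E '^(nic|intnet|bridgeadapter)[34]='
}

# Run with "apply" to change the VM; sourcing the file only defines the helpers.
case "${1:-}" in apply) main ;; esac
```

The word splitting of `$(nic_args ...)` is deliberate: the helper returns separate VBoxManage options. After `./labnics.sh apply`, boot pfSense and continue with Interfaces > Assignments as described above for the new adapter.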
At this point you should be able to create a fairly comprehensive test lab including physical and virtual hosts. Note that this setup is geared towards convenience rather than security: the lab networks trust each other to whatever extent your rules allow, so be cautious about what’s exposed to the greater outside world. Keeping it internal shouldn’t be an issue. Finally, use pfSense’s backup tool (Diagnostics > Backup & Restore) to export a copy of the current configuration, so the router can be rebuilt if the VM is lost.