This is a precursor of possible a long post about configuring a software firewall using virtualbox together with an open source firewall distribution such as ipcop, pfsense and t1n1wall (one of the successors of m0n0wall).
I will jot down the most important elements here and these are the results of hours of tests on various combination of configurations.
My network settings
- One external IP address directly connected to the outside world.
- One physical network card.
- MS Loopback network card (installed under Windows to function as the Bridged Network interface).
Network properties in the host machine
Instead of keeping just the Bridge Protocal of vmware and Bridged Networking Driver of virtualbox, I ticked another two additional protocols:
- Link-layer Topology Discovery Mapper I/O Driver
- Link-layer Topology Discovery Responder
In particular, Link-layer Topology Discovery Responder is essential for connecting to the wireless network. When it is unticked, the WAN interface under ipcop or pfsense finds it very difficult to connect to the wireless router. As a result, the network property for the physical network interface on the Windows host machine looks as follows:
Network configuration under virtualbox
- The most important thing is the network configuration under virtualbox. Both the adapter 1 and adapter2 need to be attached to Bridged Adapter (see attached pictures).
- I did limited tests and it appeared that selecting the Host-only adapter can also work, since there is a virtualbox bridged network driver ticked for “VirtualBox Host-Only Network”. However, if I choose Host-Only network for adapter2, t1n1wall cannot forward traffic from the host Windows machine to the outside world. For t1n1wall, and maybe other BSD flavored firewalls, it is better to set the adapter2 as bridged — although I assume making adapter2 the Host-Only network will make the host machine safer.
- I also installed Debian+arnos iptables firewall in virtualbox, and the adapter2 can be Host-Only or Bridged, both will work. In arno’s iptables firewall, just enable NAT and the host Windows machine will be able to visit the outside world.
- To easily identify which NIC is designated to WAN or LAN, click on Advanced and manually edit the automatically generated MAC address to something you can identify. I change the last two digits of the WAN MAC address into something like 080027276FAA and the last two digits of the LAN MAC address into something like 080027698CBB.
Do you need to setup VLAN under t1n1 and pfsense?
No. If you use bridged network, there is no need to setup VLAN.
If you choose to attach the network adapter to Internal Network, you may need to setup VLAN for the LAN to access the Internet, however, I didn’t test it. I am not so sure if you can even choose Internal Network when you want the host Windows machine to access the Internet.
I experienced several problems with pfsense and I don’t recommend using it with virtualbox and vmware if your sole purpose is using a firewall to protect your Windows PC with a firewall.
- Time drifts under vmware. pfsense experienced serious time drifts under vmware workstation 9.0. I simply can’t get the accurate time for pfsense under vmware. There is no time-drifting problems for virtualbox and pfsense.
- Port forwarding does not work. after numerous attempts, I still can’t reliably forward the ports to bittorrent clients running on the Windows host machine. I setup both NAT and firewall rules, and set the log to record the hits of the rules, however, it either turns up a few hits or no hits at all — even though the bittorrent client is working heavily with multiple downloads. Port forwarding works well under t1n1wall and ipcop, and the firewall log shows up the hit records with no problems.
- Overkill for the purpose. I run a single Windows PC as a host and I don’t need all the bells and whistles of pfsense, which have numerous configurations and settings I will never use.
ipcop vs ipfire
- Ipcop is simple and elegant. Its settings are easy to understand and intuitive. Just works and serves the purpose as a firewall very well.
- Ipfire has many features and packages. It appears it uses much more resources with my limited tests.
t1n1wall and smallwall
- t1n1 is simple to use and port forwarding for bittorrent clients works well. Its development is more recent than smallwall.
- smallwall should work almost identically with t1n1wall, and I chose t1n1wall simply because its releases are newer.
vmware and its network configuration
- For the LAN interface, I created vmnet2 and designated it as host-only network. There is no problems installing ipcop running on it, although I haven’t tested port forwarding heavily on it.
- You can also install MS Loopback NIC, create a new vmnet interface and designate it as bridged network.
- In virtual machine settings, in the Network Adapter section, click on Advanced, and modify its MAC address so that you will know which interface is assigned to WAN or LAN in the firewall.
questions that remains to be solved
- Linux firewalls appears to be less “secure”, because I don’t have to set port-forwarding rules to make bittorrent clients directly connect to the outside. With BSD flavored firewalls, I will need to specifically configure NAT rules and portforwarding to allow bittorrent work properly. Don’t know why this happens.
- Is for the LAN adapter, is Host-Only network safer than than Bridged network?
- For BSD firewalls, using Host-Only adapter does not seem to work. It has to be bridged network.
These two resources provides very useful information for sett