Network setup for VirtualBox guest in a mac spoofing protected hosting environment

[masei]

Hi,

Because I want to switch to zimbra 8.0 (and because zimbra support for freebsd is very poor) I want to setp a virtualbox ubuntu guest inside my 1&1 FreeBSD Root Server.

1&1 is not allowing a second MAC come up on a public Interface - so bridged networking does not work as usual and will result in a switch port lock if you do it.

Under Linux I got it working several times by creating a bridge without contact to the outer world (only internal ips) and ip forwarding rules via iptables.

Can anyone suggest me the FreeBSD way for doing that?

I set up the guest with host-only Networking and tried it with pf rules like

nat on vboxnet0  from 192.168.56.101 to any -> ($ext_if)
nat on $ext_if from 192.168.56.101 to any -> ($ext_if)
rdr pass on $ext_if inet proto {udp, tcp} from any to $DEDICATED_PUBLIC_IP -> 192.168.56.101

I have tried several variations but cannot get a working solution.
One problem is, that I have no internet access inside the guest.
If I try to reach the webserver or ssh from the internet connection is timing out, maybe because of the not functional internet acces inside the guest.

Can anyone point me the direction of doing that right?

Regards
Marc Seibert

 

[masei]

Solved

I solved this after one night of try and error and some ugly mistakes which leaded two times to locking the switch port through my providers mac-spoofing protection.

The solution was a variotion of http://forums.freebsd.org/showthread.php?t=7153

% VBoxManage modifyvm WinXP --nic1 bridged --bridgeadapter1 tap0
% su - 
% kldload if_tap if_bridge
% sysctl net.link.tap.user_open=1
% chown root:vboxusers /dev/tap0
% chmod 660 /dev/tap0
% ifconfig bridge0 create 
% # ifconfig bridge0 addm nfe0 # do not bind to nfe0 - leads to switch port locking by some hosteing providers
% ifconfig tap0 192.168.1.111 netmask 255.255.255.0
% ifconfig bridge0 addm tap0
ifconfig inet tap0 192.168.1.111  netmask 255.255.255.255
ifconfig inet 192.168.1.1  netmask 255.255.255.255

set skip on lo
nat on $ext_if from 192.168.1.1/24 to any -> ($ext_if)
rdr pass on $ext_if inet proto {udp, tcp} from any to $public_ip port 2222 -> 192.168.1.112 port 2222
rdr pass on $ext_if inet proto {udp, tcp} from any to $public_ip port 80 -> 192.168.1.112 port 80
rdr pass on $ext_if inet proto {udp, tcp} from any to $public_ip port 7071 -> 192.168.1.112 port 7071
rdr pass on $ext_if inet proto {udp, tcp} from any to $public_ip port 443 -> 192.168.1.112 port 443
pass in on 192.168.1.112 proto {udp, tcp} from any to any port domain keep state
pass quick on $ext_if proto {udp, tcp} from any to any port domain keep state
pass quick on 192.168.1.112 proto {udp, tcp} from any to any port domain keep state

and so on.
Only thing which I haven't figured out yet is how to mask the outgoing ip to the up of my mailserver. Until now it switches to all my public ips, when checking http://whatismyip.net multiple times.

 

[masei]

I have solved the last point.
Masking the internal IP with the mailservers public one was easy at the end.

binat on $ext_if from $web_serv_int to any -> $web_serv_ext

did the trick.

PF seems to be much easier than my iptables setup in earlier days. So one more point for FreeBSD.