This article describes how to set up a virtual LAN with a virtual router and virtual computers. It is isolated from your physical LAN and meant to test setups with multiple computers in the same LAN.
This is for everyone who wants to experiment with networked servers isolated from their production network. Some understanding of basic networking is necessary.
One reasonably fast computer and enough storage space.
What is VirtualBox?
VirtualBox is a type 2 hypervisor, which means it is a program installed on an operating system. Type 1’s are installed on the ‘bare metal’, so without an underlying operating system. In that sense VirtualBox is somewhat easier to configure and use. Type 1’s are more suited for *dedicated* virtual hosts although VirtualBox does a very decent job and is certainly capable for servicing smaller environments.
VirtualBox is open source (GPL 2) and free for both personal and commercial use. Note that its Extension is only free for personal and evaluation use.
In particular I find VirtualBox very user friendly and very well documented.
It consists of a server and a user interface, user interface being either the command line (vboxmanage) or a native graphical or web interface. Each user gets their own server, so if you run as administrator in Windows you won’t find your regular user’s VMs if you’re not running as administrator. In Linux I suggest creating a dedicated vbox user to isolate it from other users’ permissions.
This may sound more difficult than it really is ;)
Why should I set up a testlab?
1. Why not?
2. To isolate your network experiments from the rest of your network.
What will I end up with?
You will end up with a LAN complete with DHCP and DNS Server, internet gateway and firewall, optionally isolated from your physical network.
For Windows: head over to VirtualBox.org and download and install VirtualBox. Download the Extension Pack from the same page, then open the File menu, select Extensions and click the ‘Adds new package’ button.
For Linux: follow the instructions from the VirtualBox download page. If you’re running Debian you may want to follow my instructions over here.
If all is well you now have either the full GUI version, the web interface or the command line version (CLI).
I’ll continue with the full GUI version. The command-line interface allows access to more configuration options. It it fully documented on the VirtualBox website and easy to use. Like a lot of things it takes some getting used to.
Create a VM
The first VM we’re going to install is a PfSense installation functioning as (internet) gateway, firewall and DHCP and DNS server. The internet part is optional.
If you have one available, dedicate a separate internet connection to a separate physical network card in your computer to provide your virtual LAN with a public IP address. If you haven’t that’s ok too.
I’m assuming you have a 64 bit machine. If you don’t, substitute accordingly for the rest of this article.
At https://www.pfsense.org/download/ select File Type: Install, Architecture: AMD64 (or whatever), Platform: CD Image (ISO Installer), and a mirror near you. Extract the ISO file.
In VirtualBox click the New button. Name: router; Type: BSD; Version: FreeBSD (64-bit)
Memory size: 512MB is ok. Less is ok too. More makes it a bit smoother.
Select Create a virtual hard disk now
Select VDI if you don’t need compatibility with other virtualization software.
Select Dynamically allocated. Fixed is ok too; it takes up more space and is marginally faster.
Select where to store your virtual hard disk. I strongly suggest you use an SSD for this. If you have the possibility use a dedicated drive to store your VMs on. A dedicated SSD is the best possible location, second best is dedicated non-SSD, however anywhere will work. If you’ve selected to create a dynamic drive just set it to create a 2TB drive.
Your VM is now created! Select it and click the Settings icon.
Under System, disable Floppy. We don’t need it and it’s a good habit to disable anything you don’t need. This is not just paranoid: a few years ago someone discovered a vulnerability in a hypervisor’s floppy disk driver. I then patted myself on the shoulder because noone else would but in any case I was happy I tend to disable options I don’t use.
Under Storage, click the CD icon in the Storage Tree section, then the CD selection icon in the Attributes section. Select Choose Virtual Optical Disk File.
Select the ISO file you downloaded.
Audio: disable. Who needs audio?
Network: now it gets interesting. Since we’re installing a router we’re going to need two network interfaces: one for internet (WAN) and one for the local network (LAN). Adapter 1 will become the internet facing adapter.
Set Attached to to Bridged Adapter. This means that it’s going to hitch a ride on the physical adapter. To your network it will look like just another network interface.
If you have a dedicated network card in your computer with a dedicated internet connection then select it here. If you don’t then your routers WAN interface will get a private LAN address. That’s no problem but you should be aware of because your virtual router’s Adapter 2 must not use the same subnet.
For the purpose of this article I’ll assume you have just one public IP address so we’ll use the LAN trick. At Name select the physical network adapter you want to use.
Expand the Advanced section and set the Adapter Type to Paravirtualized Network (virtio-net). This means your VM can your hardware without much software overhead. Before FreeBSD (on which PfSense is based) supported this the network virtualization used to take up nearly all CPU resources. Paravirtualization fixes that. Make a note of the MAC address along with which interface this is (this is the WAN interface).
Open the second tab. Check Enable Network Adapter and attach it to an Internal Network. You can name this network whatever your like. Internal Networks in VirtualBox are networks only accessible to VM’s connecting to it.
Under Advanced, set Adapter type to Paravirtualized Network (virtio-net) and make a note of the MAC address and the interface (LAN).
PfSense by default does not have VirtualBox Guest Additions installed so there’s no mouse capturing going on. This means you need to press the right Control key on your keyboard (this is VirtualBox’s default ‘Host key’) to release your mouse to your own desktop.
Click Ok and hit the Start button!
Wait until the option to install is presented and press I.
If you don’t press I the installer will be invoked anyway because there’s nothing to recover.
Select Accept these Settings.
Now here’s a tricky part: we need to reboot without the CD but we can’t unmount the ISO when the machine is running and we can’t halt it, only reboot. So get ready and when you see the machine booting again choose Devices > Optical Drives > Remove disk from virtual drive.
If you’re too late just shut the machine off, remove the disk and start it again.
After rebooting PfSense lets you set up your network interfacese. Skip setting up VLANs for now.
PfSense now asks you for the WAN interface. Fortunately you wrote down the WAN interface’s MAC address and now you know which one to choose!
The other interface then is the LAN interface. Undoubtably, Holmes.
Enter nothing for the optional interface. Just press Enter.
Ok, so I set up DHCP for my router in advance so it gets an IP address.
If it doesn’t get an IP address or the WAN and LAN subnets are identical you can set them up by choosing option 2 from the menu: Set interface(s) IP address.
This is pretty much self-explanatory: choose the interface, choose the address, choose the subnet, do you want to use DHCP or static addresses, do you want to enable IPv6, and so on. Your values depend on your networking preferences; just make sure the the WAN address connect to either your physical LAN or an internet connection and the LAN has a different subnet.
There’s more to configure but we can’t use the web GUI just yet because your computer is actually on the virtual router’s WAN side (the internet facing interface) and that’s closed off by default – as well it should be!
So it is time to install a client in the new virtual network!
Set up a LAN client
I’m installing a Xubuntu virtual machine but you can use any platform you’re comfortable with. Download the ISO, create a new VM, set up the virtual drive, etc. Just as with the virtual router. Once the machine is created open its settings.
At the Network segment, attach the network adapter to the Internal Network you created earlier.
Press Ok, start the VM and go through its installation.
If all is well your new VM will receive a DHCP address from your virtual router.
Fire up your browser and enter your virtual router’s LAN IP. Note that any self-respecting browser will alert you to the fact that it is encountering a security issue. That is correct: PfSense is using a pre-installed self-signed certificate. This is normal and you can just carry on. If you use Firefox or one of its derevatives click Advanced > Add Exception > Confirm Security Exception. You can leave it like this, install the self-signed certificate, take out the encryption altogether of install a free or commercial certificate. The choice is yours.
Log in to PfSense’s web GUI for the first time using the username admin and password pfsense.
PfSense will provide a wizard to guide you through some basic configuration. You can stick to all defaults or change what you want here.
After you’re done, you may find it useful to be able to manage the router via its web interface from your physical client rather than a VM. To enable this we need to create a firewall rule.
From the top menu chose Firewall > Rules. Click WAN.
Press the Add button and create a rule that reads:
Interface: WAN net
Destination: This firewall(self)
Destination Port Range: HTTPS(443) (or 80 if you decide not to use SSL)
Description: Allow management from WAN
On the Interfaces > WAN page scroll all the way down and deselect ‘Block private networks and loopback addresses’. If you’re on a dedicated internet connection this is unnecessary but then you’d need to think hard about allowing management from the WAN interface. In that case I suggest fixing SSL and allowing only certain IP addresses or setting up VPN accounts for securre access.
Press Save and don’t forget to click Apply Changes.
Your virtual router should now be accessible from your physical WAN.
If you want to isolate your virtual LAN from your physical LAN even further you can add a firewall rule that blocks traffic from LAN to the WAN network, excepting the internet gateway:
Address Family: IPv4+IPv6
Source: LAN net
Destination: WAN net
Description: Disallow traffic to external WAN
The rule is added to the bottom of the list; drag it up to just under the Anti-Lockout Rule (which can’t be second or lower). Don’t forget to Save etc.
Your virtual machines that are part of the Internal Network you created can now access each other and the internet but not your WAN machines (=the machines on your physical network).
* You could create a second virtual network and experiment with VPNs. The possibilities are endless.
* If you’ve finished working with your virtual router’s console, start it headlessly or detachable. It will then start but not show. You can always have it shown later if necessary.
* When switched off you can group machines and control them together.
* Play around with the Snapshot and Clone functionalities.
If you’ve enjoyed this howto please click some of the ads on this site. It won’t make me rich but I would know I helped someone. If you’re really excited, there is a PayPal donation button on the top of this page :)
Thank you. Well done.
Thank you for the guide!
Not sure I understand where how these objectives were achieved:
“What will I end up with?
You will end up with a LAN complete with DHCP and DNS Server, internet gateway and firewall, optionally isolated from your physical network.
Ok, so I set up DHCP for my router in advance so it gets an IP address.”
When and where did DHCP and DNS get created?
They were created when you set up PfSense. They were not, however, configured so I get your point. Perhaps I’ll add it to the article later on.
I have setup the router, as per the steps provided, and created my virtual winsrvr01 and winsrv02. However, i tried to ping winsrvr01 from winsrv02 and vice versa and got a ‘Request timed out.’.
I am not sure what to do next and not well versed with networking.
The only difference was that the pfsense I downloaded is version 2.4.4 and pretty much went through the install process with default values.
Which ip addresses are you using and did you allow ping through their respective firewalls? Inability to reach a network server can be caused by a large number of things and without more information it is impossible to tell which.
Thanks for the article, very helpful in creating my test lab domain for an online class.
I see you don’t monetize vorkbaard.nl, don’t waste your traffic, you can earn extra cash
every month with new monetization method.
This is the best adsense alternative for any type of website (they approve all websites),
for more details simply search in gooogle: murgrabia’s tools
Thank You Captain !
A virtual router with a 2TB drive. Wow.
I have a problem getting onto the pfsense management site from my Virtualbox host. It doesn’t know the route to 192.168.1.100.
Which address do I have to type into Firefox to access the pfSense website from the host computer?
Thanks in advance,
Thanks for the explanation – very useful indeed. I have a need to host a web server as a VM accessible by the host machine but at least looking like it is on a WAN (its for educational purposes). I had to play around a bit with the settings – started with an internal network so I could access the router through its web UI then once I had turned off the DHCP server for the LAN (I want that served by the VirtualBox host network DHCP server), I then changed the network adapter to one of the host-only networks and it all seems to be working fine.
You don’t need to race to get the CD out of the virtual CD drive – just change the boot order (disable floppy then move hard disk above CD drive) ;-)
Thanks man, this guide reads like I wrote it myself to remind myself how to do something. Worked perfectly for what I was trying to do.
oh que crl ja o pfsense
पीओ crl आदमी से sap