This article describes how to set up a virtual LAN with a virtual router and virtual computers. It is isolated from your physical LAN and meant to test setups with multiple computers in the same LAN.
This is for everyone who wants to experiment with networked servers isolated from their production network. Some understanding of basic networking is necessary.
You need one reasonably fast computer and enough storage space.
What is VirtualBox?
VirtualBox is a type 2 hypervisor, which means it is a program installed on an operating system. Type 1 hypervisors are installed on the ‘bare metal’, without an underlying operating system. In that sense VirtualBox is somewhat easier to configure and use. Type 1 hypervisors are more suited to *dedicated* virtual hosts, although VirtualBox does a very decent job and is certainly capable of serving smaller environments.
VirtualBox is open source (GPL 2) and free for both personal and commercial use. Note that its Extension Pack is only free for personal and evaluation use.
In particular I find VirtualBox very user friendly and very well documented.
It consists of a server and a user interface, user interface being either the command line (vboxmanage) or a native graphical or web interface. Each user gets their own server, so if you run as administrator in Windows you won’t find your regular user’s VMs if you’re not running as administrator. In Linux I suggest creating a dedicated vbox user to isolate it from other users’ permissions.
This may sound more difficult than it really is ;)
Why should I set up a testlab?
1. Why not?
2. To isolate your network experiments from the rest of your network.
What will I end up with?
You will end up with a LAN complete with DHCP and DNS Server, internet gateway and firewall, optionally isolated from your physical network.
For Windows: head over to VirtualBox.org and download and install VirtualBox. Download the Extension Pack from the same page, then open the File menu, select Extensions and click the ‘Adds new package’ button.
For Linux: follow the instructions from the VirtualBox download page. If you’re running Debian you may want to follow my instructions over here.
If all is well you now have either the full GUI version, the web interface or the command line version (CLI).
I’ll continue with the full GUI version. The command-line interface allows access to more configuration options. It is fully documented on the VirtualBox website and easy to use. Like a lot of things it takes some getting used to.
Create a VM
The first VM we’re going to install is a PfSense installation functioning as (internet) gateway, firewall and DHCP and DNS server. The internet part is optional.
If you have one available, dedicate a separate internet connection to a separate physical network card in your computer to provide your virtual LAN with a public IP address. If you haven’t that’s ok too.
I’m assuming you have a 64 bit machine. If you don’t, substitute accordingly for the rest of this article.
At https://www.pfsense.org/download/ select File Type: Install, Architecture: AMD64 (or whatever), Platform: CD Image (ISO Installer), and a mirror near you. Extract the ISO file.
In VirtualBox click the New button. Name: router; Type: BSD; Version: FreeBSD (64-bit)
Select where to store your virtual hard disk. I strongly suggest you use an SSD for this. If you have the possibility use a dedicated drive to store your VMs on. A dedicated SSD is the best possible location, second best is dedicated non-SSD, however anywhere will work. If you’ve selected to create a dynamic drive just set it to create a 2TB drive.
Under System, disable Floppy. We don’t need it and it’s a good habit to disable anything you don’t need. This is not just paranoia: a few years ago someone discovered a vulnerability in a hypervisor’s floppy disk driver. I then patted myself on the shoulder because no one else would, but in any case I was happy that I tend to disable options I don’t use.
Network: now it gets interesting. Since we’re installing a router we’re going to need two network interfaces: one for internet (WAN) and one for the local network (LAN). Adapter 1 will become the internet facing adapter.
Set ‘Attached to’ to Bridged Adapter. This means that it’s going to hitch a ride on the physical adapter. To your network it will look like just another network interface.
If you have a dedicated network card in your computer with a dedicated internet connection then select it here. If you don’t, then your router’s WAN interface will get a private LAN address. That’s no problem, but you should be aware of it because your virtual router’s Adapter 2 must not use the same subnet.
For the purpose of this article I’ll assume you have just one public IP address so we’ll use the LAN trick. At Name select the physical network adapter you want to use.
Expand the Advanced section and set the Adapter Type to Paravirtualized Network (virtio-net). This means your VM can use your hardware without much software overhead. Before FreeBSD (on which PfSense is based) supported this, the network virtualization used to take up nearly all CPU resources. Paravirtualization fixes that. Make a note of the MAC address along with which interface this is (this is the WAN interface).
Open the second tab. Check Enable Network Adapter and attach it to an Internal Network. You can name this network whatever you like. Internal Networks in VirtualBox are networks only accessible to VMs connecting to them.
Under Advanced, set Adapter type to Paravirtualized Network (virtio-net) and make a note of the MAC address and the interface (LAN).
PfSense by default does not have VirtualBox Guest Additions installed so there’s no mouse capturing going on. This means you need to press the right Control key on your keyboard (this is VirtualBox’s default ‘Host key’) to release your mouse to your own desktop.
Click Ok and hit the Start button!
Select Accept these Settings.
Now here’s a tricky part: we need to reboot without the CD but we can’t unmount the ISO when the machine is running and we can’t halt it, only reboot. So get ready and when you see the machine booting again choose Devices > Optical Drives > Remove disk from virtual drive.
If you’re too late just shut the machine off, remove the disk and start it again.
This is pretty much self-explanatory: choose the interface, choose the address, choose the subnet, do you want to use DHCP or static addresses, do you want to enable IPv6, and so on. Your values depend on your networking preferences; just make sure the WAN address connects to either your physical LAN or an internet connection and the LAN has a different subnet.
There’s more to configure but we can’t use the web GUI just yet because your computer is actually on the virtual router’s WAN side (the internet facing interface) and that’s closed off by default – as well it should be!
So it is time to install a client in the new virtual network!
Set up a LAN client
I’m installing a Xubuntu virtual machine but you can use any platform you’re comfortable with. Download the ISO, create a new VM, set up the virtual drive, etc. Just as with the virtual router. Once the machine is created open its settings.
At the Network segment, attach the network adapter to the Internal Network you created earlier.
If all is well your new VM will receive a DHCP address from your virtual router.
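The attachments chosen above can be checked from the command line. The script below is an added example, not part of the original article: it reads the output of `VBoxManage showvminfo <vm> --machinereadable` and fails if a lab client has any adapter that is not on the internal network, or if the router's adapters are not bridged (WAN) plus internal (LAN). The network name testlab, the bridge interface eth0, the VM names and the role names are assumptions of this example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit a lab VM's NIC attachments for isolation.
# stdin: output of `VBoxManage showvminfo <vm> --machinereadable`
# $1: role, "client" or "router" (role names are this example's own)
# $2: expected internal network name
audit_nics() {
    awk -F= -v role="$1" -v net="$2" '
        { gsub(/"/, "", $2) }
        $1 ~ /^nic[0-9]+$/    { mode[substr($1, 4)] = $2 }
        $1 ~ /^intnet[0-9]+$/ { name[substr($1, 7)] = $2 }
        END {
            bad = 0
            for (n in mode) {
                m = mode[n]
                if (m == "none") continue              # adapter disabled
                if (role == "router" && n == "1") {    # Adapter 1 = WAN
                    if (m != "bridged") { print "nic1: WAN is " m ", expected bridged"; bad = 1 }
                } else if (m != "intnet") {
                    print "nic" n ": attached to " m ", reaches outside the lab"; bad = 1
                } else if (name[n] != net) {
                    print "nic" n ": on internal network " name[n] ", expected " net; bad = 1
                }
            }
            if (role == "router" && mode["2"] != "intnet") {
                print "nic2: router has no LAN adapter on an internal network"; bad = 1
            }
            exit bad
        }'
}

# Constructed sample input (not captured from a real host).
sample_router() {
    printf '%s\n' 'name="router"' 'nic1="bridged"' 'bridgeadapter1="eth0"' \
        'nictype1="virtio"' 'nic2="intnet"' 'intnet2="testlab"' 'nic3="none"'
}
sample_client_ok() {
    printf '%s\n' 'name="client1"' 'nic1="intnet"' 'intnet1="testlab"' 'nic2="none"'
}
sample_client_leaky() {   # second adapter left on NAT by mistake
    printf '%s\n' 'name="client2"' 'nic1="intnet"' 'intnet1="testlab"' 'nic2="nat"'
}

sample_router       | audit_nics router testlab && echo "router: ok"
sample_client_ok    | audit_nics client testlab && echo "client1: ok"
sample_client_leaky | audit_nics client testlab || echo "client2: NOT isolated"
```

On a real host, replace the sample functions with `VBoxManage showvminfo <vm> --machinereadable | audit_nics client <network>`.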
Fire up your browser and enter your virtual router’s LAN IP. Note that any self-respecting browser will alert you to the fact that it is encountering a security issue. That is correct: PfSense is using a pre-installed self-signed certificate. This is normal and you can just carry on. If you use Firefox or one of its derivatives click Advanced > Add Exception > Confirm Security Exception. You can leave it like this, install the self-signed certificate, take out the encryption altogether or install a free or commercial certificate. The choice is yours.
After you’re done, you may find it useful to be able to manage the router via its web interface from your physical client rather than a VM. To enable this we need to create a firewall rule.
From the top menu choose Firewall > Rules. Click WAN.
Press the Add button and create a rule that reads:
Interface: WAN net
Destination: This firewall(self)
Destination Port Range: HTTPS(443) (or 80 if you decide not to use SSL)
Description: Allow management from WAN
On the Interfaces > WAN page scroll all the way down and deselect ‘Block private networks and loopback addresses’. If you’re on a dedicated internet connection this is unnecessary but then you’d need to think hard about allowing management from the WAN interface. In that case I suggest fixing SSL and allowing only certain IP addresses or setting up VPN accounts for secure access.
Your virtual router should now be accessible from your physical WAN.
If you want to isolate your virtual LAN from your physical LAN even further you can add a firewall rule that blocks traffic from LAN to the WAN network, excepting the internet gateway:
Address Family: IPv4+IPv6
Source: LAN net
Destination: WAN net
Description: Disallow traffic to external WAN
The rule is added to the bottom of the list; drag it up to just under the Anti-Lockout Rule (which can’t be second or lower). Don’t forget to Save etc.
* You could create a second virtual network and experiment with VPNs. The possibilities are endless.
* If you’ve finished working with your virtual router’s console, start it headlessly or detachable. It will then start but not show. You can always have it shown later if necessary.
* When switched off you can group machines and control them together.
* Play around with the Snapshot and Clone functionalities.