OpenWRT. How to quarantine VM from LAN?

I have a VM connecting to my router using a transparent bridge device on the VM host.
I would like to prevent this VM from being able to communicate with any other device on my LAN, yet still have internet access.

I have tried setting a firewall rule to reject any traffic from the VM’s IP to any address in LAN, but this seems to do nothing.
Is there any way in OpenWRT to block traffic between a specified IP address and all other LAN devices?

You have set up your VM to be on the same data link layer as the other hosts on your subnet. So your firewall rule doesn’t appear to do anything because traffic from your VM to neighboring hosts doesn’t pass over your router/firewall. They communicate directly with each other.

The option that comes to mind if you want to keep the VM on the same subnet is to add your firewall rule on the VM itself that prohibits outbound traffic with the destination address of the local subnet. You would probably want to make an exception for DHCP and DNS.

Another option would be to put your firewall rule on the VM’s host.

This may be the best option.

The way I do it is to spin up a VM of pfSense, give it a bridge interface and a localhost-only network segment for “lan”, then put the VM I want to contain on that “lan” segment.

This way everything for the VM routes through pfSense and you can add whatever firewall rules you desire.

Just be sure to turn off IPv6 with pfSense (unless you know what you’re doing with IPv6 options), as it’s quite possible to accidentally cut yourself off from the internet via IPv6 router advertisements from your pfSense VM interfering with your real network (basically the pfSense box advertising a default route to your LAN and creating a routing loop).

Easiest thing for now is to just disable IPv6 on that pfSense VM.


This is something I’m very interested in, but I want to virtualize pfsense on the same machine so that the physical NIC only gets the pfsense VM, and the internal QEMU network drives the network for the Windows VM.


The only way I know of doing this is with “isolated VLANs”, which is a feature that’s specific to high-end Cisco routers.

Yeah, that’s what I do.

pfSense gets a bridge to the physical NIC, and the LAN for pfSense (and the Windows VM) is a private network.

Which hypervisor are you using?

For the private network (common to pfSense LAN and Windows), in VMware Workstation you want to create a “LAN SEGMENT” for the private network. In KVM you want an “Isolated Network” interface type.

Other hypervisors may vary.

e.g., my work KVM setup:


pfSense handles DHCP for that “Site-1” isolated network, has its LAN interface on that, and its WAN interface in that “routed-JRSubnet” network, but I could have just used a regular NAT network (e.g., select “default” for pfSense WAN). The reason I’m not is because I’m treating that “site-1” as something I can selectively route into my real network, with a “real” subnet my real network knows about :smiley: e.g., I’ve allocated 10.44.0.0/16 for up to 255 virtual networks on my Linux box… I’m treating it like just another site on our private WAN and routing into it from my real local site.

Also because I didn’t figure out bridging in QEMU/KVM yet… and I didn’t want NAT… but for the OP’s purposes a regular “default” or “nat” interface for pfSense’s WAN should be fine.

Oh, another KVM quirk I haven’t yet worked out: the HOST always wants to have an IP of x.x.x.1 on whatever network I set up. So I made pfSense’s IP x.x.x.2 (e.g., above, 10.44.100.2) and hand that out as the “default router” or “gateway” in DHCP.

If anyone knows how to stop the host getting an IP on a KVM virtual network, that would be good to know :smiley: But I haven’t spent too much time looking into it…
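As an added example (not the poster's own setup or code), this is the libvirt side of the isolated-network approach described in the post above: a network definition with no `<forward>` element (isolated, no NAT or routing off the box) and no `<ip>` element, which is what stops libvirt from putting the host at x.x.x.1 and starting dnsmasq on that bridge, so pfSense can own DHCP and the gateway address on the segment. The network name `site-1`, the bridge name `virbr-site1` and the `virsh` invocation are assumptions for the example; the VM's own interface XML is shown in a comment.

```shell
#!/bin/sh
# Added example (not from the thread). Defines a libvirt "isolated" network for a
# contained VM or for a pfSense LAN segment. Assumed names: network "site-1",
# host bridge "virbr-site1".
set -eu

# Emit the network definition.
#  - no <forward> element: isolated, libvirt adds no NAT and no route off-box
#  - no <ip> element: libvirt gives the host bridge no address and starts no
#    dnsmasq, so the host does not sit at x.x.x.1 and pfSense can be DHCP/gateway
isolated_net_xml() {
    name=$1
    bridge=$2
    cat <<EOF
<network>
  <name>${name}</name>
  <bridge name="${bridge}" stp="on" delay="0"/>
</network>
EOF
}

# Define, start and autostart the network (needs libvirt access, usually root).
define_isolated_net() {
    name=$1
    bridge=$2
    tmp=$(mktemp)
    isolated_net_xml "$name" "$bridge" >"$tmp"
    virsh net-define "$tmp"
    rm -f "$tmp"
    virsh net-start "$name"
    virsh net-autostart "$name"
}

# Number of IPv4/IPv6 addresses the host holds on a bridge. 0 means the host has
# no foothold on that segment, which is what we want for a quarantine LAN.
host_addr_count() {
    ip -o addr show dev "$1" 2>/dev/null | grep -c ' inet' || true
}

# Guests join the segment with this in their domain XML (pfSense gets it for its
# LAN NIC plus a second NIC on the "default" NAT network for WAN):
#   <interface type="network"><source network="site-1"/><model type="virtio"/></interface>

NET_NAME=${NET_NAME:-site-1}
NET_BRIDGE=${NET_BRIDGE:-virbr-site1}
case "${1:-}" in
    --apply)
        define_isolated_net "$NET_NAME" "$NET_BRIDGE"
        echo "host addresses on $NET_BRIDGE: $(host_addr_count "$NET_BRIDGE")"
        ;;
    *)
        # Dry run: show the XML that --apply would define.
        isolated_net_xml "$NET_NAME" "$NET_BRIDGE"
        ;;
esac
```

Run it without arguments to see the XML, with `--apply` to define and start the network; the final line should report 0 host addresses on the bridge. The same trick (omit `<ip>`) also applies to an existing network: `virsh net-edit` it, delete the `<ip>` block, then `net-destroy` and `net-start` it.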

That’s definitely a good resource for me when I start with virtualized pfsense and using virt-manager to create the network. Got any good firewall lists for Windows 10 telemetry?

Nah, unfortunately. I just turn it all off (to the degree the UI permits) and only use it for VPN back to work for admin tools. They can do all the telemetry they like, they won’t get any significant user behaviour out of it from me.

Yeah, I need to be ready for tin foil hat networks is why I’m asking. Can’t really spin a VPN.

It’s really difficult to block the telemetry only without breaking a lot of other stuff (e.g., 365, other reasons you might want to run windows in the first place).

If you’re only using the Windows VM for gaming, then block everything and only permit

  • tcp/udp 53 (DNS)
  • ICMP unreachables, ICMP fragment required (packet too big) - this is required for Path MTU discovery to work - possibly others, this is off the top of my head, google PMTU discovery
  • specific protocol(s) your game/steam requires - to the specific hosts/networks required

Trying to do it the other way, and selectively block only Microsoft telemetry, is a losing battle, because their IP ranges are constantly being updated, for example.

“Block by default” is the preferred way to firewall stuff anyway. It’s far better to explicitly permit only what is required than to be totally open except for the things you want to block, and just hope you listed it all…

Oh - one other thing with pfSense in QEMU/KVM - you need to turn off hardware checksum offload or your network will not work properly.

This is because it seems to be broken in QEMU/KVM (it works in a VMware Workstation VM).

This confused the shit out of me until I discovered that this was the cause of pfSense in KVM not working properly. Some traffic would sort of work, some wouldn’t, even with an open firewall. So yeah, be sure to turn that off under the pfSense NIC configuration if running under KVM.

If it sounds bad - it’s not. Modern CPUs are so fast that the hardware checksum offload thing is pretty much useless anyway. And I think it’s turned off even on real hardware in both Windows and Linux now due to either a performance or stability/security/functionality problem.

The transparent bridge is the problem, the way it works is contrary to what you want.

A quick and dirty solution would be to just operate a second address range on your physical network, but this is weak isolation.

Can you install another network card in the VM host? That’s by far the simplest way; then you just put the VM’s adapter into a different router port, split that off into a VLAN and make a new interface LAN1 that only forwards to WAN. The host does not need an address on this adapter.

If that’s not possible, then make a tagged VLAN adapter and do the same on your router (even the Network Manager applet lets you do this; it’s not an exclusive feature in any sense), but I would say that some switch chips don’t support tagging in a convenient way, so check the OpenWRT wiki about that.

What’s touchy is 80 and 443, where I would still use the rules to stop telemetry (because I’m only using for gaming) but so many game launchers use Chromium that 80 and 443 realistically can’t be fully blocked.

Installing an additional network card on the host is not viable for me at this time.
The VM host itself, and all its VMs (including the one I wish to quarantine), share a single RJ-45 connection to my router.
Physically modifying my configuration unfortunately is not an option here.

It is preferred to keep as much of the firewalling on my router as possible, and to keep the networking config of the VM host as simple as I can.
That being said, I really need to quarantine this VM. So what would be the simplest way to accomplish this from the VM host?
If I could somehow force only this particular VM to make all its traffic go through the router, then my firewall rule should kick in and quarantine it, right?

I can’t speak intelligently about Windows or BSD, but if your VM host is Linux, then you don’t have to modify any of the VM/host’s network config if you are willing to just put the firewall rule on the VM host.

Ordinarily with bridged traffic, the VM host’s iptables chains aren’t hit because bridged traffic isn’t routed. But there is a simple kernel module that changes that: br_netfilter.

If you modprobe br_netfilter on the VM host, the bridged traffic will also hit the filter FORWARD chain, so you can add your firewall rule just like you would have on your router (but on the VM host).

iptables even has a physdev module for just this purpose that will let you match on the slave bridge ports (both the real NIC and the VM’s virtual ethernet) that the traffic touches.

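The br_netfilter plus physdev rule set from the answer above, written out as an added example (it is not the poster's own commands). It assumes a Linux KVM host where the VM's tap device is `vnet0`, the bridge is `br0`, the LAN is `192.168.1.0/24`, and the router at `192.168.1.1` is also the DHCP and DNS server; all of those are assumptions to adjust. Run it without arguments to print the rules for review, with `--apply` to load the module, flip the sysctl and install them.

```shell
#!/bin/sh
# Added example (not from the thread): quarantine one bridged VM from the rest of
# the LAN on a Linux KVM host using br_netfilter + iptables physdev matches.
# Assumed values: VM tap device vnet0 on bridge br0, LAN 192.168.1.0/24,
# router 192.168.1.1 (which is also the DHCP and DNS server).
set -eu

VM_TAP=${VM_TAP:-vnet0}
BRIDGE=${BRIDGE:-br0}
LAN=${LAN:-192.168.1.0/24}
ROUTER=${ROUTER:-192.168.1.1}

# Emit the rule set as iptables commands so it can be reviewed before applying.
# With br_netfilter loaded, frames bridged between vnet0 and the real NIC pass
# the FORWARD chain with -i/-o set to the bridge and physdev-in/out set to the
# ports, which is what the matches below key on.
quarantine_rules() {
    tap=$1; lan=$2; router=$3; br=$4
    cat <<EOF
iptables -N VMQUAR 2>/dev/null || iptables -F VMQUAR
# replies to flows that were allowed to start
iptables -A VMQUAR -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# VM -> router: DHCP (unicast renewals; the initial broadcast is not a LAN address) and DNS
iptables -A VMQUAR -m physdev --physdev-in ${tap} -d ${router} -p udp --dport 67 -j ACCEPT
iptables -A VMQUAR -m physdev --physdev-in ${tap} -d ${router} -p udp --dport 53 -j ACCEPT
iptables -A VMQUAR -m physdev --physdev-in ${tap} -d ${router} -p tcp --dport 53 -j ACCEPT
# router -> VM: DHCP offers/acks, which may be broadcast and so not tracked as replies
iptables -A VMQUAR -m physdev --physdev-out ${tap} -s ${router} -p udp --sport 67 -j ACCEPT
# everything else between the VM and any LAN address, in either direction
iptables -A VMQUAR -m physdev --physdev-in ${tap} -d ${lan} -j REJECT
iptables -A VMQUAR -m physdev --physdev-out ${tap} -s ${lan} -j REJECT
# remaining bridged traffic (VM <-> internet via the router, other VMs <-> LAN)
# is accepted here so a FORWARD policy of DROP (e.g. Docker hosts) does not
# silently break the bridge once br_netfilter is on
iptables -A VMQUAR -j ACCEPT
# hook only frames bridged within ${br}; routed traffic never matches this
iptables -D FORWARD -i ${br} -o ${br} -m physdev --physdev-is-bridged -j VMQUAR 2>/dev/null || true
iptables -I FORWARD 1 -i ${br} -o ${br} -m physdev --physdev-is-bridged -j VMQUAR
# frames for the host's own address on ${br} go through INPUT, not FORWARD
iptables -D INPUT -m physdev --physdev-in ${tap} -j DROP 2>/dev/null || true
iptables -I INPUT 1 -m physdev --physdev-in ${tap} -j DROP
EOF
}

# Load the module, make bridged IPv4 traverse iptables, install the rules.
apply_quarantine() {
    modprobe br_netfilter
    sysctl -q -w net.bridge.bridge-nf-call-iptables=1
    quarantine_rules "$VM_TAP" "$LAN" "$ROUTER" "$BRIDGE" | sh -e
}

case "${1:-}" in
    --apply) apply_quarantine ;;
    *)       quarantine_rules "$VM_TAP" "$LAN" "$ROUTER" "$BRIDGE" ;;
esac
```

Things to keep in mind with this approach: it only covers IPv4 (IPv6 needs the same rules in ip6tables with `net.bridge.bridge-nf-call-ip6tables=1`, or simply no IPv6 on the VM); iptables never sees non-IP frames, so the VM can still ARP for and be ARPed by neighbours, and blocking that takes ebtables or an nftables bridge-family table; the `-d ${lan}` reject also covers the router's own other services (web UI, SSH), which is usually what you want for a quarantined guest; and the sysctl and rules are not persistent, so put them in whatever your distribution uses for boot-time firewall rules.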

If your VM box is going to a physical router via a single physical connection, you’d do best by either VLAN segregation and building firewall rules on the physical router to not allow that VLAN to interface with the other local network, or to setup a pfSense VM with its WAN port being connected to the Virtual LAN as all the other VMs/network devices, and using the pfSense LAN port to another virtual switch/subnet and only have your segregated VM attached to it.

I’m running the pfSense option to keep my HTPC stuff behind a VPN connection

would switching my VM networking approach from transparent bridging to SR-IOV help in any way?

VLANs are what you need then, Linux supports them well and most OpenWRT devices will too.

I’ll check this later, but as I remember it:

Linux side, eth0.1 is a VLAN interface that sets tags on outbound packets; this is extra data in the Ethernet frame, so both ends have to be aware.

eth0 > bridge0 > OS and LAN-available VMs (if any)

eth0.1 > bridge1 > isolated VM

There are instructions all over on how to do this.

In the Switch section on OpenWRT, create a new VLAN, and select tagged for the port leading to your VM host and for the CPU port.

Now make a new interface (e.g. LAN1) and define its forwarding as you like (LAN1 > WAN allow, LAN1 > LAN drop, etc.).

Give LAN1 a static address in a new subnet (e.g. if LAN is 192.168.1.1, use 192.168.10.1).

Jump back to your Linux box, manually add 192.168.10.2 to bridge1 and try a ping; if it works, your VM should be able to do the same. You don’t actually need an address on ‘bridge1’ permanently, and in fact not having one could be seen as more isolated too.

Please make backups of course, my experience with this is good but you could lock yourself out of the router with an error.

what I’m suggesting is probably what they would have been doing before they made that standard to make it faster and more autonomous.
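The tagged-VLAN procedure from the post above, both halves, as an added example that is not from the thread: one script that emits the Linux host commands (`host`) and the OpenWRT `uci` commands (`router`), to be reviewed and then piped to `sh` on the respective box. Assumptions, all of them adjustable: host NIC `eth0`, VLAN ID 10, a dedicated host bridge `bridge1` that the host itself gets no address on; on the router a swconfig-style switch as in OpenWRT 19.07 with CPU port 0, the VM host on switch port 2, the CPU-facing interface `eth0`, and `192.168.10.1/24` for LAN1. Port numbers and the CPU interface name differ per device, so check the Switch page first.

```shell
#!/bin/sh
# Added example (not from the thread): emit the commands for both ends of the
# tagged-VLAN quarantine. Review the output, then pipe it to sh on the right box.
# Assumptions: host NIC eth0, VLAN ID 10, host bridge "bridge1"; on the router a
# swconfig-style switch (OpenWRT 19.07 era) with CPU port 0, VM host on port 2,
# CPU-facing interface eth0, and 192.168.10.1/24 for LAN1.
set -eu

# Linux VM host side: a VLAN sub-interface on eth0 bridged into its own bridge.
# Only the quarantined VM attaches to bridge1; the host gets no address on it,
# so from that segment there is nothing on the host to reach.
host_vlan_cmds() {
    nic=$1; vid=$2; br=$3
    cat <<EOF
ip link add link ${nic} name ${nic}.${vid} type vlan id ${vid}
ip link add ${br} type bridge
ip link set ${nic}.${vid} master ${br}
ip link set ${nic}.${vid} up
ip link set ${br} up
# libvirt: attach the VM with <interface type="bridge"><source bridge="${br}"/></interface>
EOF
}

# OpenWRT side: tagged VLAN on the switch, a LAN1 interface with its own subnet
# and DHCP pool, and a firewall zone that can only forward to wan. No forwarding
# exists between lan1 and lan in either direction, and the router itself only
# answers DHCP and DNS from lan1 (zone input is REJECT otherwise).
openwrt_uci_cmds() {
    vid=$1; cpu_port=$2; host_port=$3; rtr_if=$4; addr=$5
    cat <<EOF
uci add network switch_vlan
uci set 'network.@switch_vlan[-1].device=switch0'
uci set 'network.@switch_vlan[-1].vlan=${vid}'
uci set 'network.@switch_vlan[-1].vid=${vid}'
uci set 'network.@switch_vlan[-1].ports=${cpu_port}t ${host_port}t'
uci set network.lan1=interface
uci set network.lan1.ifname='${rtr_if}.${vid}'
uci set network.lan1.proto='static'
uci set network.lan1.ipaddr='${addr}'
uci set network.lan1.netmask='255.255.255.0'
uci set dhcp.lan1=dhcp
uci set dhcp.lan1.interface='lan1'
uci set dhcp.lan1.start='100'
uci set dhcp.lan1.limit='150'
uci set dhcp.lan1.leasetime='12h'
uci add firewall zone
uci set 'firewall.@zone[-1].name=lan1'
uci set 'firewall.@zone[-1].network=lan1'
uci set 'firewall.@zone[-1].input=REJECT'
uci set 'firewall.@zone[-1].output=ACCEPT'
uci set 'firewall.@zone[-1].forward=REJECT'
uci add firewall forwarding
uci set 'firewall.@forwarding[-1].src=lan1'
uci set 'firewall.@forwarding[-1].dest=wan'
uci add firewall rule
uci set 'firewall.@rule[-1].name=lan1-dhcp-dns'
uci set 'firewall.@rule[-1].src=lan1'
uci set 'firewall.@rule[-1].proto=tcp udp'
uci set 'firewall.@rule[-1].dest_port=53 67'
uci set 'firewall.@rule[-1].target=ACCEPT'
uci commit
/etc/init.d/network reload
/etc/init.d/firewall reload
/etc/init.d/dnsmasq reload
EOF
}

case "${1:-}" in
    host)   host_vlan_cmds "${NIC:-eth0}" "${VID:-10}" "${BR:-bridge1}" ;;
    router) openwrt_uci_cmds "${VID:-10}" "${CPU_PORT:-0}" "${HOST_PORT:-2}" "${RTR_IF:-eth0}" "${LAN1_ADDR:-192.168.10.1}" ;;
    *)      echo "usage: $0 host|router   (e.g. $0 router | ssh root@openwrt sh)" ;;
esac
```

Back up `/etc/config/network` and `/etc/config/firewall` on the router before piping anything in, as the post says; a wrong CPU port or interface name in the switch_vlan section is the classic way to lose the management connection. The `uci` commands are idempotent enough to re-run after a `uci revert network firewall dhcp`, and `uci show firewall` lets you confirm that the only forwarding with `src=lan1` has `dest=wan`.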