
How to run Sophos UTM Home in Virtualbox with only a cable modem connected

Hi there,

I want to secure my home network and make it somehow power efficient.

That means, I switched from a cable router from unity media (german cable provider) to a simple cable modem with no "intelligence".


My initial plan was to power a small "server" which should do the following:

- Running Win10 LTSB as I don't get along with Linux / ubuntu

- Running a Raid1 for Media Files and Backup

- Running as a HTPC with Kodi

- Running a VirtualBox with Sophos UTM running


Quick Specs:

Intel i3 Skylake Proc

1x Intel QuadPort NIC

1x Intel Onboard LAN

16GB Ram

1x SSD OS

1x SSD VM

2x 2TB HDD


Now there are two things I still don't know

1. Is it possible to grant the VirtualBox "exclusive" access to one physical NIC, so the Host System can't be directly accessed?

2. How to configure the NICs in UTM so that the NIC connected to the cable modem gets the public IP (WAN) <- this NIC should have access to the host system

3. How to configure the separate NICs that other Clients / PCs / network Switches can be connected.


All tutorials I read had a (cable) router installed, that managed the WAN / LAN connection.

I followed this guide:

rationallyparanoid.com/.../sophos-utm-tutorial-virtualbox.html


And this thread doesn't really match my "adventure"

community.sophos.com/.../sophos-as-a-vm-in-virtualbox


I hope someone out there can help me =)


Best regards,

Daniel



  • Hi Daniel,

    Sorry for the delayed reply. I am not sure how much I can help. I am doing something identical to what you want, but with a Mac mini, VMware Fusion for Mac, and a KDLINKS USB/Ethernet adapter.

    I have a Mac mini server running UTM 9 in a VMware Fusion virtual machine. I use a simple Arris/Motorola SB6141 cable modem, which is a simple bridge, not a router or WiFi access point. The UTM 9 virtual machine is the router, and I have several WiFi access points (various AirPort routers in bridge mode) scattered on the LAN.

    The Mac mini shares its built-in Ethernet interface on the internal LAN. The Mac mini has its own dedicated IP address on the LAN, and the UTM has a separate dedicated IP address on the LAN (both are on the same Ethernet, on the same 10-net /24 subnet). The UTM's LAN IP address is the gateway for the rest of the network.

    For the WAN (public internet) side, I use a USB/Ethernet adapter. It is a KDLINKS U3HN1 USB 3 to Gigabit Ethernet interface, with a built-in 3-port USB 3 hub. In the Mac's Network settings in System Preferences I configured that adapter's IPv4 to "Off" and IPv6 to "Link Local Only". This keeps the Mac mini server off the public internet.

    In VMware I configured the UTM virtual machine's network adapters (Network and Network 2) both to be bridged. On the UTM virtual machine, they are assigned a dedicated internal IP address (LAN) and DHCP (WAN). The DHCP WAN IP address is assigned by my ISP, of course, but I note that it hasn't changed in years.

    (Off topic: Does the ISP keep assigning the same WAN IP address for years, to make it easier to track my internet activities? If true, who takes advantage of it?)

    FYI, I switched from the KDLINKS UN1 USB 3 to Gigabit Ethernet adapter to the KDLINKS U3HN1 model with the 3-port USB hub. You would think that the USB/Ethernet chipset would be identical, but it isn't. The Mac doesn't need a special driver for the UN1, but it does for the U3HN1, so I assume that they use different chipsets. I prefer the model that works with the native, built-in driver.

    This has been in operation for over three years without major issues, but lately there has been a problem at startup. At startup, the Mac mini automatically logs in to a "server" account and automatically launches VMware, which automatically launches the UTM virtual machine. Recently the virtual machine launches too early. It appears to be trying to attach to the interface before the Mac operating system is ready for it. This must be due to an Apple operating system patch or other change, because UTM automatic startup worked well in the past. I am pretty sure that I can fix it by adding a delay to when the virtual machine starts, to give the Mac time to finish booting and connecting its network interfaces. What I have been doing as a workaround is to unplug, then reconnect the USB/Ethernet "WAN" interface after the Mac mini is done booting. I also restart the cable modem. 

    I know that you want to do something similar, but with VirtualBox and Linux. I wrote a detailed description of my installation, with instructions here. I changed from the UN1 to the U3HN1 since I wrote it. Scroll halfway down the page until you see my long write-up: 

    community.sophos.com/.../80436

    I hope this experience and additional information helps.

  • Hi utmadm,

    thank you for your very detailed answer!

    Do you only have UTM running on your Mac Mini? 

    Thing is, my Windows machine also works as a HTPC. But an additional network adapter connected to a network switch would solve my problem, I guess.

    You wrote that you set "System Preferences to IPv4 'Off' and IPv6 'Link Local Only'" on the WAN (USB) NIC. Is the equivalent in Windows to deactivate "Internet Protocol Version 4 (TCP/IPv4)"?

    In the settings for "Internet Protocol Version 6 (TCP/IPv6)" I can't see an option like "Link Local Only". Any idea what setting is similar to this in Windows?


    Best regards,

    Daniel

  • Hi Daniel,

    You're welcome.

    The UTM is the only virtual machine that runs on the Mac mini, but I would not hesitate to have it run another virtual machine if I wanted it. The Mac mini also operates as a Mac server, with its own separate IP address on the LAN. It offers a variety of local services to the family (file sharing, for example). I see no reason that you can't run the HTPC services on the LAN for your family, in a similar way that I use the Mac mini as a server.

    As you have already figured out, the trick is to make sure that the Windows computer cannot "see" the internet WAN, but always routes its internet traffic through the UTM virtual machine gateway. 

    I have not tried using a Windows host with VirtualBox as you want to do. I don't know whether you can force Windows to route all of its traffic on the LAN interface. To do that, you will have to disable Windows from using the WAN interface, but at the same time, your VirtualBox virtual machine must be able to see it and use it. Unless someone else can tell you about their experience running a virtual UTM inside a Windows host, you may have to test and debug it yourself.

    I looked at the network settings on a Windows computer, and I can think of multiple ways to block Windows from communicating on the WAN, but I don't know which of them would work, so you may have to set them yourself to see what works. Windows network settings offer a lot of options in the network properties GUIs, and I would be reluctant to advise you about what to try first. It may take some trial and error on your part, unless you get some advice from someone else who has done it. I know what I would try - the problem is figuring out what disables Windows from seeing anything on the WAN interface (without going through the LAN gateway) but still allows VirtualBox to see the interface. I would try a simple Linux virtual machine as a placeholder for the UTM until you figure out the Windows interface settings on the Windows (HTPC) host. 

    IPv6 requires that all devices support a "Link Local" IPv6 address that starts with "fe80:...". It is equivalent to the self-assigned 169.254... address that your computer gets when it cannot get an IPv4 address (no dedicated IP address set, and no DHCP server available). Link local IPv6 addresses (fe80:...) are not routable to the internet. When IPv6 is enabled, a typical device sets up its link local address AND another routable IPv6 address. The "Link Local Only" setting on the Mac is a way to tell the Mac that you want it to use the mandatory link local IPv6 address, but do NOT get a routable IPv6 address in addition to the link local one. In Windows, I saw settings for DHCP and Manual. I suppose that you can set the manual IPv6 address to a link local address (fe80::42, for example) and then Windows won't be able to use IPv6 to communicate with the internet. Personally I would try disabling (unchecking) IPv6 first, but then the question is whether the VirtualBox UTM can attach to it in bridged mode and use it.

    The bottom line is that you have some experimentation to do, unless someone else jumps in with their experience. I hope this helps. 
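Editor's note, added to this thread and not part of either poster's reply: on a Windows host the setting that corresponds to "IPv4 Off / IPv6 Link Local Only" is the per-adapter protocol binding list (the checkboxes in the adapter's Properties dialog). Unbinding "Internet Protocol Version 4 (TCP/IPv4)" and "Internet Protocol Version 6 (TCP/IPv6)" from the WAN adapter removes the host's IP stack from that NIC entirely, while the "VirtualBox NDIS6 Bridged Networking Driver" binding stays so the VM still receives raw frames from the modem. The script below does this from an elevated PowerShell prompt and then wires the VM's two bridged NICs. It assumes the Windows adapter cabled to the modem is named "WAN", the onboard adapter shared with the LAN is named "LAN", the VM is named "UTM", the VM is powered off, and that the VirtualBox bridge driver reports the component ID oracle_VBoxNetLwf (verify with the first Get-NetAdapterBinding listing before relying on it; these names are assumptions, not from the thread).

```powershell
# Added example (editor), not code from the original thread.
# Assumptions: Windows 10 host, VirtualBox installed with its NDIS6 bridged driver,
# WAN adapter named "WAN", LAN adapter named "LAN", VM named "UTM" and powered off.
# Run from an elevated (Administrator) PowerShell prompt.

$WanAdapter = 'WAN'
$LanAdapter = 'LAN'
$VmName     = 'UTM'
$VBoxBridge = 'oracle_VBoxNetLwf'   # assumed component ID of the VirtualBox bridge; check step 1
$VBoxManage = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'

# 1. List what is currently bound to the WAN adapter. Confirm the VirtualBox
#    bridge entry and its ComponentID before changing anything.
Get-NetAdapterBinding -Name $WanAdapter |
    Format-Table Name, DisplayName, ComponentID, Enabled -AutoSize

# 2. Unbind everything from the WAN adapter except the VirtualBox bridge.
#    This covers ms_tcpip (IPv4), ms_tcpip6 (IPv6), client/file sharing,
#    LLDP, QoS and similar, so the host has no presence on the modem segment.
Get-NetAdapterBinding -Name $WanAdapter |
    Where-Object { $_.Enabled -and $_.ComponentID -ne $VBoxBridge } |
    ForEach-Object {
        Disable-NetAdapterBinding -Name $WanAdapter -ComponentID $_.ComponentID
    }
Enable-NetAdapterBinding -Name $WanAdapter -ComponentID $VBoxBridge

# 3. Check: with ms_tcpip/ms_tcpip6 unbound the host must report no address
#    on the WAN adapter, not even a 169.254.x.x or fe80:: self-assigned one.
$hostAddrs = Get-NetIPAddress -InterfaceAlias $WanAdapter -ErrorAction SilentlyContinue
if ($hostAddrs) {
    throw "Host still has addresses on ${WanAdapter}: $($hostAddrs.IPAddress -join ', ')"
}
Write-Host "Host has no IP stack on $WanAdapter; only the VirtualBox bridge is bound."

# 4. Attach the VM: nic1 bridged to WAN (UTM external interface, DHCP from the ISP),
#    nic2 bridged to LAN (UTM internal interface, static LAN address that the host
#    and the other clients use as their gateway). On Windows, VBoxManage identifies
#    host adapters by their device description, not by the connection name.
$wanDesc = (Get-NetAdapter -Name $WanAdapter).InterfaceDescription
$lanDesc = (Get-NetAdapter -Name $LanAdapter).InterfaceDescription
& $VBoxManage list bridgedifs | Select-String '^Name:'
& $VBoxManage modifyvm $VmName --nic1 bridged --bridgeadapter1 $wanDesc
& $VBoxManage modifyvm $VmName --nic2 bridged --bridgeadapter2 $lanDesc
& $VBoxManage showvminfo $VmName | Select-String '^NIC [12]:'
```

After this the host keeps its own address only on the LAN adapter, with the UTM's LAN address as its default gateway, which matches the Mac mini layout described above. Inside UTM, the interface assignment itself (external/DHCP on the first adapter, internal/static on the second) is done in WebAdmin under Interfaces & Routing; the script only controls what the host and VirtualBox expose to it. Re-run step 3 after Windows updates, since driver or feature installs can re-enable bindings.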
