Isolating The Vms On My Proxmox Server

[chr0megreyl0tus]

I finally set up a promox server in hopes to play around with backtrack 5. One thing i want to ask is how can i isolate the proxmox Vms from my network.

I'm Installing a bunch of vulnerable Machines and its not that safe having vulnerable boxes on the same network as my main computers.

For example i used virtual box and when i make VMs they are already on there own network. I can ping scan the Virtual machines on my proxmox server =/.

If you need anymore information just ask! Thanks again in advance =)

[Infiltrator]

Couple of ways you can go about that:

1) If your server has an additional lan adapter, you could use that nic to create a second subnet. For example, if your first nic has an address of 192.168.1.1, you could set the second adapter to operate on 10.0.0.1, you will also need to connect the 10.0.0.1 NIC to a second switch in order to isolate you VMs traffic from your main network.

2) If you have a switch that is Vlan capable, you could set up a few vlans to isolate your VMs from your main network traffic.

3) OR move your proxmox server to a different network switch, use that for pen-testing only.

[chr0megreyl0tus]

I'm not really good with networking and i still can't make heads or takes of the difference between a switch and a router.

Can explain the difference from a network switch and a router ?

Also i was wondering something like isolating the server into a different subnet would work?

[Infiltrator]

A switch is basically a device that connects multiple computers together. For example in your house you might have 3 or 6 computers and in order to exchange information between these computers, they will need to be connected to a central box or a network switch.

The image below, should give you a clear picture of what the switch role is.

A router on the other hand, could be seen as a bridge connecting two different houses (subnets) together.

See below picture for more details.

Edited July 5, 2011 by Infiltrator

[chr0megreyl0tus]

So basically i fee the router into my switch so that it is onto a different subnet?

Would any regular switch work ?

I talked to some friends and they recommend me picking up a router and flashing it with DD-Wrt and using it as a switch.

It seems that they are saying that the switch will be in a ridiculous price range so it would be better to flash a router with custom firmware ?

Im just wondering can i use any regular 20 dollar switch Specifically the ASUS GX-D1081 to suit my needs ?

I'm also fine picking up a router and flashing I'm just hoping for the simplest solution.

Thanks again for helping out !

[Infiltrator]

How did you set up proxmox? On your personal computer or on a completely different computer?

[chr0megreyl0tus]

On a completely different computer

[Infiltrator]

I would recommend the same thing as well, pick up an old router and flush it with DD-WRT or Tomato firmware. Once you have flushed your router with the firmware, connect your proxmox server to it, make sure its only the router and the proxmox server connected together, they should be completely isolated from your main network.

And happy hacking......

Let me know if you need further assistance.

[abferm]

I would recommend the same thing as well, pick up an old router and flush it with DD-WRT or Tomato firmware. Once you have flushed your router with the firmware, connect your proxmox server to it, make sure its only the router and the proxmox server connected together, they should be completely isolated from your main network.

And happy hacking......

Let me know if you need further assistance.

Why couldn't he just use the router the way it comes? To me flashing the firmware is just an extra step. Isn't a router just a switch that has more functionality(mainly DHCP) programmed into it?

[Infiltrator]

Why couldn't he just use the router the way it comes? To me flashing the firmware is just an extra step. Isn't a router just a switch that has more functionality(mainly DHCP) programmed into it?

Correct, the router is just like a switch but with more functionality. One of the reasons I recommended the OP to use DD-WRT was due stability and other issues he may encounter when using the old firmware.

Plus the DD-WRT firmware has some nice features that he may would like to use too. Furthermore, Its really up to the OP to use the router with its default firmware.

[chr0megreyl0tus]

So both a switch and a router would work out if i just feed the server into a separate router ?

[Infiltrator]

So both a switch and a router would work out if i just feed the server into a separate router ?

Use a spare router if you have. Reason to that, is very simple your router has a built in DHCP server which will allocate IP address individually and automatically to each of the VMs.

A switch on the other hand does not have a built in DHCP server which will make the IP address assignment a bit of a hassle for you. Because you have to manually set the IP on each of the VMs individually.

So forget about the switch and use a router instead.

Edited July 12, 2011 by Infiltrator

[abferm]

You could probably make it work if you have a couple extra NICs and crossover cable. Just put two extra NICs in your server and connect them with a crossover cable. You should be able to do that as long as you have at least one VM on each card and manually assign IPs just like you would with a switch. That would be the cheapest method for me seeing as I have several NICs and crossover cables laying around.

[chr0megreyl0tus]

Alright i just flashed an old Wrt300N with DD-Wrt and i connected it to my current router and right now it is connected to my laptop. I was running some ping tests

and to my dismay i still can ping my main computer. Am i doing something wrong. I am thinking about this following tutorial http://www.hillbillyhomecompanion.com/dmzrouter.html I am still pretty lost as what to do next. I made no changes to the DD-Wrt router except for the password. Should i change the Operating mode of the router ? Any help would be appreciated !

[Infiltrator]

Alright i just flashed an old Wrt300N with DD-Wrt and i connected it to my current router and right now it is connected to my laptop. I was running some ping tests

and to my dismay i still can ping my main computer. Am i doing something wrong. I am thinking about this following tutorial http://www.hillbillyhomecompanion.com/dmzrouter.html I am still pretty lost as what to do next. I made no changes to the DD-Wrt router except for the password. Should i change the Operating mode of the router ? Any help would be appreciated !

OK, here is where you went wrong, rather the connecting your old Wrt300N modem to your current router, which is what you don't want and that's one of the reasons why you can still ping your main computer. Have both the modem and the router physically disconnected from each other. Once you have done that, connect your server that is running the virtual machines to your old Wrt300N modem, that's it. DO NOT connect your old Wrt300N modem to your router, because if you do you are not isolating your server from your main computer, you are simply connecting the two together and you don't want that.

With the server connected to the modem only, it should now be completely isolated from your main computer. Your main computer should not be able to ping the server or vice and versa, because its connected to the router and not to the modem, correct?

[chr0megreyl0tus]

My Modem has only one ethernet port i can't just plug it directly into my Wrt300n. My modem connects to my router which all the computers reside on that network. So it looks something like this.

Modem-->Router-->Wrt300n

The modem has only one port to plug into the router so unless i could get an adapter of some kid. Unless i am perceiving your instructions incorrectly i think that it would be possible!

And Once again thanks for the help Infiltrator!

[Infiltrator]

My Modem has only one ethernet port i can't just plug it directly into my Wrt300n. My modem connects to my router which all the computers reside on that network. So it looks something like this.

Modem-->Router-->Wrt300n

The modem has only one port to plug into the router so unless i could get an adapter of some kid. Unless i am perceiving your instructions incorrectly i think that it would be possible!

And Once again thanks for the help Infiltrator!

Ohh, now I know what is going on with your set up and that explains the situation a lot better. Let me ask you this question, do you have a spare router?

[chr0megreyl0tus]

The Wrt300n Is the spare router that i flash with DD-Wrt firmware

[Infiltrator]

The Wrt300n Is the spare router that i flash with DD-Wrt firmware

So you have two routers and one modem is this correct?

[chr0megreyl0tus]

Corrct

[Infiltrator]

Corrct

Get your second router and connect it up to your server. DO NOT connect it to your modem or first router, just have it sitting by itself with the server.

That should isolate your server from your main computer.

For example:

First network:

Modem->Router 1->Main computer

DO NOT Connect these two networks together. They are meant to be separated/isolated from each other. Hope this makes sense to you.

Second network:

Router2->Server

[chr0megreyl0tus]

How is the server going to receive a access to the internet ?

[Infiltrator]

How is the server going to receive a access to the internet ?

You never mentioned anything about internet. But to get around that, you will need to install an additional network card in your server.

Both network cards will need to be on different subnets. For example, the first card will be operating on the following IP address range, 192.168.1.1 and the second network card on 10.0.0.1.

[abferm]

Modem-->Wrt300n-->Router

This order would protect anything connected to the router from the rest of the computers plugged into your Wrt300n. Do you have DD-wrt configured as a router or a switch? Either way the order I show will accomplish your task, but your setup should have worked if it was configured as a router.

[Infiltrator]

Modem-->Wrt300n-->Router

This order would protect anything connected to the router from the rest of the computers plugged into your Wrt300n. Do you have DD-wrt configured as a router or a switch? Either way the order I show will accomplish your task, but your setup should have worked if it was configured as a router.

Just wondering, what feature in Wrt300 are you using to isolate the main computer from the server?