Building a Virtual Sandbox (Part I) – Firewall/Router

Updated: 12/20/2020

To start with, it is nice to have a network of virtual machines that can be standalone or have Internet connectivity, as needed.  So I’ll begin with my rundown of a great article from The Helpful Hacker website, “A simple OpenBSD Router for your Virtual Machines”.

You ask, “Why yet another technology?”  It’s simple.  Not really, but with this article, it’s really simple to get a router rolling for my purposes.  I’ll be exploring router/firewalls in CentOS and Ubuntu later, but for today: OpenBSD – quick and dirty.

And because I like to work downstairs near my beautiful wife, most of this will be done in VirtualBox on a Windows notebook.

Some assumptions:

  1. You are familiar with VirtualBox
  2. You have some basic system administration skills
  3. You know an editor, like ‘vi’ or ‘nano’.  I’ll be using ‘vi’ for all my examples.

This will be short on theory, and mostly “here’s what you need to do”.  If you want more theory, for now, I’d recommend hitting Google, or send me a note.  Let’s get started.  Download VirtualBox and install it on your favorite workstation.  Next, go to OpenBSD and download the install68.iso (or the current release) from one of the mirrors.

First, let’s create our internal network.  Under File>Preferences>Network, add a new Host-only network.  Update the settings to have the following parameters:

  1. Adaptor Tab:
    1. Check Configure Adapter Manually
    2. IPv4 Address:
    3. IPv4 Network Mask:
  2. DHCP Server
    1. Enable Server
    2. Server Address:
    3. Server Mask:
    4. Lower Address Bound:
    5. Upper Address Bound:

From here, we’ll pretty much follow The Helpful Hacker article with some minor changes, and then wrap up with some networking in preparation for our sandbox.

Create a new machine:

  1. Name:
  2. Type: BSD
  3. Version: OpenBSD (64 bit)

Couple of notes here.  Unless needed, I’ll be creating all my virtual machines (VMs) as 64-bit machines.  My hostnames either follow martial arts, location, or other random name, for memory purposes.   For particular tasks, I’ll use canonical names (CNAMES) to assign services (WWW, MAIL, IMAP, etc) to a host.  This also allows me to move a service to a different server and not have to rename the server.  From my years in the field, this is particularly useful in server migrations or upgrades.

Throughout this exercise, there will be different subnets.  This first one is ‘’.  I’m working on my notebook that generally lives in the dining room.  Well, in the dining room, living room, dinette, kitchen, general mobile, but I had to pick one, so ‘dining’ works.  I could bridge my various VirtualBox networks into one, but I have additional plans that we’ll eventually get to.

Host parameters:

  1. Memory: 64 M
  2. Disk: New VDI disk, Dynamically allocated, 16G

Leave the first network adaptor as a NAT.   Add a second adaptor, enable it, and attach it to the Host-only Adaptor.

Now, attach the OpenBSD ISO to the CD/DVD Drive and start the machine.

  1. (I)nstall
  2. “default” keyboard
  3. Hostname: torii
  4. Configure em0
  5. IPv4 Address: dhcp
  6. IPv6 Address: none
  7. Choose “done” for network configuration.
  8. Choose a root password
  9. Start sshd by default: yes
  10. Start ntpd by default: yes
  11. Use default NTP server
  12. No to X windows
  13. No additional users
  14. I’m in US/Central timezone, but choose the appropriate one for you.
  15. Choose disk wd0 for the root disk
  16. Use DUIDs
  17. Use the (W)hole disk
  18. (A)uto layout
  19. Location of sets: cd
  20. Install media: cd0
  21. Pathname: 5.4/amd64
  22. Deselect the Xwindows sets: -x*
  23. Deselect the games: -g*
  24. And “done”
  25. When the sets load, choose “done”
  26. Set the time

And you are done!  Run “halt -p” on the machine, unmount the disk, restart and log in as root.

A few more things, and we’ll be done:

  1. echo dhcp > /etc/hostname.em0
  2. echo "" > /etc/hostname.em1
  3. echo "nameserver" > /etc/resolv.conf
  4. sh /etc/netstart
  5. edit /etc/sysctl.conf, and uncomment net.inet.ip.forwarding and set to 1 (Permit forwarding of IPv4 packets)
  6. edit /etc/rc.conf and set pf=YES (enable pf firewall)
  7. edit /etc/pf.conf and add to the end: “pass out on em0 from em1:network to any nat-to (em0)”
  8. reboot

And you’re done.
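To confirm the edits from the list above actually landed, here is a small audit script, added as an example and not taken from the original post or The Helpful Hacker article. It assumes the em0/em1 interface names and file paths used above; the function names are hypothetical, and hostname.em1 is only checked for being non-empty because its contents depend on your subnet.

```shell
#!/bin/sh
# Added example: audit the files edited in the steps above.
# On the router, as root:        check_router /
# Against copies of the files:   check_router /path/to/copy

# Print FILE with comments stripped, whitespace collapsed, blank lines dropped.
active_lines() {
    [ -f "$1" ] || return 0
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e 's/ *= */=/' -e '/^$/d' "$1"
}

# has_line FILE LINE: true if LINE is an active line of FILE ('*' = any line).
has_line() {
    if [ "$2" = '*' ]; then
        active_lines "$1" | grep -q .
    else
        active_lines "$1" | grep -Fxq -- "$2"
    fi
}

# check DESCRIPTION FILE LINE: print the result and count failures.
check() {
    if has_line "$2" "$3"; then
        echo "ok    $1"
    else
        echo "FAIL  $1 ($2)"
        fails=$((fails + 1))
    fi
}

# check_router [ROOT]: returns the number of failed checks (0 = all good).
check_router() {
    root="${1:-}"; root="${root%/}"; fails=0
    check "em0 (NAT side) uses DHCP" "$root/etc/hostname.em0" 'dhcp'
    # Contents depend on your subnet, so only require that it is not empty.
    check "em1 (host-only side) is configured" "$root/etc/hostname.em1" '*'
    check "IPv4 forwarding is on" "$root/etc/sysctl.conf" 'net.inet.ip.forwarding=1'
    check "pf is enabled" "$root/etc/rc.conf" 'pf=YES'
    check "NAT rule is present" "$root/etc/pf.conf" \
        'pass out on em0 from em1:network to any nat-to (em0)'
    return "$fails"
}
```

These checks only read the files; after the reboot, `sysctl net.inet.ip.forwarding` and `pfctl -sr` show the values that are actually live.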

If you want more details on the last steps, read the article at:

For our purposes, the first step of our sandbox is done.

Next up will be the first workstation/server.  It will perform double duty as my initial configuration server and workstation.  Later, the services that don’t make sense to be on this host will get migrated off.
