This will initially sound like a virtualbox problem, but please bear with me, the underlying question is about network configuration. I have a virtualbox installation, and I need fairly high security separation between host and guest traffic. The university network the box hangs off uses statically-allocated ip addresses, allocated to fixed MAC addresses (i.e. it eats any traffic with mismatched ip and MAC addresses).
Guest OS: Fedora 11 64bit
Hardware: dual NIC, Intel server
Bridged networking, with separate NICs for host and guest
I'm aiming for high-security separation between host and guest traffic. To do this, I would like to to run all host traffic through one NIC, H, and all guest traffic through the other, G. The host and guest have separate, statically allocated, IP addresses, IPH and IPG. The network forces these to be mapped to specific MAC addresses, MACH (the address of NIC H) and MACG (the address of NIC G). So it's not too hard to write host firewall rules to enforce this policy. The rules just have to state that traffic coming into H must have a destination compatible with IPH, and traffic going out must have IPH as source - and vv for G and IPG. There also don't seem to be any trouble telling the guest to only use NIC G. As a result, turning off NIC G (or equivalently, firewalling it off from host traffic) crashes the network, I have to reboot it to get networking working.
But I can't figure how to tell the host to _only_ use NIC H for anything else except the guest. Even though we don't see any IPH traffic coming into NIC G from outside, I don't seem to be able to stop the host from starting connections on NIC G. Does anyone know any way to do this - to tell the host that it can only use IPH as its IP address unless traffic is coming from a guest process, and that it can only use address MACH and NIC H? I've been reading route and arp manuals all day, but I can't seem to figure anything on this - mainly because arp and route don't know about host/guest processes, and I guess weren't designed with this in mind...
TIA for any help