Isolate NIC Traffic

Hope someone can guide me on this…

openSUSE 13.1, 2 NICs installed (2nd just added).

I currently have a Win7 VM running on VirtualBox 4.3.6, which I use to VPN into work, using the Cisco VPN client within the VM, so it creates its own tunnel through the primary NIC to work, and all other traffic is unaffected. Works like a champ.

Work sent me an Aruba RAP3 to extend the corp network to my house, eliminating the need for the VPN. I have connected the Aruba to the secondary NIC, and pointed the VM to that NIC.

The VM will use 802.1x authentication to the corp network through the Aruba. I do not want any of the traffic from the host to go through that NIC, for obvious reasons.

Questions are:

  1. How should the secondary NIC be configured? I use ifup rather than network manager. I think I just need the NIC to act as a transparent bridge to the Aruba, in other words, just acting as the path, but not needing any IP services itself. How is that achieved?

  2. If I cannot have it as a transparent path, how would it need to be configured?

  3. Do I need to enable 802.1x on that NIC, even though it's not really doing anything?

enp4s0 = Primary NIC, all Linux traffic should go here
enp3s2 = Secondary NIC, all VM traffic should go here

If I configure enp3s2 as static, but do not assign an address, the following two interfaces show up on ifconfig

enp0s26u1 - shows no address and has a different MAC than enp3s2
enp3s2:av - this shows a 169.254.x.x address, and has the same MAC as enp3s2

Hope this all makes sense.

Thanks in advance

Although I haven’t set up this specific device before, on general principles assuming it functions pretty typically like other gateway appliances…

Ordinarily, I would figure out some way to deploy all gateway appliances coming into a LAN through a single Gateway to minimize possible exploit vectors, but you can also set up what I think you are describing, which is to deploy your Aruba appliance side by side with your DG. Unless your appliance is on its own physical network, there is no advantage to configuring a second NIC on your Host, but it can be done as long as you bind all services for a certain machine (eg the Host) on a single NIC. So, as you’ve described your setup, you want <all> your Guest network traffic to pass through the second NIC while you want <all> your Host network traffic to use the first NIC.

You should be able to configure the Guest’s NIC in the Guest Properties (on the Host) to point to your second NIC as you’ve described. If this physical NIC on the Host is connected directly to your appliance, then things should “just work.” But if the appliance is connected to your LAN, then you need to configure your Guest to point to the Aruba appliance as its default gateway which would be different than the other Hosts in your LAN.

As for what type of network connection (bridging or NAT or NAT-network), any might be possible… It just depends on the requirements of how your Aruba appliance and VPN are configured. The appliance will expose a VPN connection, so then the issue becomes how that VPN is configured which would include questions related to bridging, routing, name resolution and more.

Don’t know what you mean by “transparent path.” As I’ve noted, there are at least a few configurations that are possible beyond what you’ve described, and I’m trying to guess you might choose one of the couple more obvious (at least to me). In most cases though, if you configure the properties on the Host NIC or in the Guest properties, then you shouldn’t need to do anything special in the Guest. To me, this is far preferable to any configuration that requires changes <in> the Guest, so that once set up for a particular network connection <any> Guest would work automatically without internal customization.

Ordinarily no. I don’t know how 802.1x is implemented in your Aruba setup, but it’s normally set up as a <network configuration> and not in the NIC’s own properties. So, although you’re not connecting using an openSUSE Guest, if you did, the difference is that 802.1x would be set up in Network Manager (or similar) and not in YaST > Network Devices. On Windows, this means also that you would ordinarily set up 802.1x in a network management app and not in Device Manager > Adapter > Properties. Note I’m saying <ordinarily> because if the connection is set up on boot, the OS may blur the differences between network connection setup and network adapter setup (but that’s purely for convenience, not because the architecture has changed). To a certain degree, this may also depend on the method of authentication. Like any other network security technology, a variety of authentication methods can be implemented (or combined, providing multi-factor), eg username/password, certificates, firmware ID, software ID, biometrics, more.

And why would you test the above configuration (static but empty address)?
I’m not sure what the worth of that might be. You need to configure an address you believe suitable, and test. The 169.x.y.z is a self-generated address, which most modern OSes assign when an address is missing, but it’s not routable or ordinarily usable in practice.

Thanks for the info. My goal with not assigning an IP to the secondary NIC is to make sure that no traffic routes from the host through it, so that it just provides a path. The VM gets its IP from the corp network.

Everything is working. The VM is using that secondary NIC and connecting to the corp network, with no traffic crossing between the NICs.

Thanks again
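The host-side setup this thread converges on (a link-only secondary NIC with no host IP, handed to the guest as a VirtualBox bridged adapter, and a check that the host holds no address or route on it), written out as an added example. This is not code from the thread's participants, openSUSE or VirtualBox. The interface names enp4s0 and enp3s2 come from the thread; the VM name "Win7", the file paths written under /etc/sysconfig/network and /etc/sysctl.d, and the `ip route` / `ip addr show` sample output are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: pin a secondary NIC on an openSUSE 13.1
# host to "link only" so the host IP stack never uses it, hand it to the
# VirtualBox guest as a bridged adapter, and audit `ip route` / `ip addr`
# output to prove the host still has no address or route on it.
# Interface names, the VM name and all sample command output are assumptions.
set -e

HOST_NIC="${HOST_NIC:-enp4s0}"   # primary NIC: every host packet goes here
VM_NIC="${VM_NIC:-enp3s2}"       # secondary NIC: guest (bridged) traffic only
VM_NAME="${VM_NAME:-Win7}"       # hypothetical VirtualBox VM name

# 1. ifup configuration: bring the link up at boot but assign no IP at all.
#    BOOTPROTO='none' means ifup neither sets an address nor installs routes,
#    so the 169.254.x.x zeroconf alias (enp3s2:av) that BOOTPROTO='static'
#    without an IPADDR produced never appears.
write_ifcfg() {
    dir="${1:-/etc/sysconfig/network}"
    cat > "$dir/ifcfg-$VM_NIC" <<EOF
# $VM_NIC: link-only uplink to the Aruba RAP, bridged into VirtualBox.
# No host IP, no routes, no zeroconf.
STARTMODE='auto'
BOOTPROTO='none'
EOF
}

# 2. Even with no IPv4, the kernel adds an fe80::/64 link-local IPv6 address
#    and acts on router advertisements seen on the corp segment. Turn IPv6
#    off on this one interface only (/etc/sysctl.d is applied at boot;
#    `sysctl -p <file>` applies it now). Path is an assumption.
write_sysctl() {
    dir="${1:-/etc/sysctl.d}"
    cat > "$dir/50-$VM_NIC-isolate.conf" <<EOF
net.ipv6.conf.$VM_NIC.disable_ipv6 = 1
net.ipv6.conf.$VM_NIC.accept_ra = 0
EOF
}

# 3. Point the guest's first adapter at the secondary NIC in bridged mode.
#    VirtualBox's bridged driver taps the NIC below the host IP stack, so the
#    guest's 802.1X (EAPOL) frames and corp traffic never touch host routing.
attach_vm() {
    VBoxManage modifyvm "$VM_NAME" --nic1 bridged --bridgeadapter1 "$VM_NIC"
}

# 4. Audit helpers: feed them `ip route` / `ip addr show` output on stdin.
#    Each prints every route or address the host still holds on VM_NIC;
#    empty output means the host stack is not using that NIC.
leaked_routes() {
    awk -v nic="$VM_NIC" '
        { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == nic) { print; next } }'
}

leaked_addrs() {
    awk -v nic="$VM_NIC" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }   # "3: enp3s2: <...>" header
        cur == nic && $1 ~ /^inet6?$/ { print }'       # inet / inet6 lines under it
}

count_lines() { awk 'END { print NR }'; }

# Constructed samples: the state the OP saw (static, no IPADDR) vs the target.
SAMPLE_ROUTES_CLEAN='default via 192.168.1.1 dev enp4s0
192.168.1.0/24 dev enp4s0  proto kernel  scope link  src 192.168.1.50'
SAMPLE_ROUTES_LEAK="$SAMPLE_ROUTES_CLEAN
169.254.0.0/16 dev enp3s2  scope link"
SAMPLE_ADDR_LEAK='2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.50/24 brd 192.168.1.255 scope global enp4s0
    inet6 fe80::211:22ff:fe33:4455/64 scope link
3: enp3s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 66:77:88:99:aa:bb brd ff:ff:ff:ff:ff:ff
    inet 169.254.23.77/16 brd 169.254.255.255 scope link enp3s2:av
    inet6 fe80::6477:88ff:fe99:aabb/64 scope link'
SAMPLE_ADDR_CLEAN='2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.1.50/24 brd 192.168.1.255 scope global enp4s0
3: enp3s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 66:77:88:99:aa:bb brd ff:ff:ff:ff:ff:ff'

# On a real host (as root): `sh isolate_nic.sh apply`, then `... audit`.
# With no argument the script only defines the functions above.
case "${1:-}" in
    apply) write_ifcfg; write_sysctl
           sysctl -p "/etc/sysctl.d/50-$VM_NIC-isolate.conf"
           ifup "$VM_NIC"; attach_vm ;;
    audit) ip route | leaked_routes; ip addr show | leaked_addrs ;;
esac
```

Running `audit` after `apply` should print nothing; any line it does print is a route or address the host still owns on the Aruba-facing NIC. Two caveats follow from how the pieces fit together: VirtualBox's bridged driver sits below the host's IP stack, so host iptables rules on enp3s2 filter only the host's own traffic and never the guest's frames, and, for the same reason, the 802.1X supplicant lives in the guest, which is why the host NIC needs no 802.1X configuration of its own.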