cannot ping "internet" from DMZ on VirtualBox after changing the wan from Bridge

Started by rickeyw, April 08, 2020, 10:42:11 PM

Hello Everyone,
I hope all is OK with you, and that you are healthy and safe!
In VirtualBox I created an OPNsense firewall with a LAN and a DMZ, both using Host-Only adapters (so I can remote (SSH) from my host PC into the LAN and DMZ easily). My WAN has a Bridged adapter and accepts its IP address from my home network's DHCP. VirtualBox's DHCP servers on LAN and DMZ are stopped and are configured on the firewall instead, so any dynamically configured client PC takes an IP address automatically. I also have a small web server with a simple test page in the DMZ. After adding PAT:8888 and rules for ICMP, :53, :80 and :443 on the firewall, I am able to access the web page on the DMZ's web server from my host via http://WAN:8888, and to access and ping Internet web pages from the DMZ.
I needed to isolate my WAN more, so I changed the VirtualBox WAN interface from Bridged to a Host-Only adapter too, but for it I left the VirtualBox DHCP server active (it doesn't provide a default gateway or DNS). I changed all other firewall settings accordingly. I started an MS Win 10 virtual PC with the same Host-Only interface as the WAN, and from it I am still able to access the web page in the DMZ via http://WAN:8888 (with the new WAN address, of course). I am able to ping the WAN IP from the DMZ, but I am not able to ping the IP of the Win 10 PC from the DMZ (its firewall is stopped).
Could you give me a hand with what might be the issue here, please?
Thanks, and Best,
rickey

Hello again Everyone,

Here is some update:

I noticed something strange:
I changed the FW's WAN adapter, and the one on Win 10, from Host-Only to NAT Network.
In VirtualBox, NAT Network provides an IP via the internal DHCP (same as with Host-Only) but also has a default gateway and DNS assigned, so you are able to reach the Internet from the virtual PC.
As soon as I did this, I was able to ping the new IP of Win 10 from the DMZ, but now I cannot access my web page in the DMZ from Win 10 ...

Here's how my FW- Rules look like at the moment:
DMZ - Source, In:
1. ipv4, icmp - allows ping from DMZ to WAN
2. ipv4, tcp/udp, dns - allows name resolution from DMZ to WAN
3. ipv4, tcp, 80/443 - allows web access from DMZ to WAN
WAN:
4. Destination - DMZ_ip_as alias:80 - automatically generated rule
5. Source, In - ipv4, icmp - needed with the Host-Only VirtualBox adapter to be able to ping the WAN interface of the FW from Win 10

Here's how the NAT is configured:
Port- Forwarding:
6. wan/tcp,  source-any/any,  dest.-wan_address/8888,  nat-alias_for_dmz_address/80  -  WAN-to-DMZ access to the web server

I think there is a need for a default gateway in the WAN part of the lab ...

Any suggestions ?

Best,

rickey

So finally, the resolution happened to be as I thought.

In the initial case, the Host-Only adapters from VirtualBox for the WAN of the FW and for Win 10 are configured with DHCP, and as mentioned there is no default gateway applied.
I simply stopped the DHCP in VirtualBox and applied a static IP with Upstream_Gateway=ip_Win_10_PC on the WAN interface of the firewall.
On the Win 10 PC, the same procedure with DG=ip_WAN_Firewall should be executed.
Important:
Created a Hybrid Outbound Rule on the DMZ interface:
Source-any/icmp,  Dest.-wan_address/icmp,  NAT-wan_address
Thank you for the resolution @eddys, and @franco !  -  https://forum.opnsense.org/index.php?topic=3050.msg9401#msg9401

Then the PING from the DMZ's web server goes to Win 10 ("Internet") and back. If you use 192.0.2.0/24 for the static configuration of your WAN, you can re-check the "Block private..." and "Block bogon..." check boxes in the "Interfaces" section.

Isolated like this, I can install the PentestBox tools on Win 10 and do all types of web attacks against the DMZ, including the reverse shell.
Another possible use could be the creation of authoritative and caching BIND DNS in the "Internet" zone, so split-horizon between WAN and LAN can be tried. I will keep you posted.

Best,

rickey
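The resolution above boils down to one routing fact: the Win 10 VM on the WAN host-only network had no route back to the DMZ address of the web server, so its echo replies were dropped. Either of the two changes in the last post fixes that independently: the hybrid outbound NAT rule makes the request appear to come from the firewall's WAN address (on-link for Win 10), and a default gateway on Win 10 pointing at the firewall's WAN IP gives it a route to the DMZ. The following is an added example, not code from the thread or from OPNsense: a small Python model of that packet path that reproduces the failure and both fixes. All addresses are constructed (192.0.2.0/24 plays the WAN host-only network as the post suggests, 172.16.2.0/24 the DMZ), and the `Host`, `Firewall` and `ping` names are this example's own.

```python
# Added example (not from the forum thread or OPNsense): a toy model of the
# lab's ICMP path showing why the DMZ -> "Internet" ping fails without a
# default gateway on the WAN-side VM, and why either a source NAT rule on the
# firewall or a gateway on that VM fixes it. All addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Optional, Tuple


@dataclass
class Host:
    name: str
    addr: IPv4Interface                  # address with prefix, e.g. 192.0.2.10/24
    gateway: Optional[IPv4Address] = None

    def next_hop(self, dst: IPv4Address) -> Optional[IPv4Address]:
        """On-link destinations are delivered directly; anything else needs the
        default gateway. Returns None when the host has no route at all."""
        if dst in self.addr.network:
            return dst
        return self.gateway


@dataclass
class Firewall:
    """Two-interface OPNsense-style box: WAN towards the Win 10 VM, DMZ towards
    the web server. Rule 1 from the thread (DMZ -> any, ICMP) is assumed on."""
    wan: IPv4Interface
    dmz: IPv4Interface
    outbound_nat_icmp: bool = False      # the hybrid outbound rule from the thread
    # (translated src, dst) -> real DMZ src, so replies can be un-NATed
    nat_state: Dict[Tuple[IPv4Address, IPv4Address], IPv4Address] = field(default_factory=dict)

    def forward_request(self, src: IPv4Address, dst: IPv4Address) -> IPv4Address:
        """Send an echo request out the WAN; returns the source address the
        WAN-side host will see (the firewall's own WAN IP when NAT applies)."""
        if self.outbound_nat_icmp:
            self.nat_state[(self.wan.ip, dst)] = src
            return self.wan.ip
        return src

    def forward_reply(self, src: IPv4Address, dst: IPv4Address) -> IPv4Address:
        """Undo the NAT for an echo reply arriving on the WAN; returns the DMZ
        address the reply is finally delivered to."""
        return self.nat_state.get((dst, src), dst)


def ping(dmz_host: Host, fw: Firewall, wan_host: Host) -> Tuple[bool, List[str]]:
    """Trace one echo request from dmz_host to wan_host and the reply back.
    Returns (reply_delivered, trace)."""
    trace: List[str] = []
    if dmz_host.next_hop(wan_host.addr.ip) != fw.dmz.ip:
        trace.append(f"{dmz_host.name}: no route towards {wan_host.addr.ip}")
        return False, trace
    seen_src = fw.forward_request(dmz_host.addr.ip, wan_host.addr.ip)
    trace.append(f"firewall: request leaves WAN with source {seen_src}")
    # The reply only reaches the firewall if its next hop is the firewall's WAN
    # address: either the destination is that address (source NAT) or the host's
    # default gateway is.
    if wan_host.next_hop(seen_src) != fw.wan.ip:
        trace.append(f"{wan_host.name}: no route back to {seen_src}, reply dropped")
        return False, trace
    final = fw.forward_reply(wan_host.addr.ip, seen_src)
    trace.append(f"firewall: reply delivered to {final}")
    return final == dmz_host.addr.ip, trace


def scenarios() -> Dict[str, bool]:
    """The three configurations discussed in the thread, with constructed addresses."""
    cases = [("no gateway, no NAT", None, False),
             ("outbound NAT only", None, True),
             ("gateway on Win 10 only", IPv4Address("192.0.2.2"), False)]
    results: Dict[str, bool] = {}
    for label, gw, nat in cases:
        fw = Firewall(wan=IPv4Interface("192.0.2.2/24"),
                      dmz=IPv4Interface("172.16.2.1/24"), outbound_nat_icmp=nat)
        web = Host("dmz-web", IPv4Interface("172.16.2.10/24"), gateway=IPv4Address("172.16.2.1"))
        win10 = Host("win10", IPv4Interface("192.0.2.10/24"), gateway=gw)
        ok, trace = ping(web, fw, win10)
        results[label] = ok
        print(f"{label}: {'OK' if ok else 'FAIL'}")
        for line in trace:
            print("   ", line)
    return results


if __name__ == "__main__":
    scenarios()
```

Running it prints a FAIL trace for the original setup (the reply has no route back) and OK for each of the two fixes on its own. The model deliberately ignores the "Block private networks" interface option, which is why the post recommends 192.0.2.0/24 (TEST-NET-2) rather than an RFC 1918 range for the WAN: with that prefix the block rule can stay enabled without affecting the lab.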