A multi-subnet enterprise-style network built entirely with Linux virtual machines. The lab covers routing, DHCP, DNS, NAT, web hosting, and persistent file sharing — all validated through live traffic and service testing.
| Device | Hostname | Role | IP Address |
|---|---|---|---|
| Router 1 | shreyank-Router1 | Gateway, NAT, Inter-subnet routing | 192.168.15.129 (LAN1), 192.168.15.253 (Transit) |
| Router 2 | shreyank-Router2 | Second subnet gateway | 192.168.15.161 (LAN2), 192.168.15.254 (Transit) |
| VM1 | shreyank-VM1Desktop | Client — Laptop subnet | 192.168.15.140–155 (DHCP) |
| VM2 | shreyank-VM2DNS | DNS Server (Bind9) | 192.168.15.130 (Static) |
| VM3 | shreyank-VM3Desktop | Client — Desktop subnet | 192.168.15.173–185 (DHCP) |
| VM4 | shreyank-VM4Web | Web Server (Apache) | 192.168.15.172 (DHCP reserved) |
| VM5 | shreyank-VM5dhcp-file | DHCP + File Server | 192.168.15.165 / 192.168.15.170 |
VM3 → Internet:
VM3 → Router2 (192.168.15.161) → Transit LAN → Router1 (192.168.15.253) → NAT → Internet
VM1 → File Server:
VM1 → Router1 (192.168.15.129) → Router2 (192.168.15.161) → VM5 (192.168.15.170)
DNS resolution for all VMs:
Any VM → VM2 DNS (192.168.15.130) → Bind9 resolves lab.com locally → forwards unknown queries to 8.8.8.8
| Layer | Technology |
|---|---|
| Virtualization | Oracle VirtualBox |
| OS | Ubuntu Server 24.04 (minimal), Ubuntu Desktop |
| Routing & NAT | Linux IP forwarding + iptables MASQUERADE |
| Network config | Netplan (networkd renderer) |
| DHCP | ISC DHCP Server (isc-dhcp-server) |
| DNS | Bind9 with custom lab.com zone |
| Web Server | Apache2 with name-based virtual hosts |
| Web Apps | WordPress, Magento 2.4.8 |
| File Sharing | Samba (CIFS), persistent via /etc/fstab |
| Traffic Analysis | Wireshark, tcpdump |
Two-router topology with a Transit LAN connecting the two physical machines. Router1 handles NAT and internet access via a bridged adapter. Router2 forwards all traffic to Router1 via a static default route.
ISC DHCP server on VM5 serves both subnets with dynamic leases and pushes the DNS server IP automatically to all clients. Critical servers (web, file) have MAC-based static reservations so their IPs never change.
Centralized Bind9 resolver on VM2 handles all internal name resolution for lab.com. Query access is restricted to trusted subnets only via ACL — preventing use as an open resolver. Unknown queries are forwarded to Google DNS (8.8.8.8).
Apache2 hosts WordPress on port 1515 and Magento on port 2015 using name-based virtual hosts. Services are accessible by hostname only — direct IP access returns a 403, enforcing DNS dependency.
Samba share accessible from both subnets. Mounted persistently on client VMs via /etc/fstab using _netdev and x-systemd.automount flags, ensuring the mount survives reboots and reconnects automatically when the network is available.
All services are enabled via systemd and survive a full reboot without manual intervention.
VM1 and VM3 both receive IP addresses dynamically via DHCP from VM5.
Traceroute from VM3 to VM1 confirms traffic flows through Router2 → Router1 → destination.
VM3 (deepest in the network) successfully reaches the internet through two routers and NAT on Router1.
All internal hostnames resolve correctly from any VM.
Both WordPress and Magento load by hostname on their respective custom ports.
A file created on VM1 appears instantly on VM3, confirming cross-subnet share access.
VM5 rebooted — Samba service starts automatically (enabled state), and VM1's network share is accessible without any manual remounting.
Wireshark capture on VM1 during a full lease release and renewal, showing the complete Discover → Offer → Request → ACK handshake between VM1 and the DHCP server (VM5 at 192.168.15.165), with the final ACK assigning 192.168.15.143.
tcpdump running on Router1's external interface (enp0s3) while VM3 pings google.com. The capture shows traffic leaving as shreyank-Router1 — Router1's external identity — not VM3's internal IP. This confirms MASQUERADE is replacing the source address before packets leave the network.
- DNS ACL restricts recursive queries to internal subnets only, preventing DNS amplification abuse
- Name-based access control on the web server means services cannot be reached by IP, reducing attack surface from within the network
- Network segmentation across two subnets limits lateral movement between the laptop and desktop sides
- NAT on Router1 hides all internal addressing from the external network
- DHCP-distributed DNS means a misconfigured DNS IP propagates to all clients instantly — a single point of failure worth monitoring in production
- DNS misconfiguration (wrong IP distributed via DHCP) broke hostname resolution across the entire network even though IP connectivity was working — highlighting DNS as a critical dependency
- Apache returned 403 errors when accessed by IP due to host header mismatch — required understanding of how name-based virtual hosting works at the HTTP layer
- Validating routing required packet-level analysis (tcpdump on router interfaces) to confirm traffic was actually traversing the expected path, not just that ping was succeeding
- Add firewall rules (nftables) to restrict inter-subnet traffic rather than allowing all routing by default
- Use HTTPS with internal CA certificates instead of HTTP for web services
- Implement DHCP failover for the DHCP server — currently a single point of failure
- Add logging and alerting on the DNS server for failed resolution attempts
.
├── README.md
├── architecture/
│ └── topology.png
├── configs/
│ ├── router1/
│ │ ├── netplan.yaml
│ │ ├── ip_forward
│ │ ├── nat-rules.sh
│ │ └── routing-table.txt
│ ├── router2/
│ │ ├── netplan.yaml
│ │ ├── ip_forward
│ │ └── routing-table.txt
│ ├── dns/
│ │ ├── named.conf.local
│ │ ├── named.conf.options
│ │ └── db.lab
│ ├── dhcp-fileserver/
│ │ ├── dhcpd.conf
│ │ └── smb.conf
│ ├── webserver/
│ │ ├── wordpress.conf
│ │ ├── magento.conf
│ │ └── ports.conf
│ ├── client-laptop/
│ │ ├── fstab
│ │ └── dns-config.txt
│ └── client-desktop/
│ ├── fstab
│ └── dns-config.txt
└── images/
├── dhcp-vm1.png
├── dhcp-vm3.png
├── dns-resolution.png
├── routing.png
├── internet-access.png
├── web-wordpress.png
├── web-magento.png
├── fileshare.png
├── persistence.png
├── wireshark-dhcp.png
└── tcpdump-nat.png
Note: All IP addresses are within a private VirtualBox lab environment. MAC addresses belong to VirtualBox-generated virtual interfaces, not physical hardware.