To run a firewall as a virtual machine, NetworkManager offers too little flexibility. We need to bring up one of the interfaces (eth0) with a static IP address, and the other interface (eth1) without an IP address, so that the WAN can be connected to it and the “outside world” stays isolated behind the firewall. eth1 is passed through (bridged) to the firewall's red interface.
apt-get remove network-manager network-manager-gnome
/etc/network/interfaces
# main server interface
auto eth0
iface eth0 inet static
    address 192.168.1.11
    netmask 255.255.255.0
    network 192.168.1.0
    gateway 192.168.1.1

# define pass through interface for web server vm
iface eth1 inet manual
To keep eth1 invisible to the main server (no IP address on the host) while still offering it to the vm, the interface has to be brought up manually. Add the following line to the definition of the eth0 interface:
post-up ifconfig eth1 up
vim /etc/resolv.conf
Remove all entries and add one line:
nameserver 192.168.1.3 # IP address of domain name resolver running on the firewall vm (dnsmasq)
Restart networking:
sudo /etc/init.d/networking restart
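As an added example (not part of the original notes), the following script checks that a host's /etc/network/interfaces and /etc/resolv.conf match the layout described above: eth0 static, eth1 brought up by eth0's post-up but carrying no address, and DNS pointing only at the firewall vm. It runs against constructed copies of the two files; the file contents, interface names and addresses are taken from the notes, and the check is an assumption about what a correct result looks like.

```shell
#!/bin/sh
# Added example, not part of the original notes: checks that a host's
# /etc/network/interfaces and /etc/resolv.conf match the layout described
# above (eth0 static, eth1 up but without an address, DNS only via the
# firewall vm). Runs against constructed copies so it works offline; pass
# the real file contents to check_host_config to audit a live host.

# Constructed copy of the interfaces file from the notes.
SAMPLE_IFACES=$(cat <<'EOF'
# main server interface
auto eth0
iface eth0 inet static
    address 192.168.1.11
    netmask 255.255.255.0
    network 192.168.1.0
    gateway 192.168.1.1
    post-up ifconfig eth1 up
# define pass through interface for web server vm
iface eth1 inet manual
EOF
)
# Constructed copy of resolv.conf; glibc ignores text after the address.
SAMPLE_RESOLV='nameserver 192.168.1.3 # resolver (dnsmasq) on the firewall vm'

# iface_method CONTENT IFACE -> method (static/manual/dhcp) of IFACE, or empty
iface_method() { printf '%s\n' "$1" | awk -v i="$2" '$1=="iface" && $2==i {print $4}'; }

# iface_option CONTENT IFACE KEY -> value of KEY inside IFACE's stanza, or empty
iface_option() {
    printf '%s\n' "$1" | awk -v i="$2" -v k="$3" '
        $1=="iface" { cur=$2; next }
        cur==i && $1==k { $1=""; sub(/^ +/, ""); print; exit }'
}

# nameservers CONTENT -> every nameserver address, one per line
nameservers() { printf '%s\n' "$1" | awk '$1=="nameserver" {print $2}'; }

# check_host_config IFACES_CONTENT RESOLV_CONTENT -> "ok" when the layout matches
# the notes, otherwise the first problem found (exit status 1)
check_host_config() {
    [ "$(iface_method "$1" eth0)" = static ] || { echo "eth0 is not static"; return 1; }
    [ "$(iface_option "$1" eth0 address)" = 192.168.1.11 ] || { echo "eth0 address differs"; return 1; }
    [ "$(iface_method "$1" eth1)" = manual ] || { echo "eth1 must be inet manual"; return 1; }
    [ -z "$(iface_option "$1" eth1 address)" ] || { echo "eth1 has a host IP: WAN exposed to host"; return 1; }
    [ "$(iface_option "$1" eth0 post-up)" = "ifconfig eth1 up" ] || { echo "eth0 lacks post-up for eth1"; return 1; }
    [ "$(nameservers "$2")" = 192.168.1.3 ] || { echo "resolv.conf must list only the firewall vm"; return 1; }
    echo ok
}
```

On a live host, call `check_host_config "$(cat /etc/network/interfaces)" "$(cat /etc/resolv.conf)"`; a stale NetworkManager or DHCP nameserver entry shows up as the last check failing.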