This is a tutorial for setting up VirtualBox so that all of the following conditions are met:

A. Virtual machines can't send traffic to the host, physical router, etc.
B. Host can't send traffic to virtual machines.
C. Virtual machines can send traffic to each other if allowed by the software firewalls (if any) in the virtual machines.
D. Virtual machines have internet access via the host.

See "VirtualBox: better to use NAT or Bridged Adapter for a malware test machine?" for a discussion of what's wrong security-wise with the networking capabilities built into VirtualBox.

You may wish to read this entire thread before doing anything, since I won't be able to alter this post after a certain amount of time has passed.

1. Download guide (in PDF format) at hxxp://magikh0e.ihtb.org/pubPapers/Penetration_Testing_LAB_Setup_Guide-iab.pdf .

2. Download pfSense "Live CD with Installer" for your computer architecture. pfSense will be used as a virtual router.

3. Create a new virtual machine for pfSense. See p. 7 in guide. The guide suggests 512 MB of memory; I use 256 MB. See https://www.pfsense.org/hardware/index.html#requirements for minimum memory requirements. Version should be either "FreeBSD" or "FreeBSD (64 bit)," corresponding with the computer architecture of the download in tutorial step 2. I recommend changing the boot order so that Hard Disk is first in the list.

4. Do guide steps 1 and 2 on pp. 8-9. The guide suggests using Promiscuous Mode=Allow VMs, but I believe that the safer setting of Deny also works fine for both network adapters.

5. Do guide step 3 on p. 9. When prompted for a start-up disk, choose the file downloaded in tutorial step 2. In guide step 3 iv, choose the default kernel setting.

6. Do guide step 4 on p. 10.

7. Do guide step 5 on p. 10. If asked about "new LAN IPv4 gateway address", press <Enter> for none. If asked about "new LAN IPv6 address," press <Enter> for none.

8. Press 5 to reboot pfSense.

9. Press 7 to ping a web server to see if pfSense has internet connectivity. You can ping www.google.com.

10. Choose a virtual machine that you want to connect to pfSense. Remove all virtual network adapters from it except for one. Attach the virtual network adapter to Internal Network. The guide suggests using Promiscuous Mode=Allow VMs, but I believe the safer choice of Deny also works. Start the virtual machine. At a command prompt, type ipconfig; check that IPv4 Address is in the range specified in tutorial step 7. Browse the web to verify internet connectivity.

11. In the virtual machine in tutorial step 10, use a web browser to browse 192.168.12.1. This should open the pfSense administrative interface. Default Username=admin. Default Password=pfsense. Go through the setup wizard; change the admin password at the appropriate step.

12. Now we'll add pfSense firewall rule(s) so that any virtual machine connected to pfSense can't send traffic to your host computer or other local devices. You can use ipconfig in a command prompt on the host to find its IPv4 address and subnet mask. Add this rule: Action=Block; Interface=LAN; TCP/IP Version=IPv4; Protocol=Any; Source Type=LAN subnet; Destination Type=Network; Destination Address=(fill in yours; mine is 192.168.1.1 / 24). Move this rule as far to the top as possible, since rule order matters. You might need multiple rules. My LAN rules look like this:

13. Repeat tutorial step 10 for any other virtual machines that you wish to connect to pfSense.

The end. Feedback welcome.
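As an added example (not part of the original post or the guide), this Python helper turns the host's ipconfig output into the Destination Address values for the block rules in step 12, one per host network, which is where "multiple rules" come from. The sample ipconfig text is constructed, and the pfSense LAN of 192.168.12.0/24 is an assumption inferred from the 192.168.12.1 address in step 11.

```python
import ipaddress
import re

# Constructed sample of `ipconfig` output from a host (not from the original post).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter VirtualBox Host-Only Network:

   IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# Assumption: pfSense LAN subnet, inferred from 192.168.12.1 in step 11.
PFSENSE_LAN = ipaddress.ip_network("192.168.12.0/24")

ADDR_RE = re.compile(r"IPv4 Address[ .]*:\s*([\d.]+)")
MASK_RE = re.compile(r"Subnet Mask[ .]*:\s*([\d.]+)")

def host_networks(ipconfig_text):
    """Return the distinct IPv4 networks the host is attached to, in order."""
    nets, addr = [], None
    for line in ipconfig_text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            addr = m.group(1)  # remember until the matching Subnet Mask line
            continue
        m = MASK_RE.search(line)
        if m and addr:
            net = ipaddress.ip_interface(f"{addr}/{m.group(1)}").network
            if net not in nets:
                nets.append(net)
            addr = None
    return nets

def block_rule_destinations(ipconfig_text, lan=PFSENSE_LAN):
    """Destinations for the LAN block rules; refuse if a host network overlaps the pfSense LAN."""
    dests = []
    for net in host_networks(ipconfig_text):
        if net.overlaps(lan):
            raise ValueError(f"{net} overlaps pfSense LAN {lan}; renumber one of them")
        dests.append(str(net))
    return dests

if __name__ == "__main__":
    for dest in block_rule_destinations(SAMPLE_IPCONFIG):
        print(f"Action=Block; Interface=LAN; Source=LAN subnet; Destination={dest}")
```

Paste the real ipconfig output from the host in place of the sample; each printed line corresponds to one block rule to place above any allow rule on the LAN tab.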