This all started when I needed to run a sandboxed instance of Wordpress. The simple part was creating a virtual Ubuntu 11.10 server as a guest inside my VirtualBox host. Then I discovered I knew much less about networking than I thought, a topic full of packets and switches and routing. I know even less about networking in VirtualBox, where all that stuff is virtualized in software. Several attempts and a networking crash-course later, mission accomplished, and, to save you my pain, here's what I found.

VirtualBox Network Options

Install any version of VirtualBox from 3.0 onwards, and you'll find similar layouts and capabilities.

For any of your installed virtual machines, click on Settings > Network. This is the default view. Any virtual machine can have up to four network adapters - which you can enable as needed. Most of the time, you'll need just one. Usually when you create a virtual machine, you can leave VirtualBox to get on with creating a single network adapter - allowing you to see out onto the Internet.

You might need multiple adapters of different types, or the same type with different settings, according to the use of your virtual machine and the networks - physical and virtual - to which it is connected.

For my virtual web-server running Wordpress, things get a bit more complex, so here we go… The Adapter Type defines the virtual hardware available to your virtual machine (VM). VirtualBox will do its best to mediate the virtual network card with whatever physical adapters you have on your host machine. Open the Advanced pane and you get additional options for setting up your network adapter. I'm going to run through the settings deliberately out of sequence, starting with the Adapter type.

Adapter Type : VirtualBox will attempt to emulate some common types of network cards for which it has the drivers and protocols. PCnet-FAST III is the default selection, although I often select the Intel PRO/1000MT adapters if I'm looking for better compatibility with Intel hardware. There are two server versions for higher throughput if you intend your VM to run hot in a production environment. Desktop users needn't worry. If you have a problem with one of the Adapter types, you can try another, including a PCnet-FAST II for older machines.

Mode : the rather racy-sounding 'Promiscuous Mode' has to do with the behaviour of the virtual switch used by Internal Networking, Bridged and Host-only. You can make a VM's network port accept traffic targeted for other virtual machines, or even the host, in addition to traffic addressed specifically to it. Promiscuous Mode is something 99% of users should never touch; it is there for cases where you need to diagnose the cause of certain network problems.

MAC Address : short for Media Access Control, the MAC address is a hardware address that uniquely identifies each network resource or node of a network. It is usually hard-coded into physical network adapters; for virtual machine network cards, VirtualBox generates the MAC addresses itself.

There is a little button on the right to regenerate the MAC address; should you clone a virtual machine, it will need its own unique MAC to run on your virtual network alongside the original.

The Cable connected check-box does the same thing as plugging or unplugging a physical cable. This is the setting that connects your virtual network adapter to your virtual network. It is different from the top-most check-box for Enable Network Adapter, which allows you to effectively insert or pull the network adapter from the machine.

Finally, the Port Forwarding button opens another dialog allowing you to define the traffic rules for the adapter: how traffic of certain types is routed between host and guest. This applies only to certain network attachments, which we will look at next. The attachment is determined by the Attached to option (with its little pal, the Name option), which is the sharp end of networking in VirtualBox, and the thing that gave me most trouble at the start of my experiment.

'Here be dragons.'

There are four types of network attachment available, and many possible combinations of settings across the other controls. This is where VirtualBox networking can seem like medieval sorcery. Following through the right selection for your given purpose can be simple. There may even be multiple right answers to achieve your goal. But everything else looks doomed to failure: I know…

Attached to Network types

We have four workable options here:

• Network Address Translation, which is the default,
• Bridged,
• Host Only, and
• Internal Network.

'Not attached' is also a type, but used for the purpose of keeping an adapter in place for troubleshooting. In this mode, VirtualBox reports to the guest that a network card is present, but that there is no connection.

Network Address Translation (NAT)

NAT enables the guest machine to see out onto the Internet, but via a private IP address that cannot be seen from the host, or indeed, the rest of your physical network. It will allow you to browse the web, download files, and view e-mail inside the guest, but the outside world will never be able to communicate with the guest machine directly.

When a guest machine sends an IP packet to some remote machine, the VirtualBox NAT service will intercept the packet, extract the TCP/IP segments, change the IP address to the IP address of the host machine, then send it. The outside world only sees the IP address of the host machine. Replies are received by the host machine and sent on to the guest machine.

For example, on your home network, your host and other physical machines will typically have addresses in the 192.168.x.x range. In VirtualBox, NAT adapters will begin at 10.0.2.1, incrementing addresses up to 10.0.2.24 in what's called a sub-net. This is not usually routed onto the main network, so this sub-net will be inaccessible from your host. Your guest is able to see out onto the Internet for software updates and web-surfing, but is invisible to the rest of your network.

The VirtualBox manual is a little more explicit:

“In NAT mode, the guest network interface is assigned to the IPv4 range 10.0.x.0/24 by default, where x corresponds to the instance of the NAT interface +2. So x is 2 when there is only one NAT instance active. In that case, the guest is assigned to the address 10.0.2.15, the gateway is set to 10.0.2.2 and the name server can be found at 10.0.2.3.” (Oracle Corporation, 2012, Chapter 9)

NAT is useful when you don't really care what IP addresses your guest machines use, so long as they are unique. You will need to do more configuration when you need to forward traffic or expose services like a web-server to the outside world. Additionally, you cannot enable file and folder sharing over the network.

Bridged Adapter

Under the Bridged Adapter, your virtual machines behave as any other computer on the network where the hosting system resides; the bridged adapter bridges the virtual and physical networks. The outside world can directly communicate with the guest machine.

The Bridged Adapter connects through the host to your default network device that allocates IP addresses for your physical network. VirtualBox connects to one of your installed network cards and exchanges network packets directly; it bridges the virtual and physical networks. In normal use, it will try to get a standard 192.168.x.x IP address from your router, so that your virtual machine can look like a perfectly respectable physical device alongside all the other ironmongery on your network.

You may have more than one active network device available to your host; for example, my laptop has a wired ethernet port (called eth0) and a wireless card (called wlan0). The Name option allows you to choose which one you want to bridge with VirtualBox.

In my case, I use the Wireless adapter wlan0, because that is connected to the router, while eth0 doesn't even have a cable.

So my host connects as 192.168.0.2, allocated by the router. My bridged virtual machine pops up and requests its own IP address, which the router allocates as 192.168.2.6, neither knowing nor caring that VirtualBox is handling the pass-through of traffic via the host. My virtual machine becomes just another device on the local network. If I count my host and three VMs under Bridged, then I have four machines visible on my physical network.

Come here, there's more…

NAT is useful because it protects our guest systems from the Internet at large, but in order to access them, we need to set up port forwarding to access the guests from the host (I have servers on some of my guests). Bridged Networking allows access, but the guests are exposed. If your network access device (be it a router, switch, or hard configuration by your ISP) will not allocate more than one IP address, you probably can't use Bridged networking.

Host-only Adapter

Under the Host-only adapter, virtual machines can communicate between each other and with the hosting system but not outside. The Host-only adapter uses its own dedicated network device, called vboxnet0, to set up a sub-net and allocates IP addresses to guest machines. The guest machines cannot communicate with the outside world, since they are not connected via a physical interface. Host-only provides restricted services, useful for creating private networks under a VirtualBox host for its guests.

Unlike other virtualization products, the VirtualBox NAT adapter doesn't bridge the default network device on your host, so there is no direct network access to NAT-ed machines and no access to applications and data on the host itself. Let's look at an example.

Typically your host has its own network address, the one it uses to access the Internet - commonly 192.168.0.101. Under Host-only, the host machine also becomes the VirtualBox router, with the default IP address of 192.168.56.1. The Host creates an internal local area network serving all the guest machines set-up for Host-only, visible to the rest of your network. The vboxnet0 adapter starts issuing IP addresses from 192.168.56.101 onward, but you can change the default IP address allocation, if you want.

Like the Bridged adapter, Host-only uses its own address range. You can easily allow guest machines to obtain addresses using the DHCP server (dynamic allocation, which will likely give a different address per session) that VirtualBox provides.

Additionally, the Host-only network between the host and guests has no gateway out to the Internet. It is used just to connect the host and the guests, much like a network switch. Therefore the Host-only adapter does not provide guest machines with Internet access: vboxnet0 has no default gateway, so while the addition of vboxnet0 greatly simplifies networking between the host and the guests using it, you don't get external access or port forwarding. You may still need a second NAT or Bridged adapter attached to your guest to achieve full access.

Internal network

If you want several guest machines to communicate with each other on one host, but with nothing else, then you can use this Internal network mode. Although you can use Bridged Networking for this, Internal Network is more secure. In Bridged networking, all the packets are sent/received from the physical network adapter in the host machine, and the traffic can be tapped (say, by attaching a packet sniffer to the host).

The Internal network option creates, according to the VirtualBox manual, “a software-based network which is visible to selected virtual machines, but not to applications running on the host or to the outside world.” This provides a network containing the host and a set of virtual machines, but none of it goes through the host's physical network interface - it is entirely virtual, with VirtualBox acting as a network switch. What you get is a private LAN for your guest machines only, without any access to the external world, which makes it very secure. Possible uses might be running a top-secret development server and clients, conducting penetration testing or otherwise creating a secure Intranet for a team or organisation. It's an ideal way to lock down an environment against unauthorised software installs, downloads, uploads and Facebook-ing during work time.

This is where you begin to see the different types of network setups come into their own, each being fit for different purposes. Which brings me back to my start-point: creating a virtual server for Wordpress development and testing.

Guest Access to the Internet

First, I need my guest machine to be able to access the internet for installing updates, downloading packages, and the like. I need to access it from my host machine, but I don’t want the server to be accessible from anywhere else on the network.

Selecting my guest machine from the VirtualBox Manager window, I then select Settings > Network.

I begin by keeping the default NAT adapter. This allows the guest machine to access the Internet through my host's connection. The guest isn't visible to anyone else on my network; I cannot access any guest resources from my host machine either, nor can any guest machines access each other.

Configure Host-only Adapter in VirtualBox Manager

The easy method is to use the default Host-only adapter provided by VirtualBox, the one named vboxnet0, but you can add more if you want several separate Host-only networks. If you go to the VirtualBox Manager main window and select File > Preferences > Network, you can configure vboxnet0 or add new adapters.

Click on the “Edit” button for your Host-only network, that's the screwdriver icon titled “Edit host only network,” and you'll find the default settings. The IP address 192.168.56.1 is the address at which the guests can access the host. I'll leave this as-is.

By default, vboxnet0 has a DHCP server set up to dynamically allocate IP addresses on a per-session basis. I want my Wordpress virtual server to keep static IP addresses, so on the DHCP tab, I uncheck the “Enable Server” box for DHCP.

Add Host-only Adapter to Guest

I'll add another network adapter to my guest machine, a Host-Only Adapter, that enables a self-contained, private, virtual network consisting solely of my host and any guests using host-only. Any of the member machines can access each other, but nothing outside it can get in.

So on my Adapter 2 tab for my guest, I set the Attached to option to Host-only, and the name is the default vboxnet0. Promiscuous mode doesn't matter, but I do need the Cable Connected checkbox enabled.

Configure the Guest

I need my guest's virtual server to have a static IP address on the host-only network, otherwise the address changes for every session and I have to work out what it is before I can access it from the host. Logging into the guest, I open a terminal and issue the following command:

ifconfig eth1 192.168.56.101 netmask 255.255.255.0 up

This sets the IP address on my host-only adapter for this guest, and brings up the network interface. It uses the 192 network prefix for domestic networks, followed by .168 for the start of the host ID, .56 as the host-only sub-net range, and I could use any final identifier above .1 (my host) on my host-only network. The NAT adapter is sitting on eth0, so logically the Host-only adapter is bound to eth1. I can now secure shell (SSH) or browse to the guest from the host using this IP address as a test. However, this is just temporary; if I reboot, this configuration will disappear. To make it permanent, I need to add it to the /etc/network/interfaces file (as root) in the form:

# The host-only network interface
auto eth1
iface eth1 inet static
    address 192.168.56.101
    netmask 255.255.255.0
    network 192.168.56.0
    broadcast 192.168.56.255

Once I reboot, this interface will be raised automatically. I can check that it's present using the ifconfig command in a terminal on the guest.
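A check for the stanza above, added here as an example and not part of the original article: it parses the iface eth1 inet static entry and verifies the address against the vboxnet0 settings described earlier (host side 192.168.56.1 with a 255.255.255.0 mask, both taken from this page), so a typo does not land the guest on the wrong sub-net or on the host's own address. The stanza is embedded as sample input.

```python
import ipaddress

# The /etc/network/interfaces stanza from this page, embedded as sample input.
INTERFACES_STANZA = """\
# The host-only network interface
auto eth1
iface eth1 inet static
    address 192.168.56.101
    netmask 255.255.255.0
    network 192.168.56.0
    broadcast 192.168.56.255
"""

HOST_ONLY_IFACE = ipaddress.ip_interface("192.168.56.1/24")  # vboxnet0 host side, as in the article


def parse_static_stanza(text, iface="eth1"):
    """Return the option/value pairs of the 'iface <name> inet static' stanza."""
    fields, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "iface":                   # a new stanza starts here
            inside = words[1] == iface and words[2:4] == ["inet", "static"]
        elif words[0] in ("auto", "allow-hotplug", "mapping", "source"):
            inside = False                        # another top-level keyword ends it
        elif inside and len(words) >= 2:
            fields[words[0]] = words[1]
    return fields


def check_host_only_address(fields, host_iface=HOST_ONLY_IFACE):
    """Return a list of problems; an empty list means the address is usable."""
    try:
        guest = ipaddress.ip_interface(f"{fields['address']}/{fields['netmask']}")
    except (KeyError, ValueError) as exc:
        return [f"address/netmask missing or invalid: {exc}"]
    net, problems = guest.network, []
    if net != host_iface.network:
        problems.append(f"{guest} is not on the host-only network {host_iface.network}")
    if guest.ip == host_iface.ip:
        problems.append(f"{guest.ip} is the host's own vboxnet0 address")
    if guest.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{guest.ip} is the network or broadcast address")
    for key, expected in (("network", net.network_address), ("broadcast", net.broadcast_address)):
        if key in fields and ipaddress.ip_address(fields[key]) != expected:
            problems.append(f"{key} {fields[key]} does not match the netmask (expected {expected})")
    return problems


if __name__ == "__main__":
    problems = check_host_only_address(parse_static_stanza(INTERFACES_STANZA))
    print("OK" if not problems else "\n".join(problems))
```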

Naming of parts

Since I'm not so good with numbers and IP addresses, I'd rather use the guest machine name over the IP address. To do this I can add an alias to the /etc/hosts file on my Host machine, so that I can browse by name to my running guest.

I edit the file (as root) adding the line:

192.168.56.101 ocelotsvr

If I add more guests to the host-only network, I can do the same so that I can address any of them, from any of them, by name.

Any Port in a Storm?

The networking experts out there will have spotted an alternate route to accessing my virtual server.

Using my default NAT adapter, I could run some extra configuration there to let me access my virtual server from the host - without using Host-only networking.

I can set up port forwarding in VirtualBox, using the guest's Network Adapter settings panel. Going to the NAT adapter, the big button at the bottom is for Port forwarding. This opens a further configuration dialog box so I can set the port forwarding rules for this network adapter for this guest only.

I need two rules: one to access the Apache web-server on my guest, the other to handle all the other TCP traffic (http requests, mostly).

Keeping it simple, I'll name them Apache and TCP, and both use the TCP protocol. If I stick to the common port numbers, 8888 on the host forwarding to port 80 on the guest for Apache, then 2222 on the host forwarding to port 22 on the guest, this gives me specific access on the guest for those service requests. Anything else will be rejected by VirtualBox as there's no viable route.

This also means any other guests I wish to run can't access this virtual server, as no network route exists under NAT.
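An added example, not from the original article, that takes the two rules above written in VBoxManage's natpf notation, "name,protocol,host IP,host port,guest IP,guest port" (assumed here as the textual form of what the dialog sets). A rule with an empty host IP binds the forwarded port on every host interface, so the guest's Apache and SSH would be reachable from the rest of the LAN, which is exactly what the goal stated earlier rules out; the check flags such rules and rewrites them to listen on 127.0.0.1 only.

```python
import ipaddress

# The two rules from this page in natpf field order (constructed from the page's
# values; the page itself enters them through the Port Forwarding dialog).
PAGE_RULES = [
    "Apache,tcp,,8888,,80",   # host port 8888 -> guest port 80
    "TCP,tcp,,2222,,22",      # host port 2222 -> guest port 22
]


def parse_natpf(rule):
    """Split a natpf rule string into its six fields; empty IP fields stay empty."""
    parts = rule.split(",")
    if len(parts) != 6:
        raise ValueError(f"expected 6 comma-separated fields: {rule!r}")
    name, proto, host_ip, host_port, guest_ip, guest_port = parts
    if proto.lower() not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp: {rule!r}")
    return {"name": name, "proto": proto.lower(), "host_ip": host_ip,
            "host_port": int(host_port), "guest_ip": guest_ip,
            "guest_port": int(guest_port)}


def exposed_rules(rules):
    """Names of rules whose host port is reachable from beyond the host itself.
    An empty (or 0.0.0.0) host IP binds the forwarded port on every host
    interface, so the guest service becomes visible to the rest of the LAN."""
    exposed = []
    for rule in rules:
        r = parse_natpf(rule)
        bind = ipaddress.ip_address(r["host_ip"] or "0.0.0.0")
        if not bind.is_loopback:
            exposed.append(r["name"])
    return exposed


def restrict_to_host(rules, loopback="127.0.0.1"):
    """Rewrite rules so the forwarded host ports listen only on loopback."""
    fixed = []
    for rule in rules:
        r = parse_natpf(rule)
        fixed.append(f"{r['name']},{r['proto']},{loopback},{r['host_port']},"
                     f"{r['guest_ip']},{r['guest_port']}")
    return fixed


if __name__ == "__main__":
    print("exposed on all host interfaces:", exposed_rules(PAGE_RULES))
    for rule in restrict_to_host(PAGE_RULES):
        print("restricted:", rule)
```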

numero61/tuto_vbox_p._15-20.1338040499.txt.gz · Last modified: 2012/05/26 15:54 by andre_domenech