| 1 | <?xml version='1.0' encoding='UTF-8'?>
|
|---|
| 2 | <!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
|
|---|
| 3 | <topic xml:lang="en-us" id="network_nat">
|
|---|
| 4 | <title>Network Address Translation (NAT)</title>
|
|---|
| 5 |
|
|---|
| 6 | <body>
|
|---|
| 7 | <p>
|
|---|
| 8 | Network Address Translation (NAT) is the simplest way of accessing
|
|---|
| 9 | an external network from a virtual machine. Usually, it does not
|
|---|
| 10 | require any configuration on the host network and guest system.
|
|---|
| 11 | For this reason, it is the default networking mode in
|
|---|
| 12 | <ph conkeyref="vbox-conkeyref-phrases/product-name"/>.
|
|---|
| 13 | </p>
|
|---|
| 14 | <p>
|
|---|
| 15 | A virtual machine with NAT enabled acts much like a real computer
|
|---|
| 16 | that connects to the Internet through a router. The router, in
|
|---|
| 17 | this case, is the <ph conkeyref="vbox-conkeyref-phrases/product-name"/> networking engine, which maps
|
|---|
| 18 | traffic from and to the virtual machine transparently. In
|
|---|
| 19 | <ph conkeyref="vbox-conkeyref-phrases/product-name"/> this router is placed between each virtual machine
|
|---|
| 20 | and the host. This separation maximizes security since by default
|
|---|
| 21 | virtual machines cannot talk to each other.
|
|---|
| 22 | </p>
|
|---|
| 23 | <p>
|
|---|
| 24 | The disadvantage of NAT mode is that, much like a private network
|
|---|
| 25 | behind a router, the virtual machine is invisible and unreachable
|
|---|
| 26 | from the outside internet. You cannot run a server this way unless
|
|---|
| 27 | you set up port forwarding. See <xref href="natforward.dita#natforward"/>.
|
|---|
| 28 | </p>
|
|---|
| 29 | <p>
|
|---|
| 30 | The network frames sent out by the guest operating system are
|
|---|
| 31 | received by <ph conkeyref="vbox-conkeyref-phrases/product-name"/>'s NAT engine, which extracts the TCP/IP
|
|---|
| 32 | data and resends it using the host operating system. To an
|
|---|
| 33 | application on the host, or to another computer on the same
|
|---|
| 34 | network as the host, it looks like the data was sent by the
|
|---|
| 35 | <ph conkeyref="vbox-conkeyref-phrases/product-name"/> application on the host, using an IP address
|
|---|
| 36 | belonging to the host. <ph conkeyref="vbox-conkeyref-phrases/product-name"/> listens for replies to the
|
|---|
| 37 | packages sent, and repacks and resends them to the guest machine
|
|---|
| 38 | on its private network.
|
|---|
| 39 | </p>
|
|---|
| 40 | <note>
|
|---|
| 41 | <p>
|
|---|
| 42 | Even though the NAT engine separates the VM from the host, the
|
|---|
| 43 | VM has access to the host's loopback interface and the network
|
|---|
| 44 | services running on it. The host's loopback interface is
|
|---|
| 45 | accessible as IP address 10.0.2.2. This access to the host's
|
|---|
| 46 | loopback interface can be extremely useful in some cases, for
|
|---|
| 47 | example when running a web application under development in the
|
|---|
| 48 | VM and the database server on the loopback interface on the
|
|---|
| 49 | host.
|
|---|
| 50 | </p>
|
|---|
| 51 | </note>
|
|---|
| 52 | <p>
|
|---|
| 53 | The virtual machine receives its network address and configuration
|
|---|
| 54 | on the private network from a DHCP server integrated into
|
|---|
| 55 | <ph conkeyref="vbox-conkeyref-phrases/product-name"/>. The IP address thus assigned to the virtual
|
|---|
| 56 | machine is usually on a completely different network than the
|
|---|
| 57 | host. As more than one card of a virtual machine can be set up to
|
|---|
| 58 | use NAT, the first card is connected to the private network
|
|---|
| 59 | 10.0.2.0, the second card to the network 10.0.3.0 and so on. If
|
|---|
| 60 | you need to change the guest-assigned IP range, see
|
|---|
| 61 | <xref href="changenat.dita">Fine Tuning the <ph conkeyref="vbox-conkeyref-phrases/product-name"/> NAT Engine</xref>.
|
|---|
| 62 | </p>
|
|---|
| 63 | </body>
|
|---|
| 64 | </topic>
|
|---|
