VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Networking.xml@ 68716

Last change on this file since 68716 was 68122, checked in by vboxsync, 7 years ago

doc/manual: fixed link (ticketref:16912)

File size: 51.0 KB
Line 
1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
4<chapter id="networkingdetails">
5 <title>Virtual networking</title>
6
7 <para>As briefly mentioned in <xref linkend="settings-network" />,
8 VirtualBox provides up to eight virtual PCI Ethernet cards for each virtual
9 machine. For each such card, you can individually select<orderedlist>
10 <listitem>
11 <para>the hardware that will be virtualized as well as</para>
12 </listitem>
13
14 <listitem>
15 <para>the virtualization mode that the virtual card will be operating
16 in with respect to your physical networking hardware on the
17 host.</para>
18 </listitem>
19 </orderedlist></para>
20
21 <para>Four of the network cards can be configured in the "Network" section
22 of the settings dialog in the graphical user interface of VirtualBox. You
23 can configure all eight network cards on the command line via VBoxManage
24 modifyvm; see <xref linkend="vboxmanage-modifyvm" />.</para>
25
26 <para>This chapter explains the various networking settings in more
27 detail.</para>
28
29 <sect1 id="nichardware">
30 <title>Virtual networking hardware</title>
31
32 <para>For each card, you can individually select what kind of
33 <emphasis>hardware</emphasis> will be presented to the virtual machine.
34 VirtualBox can virtualize the following six types of networking
35 hardware:<itemizedlist>
36 <listitem>
37 <para>AMD PCNet PCI II (Am79C970A);</para>
38 </listitem>
39
40 <listitem>
41 <para>AMD PCNet FAST III (Am79C973, the default);</para>
42 </listitem>
43
44 <listitem>
45 <para>Intel PRO/1000 MT Desktop (82540EM);</para>
46 </listitem>
47
48 <listitem>
49 <para>Intel PRO/1000 T Server (82543GC);</para>
50 </listitem>
51
52 <listitem>
53 <para>Intel PRO/1000 MT Server (82545EM);</para>
54 </listitem>
55
56 <listitem>
57 <para>Paravirtualized network adapter (virtio-net).</para>
58 </listitem>
59 </itemizedlist></para>
60
61 <para>The PCNet FAST III is the default because it is supported by nearly
62 all operating systems out of the box, as well as the GNU GRUB boot
63 manager. As an exception, the Intel PRO/1000 family adapters are chosen
64 for some guest operating system types that no longer ship with drivers for
65 the PCNet card, such as Windows Vista.</para>
66
67 <para>The Intel PRO/1000 MT Desktop type works with Windows Vista and
68 later versions. The T Server variant of the Intel PRO/1000 card is
69 recognized by Windows XP guests without additional driver installation.
70 The MT Server variant facilitates OVF imports from other platforms.</para>
71
72 <para>The <emphasis role="bold">"Paravirtualized network adapter
73 (virtio-net)"</emphasis> is special. If you select this, then VirtualBox
74 does <emphasis>not</emphasis> virtualize common networking hardware (that
75 is supported by common guest operating systems out of the box). Instead,
76 VirtualBox then expects a special software interface for virtualized
77 environments to be provided by the guest, thus avoiding the complexity of
78 emulating networking hardware and improving network performance. Starting
79 with version 3.1, VirtualBox provides support for the industry-standard
80 "virtio" networking drivers, which are part of the open-source KVM
81 project.</para>
82
83 <para>The "virtio" networking drivers are available for the following
84 guest operating systems:</para>
85
86 <para><itemizedlist>
87 <listitem>
88 <para>Linux kernels version 2.6.25 or later can be configured to
89 provide virtio support; some distributions also back-ported virtio
90 to older kernels.</para>
91 </listitem>
92
93 <listitem>
94 <para>For Windows 2000, XP and Vista, virtio drivers can be
95 downloaded and installed from the KVM project web page.<footnote>
96 <para><ulink
97 url="http://www.linux-kvm.org/page/WindowsGuestDrivers">http://www.linux-kvm.org/page/WindowsGuestDrivers</ulink>.</para>
98 </footnote></para>
99 </listitem>
100 </itemizedlist></para>
101
102 <para>VirtualBox also has limited support for so-called <emphasis
103 role="bold">jumbo frames</emphasis>, i.e. networking packets with more
104 than 1500 bytes of data, provided that you use the Intel card
105 virtualization and bridged networking. In other words, jumbo frames are
106 not supported with the AMD networking devices; in those cases, jumbo
107 packets will silently be dropped for both the transmit and the receive
108 direction. Guest operating systems trying to use this feature will observe
109 this as a packet loss, which may lead to unexpected application behavior
110 in the guest. This does not cause problems with guest operating systems in
111 their default configuration, as jumbo frames need to be explicitly
112 enabled.</para>
113 </sect1>
114
115 <sect1 id="networkingmodes">
116 <title>Introduction to networking modes</title>
117
118 <para>Each of the eight networking adapters can be separately configured
119 to operate in one of the following modes:<glosslist>
120 <glossentry>
121 <glossterm>Not attached</glossterm>
122
123 <glossdef>
124 <para>In this mode, VirtualBox reports to the guest that a network
125 card is present, but that there is no connection -- as if no
126 Ethernet cable was plugged into the card. This way it is possible
127 to "pull" the virtual Ethernet cable and disrupt the connection,
128 which can be useful to inform a guest operating system that no
129 network connection is available and enforce a
130 reconfiguration.</para>
131 </glossdef>
132 </glossentry>
133
134 <glossentry>
135 <glossterm>Network Address Translation (NAT)</glossterm>
136
137 <glossdef>
138 <para>If all you want is to browse the Web, download files and
139 view e-mail inside the guest, then this default mode should be
140 sufficient for you, and you can safely skip the rest of this
141 section. Please note that there are certain limitations when using
142 Windows file sharing (see <xref linkend="nat-limitations" /> for
143 details).</para>
144 </glossdef>
145 </glossentry>
146
147 <glossentry>
148 <glossterm>NAT Network</glossterm>
149
150 <glossdef>
151 <para>The NAT network is a new NAT flavour introduced in
152 VirtualBox 4.3. See
153 <xref linkend="network_nat_service" xrefstyle="template: %n" />
154 for details.</para>
155 </glossdef>
156 </glossentry>
157
158 <glossentry>
159 <glossterm>Bridged networking</glossterm>
160
161 <glossdef>
162 <para>This is for more advanced networking needs such as network
163 simulations and running servers in a guest. When enabled,
164 VirtualBox connects to one of your installed network cards and
165 exchanges network packets directly, circumventing your host
166 operating system's network stack.</para>
167 </glossdef>
168 </glossentry>
169
170 <glossentry>
171 <glossterm>Internal networking</glossterm>
172
173 <glossdef>
174 <para>This can be used to create a different kind of
175 software-based network which is visible to selected virtual
176 machines, but not to applications running on the host or to the
177 outside world.</para>
178 </glossdef>
179 </glossentry>
180
181 <glossentry>
182 <glossterm>Host-only networking</glossterm>
183
184 <glossdef>
185 <para>This can be used to create a network containing the host and
186 a set of virtual machines, without the need for the host's
187 physical network interface. Instead, a virtual network interface
188 (similar to a loopback interface) is created on the host,
189 providing connectivity among virtual machines and the host.</para>
190 </glossdef>
191 </glossentry>
192
193 <glossentry>
194 <glossterm>Generic networking</glossterm>
195
196 <glossdef>
197 <para>Rarely used modes share the same generic network interface,
198 by allowing the user to select a driver which can be included with
199 VirtualBox or be distributed in an extension pack.</para>
200
201 <para>At the moment there are potentially two available
202 sub-modes:</para>
203
204 <para><glosslist>
205 <glossentry>
206 <glossterm>UDP Tunnel</glossterm>
207
208 <glossdef>
209 <para>This can be used to interconnect virtual machines
210 running on different hosts directly, easily and
211 transparently, over existing network
212 infrastructure.</para>
213 </glossdef>
214 </glossentry>
215
216 <glossentry>
217 <glossterm>VDE (Virtual Distributed Ethernet)
218 networking</glossterm>
219
220 <glossdef>
221 <para>This option can be used to connect to a Virtual
222 Distributed Ethernet switch on a Linux or a FreeBSD host.
223 At the moment this needs compiling VirtualBox from
224 sources, as the Oracle packages do not include it.</para>
225 </glossdef>
226 </glossentry>
227 </glosslist></para>
228 </glossdef>
229 </glossentry>
230 </glosslist></para>
231
232 <para>The following table provides a quick overview of the most important
233 networking modes:</para>
234 <table>
235 <title>Overview</title>
236 <tgroup cols="5">
237 <colspec align="left" />
238 <colspec align="center" />
239 <colspec align="center" />
240 <colspec align="center" />
241 <colspec align="center" />
242 <thead valign="middle">
243 <row>
244 <entry></entry>
245 <entry><emphasis role="bold">VM &harr; Host</emphasis></entry>
246 <entry><emphasis role="bold">VM1 &harr; VM2</emphasis></entry>
247 <entry><emphasis role="bold">VM &rarr; Internet</emphasis></entry>
248 <entry><emphasis role="bold">VM &larr; Internet</emphasis></entry>
249 </row>
250 </thead>
251 <tbody valign="middle">
252 <row>
253 <entry>Host-only</entry>
254 <entry><emphasis role="bold">+</emphasis></entry>
255 <entry align="center"><emphasis role="bold">+</emphasis></entry>
256 <entry>&ndash;</entry>
257 <entry>&ndash;</entry>
258 </row>
259 <row>
260 <entry>Internal</entry>
261 <entry>&ndash;</entry>
262 <entry><emphasis role="bold">+</emphasis></entry>
263 <entry>&ndash;</entry>
264 <entry>&ndash;</entry>
265 </row>
266 <row>
267 <entry>Bridged</entry>
268 <entry><emphasis role="bold">+</emphasis></entry>
269 <entry><emphasis role="bold">+</emphasis></entry>
270 <entry><emphasis role="bold">+</emphasis></entry>
271 <entry><emphasis role="bold">+</emphasis></entry>
272 </row>
273 <row>
274 <entry>NAT</entry>
275 <entry>&ndash;</entry>
276 <entry>&ndash;</entry>
277 <entry><emphasis role="bold">+</emphasis></entry>
278 <entry><link linkend="natforward">Port forwarding</link></entry>
279 </row>
280 <row>
281 <entry>NAT Network</entry>
282 <entry>&ndash;</entry>
283 <entry><emphasis role="bold">+</emphasis></entry>
284 <entry><emphasis role="bold">+</emphasis></entry>
285 <entry><link linkend="network_nat_service">Port forwarding</link></entry>
286 </row>
287 </tbody>
288 </tgroup>
289 </table>
290
291 <para>The following sections describe the available network modes in more
292 detail.</para>
293 </sect1>
294
295 <sect1 id="network_nat">
296 <title>Network Address Translation (NAT)</title>
297
298 <para>Network Address Translation (NAT) is the simplest way of accessing
299 an external network from a virtual machine. Usually, it does not require
300 any configuration on the host network and guest system. For this reason,
301 it is the default networking mode in VirtualBox.</para>
302
303 <para>A virtual machine with NAT enabled acts much like a real computer
304 that connects to the Internet through a router. The "router", in this
305 case, is the VirtualBox networking engine, which maps traffic from and to
306 the virtual machine transparently. In VirtualBox this router is placed
307 between each virtual machine and the host. This separation maximizes
308 security since by default virtual machines cannot talk to each
309 other.</para>
310
311 <para>The disadvantage of NAT mode is that, much like a private network
312 behind a router, the virtual machine is invisible and unreachable from the
313 outside internet; you cannot run a server this way unless you set up port
314 forwarding (described below).</para>
315
316 <para>The network frames sent out by the guest operating system are
317 received by VirtualBox's NAT engine, which extracts the TCP/IP data and
318 resends it using the host operating system. To an application on the host,
319 or to another computer on the same network as the host, it looks like the
320 data was sent by the VirtualBox application on the host, using an IP
321 address belonging to the host. VirtualBox listens for replies to the
322 packages sent, and repacks and resends them to the guest machine on its
323 private network.</para>
324
325 <para>The virtual machine receives its network address and configuration
326 on the private network from a DHCP server integrated into VirtualBox. The
327 IP address thus assigned to the virtual machine is usually on a completely
328 different network than the host. As more than one card of a virtual
329 machine can be set up to use NAT, the first card is connected to the
330 private network 10.0.2.0, the second card to the network 10.0.3.0 and so
331 on. If you need to change the guest-assigned IP range for some reason,
332 please refer to <xref linkend="changenat" />.</para>
333
334 <sect2 id="natforward">
335 <title>Configuring port forwarding with NAT</title>
336
337 <para>As the virtual machine is connected to a private network internal
338 to VirtualBox and invisible to the host, network services on the guest
339 are not accessible to the host machine or to other computers on the same
340 network. However, like a physical router, VirtualBox can make selected
341 services available to the world outside the guest through <emphasis
342 role="bold">port forwarding.</emphasis> This means that VirtualBox
343 listens to certain ports on the host and resends all packets which
344 arrive there to the guest, on the same or a different port.</para>
345
346 <para>To an application on the host or other physical (or virtual)
347 machines on the network, it looks as though the service being proxied is
348 actually running on the host. This also means that you cannot run the
349 same service on the same ports on the host. However, you still gain the
350 advantages of running the service in a virtual machine -- for example,
351 services on the host machine or on other virtual machines cannot be
352 compromised or crashed by a vulnerability or a bug in the service, and
353 the service can run in a different operating system than the host
354 system.</para>
355
356 <para>To configure Port Forwarding you can use the graphical Port
357 Forwarding editor which can be found in the Network Settings dialog
358 for Network Adaptors configured to use NAT. Here you can map host
359 ports to guest ports to allow network traffic to be routed to a
360 specific port in the guest.</para>
361
362 <para>Alternatively command line tool <computeroutput>VBoxManage</computeroutput> could be used;
363 for details, please refer to <xref linkend="vboxmanage-modifyvm" />.</para>
364
365 <para>You will need to know which ports on the guest the service uses
366 and to decide which ports to use on the host (often but not always you
367 will want to use the same ports on the guest and on the host). You can
368 use any ports on the host which are not already in use by a service. For
369 example, to set up incoming NAT connections to an
370 <computeroutput>ssh</computeroutput> server in the guest, use the
371 following command: <screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,,22"</screen>With
372 the above example, all TCP traffic arriving on port 2222 on any host
373 interface will be forwarded to port 22 in the guest. The protocol name
374 <computeroutput>tcp</computeroutput> is a mandatory attribute defining
375 which protocol should be used for forwarding
376 (<computeroutput>udp</computeroutput> could also be used). The name
377 <computeroutput>guestssh</computeroutput> is purely descriptive and will
378 be auto-generated if omitted. The number after
379 <computeroutput>--natpf</computeroutput> denotes the network card, like
380 in other parts of VBoxManage.</para>
381
382 <para>To remove this forwarding rule again, use the following command:
383 <screen>VBoxManage modifyvm "VM name" --natpf1 delete "guestssh"</screen></para>
384
385 <para>If for some reason the guest uses a static assigned IP address not
386 leased from the built-in DHCP server, it is required to specify the
387 guest IP when registering the forwarding rule: <screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,10.0.2.19,22"</screen>This
388 example is identical to the previous one, except that the NAT engine is
389 being told that the guest can be found at the 10.0.2.19 address.</para>
390
391 <para>To forward <emphasis>all</emphasis> incoming traffic from a
392 specific host interface to the guest, specify the IP of that host
393 interface like this:<screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,127.0.0.1,2222,,22"</screen>This
394 forwards all TCP traffic arriving on the localhost interface (127.0.0.1)
395 via port 2222 to port 22 in the guest.</para>
396
397 <para>It is possible to configure incoming NAT connections while the
398 VM is running, see <xref linkend="vboxmanage-controlvm"/>.</para>
399 </sect2>
400
401 <sect2 id="nat-tftp">
402 <title>PXE booting with NAT</title>
403
404 <para>PXE booting is now supported in NAT mode. The NAT DHCP server
405 provides a boot file name of the form
406 <computeroutput>vmname.pxe</computeroutput> if the directory
407 <computeroutput>TFTP</computeroutput> exists in the directory where the
408 user's <computeroutput>VirtualBox.xml</computeroutput> file is kept. It
409 is the responsibility of the user to provide
410 <computeroutput>vmname.pxe</computeroutput>.</para>
411 </sect2>
412
413 <sect2 id="nat-limitations">
414 <title>NAT limitations</title>
415
416 <para>There are four <emphasis role="bold">limitations</emphasis> of NAT
417 mode which users should be aware of:</para>
418
419 <glosslist>
420 <glossentry>
421 <glossterm>ICMP protocol limitations:</glossterm>
422
423 <glossdef>
424 <para>Some frequently used network debugging tools (e.g.
425 <computeroutput>ping</computeroutput> or tracerouting) rely on the
426 ICMP protocol for sending/receiving messages. While ICMP support
427 has been improved with VirtualBox 2.1
428 (<computeroutput>ping</computeroutput> should now work), some
429 other tools may not work reliably.</para>
430 </glossdef>
431 </glossentry>
432
433 <glossentry>
434 <glossterm>Receiving of UDP broadcasts is not reliable:</glossterm>
435
436 <glossdef>
437 <para>The guest does not reliably receive broadcasts, since, in
438 order to save resources, it only listens for a certain amount of
439 time after the guest has sent UDP data on a particular port. As a
440 consequence, NetBios name resolution based on broadcasts does not
441 always work (but WINS always works). As a workaround, you can use
442 the numeric IP of the desired server in the
443 <computeroutput>\\server\share</computeroutput> notation.</para>
444 </glossdef>
445 </glossentry>
446
447 <glossentry>
448 <glossterm>Protocols such as GRE are unsupported:</glossterm>
449
450 <glossdef>
451 <para>Protocols other than TCP and UDP are not supported. This
452 means some VPN products (e.g. PPTP from Microsoft) cannot be used.
453 There are other VPN products which use simply TCP and UDP.</para>
454 </glossdef>
455 </glossentry>
456
457 <glossentry>
458 <glossterm>Forwarding host ports &lt; 1024 impossible:</glossterm>
459
460 <glossdef>
461 <para>On Unix-based hosts (e.g. Linux, Solaris, Mac OS X) it is
462 not possible to bind to ports below 1024 from applications that
463 are not run by <computeroutput>root</computeroutput>. As a result,
464 if you try to configure such a port forwarding, the VM will refuse
465 to start.</para>
466 </glossdef>
467 </glossentry>
468 </glosslist>
469
470 <para>These limitations normally don't affect standard network use. But
471 the presence of NAT has also subtle effects that may interfere with
472 protocols that are normally working. One example is NFS, where the
473 server is often configured to refuse connections from non-privileged
474 ports (i.e. ports not below 1024).</para>
475 </sect2>
476 </sect1>
477
478 <sect1 id="network_nat_service">
479 <title>Network Address Translation Service</title>
480
481 <para>The Network Address Translation (NAT) service works in a similar way
482 to a home router, grouping the systems using it into a network and
483 preventing systems outside of this network from directly accessing systems
484 inside it, but letting systems inside communicate with each other and with
485 systems outside using TCP and UDP over IPv4 and IPv6.</para>
486
487 <para>A NAT service is attached to an internal network. Virtual machines
488 which are to make use of it should be attached to that internal network.
489 The name of internal network is chosen when the NAT service is created and
490 the internal network will be created if it does not already exist. An
491 example command to create a NAT network is:
492 </para>
493 <para><screen>VBoxManage natnetwork add --netname natnet1 --network "192.168.15.0/24" --enable</screen></para>
494 <para>
495 Here, "natnet1" is the name of the internal network to be used and
496 "192.168.15.0/24" is the network address and mask of the NAT service
497 interface. By default in this static configuration the gateway will be
498 assigned the address 192.168.15.1 (the address following the interface
499 address), though this is subject to change. To attach a DHCP server to the
500 internal network, we modify the example as follows:</para>
501 <para><screen>VBoxManage natnetwork add --netname natnet1 --network "192.168.15.0/24" --enable --dhcp on</screen></para>
502 <para> or to add a DHCP server to the network after creation:</para>
503 <para><screen>VBoxManage natnetwork modify --netname natnet1 --dhcp on</screen></para>
504 <para>To disable it again, use:</para>
505 <para><screen>VBoxManage natnetwork modify --netname natnet1 --dhcp off</screen></para>
506 <para>DHCP server provides list of registered nameservers, but doesn't map
507 servers from 127/8 network.</para>
508 <para>To start the NAT service, use the following command:</para>
509 <para><screen>VBoxManage natnetwork start --netname natnet1</screen></para>
510 <para>If the network has a DHCP server attached then it will start together
511 with the NAT network service.</para>
512 <para><screen>VBoxManage natnetwork stop --netname natnet1</screen> stops
513 the NAT network service, together with DHCP server if any.</para>
514 <para>To delete the NAT network service use:</para>
515 <para><screen>VBoxManage natnetwork remove --netname natnet1</screen></para>
516 <para>This command does not remove the DHCP server if one is enabled on the
517 internal network.</para>
518 <para>Port-forwarding is supported (using the
519 <computeroutput>--port-forward-4</computeroutput> switch for IPv4 and
520 <computeroutput>--port-forward-6</computeroutput>
521 for IPv6):</para>
522 <para><screen>VBoxManage natnetwork modify --netname natnet1 --port-forward-4 "ssh:tcp:[]:1022:[192.168.15.5]:22"</screen></para>
523 <para>This adds a port-forwarding rule from the host's TCP 1022 port to
524 the port 22 on the guest with IP address 192.168.15.5. Host port, guest port and guest IP
525 are mandatory. To delete the rule, use:</para>
526 <para><screen>VBoxManage natnetwork modify --netname natnet1 --port-forward-4 delete ssh</screen></para>
527 <para>It's possible to bind NAT service to specified interface:</para>
528 <screen>VBoxManage setextradata global "NAT/win-nat-test-0/SourceIp4" 192.168.1.185</screen>
529 <para>To see the list of registered NAT networks, use:</para>
530 <para><screen>VBoxManage list natnetworks</screen></para>
531 </sect1>
532
533 <sect1 id="network_bridged">
534 <title>Bridged networking</title>
535
536 <para>With bridged networking, VirtualBox uses a device driver on your
537 <emphasis>host</emphasis> system that filters data from your physical
538 network adapter. This driver is therefore called a "net filter" driver.
539 This allows VirtualBox to intercept data from the physical network and
540 inject data into it, effectively creating a new network interface in
541 software. When a guest is using such a new software interface, it looks to
542 the host system as though the guest were physically connected to the
543 interface using a network cable: the host can send data to the guest
544 through that interface and receive data from it. This means that you can
545 set up routing or bridging between the guest and the rest of your
546 network.</para>
547
548 <para>For this to work, VirtualBox needs a device driver on your host
549 system. The way bridged networking works has been completely rewritten
550 with VirtualBox 2.0 and 2.1, depending on the host operating system. From
551 the user perspective, the main difference is that complex configuration is
552 no longer necessary on any of the supported host operating
553 systems.<footnote>
554 <para>For Mac OS X and Solaris hosts, net filter drivers were already
555 added in VirtualBox 2.0 (as initial support for Host Interface
556 Networking on these platforms). With VirtualBox 2.1, net filter
557 drivers were also added for the Windows and Linux hosts, replacing the
558 mechanisms previously present in VirtualBox for those platforms;
559 especially on Linux, the earlier method required creating TAP
560 interfaces and bridges, which was complex and varied from one
561 distribution to the next. None of this is necessary anymore. Bridged
562 network was formerly called "Host Interface Networking" and has been
563 renamed with version 2.2 without any change in functionality.</para>
564 </footnote></para>
565
566 <para><note>
567 <para>Even though TAP is no longer necessary on Linux with bridged
568 networking, you <emphasis>can</emphasis> still use TAP interfaces for
569 certain advanced setups, since you can connect a VM to any host
570 interface -- which could also be a TAP interface.</para>
571 </note>To enable bridged networking, all you need to do is to open the
572 Settings dialog of a virtual machine, go to the "Network" page and select
573 "Bridged network" in the drop down list for the "Attached to" field.
574 Finally, select desired host interface from the list at the bottom of the
575 page, which contains the physical network interfaces of your systems. On a
576 typical MacBook, for example, this will allow you to select between "en1:
577 AirPort" (which is the wireless interface) and "en0: Ethernet", which
578 represents the interface with a network cable.</para>
579
580 <note><para>Bridging to a wireless interface is done differently from
581 bridging to a wired interface, because most wireless adapters do not
582 support promiscuous mode. All traffic has to use the MAC address of the
583 host's wireless adapter, and therefore VirtualBox needs to replace the
584 source MAC address in the Ethernet header of an outgoing packet to make
585 sure the reply will be sent to the host interface. When VirtualBox sees
586 an incoming packet with a destination IP address that belongs to one of
587 the virtual machine adapters it replaces the destination MAC address in
588 the Ethernet header with the VM adapter's MAC address and passes it on.
589 VirtualBox examines ARP and DHCP packets in order to learn the IP
590 addresses of virtual machines.</para></note>
591
592 <para>Depending on your host operating system, the following limitations
593 should be kept in mind:<itemizedlist>
594 <listitem>
595 <para>On <emphasis role="bold">Macintosh</emphasis> hosts,
596 functionality is limited when using AirPort (the Mac's wireless
597 networking) for bridged networking. Currently, VirtualBox supports
598 only IPv4 and IPv6 over AirPort. For other protocols (such as IPX),
599 you must choose a wired interface.</para>
600 </listitem>
601
602 <listitem>
603 <para>On <emphasis role="bold">Linux</emphasis> hosts, functionality
604 is limited when using wireless interfaces for bridged networking.
605 Currently, VirtualBox supports only IPv4 and IPv6 over wireless.
606 For other protocols (such as IPX), you must choose a wired
607 interface.</para>
608
609 <para>Also, setting the MTU to less than 1500 bytes on wired
610 interfaces provided by the sky2 driver on the Marvell Yukon II EC
611 Ultra Ethernet NIC is known to cause packet losses under certain
612 conditions.</para>
613
614 <para>Some adapters strip VLAN tags in hardware. This does not allow
615 to use VLAN trunking between VM and the external network with
616 pre-2.6.27 Linux kernels nor with host operating systems other than
617 Linux.</para>
618 </listitem>
619
620 <listitem>
621 <para>On <emphasis role="bold">Solaris</emphasis> hosts, there is no
622 support for using wireless interfaces. Filtering guest traffic using
623 IPFilter is also not completely supported due to technical
624 restrictions of the Solaris networking subsystem. These issues would
625 be addressed in a future release of Solaris 11.</para>
626
627 <para>Starting with VirtualBox 4.1, on Solaris 11 hosts (build 159
628 and above), it is possible to use Solaris' Crossbow Virtual Network
629 Interfaces (VNICs) directly with VirtualBox without any additional
630 configuration other than each VNIC must be exclusive for every guest
631 network interface.</para>
632
633 <para>Starting with VirtualBox 2.0.4 and up to VirtualBox 4.0, VNICs
634 can be used but with the following caveats:</para>
635
636 <itemizedlist>
637 <listitem>
638 <para>A VNIC cannot be shared between multiple guest network
639 interfaces, i.e. each guest network interface must have its own,
640 exclusive VNIC.</para>
641 </listitem>
642
643 <listitem>
644 <para>The VNIC and the guest network interface that uses the
645 VNIC must be assigned identical MAC addresses.</para>
646 </listitem>
647 </itemizedlist>
648
649 <para>When using VLAN interfaces with VirtualBox, they must be named
650 according to the PPA-hack naming scheme (e.g. "e1000g513001"), as
651 otherwise the guest may receive packets in an unexpected
652 format.</para>
653 </listitem>
654 </itemizedlist></para>
655 </sect1>
656
657 <sect1 id="network_internal">
658 <title>Internal networking</title>
659
660 <para>Internal Networking is similar to bridged networking in that the VM
661 can directly communicate with the outside world. However, the "outside
662 world" is limited to other VMs on the same host which connect to the same
663 internal network.</para>
664
665 <para>Even though technically, everything that can be done using internal
666 networking can also be done using bridged networking, there are security
667 advantages with internal networking. In bridged networking mode, all
668 traffic goes through a physical interface of the host system. It is
669 therefore possible to attach a packet sniffer (such as Wireshark) to the
670 host interface and log all traffic that goes over it. If, for any reason,
671 you prefer two or more VMs on the same machine to communicate privately,
672 hiding their data from both the host system and the user, bridged
673 networking therefore is not an option.</para>
674
675 <para>Internal networks are created automatically as needed, i.e. there is
676 no central configuration. Every internal network is identified simply by
677 its name. Once there is more than one active virtual network card with the
678 same internal network ID, the VirtualBox support driver will automatically
679 "wire" the cards and act as a network switch. The VirtualBox support
680 driver implements a complete Ethernet switch and supports both
681 broadcast/multicast frames and promiscuous mode.</para>
682
683 <para>In order to attach a VM's network card to an internal network, set
684 its networking mode to "internal networking". There are two ways to
685 accomplish this:</para>
686
687 <para><itemizedlist>
688 <listitem>
689 <para>You can use a VM's "Settings" dialog in the VirtualBox
690 graphical user interface. In the "Networking" category of the
691 settings dialog, select "Internal Networking" from the drop-down
692 list of networking modes. Now select the name of an existing
693 internal network from the drop-down below or enter a new name into
694 the entry field.</para>
695 </listitem>
696
697 <listitem>
698 <para>You can use <screen>VBoxManage modifyvm "VM name" --nic&lt;x&gt; intnet</screen>
699 Optionally, you can specify a network name with the command <screen>VBoxManage modifyvm "VM name" --intnet&lt;x&gt; "network name"</screen>
700 If you do not specify a network name, the network card will be
701 attached to the network <computeroutput>intnet</computeroutput> by
702 default.</para>
703 </listitem>
704 </itemizedlist></para>
705
706 <para>Unless you configure the (virtual) network cards in the guest
707 operating systems that are participating in the internal network to use
708 static IP addresses, you may want to use the DHCP server that is built
709 into VirtualBox to manage IP addresses for the internal network. Please
710 see <xref linkend="vboxmanage-dhcpserver" /> for details.</para>
711
712 <para>As a security measure, by default, the Linux implementation of internal
713 networking only allows VMs running under the same user ID to establish an
714 internal network. However, it is possible to create a shared
715 internal networking interface, accessible by users with different UUIds.</para>
716 </sect1>
717
718 <sect1 id="network_hostonly">
719 <title>Host-only networking</title>
720
721 <para>Host-only networking is another networking mode that was added with
722 version 2.2 of VirtualBox. It can be thought of as a hybrid between the
723 bridged and internal networking modes: as with bridged networking, the
724 virtual machines can talk to each other and the host as if they were
725 connected through a physical Ethernet switch. Similarly, as with internal
726 networking however, a physical networking interface need not be present,
727 and the virtual machines cannot talk to the world outside the host since
728 they are not connected to a physical networking interface.</para>
729
730 <para>Instead, when host-only networking is used, VirtualBox creates a new
731 software interface on the host which then appears next to your existing
732 network interfaces. In other words, whereas with bridged networking an
733 existing physical interface is used to attach virtual machines to, with
734 host-only networking a new "loopback" interface is created on the host.
735 And whereas with internal networking, the traffic between the virtual
736 machines cannot be seen, the traffic on the "loopback" interface on the
737 host can be intercepted.</para>
738
739 <para>Host-only networking is particularly useful for preconfigured
740 virtual appliances, where multiple virtual machines are shipped together
741 and designed to cooperate. For example, one virtual machine may contain a
742 web server and a second one a database, and since they are intended to
743 talk to each other, the appliance can instruct VirtualBox to set up a
744 host-only network for the two. A second (bridged) network would then
745 connect the web server to the outside world to serve data to, but the
746 outside world cannot connect to the database.</para>
747
748 <para>To change a virtual machine's virtual network interface to "host
749 only" mode:<itemizedlist>
750 <listitem>
751 <para>either go to the "Network" page in the virtual machine's
752 settings notebook in the graphical user interface and select
753 "Host-only networking", or</para>
754 </listitem>
755
756 <listitem>
757 <para>on the command line, type <computeroutput>VBoxManage modifyvm
758 "VM name" --nic&lt;x&gt; hostonly</computeroutput>; see <xref
759 linkend="vboxmanage-modifyvm" /> for details.</para>
760 </listitem>
761 </itemizedlist></para>
762
763 <para>Before you can attach a VM to a host-only network you have to
764 create at least one host-only interface, either from the GUI:
765 "File" &rarr; "Preferences" &rarr; "Network" &rarr; "Host-only network"
766 &rarr; "(+)Add host-only network", or via command line with</para>
767 <screen>VBoxManage hostonlyif create</screen>
768 <para>see <xref linkend="vboxmanage-hostonlyif" /> for details.</para>
769
770 <para>For host-only networking, like with internal networking, you may
771 find the DHCP server useful that is built into VirtualBox. This can be
772 enabled to then manage the IP addresses in the host-only network since
773 otherwise you would need to configure all IP addresses
774 statically.<itemizedlist>
775 <listitem>
776 <para>In the VirtualBox graphical user interface, you can configure
777 all these items in the global settings via "File" &rarr; "Preferences"
778 &rarr; "Network", which lists all host-only networks which are
779 presently in use. Click on the network name and then on the "Edit"
780 button to the right, and you can modify the adapter and DHCP
781 settings.</para>
782 </listitem>
783
784 <listitem>
785 <para>Alternatively, you can use <computeroutput>VBoxManage
786 dhcpserver</computeroutput> on the command line; please see <xref
787 linkend="vboxmanage-dhcpserver" /> for details.</para>
788 </listitem>
789 </itemizedlist>
790 </para>
791
792 <para><note><para>On Linux and Mac OS X hosts the number of host-only
793 interfaces is limited to 128. There is no such limit for Solaris and
794 Windows hosts.</para></note></para>
795 </sect1>
796
797 <sect1 id="network_udp_tunnel">
798 <title>UDP Tunnel networking</title>
799
800 <para>This networking mode allows to interconnect virtual machines running
801 on different hosts.</para>
802
803 <para>Technically this is done by encapsulating Ethernet frames sent or
804 received by the guest network card into UDP/IP datagrams, and sending them
805 over any network available to the host.</para>
806
807 <para>UDP Tunnel mode has three parameters:<glosslist>
808 <glossentry>
809 <glossterm>Source UDP port</glossterm>
810
811 <glossdef>
812 <para>The port on which the host listens. Datagrams arriving on
813 this port from any source address will be forwarded to the
814 receiving part of the guest network card.</para>
815 </glossdef>
816 </glossentry>
817
818 <glossentry>
819 <glossterm>Destination address</glossterm>
820
821 <glossdef>
822 <para>IP address of the target host of the transmitted
823 data.</para>
824 </glossdef>
825 </glossentry>
826
827 <glossentry>
828 <glossterm>Destination UDP port</glossterm>
829
830 <glossdef>
831 <para>Port number to which the transmitted data is sent.</para>
832 </glossdef>
833 </glossentry>
834 </glosslist></para>
835
836 <para>When interconnecting two virtual machines on two different hosts,
837 their IP addresses must be swapped. On single host, source and destination
838 UDP ports must be swapped.</para>
839
840 <para>In the following example host 1 uses the IP address 10.0.0.1 and
841 host 2 uses IP address 10.0.0.2. Configuration via command-line:<screen> VBoxManage modifyvm "VM 01 on host 1" --nic&lt;x&gt; generic
842 VBoxManage modifyvm "VM 01 on host 1" --nicgenericdrv&lt;x&gt; UDPTunnel
843 VBoxManage modifyvm "VM 01 on host 1" --nicproperty&lt;x&gt; dest=10.0.0.2
844 VBoxManage modifyvm "VM 01 on host 1" --nicproperty&lt;x&gt; sport=10001
845 VBoxManage modifyvm "VM 01 on host 1" --nicproperty&lt;x&gt; dport=10002</screen>
846 and <screen> VBoxManage modifyvm "VM 02 on host 2" --nic&lt;y&gt; generic
847 VBoxManage modifyvm "VM 02 on host 2" --nicgenericdrv&lt;y&gt; UDPTunnel
848 VBoxManage modifyvm "VM 02 on host 2" --nicproperty&lt;y&gt; dest=10.0.0.1
849 VBoxManage modifyvm "VM 02 on host 2" --nicproperty&lt;y&gt; sport=10002
850 VBoxManage modifyvm "VM 02 on host 2" --nicproperty&lt;y&gt; dport=10001</screen></para>
851
852 <para>Of course, you can always interconnect two virtual machines on the
853 same host, by setting the destination address parameter to 127.0.0.1 on
854 both. It will act similarly to "Internal network" in this case, however
855 the host can see the network traffic which it could not in the normal
856 Internal network case.</para>
857
858 <para><note><para>On Unix-based hosts (e.g. Linux, Solaris, Mac OS X) it is
859 not possible to bind to ports below 1024 from applications that are not run
860 by <computeroutput>root</computeroutput>. As a result, if you try to
861 configure such a source UDP port, the VM will refuse to
862 start.</para></note></para>
863 </sect1>
864
865 <sect1 id="network_vde">
866 <title>VDE networking</title>
867
868 <para>Virtual Distributed Ethernet (VDE<footnote>
869 <para>VDE is a project developed by Renzo Davoli, Associate Professor
870 at the University of Bologna, Italy.</para>
871 </footnote>) is a flexible, virtual network infrastructure system,
872 spanning across multiple hosts in a secure way. It allows for L2/L3
873 switching, including spanning-tree protocol, VLANs, and WAN emulation. It
874 is an optional part of VirtualBox which is only included in the source
875 code.</para>
876
877 <para>The basic building blocks of the infrastructure are VDE switches,
878 VDE plugs and VDE wires which inter-connect the switches.</para>
879
880 <para>The VirtualBox VDE driver has one parameter:<glosslist>
881 <glossentry>
882 <glossterm>VDE network</glossterm>
883
884 <glossdef>
885 <para>The name of the VDE network switch socket to which the VM
886 will be connected.</para>
887 </glossdef>
888 </glossentry>
889 </glosslist></para>
890
891 <para>The following basic example shows how to connect a virtual machine
892 to a VDE switch:</para>
893
894 <para><orderedlist>
895 <listitem>
896 <para>Create a VDE switch: <screen>vde_switch -s /tmp/switch1</screen></para>
897 </listitem>
898
899 <listitem>
900 <para>Configuration via command-line: <screen>VBoxManage modifyvm "VM name" --nic&lt;x&gt; generic</screen>
901 <screen>VBoxManage modifyvm "VM name" --nicgenericdrv&lt;x&gt; VDE</screen>
902 To connect to automatically allocated switch port, use: <screen>VBoxManage modifyvm "VM name" --nicproperty&lt;x&gt; network=/tmp/switch1</screen>
903 To connect to specific switch port &lt;n&gt;, use: <screen>VBoxManage modifyvm "VM name" --nicproperty&lt;x&gt; network=/tmp/switch1[&lt;n&gt;]</screen>
904 The latter option can be useful for VLANs.</para>
905 </listitem>
906
907 <listitem>
908 <para>Optionally map between VDE switch port and VLAN: (from switch
909 CLI) <screen>vde$ vlan/create &lt;VLAN&gt;</screen> <screen>vde$ port/setvlan &lt;port&gt; &lt;VLAN&gt;</screen></para>
910 </listitem>
911 </orderedlist></para>
912
913 <para>VDE is available on Linux and FreeBSD hosts only. It is only
914 available if the VDE software and the VDE plugin library from the
915 VirtualSquare project are installed on the host system<footnote>
916 <para>For Linux hosts, the shared library libvdeplug.so must be
917 available in the search path for shared libraries</para>
918 </footnote>. For more information on setting up VDE networks, please see
919 the documentation accompanying the software.<footnote>
920 <para><ulink
921 url="http://wiki.virtualsquare.org/wiki/index.php/VDE_Basic_Networking">http://wiki.virtualsquare.org/wiki/index.php/VDE_Basic_Networking</ulink>.</para>
922 </footnote></para>
923 </sect1>
924
925 <sect1 id="network_bandwidth_limit">
926 <title>Limiting bandwidth for network I/O</title>
927
928 <para>Starting with version 4.2, VirtualBox allows for limiting the
929 maximum bandwidth used for network transmission. Several network adapters
930 of one VM may share limits through bandwidth groups. It is possible
931 to have more than one such limit.</para>
932 <note><para>VirtualBox shapes VM traffic only in the transmit direction,
933 delaying the packets being sent by virtual machines. It does not limit
934 the traffic being received by virtual machines.</para>
935 </note>
936
937 <para>Limits are configured through
938 <computeroutput>VBoxManage</computeroutput>. The example below creates a
939 bandwidth group named "Limit", sets the limit to 20 Mbit/s and assigns the
940 group to the first and second adapters of the VM:<screen>VBoxManage bandwidthctl "VM name" add Limit --type network --limit 20m
941VBoxManage modifyvm "VM name" --nicbandwidthgroup1 Limit
942VBoxManage modifyvm "VM name" --nicbandwidthgroup2 Limit</screen></para>
943
944 <para>All adapters in a group share the bandwidth limit, meaning that in the
945 example above the bandwidth of both adapters combined can never exceed 20
946 Mbit/s. However, if one adapter doesn't require bandwidth the other can use the
947 remaining bandwidth of its group.</para>
948
949 <para>The limits for each group can be changed while the VM is running,
950 with changes being picked up immediately. The example below changes the
951 limit for the group created in the example above to 100 Kbit/s:<screen>VBoxManage bandwidthctl "VM name" set Limit --limit 100k</screen></para>
952
953 <para>To completely disable shaping for the first adapter of VM use the
954 following command:
955 <screen>VBoxManage modifyvm "VM name" --nicbandwidthgroup1 none</screen></para>
956
957 <para>It is also possible to disable shaping for all adapters assigned to a
958 bandwidth group while VM is running, by specifying the zero limit for the
959 group. For example, for the bandwidth group named "Limit" use:
960 <screen>VBoxManage bandwidthctl "VM name" set Limit --limit 0</screen></para>
961 </sect1>
962 <sect1 id="network_performance">
963 <title>Improving network performance</title>
964
965 <para>VirtualBox provides a variety of virtual network adapters that can be
966 "attached" to the host's network in a number of ways. Depending on which
967 types of adapters and attachments are used the network performance will
968 be different. Performance-wise the <emphasis>virtio</emphasis> network
969 adapter is preferable over <emphasis>Intel PRO/1000</emphasis> emulated
970 adapters, which are preferred over <emphasis>PCNet</emphasis> family of
971 adapters. Both <emphasis>virtio</emphasis> and <emphasis>Intel PRO/1000
972 </emphasis> adapters enjoy the benefit of segmentation and checksum
973 offloading. Segmentation offloading is essential for high performance as
974 it allows for less context switches, dramatically increasing the sizes
975 of packets that cross VM/host boundary.</para>
976 <note><para>Neither <emphasis>virtio</emphasis> nor <emphasis>Intel PRO/1000
977 </emphasis> drivers for Windows XP support segmentation
978 offloading. Therefore Windows XP guests never reach the same
979 transmission rates as other guest types. Refer to MS Knowledge base
980 article 842264 for additional information.</para>
981 </note>
982 <para>Three attachment types: <emphasis>internal</emphasis>,
983 <emphasis>bridged</emphasis> and <emphasis>host-only</emphasis>, have
984 nearly identical performance, the <emphasis>internal</emphasis> type
985 being a little bit faster and using less CPU cycles as the packets never
986 reach the host's network stack. The <emphasis>NAT</emphasis> attachment
987 is the slowest (and safest) of all attachment types as it provides
988 network address translation. The generic driver attachment is special and
989 cannot be considered as an alternative to other attachment types.</para>
990 <para>The number of CPUs assigned to VM does not improve network
991 performance and in some cases may hurt it due to increased concurrency in
992 the guest.</para>
993 <para>Here is the short summary of things to check in order to improve
994 network performance:</para>
995 <para><orderedlist>
996 <listitem>
997 <para>Whenever possible use <emphasis>virtio</emphasis> network
998 adapter, otherwise use one of <emphasis>Intel PRO/1000</emphasis>
999 adapters;</para>
1000 </listitem>
1001 <listitem>
1002 <para>Use <emphasis>bridged</emphasis> attachment instead of
1003 <emphasis>NAT</emphasis>;</para>
1004 </listitem>
1005 <listitem>
1006 <para>Make sure segmentation offloading is enabled in the guest OS.
1007 Usually it will be enabled by default. You can check and modify
1008 offloading settings using <computeroutput>ethtool</computeroutput>
1009 command in Linux guests.</para>
1010 </listitem>
1011 <listitem>
1012 <para>Perform a full, detailed analysis of network traffic on
1013 the VM's network adaptor using a 3rd party tool such as Wireshark.
1014 To do this, a promiscuous mode policy needs to be used on the
1015 VM's network adaptor. Use of this mode is only possible on
1016 networks: NAT Network, Bridged Adapter, Internal Network and Host-only Adapter.</para>
1017 <para>To setup a promiscuous mode policy, either select from the drop down list
1018 located in the Network Settings dialog for the network adaptor
1019 or use the command line tool <computeroutput>VBoxManage</computeroutput>;
1020 for details, refer to <xref linkend="vboxmanage-modifyvm" />.</para>
1021 <para>Promiscuous mode policies are: </para>
1022 <para><orderedlist>
1023 <listitem>
1024 <para><computeroutput>deny</computeroutput> (default setting) which hides
1025 any traffic not intended for this VM's network adaptor.</para>
1026 </listitem>
1027 <listitem>
1028 <para><computeroutput>allow-vms</computeroutput> which hides all host
1029 traffic from this VM's network adaptor, but allows it to see traffic from/to other
1030 VMs.</para>
1031 </listitem>
1032 <listitem>
1033 <para><computeroutput>allow-all</computeroutput> which removes all
1034 restrictions - this VM's network adaptor sees all traffic.</para>
1035 </listitem>
1036 </orderedlist></para>
1037 </listitem>
1038 </orderedlist></para>
1039 </sect1>
1040</chapter>
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette