1 | <?xml version="1.0" encoding="UTF-8"?>
|
---|
2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
|
---|
4 | <!ENTITY % all.entities SYSTEM "all-entities.ent">
|
---|
5 | %all.entities;
|
---|
6 | ]>
|
---|
7 | <chapter id="networkingdetails">
|
---|
8 |
|
---|
9 | <title>Virtual Networking</title>
|
---|
10 |
|
---|
11 | <para>
|
---|
12 | As mentioned in <xref linkend="settings-network" />, VirtualBox
|
---|
13 | provides up to eight virtual PCI Ethernet cards for each virtual
|
---|
14 | machine. For each such card, you can individually select the
|
---|
15 | following:
|
---|
16 | </para>
|
---|
17 |
|
---|
18 | <itemizedlist>
|
---|
19 |
|
---|
20 | <listitem>
|
---|
21 | <para>
|
---|
22 | The hardware that will be virtualized.
|
---|
23 | </para>
|
---|
24 | </listitem>
|
---|
25 |
|
---|
26 | <listitem>
|
---|
27 | <para>
|
---|
28 | The virtualization mode that the virtual card operates in, with
|
---|
29 | respect to your physical networking hardware on the host.
|
---|
30 | </para>
|
---|
31 | </listitem>
|
---|
32 |
|
---|
33 | </itemizedlist>
|
---|
34 |
|
---|
35 | <para>
|
---|
36 | Four of the network cards can be configured in the Network section
|
---|
37 | of the settings dialog in the graphical user interface of
|
---|
38 | VirtualBox. You can configure all eight network cards on the command
|
---|
39 | line using VBoxManage modifyvm. See
|
---|
40 | <xref linkend="vboxmanage-modifyvm" />.
|
---|
41 | </para>
|
---|
42 |
|
---|
43 | <para>
|
---|
44 | This chapter explains the various networking settings in more
|
---|
45 | detail.
|
---|
46 | </para>
|
---|
47 |
|
---|
48 | <sect1 id="nichardware">
|
---|
49 |
|
---|
50 | <title>Virtual Networking Hardware</title>
|
---|
51 |
|
---|
52 | <para>
|
---|
53 | For each card, you can individually select what kind of
|
---|
54 | <emphasis>hardware</emphasis> will be presented to the virtual
|
---|
55 | machine. VirtualBox can virtualize the following types of
|
---|
56 | networking hardware:
|
---|
57 | </para>
|
---|
58 |
|
---|
59 | <itemizedlist>
|
---|
60 |
|
---|
61 | <listitem>
|
---|
62 | <para>
|
---|
63 | AMD PCNet PCI II (Am79C970A)
|
---|
64 | </para>
|
---|
65 | </listitem>
|
---|
66 |
|
---|
67 | <listitem>
|
---|
68 | <para>
|
---|
69 | AMD PCNet FAST III (Am79C973), the default setting
|
---|
70 | </para>
|
---|
71 | </listitem>
|
---|
72 |
|
---|
73 | <listitem>
|
---|
74 | <para>
|
---|
75 | Intel PRO/1000 MT Desktop (82540EM)
|
---|
76 | </para>
|
---|
77 | </listitem>
|
---|
78 |
|
---|
79 | <listitem>
|
---|
80 | <para>
|
---|
81 | Intel PRO/1000 T Server (82543GC)
|
---|
82 | </para>
|
---|
83 | </listitem>
|
---|
84 |
|
---|
85 | <listitem>
|
---|
86 | <para>
|
---|
87 | Intel PRO/1000 MT Server (82545EM)
|
---|
88 | </para>
|
---|
89 | </listitem>
|
---|
90 |
|
---|
91 | <listitem>
|
---|
92 | <para>
|
---|
93 | Paravirtualized network adapter (virtio-net)
|
---|
94 | </para>
|
---|
95 | </listitem>
|
---|
96 |
|
---|
97 | </itemizedlist>
|
---|
98 |
|
---|
99 | <para>
|
---|
100 | The PCNet FAST III is the default because it is supported by
|
---|
101 | nearly all operating systems, as well as by the GNU GRUB boot
|
---|
102 | manager. As an exception, the Intel PRO/1000 family adapters are
|
---|
103 | chosen for some guest operating system types that no longer ship
|
---|
104 | with drivers for the PCNet card, such as Windows Vista.
|
---|
105 | </para>
|
---|
106 |
|
---|
107 | <para>
|
---|
108 | The Intel PRO/1000 MT Desktop type works with Windows Vista and
|
---|
109 | later versions. The T Server variant of the Intel PRO/1000 card is
|
---|
110 | recognized by Windows XP guests without additional driver
|
---|
111 | installation. The MT Server variant facilitates OVF imports from
|
---|
112 | other platforms.
|
---|
113 | </para>
|
---|
114 |
|
---|
115 | <para>
|
---|
116 | The Paravirtualized network adapter (virtio-net) is special. If
|
---|
117 | you select this adapter, then VirtualBox does
|
---|
118 | <emphasis>not</emphasis> virtualize common networking hardware
|
---|
119 | that is supported by common guest operating systems. Instead,
|
---|
120 | VirtualBox expects a special software interface for virtualized
|
---|
121 | environments to be provided by the guest, thus avoiding the
|
---|
122 | complexity of emulating networking hardware and improving network
|
---|
123 | performance. Starting with version 3.1, VirtualBox provides
|
---|
124 | support for the industry-standard <emphasis>virtio</emphasis>
|
---|
125 | networking drivers, which are part of the open source KVM project.
|
---|
126 | </para>
|
---|
127 |
|
---|
128 | <para>
|
---|
129 | The virtio networking drivers are available for the following
|
---|
130 | guest operating systems:
|
---|
131 | </para>
|
---|
132 |
|
---|
133 | <itemizedlist>
|
---|
134 |
|
---|
135 | <listitem>
|
---|
136 | <para>
|
---|
137 | Linux kernels version 2.6.25 or later can be configured to
|
---|
138 | provide virtio support. Some distributions have also
|
---|
139 | back-ported virtio to older kernels.
|
---|
140 | </para>
|
---|
141 | </listitem>
|
---|
142 |
|
---|
143 | <listitem>
|
---|
144 | <para>
|
---|
145 | For Windows 2000, XP, and Vista, virtio drivers can be
|
---|
146 | downloaded and installed from the KVM project web page:
|
---|
147 | </para>
|
---|
148 |
|
---|
149 | <para>
|
---|
150 | <ulink
|
---|
151 | url="http://www.linux-kvm.org/page/WindowsGuestDrivers"/>.
|
---|
152 | </para>
|
---|
153 | </listitem>
|
---|
154 |
|
---|
155 | </itemizedlist>
|
---|
156 |
|
---|
157 | <para>
|
---|
158 | VirtualBox also has limited support for <emphasis>jumbo
|
---|
159 | frames</emphasis>. These are networking packets with more than
|
---|
160 | 1500 bytes of data, provided that you use the Intel card
|
---|
161 | virtualization and bridged networking. Jumbo frames are not
|
---|
162 | supported with the AMD networking devices. In those cases, jumbo
|
---|
163 | packets will silently be dropped for both the transmit and the
|
---|
164 | receive direction. Guest operating systems trying to use this
|
---|
165 | feature will observe this as a packet loss, which may lead to
|
---|
166 | unexpected application behavior in the guest. This does not cause
|
---|
167 | problems with guest operating systems in their default
|
---|
168 | configuration, as jumbo frames need to be explicitly enabled.
|
---|
169 | </para>
|
---|
170 |
|
---|
171 | </sect1>
|
---|
172 |
|
---|
173 | <sect1 id="networkingmodes">
|
---|
174 |
|
---|
175 | <title>Introduction to Networking Modes</title>
|
---|
176 |
|
---|
177 | <para>
|
---|
178 | Each of the networking adapters can be separately configured to
|
---|
179 | operate in one of the following modes:
|
---|
180 | </para>
|
---|
181 |
|
---|
182 | <itemizedlist>
|
---|
183 |
|
---|
184 | <listitem>
|
---|
185 | <para>
|
---|
186 | <emphasis role="bold">Not attached.</emphasis> In this mode,
|
---|
187 | VirtualBox reports to the guest that a network card is
|
---|
188 | present, but that there is no connection. This is as if no
|
---|
189 | Ethernet cable was plugged into the card. Using this mode, it
|
---|
190 | is possible to "pull" the virtual Ethernet cable and disrupt
|
---|
191 | the connection, which can be useful to inform a guest
|
---|
192 | operating system that no network connection is available and
|
---|
193 | enforce a reconfiguration.
|
---|
194 | </para>
|
---|
195 | </listitem>
|
---|
196 |
|
---|
197 | <listitem>
|
---|
198 | <para>
|
---|
199 | <emphasis role="bold">Network Address Translation
|
---|
200 | (NAT)</emphasis>. If all you want is to browse the Web,
|
---|
201 | download files, and view email inside the guest, then this
|
---|
202 | default mode should be sufficient for you, and you can skip
|
---|
203 | the rest of this section. Please note that there are certain
|
---|
204 | limitations when using Windows file sharing. See
|
---|
205 | <xref linkend="nat-limitations" />.
|
---|
206 | </para>
|
---|
207 | </listitem>
|
---|
208 |
|
---|
209 | <listitem>
|
---|
210 | <para>
|
---|
211 | <emphasis role="bold">NAT Network.</emphasis> The NAT network
|
---|
212 | is a new NAT flavour introduced in VirtualBox 4.3. See
|
---|
213 | <xref linkend="network_nat_service"/>.
|
---|
214 | </para>
|
---|
215 | </listitem>
|
---|
216 |
|
---|
217 | <listitem>
|
---|
218 | <para>
|
---|
219 | <emphasis role="bold">Bridged networking.</emphasis> This is
|
---|
220 | for more advanced networking needs, such as network
|
---|
221 | simulations and running servers in a guest. When enabled,
|
---|
222 | VirtualBox connects to one of your installed network cards and
|
---|
223 | exchanges network packets directly, circumventing your host
|
---|
224 | operating system's network stack.
|
---|
225 | </para>
|
---|
226 | </listitem>
|
---|
227 |
|
---|
228 | <listitem>
|
---|
229 | <para>
|
---|
230 | <emphasis role="bold">Internal networking.</emphasis> This can
|
---|
231 | be used to create a different kind of software-based network
|
---|
232 | which is visible to selected virtual machines, but not to
|
---|
233 | applications running on the host or to the outside world.
|
---|
234 | </para>
|
---|
235 | </listitem>
|
---|
236 |
|
---|
237 | <listitem>
|
---|
238 | <para>
|
---|
239 | <emphasis role="bold">Host-only networking.</emphasis> This
|
---|
240 | can be used to create a network containing the host and a set
|
---|
241 | of virtual machines, without the need for the host's physical
|
---|
242 | network interface. Instead, a virtual network interface,
|
---|
243 | similar to a loopback interface, is created on the host,
|
---|
244 | providing connectivity among virtual machines and the host.
|
---|
245 | </para>
|
---|
246 | </listitem>
|
---|
247 |
|
---|
248 | <listitem>
|
---|
249 | <para>
|
---|
250 | <emphasis role="bold"> Generic networking.</emphasis> Rarely
|
---|
251 | used modes which share the same generic network interface, by
|
---|
252 | allowing the user to select a driver which can be included
|
---|
253 | with VirtualBox or be distributed in an extension pack.
|
---|
254 | </para>
|
---|
255 |
|
---|
256 | <para>
|
---|
257 | The following sub-modes are available:
|
---|
258 | </para>
|
---|
259 |
|
---|
260 | <itemizedlist>
|
---|
261 |
|
---|
262 | <listitem>
|
---|
263 | <para>
|
---|
264 | <emphasis role="bold">UDP Tunnel:</emphasis> Used to
|
---|
265 | interconnect virtual machines running on different hosts
|
---|
266 | directly, easily, and transparently, over an existing
|
---|
267 | network infrastructure.
|
---|
268 | </para>
|
---|
269 | </listitem>
|
---|
270 |
|
---|
271 | <listitem>
|
---|
272 | <para>
|
---|
273 | <emphasis role="bold">VDE (Virtual Distributed Ethernet)
|
---|
274 | networking:</emphasis> Used to connect to a Virtual
|
---|
275 | Distributed Ethernet switch on a Linux or a FreeBSD host.
|
---|
276 | At the moment this option requires compilation of
|
---|
277 | VirtualBox from sources, as the Oracle packages do not
|
---|
278 | include it.
|
---|
279 | </para>
|
---|
280 | </listitem>
|
---|
281 |
|
---|
282 | </itemizedlist>
|
---|
283 | </listitem>
|
---|
284 |
|
---|
285 | </itemizedlist>
|
---|
286 |
|
---|
287 | <para>
|
---|
288 | <xref linkend="table-networking-modes"/> provides a quick overview
|
---|
289 | of the most important networking modes.
|
---|
290 | </para>
|
---|
291 |
|
---|
292 | <table id="table-networking-modes">
|
---|
293 | <title>Overview of Networking Modes</title>
|
---|
294 | <tgroup cols="5">
|
---|
295 | <colspec align="left" />
|
---|
296 | <colspec align="center" />
|
---|
297 | <colspec align="center" />
|
---|
298 | <colspec align="center" />
|
---|
299 | <colspec align="center" />
|
---|
300 | <thead valign="middle">
|
---|
301 | <row>
|
---|
302 | <entry></entry>
|
---|
303 | <entry><emphasis role="bold">VM ↔ Host</emphasis></entry>
|
---|
304 | <entry><emphasis role="bold">VM1 ↔ VM2</emphasis></entry>
|
---|
305 | <entry><emphasis role="bold">VM → Internet</emphasis></entry>
|
---|
306 | <entry><emphasis role="bold">VM ← Internet</emphasis></entry>
|
---|
307 | </row>
|
---|
308 | </thead>
|
---|
309 | <tbody valign="middle">
|
---|
310 | <row>
|
---|
311 | <entry>Host-only</entry>
|
---|
312 | <entry><emphasis role="bold">+</emphasis></entry>
|
---|
313 | <entry align="center"><emphasis role="bold">+</emphasis></entry>
|
---|
314 | <entry>–</entry>
|
---|
315 | <entry>–</entry>
|
---|
316 | </row>
|
---|
317 | <row>
|
---|
318 | <entry>Internal</entry>
|
---|
319 | <entry>–</entry>
|
---|
320 | <entry><emphasis role="bold">+</emphasis></entry>
|
---|
321 | <entry>–</entry>
|
---|
322 | <entry>–</entry>
|
---|
323 | </row>
|
---|
324 | <row>
|
---|
325 | <entry>Bridged</entry>
|
---|
326 | <entry><emphasis role="bold">+</emphasis></entry>
|
---|
327 | <entry><emphasis role="bold">+</emphasis></entry>
|
---|
328 | <entry><emphasis role="bold">+</emphasis></entry>
|
---|
329 | <entry><emphasis role="bold">+</emphasis></entry>
|
---|
330 | </row>
|
---|
331 | <row>
|
---|
332 | <entry>NAT</entry>
|
---|
333 | <entry>–</entry>
|
---|
334 | <entry>–</entry>
|
---|
335 | <entry><emphasis role="bold">+</emphasis></entry>
|
---|
336 | <entry><link linkend="natforward">Port forwarding</link></entry>
|
---|
337 | </row>
|
---|
338 | <row>
|
---|
339 | <entry>NAT Network</entry>
|
---|
340 | <entry>–</entry>
|
---|
341 | <entry><emphasis role="bold">+</emphasis></entry>
|
---|
342 | <entry><emphasis role="bold">+</emphasis></entry>
|
---|
343 | <entry><link linkend="network_nat_service">Port forwarding</link></entry>
|
---|
344 | </row>
|
---|
345 | </tbody>
|
---|
346 | </tgroup>
|
---|
347 | </table>
|
---|
348 |
|
---|
349 | <para>
|
---|
350 | The following sections describe the available network modes in
|
---|
351 | more detail.
|
---|
352 | </para>
|
---|
353 |
|
---|
354 | </sect1>
|
---|
355 |
|
---|
356 | <sect1 id="network_nat">
|
---|
357 |
|
---|
358 | <title>Network Address Translation (NAT)</title>
|
---|
359 |
|
---|
360 | <para>
|
---|
361 | Network Address Translation (NAT) is the simplest way of accessing
|
---|
362 | an external network from a virtual machine. Usually, it does not
|
---|
363 | require any configuration on the host network and guest system.
|
---|
364 | For this reason, it is the default networking mode in VirtualBox.
|
---|
365 | </para>
|
---|
366 |
|
---|
367 | <para>
|
---|
368 | A virtual machine with NAT enabled acts much like a real computer
|
---|
369 | that connects to the Internet through a router. The router, in
|
---|
370 | this case, is the VirtualBox networking engine, which maps traffic
|
---|
371 | from and to the virtual machine transparently. In VirtualBox this
|
---|
372 | router is placed between each virtual machine and the host. This
|
---|
373 | separation maximizes security since by default virtual machines
|
---|
374 | cannot talk to each other.
|
---|
375 | </para>
|
---|
376 |
|
---|
377 | <para>
|
---|
378 | The disadvantage of NAT mode is that, much like a private network
|
---|
379 | behind a router, the virtual machine is invisible and unreachable
|
---|
380 | from the outside internet. You cannot run a server this way unless
|
---|
381 | you set up port forwarding. See <xref linkend="natforward"/>.
|
---|
382 | </para>
|
---|
383 |
|
---|
384 | <para>
|
---|
385 | The network frames sent out by the guest operating system are
|
---|
386 | received by VirtualBox's NAT engine, which extracts the TCP/IP
|
---|
387 | data and resends it using the host operating system. To an
|
---|
388 | application on the host, or to another computer on the same
|
---|
389 | network as the host, it looks like the data was sent by the
|
---|
390 | VirtualBox application on the host, using an IP address belonging
|
---|
391 | to the host. VirtualBox listens for replies to the packages sent,
|
---|
392 | and repacks and resends them to the guest machine on its private
|
---|
393 | network.
|
---|
394 | </para>
|
---|
395 |
|
---|
396 | <para>
|
---|
397 | The virtual machine receives its network address and configuration
|
---|
398 | on the private network from a DHCP server integrated into
|
---|
399 | VirtualBox. The IP address thus assigned to the virtual machine is
|
---|
400 | usually on a completely different network than the host. As more
|
---|
401 | than one card of a virtual machine can be set up to use NAT, the
|
---|
402 | first card is connected to the private network 10.0.2.0, the
|
---|
403 | second card to the network 10.0.3.0 and so on. If you need to
|
---|
404 | change the guest-assigned IP range, see
|
---|
405 | <xref linkend="changenat" />.
|
---|
406 | </para>
|
---|
407 |
|
---|
408 | <sect2 id="natforward">
|
---|
409 |
|
---|
410 | <title>Configuring Port Forwarding with NAT</title>
|
---|
411 |
|
---|
412 | <para>
|
---|
413 | As the virtual machine is connected to a private network
|
---|
414 | internal to VirtualBox and invisible to the host, network
|
---|
415 | services on the guest are not accessible to the host machine or
|
---|
416 | to other computers on the same network. However, like a physical
|
---|
417 | router, VirtualBox can make selected services available to the
|
---|
418 | world outside the guest through <emphasis>port
|
---|
419 | forwarding</emphasis>. This means that VirtualBox listens to
|
---|
420 | certain ports on the host and resends all packets which arrive
|
---|
421 | there to the guest, on the same or a different port.
|
---|
422 | </para>
|
---|
423 |
|
---|
424 | <para>
|
---|
425 | To an application on the host or other physical (or virtual)
|
---|
426 | machines on the network, it looks as though the service being
|
---|
427 | proxied is actually running on the host. This also means that
|
---|
428 | you cannot run the same service on the same ports on the host.
|
---|
429 | However, you still gain the advantages of running the service in
|
---|
430 | a virtual machine. For example, services on the host machine or
|
---|
431 | on other virtual machines cannot be compromised or crashed by a
|
---|
432 | vulnerability or a bug in the service, and the service can run
|
---|
433 | in a different operating system than the host system.
|
---|
434 | </para>
|
---|
435 |
|
---|
436 | <para>
|
---|
437 | To configure port forwarding you can use the graphical Port
|
---|
438 | Forwarding editor which can be found in the Network Settings
|
---|
439 | dialog for network adaptors configured to use NAT. Here, you can
|
---|
440 | map host ports to guest ports to allow network traffic to be
|
---|
441 | routed to a specific port in the guest.
|
---|
442 | </para>
|
---|
443 |
|
---|
444 | <para>
|
---|
445 | Alternatively, the command line tool
|
---|
446 | <computeroutput>VBoxManage</computeroutput> can be used. See
|
---|
447 | <xref linkend="vboxmanage-modifyvm" />.
|
---|
448 | </para>
|
---|
449 |
|
---|
450 | <para>
|
---|
451 | You will need to know which ports on the guest the service uses
|
---|
452 | and to decide which ports to use on the host. You may want to
|
---|
453 | use the same ports on the guest and on the host. You can use any
|
---|
454 | ports on the host which are not already in use by a service. For
|
---|
455 | example, to set up incoming NAT connections to an
|
---|
456 | <computeroutput>ssh</computeroutput> server in the guest, use
|
---|
457 | the following command:
|
---|
458 |
|
---|
459 | <screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,,22"</screen>
|
---|
460 |
|
---|
461 | With the above example, all TCP traffic arriving on port 2222 on
|
---|
462 | any host interface will be forwarded to port 22 in the guest.
|
---|
463 | The protocol name <computeroutput>tcp</computeroutput> is a
|
---|
464 | mandatory attribute defining which protocol should be used for
|
---|
465 | forwarding, <computeroutput>udp</computeroutput> could also be
|
---|
466 | used. The name <computeroutput>guestssh</computeroutput> is
|
---|
467 | purely descriptive and will be auto-generated if omitted. The
|
---|
468 | number after <computeroutput>--natpf</computeroutput> denotes
|
---|
469 | the network card, as with other VBoxManage command.
|
---|
470 | </para>
|
---|
471 |
|
---|
472 | <para>
|
---|
473 | To remove this forwarding rule, use the following command:
|
---|
474 |
|
---|
475 | <screen>VBoxManage modifyvm "VM name" --natpf1 delete "guestssh"</screen>
|
---|
476 | </para>
|
---|
477 |
|
---|
478 | <para>
|
---|
479 | If for some reason the guest uses a static assigned IP address
|
---|
480 | not leased from the built-in DHCP server, it is required to
|
---|
481 | specify the guest IP when registering the forwarding rule:
|
---|
482 |
|
---|
483 | <screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,10.0.2.19,22"</screen>
|
---|
484 |
|
---|
485 | This example is identical to the previous one, except that the
|
---|
486 | NAT engine is being told that the guest can be found at the
|
---|
487 | 10.0.2.19 address.
|
---|
488 | </para>
|
---|
489 |
|
---|
490 | <para>
|
---|
491 | To forward <emphasis>all</emphasis> incoming traffic from a
|
---|
492 | specific host interface to the guest, specify the IP of that
|
---|
493 | host interface like this:
|
---|
494 |
|
---|
495 | <screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,127.0.0.1,2222,,22"</screen>
|
---|
496 |
|
---|
497 | This forwards all TCP traffic arriving on the localhost
|
---|
498 | interface (127.0.0.1) via port 2222 to port 22 in the guest.
|
---|
499 | </para>
|
---|
500 |
|
---|
501 | <para>
|
---|
502 | It is possible to configure incoming NAT connections while the
|
---|
503 | VM is running, see <xref linkend="vboxmanage-controlvm"/>.
|
---|
504 | </para>
|
---|
505 |
|
---|
506 | </sect2>
|
---|
507 |
|
---|
508 | <sect2 id="nat-tftp">
|
---|
509 |
|
---|
510 | <title>PXE Booting with NAT</title>
|
---|
511 |
|
---|
512 | <para>
|
---|
513 | PXE booting is now supported in NAT mode. The NAT DHCP server
|
---|
514 | provides a boot file name of the form
|
---|
515 | <computeroutput>vmname.pxe</computeroutput> if the directory
|
---|
516 | <computeroutput>TFTP</computeroutput> exists in the directory
|
---|
517 | where the user's <computeroutput>VirtualBox.xml</computeroutput>
|
---|
518 | file is kept. It is the responsibility of the user to provide
|
---|
519 | <computeroutput>vmname.pxe</computeroutput>.
|
---|
520 | </para>
|
---|
521 |
|
---|
522 | </sect2>
|
---|
523 |
|
---|
524 | <sect2 id="nat-limitations">
|
---|
525 |
|
---|
526 | <title>NAT Limitations</title>
|
---|
527 |
|
---|
528 | <para>
|
---|
529 | There are some limitations of NAT mode which users should be
|
---|
530 | aware of, as follows:
|
---|
531 | </para>
|
---|
532 |
|
---|
533 | <itemizedlist>
|
---|
534 |
|
---|
535 | <listitem>
|
---|
536 | <para>
|
---|
537 | <emphasis role="bold">ICMP protocol limitations.</emphasis>
|
---|
538 | Some frequently used network debugging tools, such as
|
---|
539 | <computeroutput>ping</computeroutput> or tracerouting, rely
|
---|
540 | on the ICMP protocol for sending and receiving messages.
|
---|
541 | While ICMP support has been improved with VirtualBox 2.1,
|
---|
542 | meaning <computeroutput>ping</computeroutput> should now
|
---|
543 | work, some other tools may not work reliably.
|
---|
544 | </para>
|
---|
545 | </listitem>
|
---|
546 |
|
---|
547 | <listitem>
|
---|
548 | <para>
|
---|
549 | <emphasis role="bold">Receiving of UDP
|
---|
550 | broadcasts.</emphasis> The guest does not reliably receive
|
---|
551 | UDP broadcasts. In order to save resources, it only listens
|
---|
552 | for a certain amount of time after the guest has sent UDP
|
---|
553 | data on a particular port. As a consequence, NetBios name
|
---|
554 | resolution based on broadcasts does not always work, but
|
---|
555 | WINS always works. As a workaround, you can use the numeric
|
---|
556 | IP of the desired server in the
|
---|
557 | <computeroutput>\\server\share</computeroutput> notation.
|
---|
558 | </para>
|
---|
559 | </listitem>
|
---|
560 |
|
---|
561 | <listitem>
|
---|
562 | <para>
|
---|
563 | <emphasis role="bold">Some protocols are not
|
---|
564 | supported.</emphasis> Protocols other than TCP and UDP are
|
---|
565 | not supported. GRE is not supported. This means some VPN
|
---|
566 | products, such as PPTP from Microsoft, cannot be used. There
|
---|
567 | are other VPN products which use only TCP and UDP.
|
---|
568 | </para>
|
---|
569 | </listitem>
|
---|
570 |
|
---|
571 | <listitem>
|
---|
572 | <para>
|
---|
573 | <emphasis role="bold">Forwarding host ports below
|
---|
574 | 1024.</emphasis> On Unix-based hosts, such as Linux,
|
---|
575 | Solaris, and Mac OS X, it is not possible to bind to ports
|
---|
576 | below 1024 from applications that are not run by
|
---|
577 | <computeroutput>root</computeroutput>. As a result, if you
|
---|
578 | try to configure such a port forwarding, the VM will refuse
|
---|
579 | to start.
|
---|
580 | </para>
|
---|
581 | </listitem>
|
---|
582 |
|
---|
583 | </itemizedlist>
|
---|
584 |
|
---|
585 | <para>
|
---|
586 | These limitations normally do not affect standard network use.
|
---|
587 | But the presence of NAT has also subtle effects that may
|
---|
588 | interfere with protocols that are normally working. One example
|
---|
589 | is NFS, where the server is often configured to refuse
|
---|
590 | connections from non-privileged ports, which are those ports not
|
---|
591 | below 1024.
|
---|
592 | </para>
|
---|
593 |
|
---|
594 | </sect2>
|
---|
595 |
|
---|
596 | </sect1>
|
---|
597 |
|
---|
598 | <sect1 id="network_nat_service">
|
---|
599 |
|
---|
600 | <title>Network Address Translation Service</title>
|
---|
601 |
|
---|
602 | <para>
|
---|
603 | The Network Address Translation (NAT) service works in a similar
|
---|
604 | way to a home router, grouping the systems using it into a network
|
---|
605 | and preventing systems outside of this network from directly
|
---|
606 | accessing systems inside it, but letting systems inside
|
---|
607 | communicate with each other and with systems outside using TCP and
|
---|
608 | UDP over IPv4 and IPv6.
|
---|
609 | </para>
|
---|
610 |
|
---|
611 | <para>
|
---|
612 | A NAT service is attached to an internal network. Virtual machines
|
---|
613 | which are to make use of it should be attached to that internal
|
---|
614 | network. The name of internal network is chosen when the NAT
|
---|
615 | service is created and the internal network will be created if it
|
---|
616 | does not already exist. An example command to create a NAT network
|
---|
617 | is:
|
---|
618 | </para>
|
---|
619 |
|
---|
620 | <para>
|
---|
621 | <screen>VBoxManage natnetwork add --netname natnet1 --network "192.168.15.0/24" --enable</screen>
|
---|
622 | </para>
|
---|
623 |
|
---|
624 | <para>
|
---|
625 | Here, natnet1 is the name of the internal network to be used and
|
---|
626 | 192.168.15.0/24 is the network address and mask of the NAT service
|
---|
627 | interface. By default in this static configuration the gateway
|
---|
628 | will be assigned the address 192.168.15.1, the address following
|
---|
629 | the interface address, though this is subject to change. To attach
|
---|
630 | a DHCP server to the internal network, we modify the example as
|
---|
631 | follows:
|
---|
632 | </para>
|
---|
633 |
|
---|
634 | <para>
|
---|
635 | <screen>VBoxManage natnetwork add --netname natnet1 --network "192.168.15.0/24" --enable --dhcp on</screen>
|
---|
636 | </para>
|
---|
637 |
|
---|
638 | <para>
|
---|
639 | To add a DHCP server to an existing network:
|
---|
640 | </para>
|
---|
641 |
|
---|
642 | <para>
|
---|
643 | <screen>VBoxManage natnetwork modify --netname natnet1 --dhcp on</screen>
|
---|
644 | </para>
|
---|
645 |
|
---|
646 | <para>
|
---|
647 | To disable the DHCP server:
|
---|
648 | </para>
|
---|
649 |
|
---|
650 | <para>
|
---|
651 | <screen>VBoxManage natnetwork modify --netname natnet1 --dhcp off</screen>
|
---|
652 | </para>
|
---|
653 |
|
---|
654 | <para>
|
---|
655 | A DHCP server provides a list of registered nameservers, but does
|
---|
656 | not map servers from the 127/8 network.
|
---|
657 | </para>
|
---|
658 |
|
---|
659 | <para>
|
---|
660 | To start the NAT service, use the following command:
|
---|
661 | </para>
|
---|
662 |
|
---|
663 | <para>
|
---|
664 | <screen>VBoxManage natnetwork start --netname natnet1</screen>
|
---|
665 | </para>
|
---|
666 |
|
---|
667 | <para>
|
---|
668 | If the network has a DHCP server attached then it will start
|
---|
669 | together with the NAT network service.
|
---|
670 | </para>
|
---|
671 |
|
---|
672 | <para>
|
---|
673 | To stops the NAT network service, together with any DHCP server:
|
---|
674 | </para>
|
---|
675 |
|
---|
676 | <para>
|
---|
677 | <screen>VBoxManage natnetwork stop --netname natnet1</screen>
|
---|
678 | </para>
|
---|
679 |
|
---|
680 | <para>
|
---|
681 | To delete the NAT network service:
|
---|
682 | </para>
|
---|
683 |
|
---|
684 | <para>
|
---|
685 | <screen>VBoxManage natnetwork remove --netname natnet1</screen>
|
---|
686 | </para>
|
---|
687 |
|
---|
688 | <para>
|
---|
689 | This command does not remove the DHCP server if one is enabled on
|
---|
690 | the internal network.
|
---|
691 | </para>
|
---|
692 |
|
---|
693 | <para>
|
---|
694 | Port-forwarding is supported, using the
|
---|
695 | <computeroutput>--port-forward-4</computeroutput> switch for IPv4
|
---|
696 | and <computeroutput>--port-forward-6</computeroutput> for IPv6.
|
---|
697 | For example:
|
---|
698 | </para>
|
---|
699 |
|
---|
700 | <para>
|
---|
701 | <screen>VBoxManage natnetwork modify \
|
---|
702 | --netname natnet1 --port-forward-4 "ssh:tcp:[]:1022:[192.168.15.5]:22"</screen>
|
---|
703 | </para>
|
---|
704 |
|
---|
705 | <para>
|
---|
706 | This adds a port-forwarding rule from the host's TCP 1022 port to
|
---|
707 | the port 22 on the guest with IP address 192.168.15.5. Host port,
|
---|
708 | guest port and guest IP are mandatory. To delete the rule, use:
|
---|
709 | </para>
|
---|
710 |
|
---|
711 | <para>
|
---|
712 | <screen>VBoxManage natnetwork modify --netname natnet1 --port-forward-4 delete ssh</screen>
|
---|
713 | </para>
|
---|
714 |
|
---|
715 | <para>
|
---|
716 | It is possible to bind a NAT service to specified interface. For
|
---|
717 | example:
|
---|
718 | </para>
|
---|
719 |
|
---|
720 | <screen>VBoxManage setextradata global "NAT/win-nat-test-0/SourceIp4" 192.168.1.185</screen>
|
---|
721 |
|
---|
722 | <para>
|
---|
723 | To see the list of registered NAT networks, use:
|
---|
724 | </para>
|
---|
725 |
|
---|
726 | <para>
|
---|
727 | <screen>VBoxManage list natnetworks</screen>
|
---|
728 | </para>
|
---|
729 |
|
---|
730 | </sect1>
|
---|
731 |
|
---|
732 | <sect1 id="network_bridged">
|
---|
733 |
|
---|
734 | <title>Bridged Networking</title>
|
---|
735 |
|
---|
736 | <para>
|
---|
737 | With bridged networking, VirtualBox uses a device driver on your
|
---|
738 | <emphasis>host</emphasis> system that filters data from your
|
---|
739 | physical network adapter. This driver is therefore called a
|
---|
740 | <emphasis>net filter</emphasis> driver. This allows VirtualBox to
|
---|
741 | intercept data from the physical network and inject data into it,
|
---|
742 | effectively creating a new network interface in software. When a
|
---|
743 | guest is using such a new software interface, it looks to the host
|
---|
744 | system as though the guest were physically connected to the
|
---|
745 | interface using a network cable. The host can send data to the
|
---|
746 | guest through that interface and receive data from it. This means
|
---|
747 | that you can set up routing or bridging between the guest and the
|
---|
748 | rest of your network.
|
---|
749 | </para>
|
---|
750 |
|
---|
751 | <para>
|
---|
752 | For this to work, VirtualBox needs a device driver on your host
|
---|
753 | system. The way bridged networking works has been completely
|
---|
754 | rewritten with VirtualBox 2.0 and 2.1, depending on the host
|
---|
755 | operating system. From the user perspective, the main difference
|
---|
756 | is that complex configuration is no longer necessary on any of the
|
---|
757 | supported host operating systems.
|
---|
758 |
|
---|
759 | <footnote>
|
---|
760 |
|
---|
761 | <para>
|
---|
762 | For Mac OS X and Solaris hosts, net filter drivers were
|
---|
763 | already added in VirtualBox 2.0, as initial support for Host
|
---|
764 | Interface Networking on these platforms. With VirtualBox 2.1,
|
---|
765 | net filter drivers were also added for the Windows and Linux
|
---|
766 | hosts, replacing the mechanisms previously present in
|
---|
767 | VirtualBox for those platforms; especially on Linux, the
|
---|
768 | earlier method required creating TAP interfaces and bridges,
|
---|
769 | which was complex and varied from one distribution to the
|
---|
770 | next. None of this is necessary anymore. Bridged network was
|
---|
771 | formerly called Host Interface Networking and has been renamed
|
---|
772 | with version 2.2 without any change in functionality.
|
---|
773 | </para>
|
---|
774 |
|
---|
775 | </footnote>
|
---|
776 | </para>
|
---|
777 |
|
---|
778 | <note>
|
---|
779 | <para>
|
---|
780 | Even though TAP is no longer necessary on Linux with bridged
|
---|
781 | networking, you <emphasis>can</emphasis> still use TAP
|
---|
782 | interfaces for certain advanced setups, since you can connect a
|
---|
783 | VM to any host interface.
|
---|
784 | </para>
|
---|
785 | </note>
|
---|
786 |
|
---|
787 | <para>
|
---|
788 | To enable bridged networking, open the Settings dialog of a
|
---|
789 | virtual machine, go to the Network page and select
|
---|
790 | <emphasis role="bold">Bridged Network</emphasis> in the drop-down
|
---|
791 | list for the Attached To field. Select a host interface from the
|
---|
792 | list at the bottom of the page, which contains the physical
|
---|
793 | network interfaces of your systems. On a typical MacBook, for
|
---|
794 | example, this will allow you to select between en1: AirPort, which
|
---|
795 | is the wireless interface, and en0: Ethernet, which represents the
|
---|
796 | interface with a network cable.
|
---|
797 | </para>
|
---|
798 |
|
---|
799 | <note>
|
---|
800 | <para>
|
---|
801 | Bridging to a wireless interface is done differently from
|
---|
802 | bridging to a wired interface, because most wireless adapters do
|
---|
803 | not support promiscuous mode. All traffic has to use the MAC
|
---|
804 | address of the host's wireless adapter, and therefore VirtualBox
|
---|
805 | needs to replace the source MAC address in the Ethernet header
|
---|
806 | of an outgoing packet to make sure the reply will be sent to the
|
---|
807 | host interface. When VirtualBox sees an incoming packet with a
|
---|
808 | destination IP address that belongs to one of the virtual
|
---|
809 | machine adapters it replaces the destination MAC address in the
|
---|
810 | Ethernet header with the VM adapter's MAC address and passes it
|
---|
811 | on. VirtualBox examines ARP and DHCP packets in order to learn
|
---|
812 | the IP addresses of virtual machines.
|
---|
813 | </para>
|
---|
814 | </note>
|
---|
815 |
|
---|
816 | <para>
|
---|
817 | Depending on your host operating system, the following limitations
|
---|
818 | apply:
|
---|
819 | </para>
|
---|
820 |
|
---|
821 | <itemizedlist>
|
---|
822 |
|
---|
823 | <listitem>
|
---|
824 | <para>
|
---|
825 | <emphasis role="bold">Mac OS X hosts.</emphasis> Functionality
|
---|
826 | is limited when using AirPort, the Mac's wireless networking
|
---|
827 | system, for bridged networking. Currently, VirtualBox supports
|
---|
828 | only IPv4 and IPv6 over AirPort. For other protocols, such as
|
---|
829 | IPX, you must choose a wired interface.
|
---|
830 | </para>
|
---|
831 | </listitem>
|
---|
832 |
|
---|
833 | <listitem>
|
---|
834 | <para>
|
---|
835 | <emphasis role="bold">Linux hosts.</emphasis> Functionality is
|
---|
836 | limited when using wireless interfaces for bridged networking.
|
---|
837 | Currently, VirtualBox supports only IPv4 and IPv6 over
|
---|
838 | wireless. For other protocols, such as IPX, you must choose a
|
---|
839 | wired interface.
|
---|
840 | </para>
|
---|
841 |
|
---|
842 | <para>
|
---|
843 | Also, setting the MTU to less than 1500 bytes on wired
|
---|
844 | interfaces provided by the sky2 driver on the Marvell Yukon II
|
---|
845 | EC Ultra Ethernet NIC is known to cause packet losses under
|
---|
846 | certain conditions.
|
---|
847 | </para>
|
---|
848 |
|
---|
849 | <para>
|
---|
850 | Some adapters strip VLAN tags in hardware. This does not allow
|
---|
851 | to use VLAN trunking between VM and the external network with
|
---|
852 | pre-2.6.27 Linux kernels nor with host operating systems other
|
---|
853 | than Linux.
|
---|
854 | </para>
|
---|
855 | </listitem>
|
---|
856 |
|
---|
857 | <listitem>
|
---|
858 | <para>
|
---|
859 | <emphasis role="bold">Solaris hosts.</emphasis> There is no
|
---|
860 | support for using wireless interfaces. Filtering guest traffic
|
---|
861 | using IPFilter is also not completely supported due to
|
---|
862 | technical restrictions of the Solaris networking subsystem.
|
---|
863 | These issues would be addressed in a future release of Solaris
|
---|
864 | 11.
|
---|
865 | </para>
|
---|
866 |
|
---|
867 | <para>
|
---|
868 | Starting with VirtualBox 4.1, on Solaris 11 hosts build 159
|
---|
869 | and above, it is possible to use Solaris Crossbow Virtual
|
---|
870 | Network Interfaces (VNICs) directly with VirtualBox without
|
---|
871 | any additional configuration other than each VNIC must be
|
---|
872 | exclusive for every guest network interface.
|
---|
873 | </para>
|
---|
874 |
|
---|
875 | <para>
|
---|
876 | Starting with VirtualBox 2.0.4 and up to VirtualBox 4.0, VNICs
|
---|
877 | can be used, but with the following caveats:
|
---|
878 | </para>
|
---|
879 |
|
---|
880 | <itemizedlist>
|
---|
881 |
|
---|
882 | <listitem>
|
---|
883 | <para>
|
---|
884 | A VNIC cannot be shared between multiple guest network
|
---|
885 | interfaces. For example, each guest network interface must
|
---|
886 | have its own, exclusive VNIC.
|
---|
887 | </para>
|
---|
888 | </listitem>
|
---|
889 |
|
---|
890 | <listitem>
|
---|
891 | <para>
|
---|
892 | The VNIC and the guest network interface that uses the
|
---|
893 | VNIC must be assigned identical MAC addresses.
|
---|
894 | </para>
|
---|
895 | </listitem>
|
---|
896 |
|
---|
897 | </itemizedlist>
|
---|
898 |
|
---|
899 | <para>
|
---|
900 | When using VLAN interfaces with VirtualBox, they must be named
|
---|
901 | according to the PPA-hack naming scheme, such as e1000g513001.
|
---|
902 | Otherwise, the guest may receive packets in an unexpected
|
---|
903 | format.
|
---|
904 | </para>
|
---|
905 | </listitem>
|
---|
906 |
|
---|
907 | </itemizedlist>
|
---|
908 |
|
---|
909 | </sect1>
|
---|
910 |
|
---|
911 | <sect1 id="network_internal">
|
---|
912 |
|
---|
913 | <title>Internal Networking</title>
|
---|
914 |
|
---|
915 | <para>
|
---|
916 | Internal Networking is similar to bridged networking in that the
|
---|
917 | VM can directly communicate with the outside world. However, the
|
---|
918 | outside world is limited to other VMs on the same host which
|
---|
919 | connect to the same internal network.
|
---|
920 | </para>
|
---|
921 |
|
---|
922 | <para>
|
---|
923 | Even though technically, everything that can be done using
|
---|
924 | internal networking can also be done using bridged networking,
|
---|
925 | there are security advantages with internal networking. In bridged
|
---|
926 | networking mode, all traffic goes through a physical interface of
|
---|
927 | the host system. It is therefore possible to attach a packet
|
---|
928 | sniffer such as Wireshark to the host interface and log all
|
---|
929 | traffic that goes over it. If, for any reason, you prefer two or
|
---|
930 | more VMs on the same machine to communicate privately, hiding
|
---|
931 | their data from both the host system and the user, bridged
|
---|
932 | networking therefore is not an option.
|
---|
933 | </para>
|
---|
934 |
|
---|
935 | <para>
|
---|
936 | Internal networks are created automatically as needed. There is no
|
---|
937 | central configuration. Every internal network is identified simply
|
---|
938 | by its name. Once there is more than one active virtual network
|
---|
939 | card with the same internal network ID, the VirtualBox support
|
---|
940 | driver will automatically <emphasis>wire</emphasis> the cards and
|
---|
941 | act as a network switch. The VirtualBox support driver implements
|
---|
942 | a complete Ethernet switch and supports both broadcast/multicast
|
---|
943 | frames and promiscuous mode.
|
---|
944 | </para>
|
---|
945 |
|
---|
946 | <para>
|
---|
947 | In order to attach a VM's network card to an internal network, set
|
---|
948 | its networking mode to Internal Networking. There are two ways to
|
---|
949 | accomplish this:
|
---|
950 | </para>
|
---|
951 |
|
---|
952 | <itemizedlist>
|
---|
953 |
|
---|
954 | <listitem>
|
---|
955 | <para>
|
---|
956 | Use the VM's Settings dialog in the VirtualBox graphical user
|
---|
957 | interface. In the Networking category of the settings dialog,
|
---|
958 | select <emphasis role="bold">Internal Networking</emphasis>
|
---|
959 | from the drop-down list of networking modes. Select the name
|
---|
960 | of an existing internal network from the drop-down list below,
|
---|
961 | or enter a new name into the entry field.
|
---|
962 | </para>
|
---|
963 | </listitem>
|
---|
964 |
|
---|
965 | <listitem>
|
---|
966 | <para>
|
---|
967 | Use the command line, for example:
|
---|
968 | </para>
|
---|
969 |
|
---|
970 | <screen>VBoxManage modifyvm "VM name" --nic<x> intnet</screen>
|
---|
971 |
|
---|
972 | <para>
|
---|
973 | Optionally, you can specify a network name with the command:
|
---|
974 | </para>
|
---|
975 |
|
---|
976 | <screen>VBoxManage modifyvm "VM name" --intnet<x> "network name"</screen>
|
---|
977 |
|
---|
978 | <para>
|
---|
979 | If you do not specify a network name, the network card will be
|
---|
980 | attached to the network
|
---|
981 | <computeroutput>intnet</computeroutput> by default.
|
---|
982 | </para>
|
---|
983 | </listitem>
|
---|
984 |
|
---|
985 | </itemizedlist>
|
---|
986 |
|
---|
987 | <para>
|
---|
988 | Unless you configure the virtual network cards in the guest
|
---|
989 | operating systems that are participating in the internal network
|
---|
990 | to use static IP addresses, you may want to use the DHCP server
|
---|
991 | that is built into VirtualBox to manage IP addresses for the
|
---|
992 | internal network. See <xref linkend="vboxmanage-dhcpserver" />.
|
---|
993 | </para>
|
---|
994 |
|
---|
995 | <para>
|
---|
996 | As a security measure, by default, the Linux implementation of
|
---|
997 | internal networking only allows VMs running under the same user ID
|
---|
998 | to establish an internal network. However, it is possible to
|
---|
999 | create a shared internal networking interface, accessible by users
|
---|
1000 | with different user IDs.
|
---|
1001 | </para>
|
---|
1002 |
|
---|
1003 | </sect1>
|
---|
1004 |
|
---|
1005 | <sect1 id="network_hostonly">
|
---|
1006 |
|
---|
1007 | <title>Host-Only Networking</title>
|
---|
1008 |
|
---|
1009 | <para>
|
---|
1010 | Host-only networking is another networking mode that was added
|
---|
1011 | with version 2.2 of VirtualBox. It can be thought of as a hybrid
|
---|
1012 | between the bridged and internal networking modes. As with bridged
|
---|
1013 | networking, the virtual machines can talk to each other and the
|
---|
1014 | host as if they were connected through a physical Ethernet switch.
|
---|
1015 | As with internal networking, a physical networking interface need
|
---|
1016 | not be present, and the virtual machines cannot talk to the world
|
---|
1017 | outside the host since they are not connected to a physical
|
---|
1018 | networking interface.
|
---|
1019 | </para>
|
---|
1020 |
|
---|
1021 | <para>
|
---|
1022 | When host-only networking is used, VirtualBox creates a new
|
---|
1023 | software interface on the host which then appears next to your
|
---|
1024 | existing network interfaces. In other words, whereas with bridged
|
---|
1025 | networking an existing physical interface is used to attach
|
---|
1026 | virtual machines to, with host-only networking a new
|
---|
1027 | <emphasis>loopback</emphasis> interface is created on the host.
|
---|
1028 | And whereas with internal networking, the traffic between the
|
---|
1029 | virtual machines cannot be seen, the traffic on the loopback
|
---|
1030 | interface on the host can be intercepted.
|
---|
1031 | </para>
|
---|
1032 |
|
---|
1033 | <para>
|
---|
1034 | Host-only networking is particularly useful for preconfigured
|
---|
1035 | virtual appliances, where multiple virtual machines are shipped
|
---|
1036 | together and designed to cooperate. For example, one virtual
|
---|
1037 | machine may contain a web server and a second one a database, and
|
---|
1038 | since they are intended to talk to each other, the appliance can
|
---|
1039 | instruct VirtualBox to set up a host-only network for the two. A
|
---|
1040 | second, bridged, network would then connect the web server to the
|
---|
1041 | outside world to serve data to, but the outside world cannot
|
---|
1042 | connect to the database.
|
---|
1043 | </para>
|
---|
1044 |
|
---|
1045 | <para>
|
---|
1046 | To change a virtual machine's virtual network interface to Host
|
---|
1047 | Only mode, do either of the following:
|
---|
1048 | </para>
|
---|
1049 |
|
---|
1050 | <itemizedlist>
|
---|
1051 |
|
---|
1052 | <listitem>
|
---|
1053 | <para>
|
---|
1054 | Go to the Network page in the virtual machine's Settings
|
---|
1055 | dialog and select <emphasis role="bold">Host-Only
|
---|
1056 | Networking</emphasis>.
|
---|
1057 | </para>
|
---|
1058 | </listitem>
|
---|
1059 |
|
---|
1060 | <listitem>
|
---|
1061 | <para>
|
---|
1062 | On the command line, type <computeroutput>VBoxManage modifyvm
|
---|
1063 | "VM name" --nic<x> hostonly</computeroutput>. See
|
---|
1064 | <xref
|
---|
1065 | linkend="vboxmanage-modifyvm" />.
|
---|
1066 | </para>
|
---|
1067 | </listitem>
|
---|
1068 |
|
---|
1069 | </itemizedlist>
|
---|
1070 |
|
---|
1071 | <para>
|
---|
1072 | Before you can attach a VM to a host-only network you have to
|
---|
1073 | create at least one host-only interface. You can use the GUI for
|
---|
1074 | this. Choose <emphasis role="bold">File</emphasis>,
|
---|
1075 | <emphasis role="bold">Preferences</emphasis>,
|
---|
1076 | <emphasis role="bold">Network</emphasis>,
|
---|
1077 | <emphasis role="bold">Host-Only Network</emphasis>,
|
---|
1078 | <emphasis role="bold">(+)Add Host-Only Network</emphasis>.
|
---|
1079 | </para>
|
---|
1080 |
|
---|
1081 | <para>
|
---|
1082 | Alternatively, you can use the command line:
|
---|
1083 | </para>
|
---|
1084 |
|
---|
1085 | <screen>VBoxManage hostonlyif create</screen>
|
---|
1086 |
|
---|
1087 | <para>
|
---|
1088 | See <xref linkend="vboxmanage-hostonlyif" />.
|
---|
1089 | </para>
|
---|
1090 |
|
---|
1091 | <para>
|
---|
1092 | For host-only networking, as with internal networking, you may
|
---|
1093 | find the DHCP server useful that is built into VirtualBox. This
|
---|
1094 | can be enabled to then manage the IP addresses in the host-only
|
---|
1095 | network since otherwise you would need to configure all IP
|
---|
1096 | addresses statically.
|
---|
1097 | </para>
|
---|
1098 |
|
---|
1099 | <itemizedlist>
|
---|
1100 |
|
---|
1101 | <listitem>
|
---|
1102 | <para>
|
---|
1103 | In the VirtualBox graphical user interface, you can configure
|
---|
1104 | all these items in the global settings by choosing
|
---|
1105 | <emphasis role="bold">File</emphasis>,
|
---|
1106 | <emphasis role="bold">Preferences</emphasis>,
|
---|
1107 | <emphasis role="bold">Network</emphasis>. This lists all
|
---|
1108 | host-only networks which are presently in use. Click on the
|
---|
1109 | network name and then on
|
---|
1110 | <emphasis role="bold">Edit</emphasis>. You can then modify the
|
---|
1111 | adapter and DHCP settings.
|
---|
1112 | </para>
|
---|
1113 | </listitem>
|
---|
1114 |
|
---|
1115 | <listitem>
|
---|
1116 | <para>
|
---|
1117 | Alternatively, you can use <computeroutput>VBoxManage
|
---|
1118 | dhcpserver</computeroutput> on the command line. See
|
---|
1119 | <xref
|
---|
1120 | linkend="vboxmanage-dhcpserver" />.
|
---|
1121 | </para>
|
---|
1122 | </listitem>
|
---|
1123 |
|
---|
1124 | </itemizedlist>
|
---|
1125 |
|
---|
1126 | <note>
|
---|
1127 | <para>
|
---|
1128 | On Linux and Mac OS X hosts the number of host-only interfaces
|
---|
1129 | is limited to 128. There is no such limit for Solaris and
|
---|
1130 | Windows hosts.
|
---|
1131 | </para>
|
---|
1132 | </note>
|
---|
1133 |
|
---|
1134 | </sect1>
|
---|
1135 |
|
---|
1136 | <sect1 id="network_udp_tunnel">
|
---|
1137 |
|
---|
1138 | <title>UDP Tunnel Networking</title>
|
---|
1139 |
|
---|
1140 | <para>
|
---|
1141 | This networking mode allows you to interconnect virtual machines
|
---|
1142 | running on different hosts.
|
---|
1143 | </para>
|
---|
1144 |
|
---|
1145 | <para>
|
---|
1146 | Technically this is done by encapsulating Ethernet frames sent or
|
---|
1147 | received by the guest network card into UDP/IP datagrams, and
|
---|
1148 | sending them over any network available to the host.
|
---|
1149 | </para>
|
---|
1150 |
|
---|
1151 | <para>
|
---|
1152 | UDP Tunnel mode has the following parameters:
|
---|
1153 | </para>
|
---|
1154 |
|
---|
1155 | <itemizedlist>
|
---|
1156 |
|
---|
1157 | <listitem>
|
---|
1158 | <para>
|
---|
1159 | <emphasis role="bold">Source UDP port:</emphasis> The port on
|
---|
1160 | which the host listens. Datagrams arriving on this port from
|
---|
1161 | any source address will be forwarded to the receiving part of
|
---|
1162 | the guest network card.
|
---|
1163 | </para>
|
---|
1164 | </listitem>
|
---|
1165 |
|
---|
1166 | <listitem>
|
---|
1167 | <para>
|
---|
1168 | <emphasis role="bold">Destination address:</emphasis> IP
|
---|
1169 | address of the target host of the transmitted data.
|
---|
1170 | </para>
|
---|
1171 | </listitem>
|
---|
1172 |
|
---|
1173 | <listitem>
|
---|
1174 | <para>
|
---|
1175 | <emphasis role="bold">Destination UDP port:</emphasis> Port
|
---|
1176 | number to which the transmitted data is sent.
|
---|
1177 | </para>
|
---|
1178 | </listitem>
|
---|
1179 |
|
---|
1180 | </itemizedlist>
|
---|
1181 |
|
---|
1182 | <para>
|
---|
1183 | When interconnecting two virtual machines on two different hosts,
|
---|
1184 | their IP addresses must be swapped. On a single host, source and
|
---|
1185 | destination UDP ports must be swapped.
|
---|
1186 | </para>
|
---|
1187 |
|
---|
1188 | <para>
|
---|
1189 | In the following example, host 1 uses the IP address 10.0.0.1 and
|
---|
1190 | host 2 uses IP address 10.0.0.2. To configure using the
|
---|
1191 | command-line:
|
---|
1192 | </para>
|
---|
1193 |
|
---|
1194 | <screen> VBoxManage modifyvm "VM 01 on host 1" --nic<x> generic
|
---|
1195 | VBoxManage modifyvm "VM 01 on host 1" --nicgenericdrv<x> UDPTunnel
|
---|
1196 | VBoxManage modifyvm "VM 01 on host 1" --nicproperty<x> dest=10.0.0.2
|
---|
1197 | VBoxManage modifyvm "VM 01 on host 1" --nicproperty<x> sport=10001
|
---|
1198 | VBoxManage modifyvm "VM 01 on host 1" --nicproperty<x> dport=10002</screen>
|
---|
1199 |
|
---|
1200 | <screen> VBoxManage modifyvm "VM 02 on host 2" --nic<y> generic
|
---|
1201 | VBoxManage modifyvm "VM 02 on host 2" --nicgenericdrv<y> UDPTunnel
|
---|
1202 | VBoxManage modifyvm "VM 02 on host 2" --nicproperty<y> dest=10.0.0.1
|
---|
1203 | VBoxManage modifyvm "VM 02 on host 2" --nicproperty<y> sport=10002
|
---|
1204 | VBoxManage modifyvm "VM 02 on host 2" --nicproperty<y> dport=10001</screen>
|
---|
1205 |
|
---|
1206 | <para>
|
---|
1207 | Of course, you can always interconnect two virtual machines on the
|
---|
1208 | same host, by setting the destination address parameter to
|
---|
1209 | 127.0.0.1 on both. It will act similarly to an internal network in
|
---|
1210 | this case. However, the host can see the network traffic which it
|
---|
1211 | could not in the normal internal network case.
|
---|
1212 | </para>
|
---|
1213 |
|
---|
1214 | <note>
|
---|
1215 | <para>
|
---|
1216 | On Unix-based hosts, such as Linux, Solaris, and Mac OS X, it is
|
---|
1217 | not possible to bind to ports below 1024 from applications that
|
---|
1218 | are not run by <computeroutput>root</computeroutput>. As a
|
---|
1219 | result, if you try to configure such a source UDP port, the VM
|
---|
1220 | will refuse to start.
|
---|
1221 | </para>
|
---|
1222 | </note>
|
---|
1223 |
|
---|
1224 | </sect1>
|
---|
1225 |
|
---|
1226 | <sect1 id="network_vde">
|
---|
1227 |
|
---|
1228 | <title>VDE Networking</title>
|
---|
1229 |
|
---|
1230 | <para>
|
---|
1231 | Virtual Distributed Ethernet (VDE)
|
---|
1232 |
|
---|
1233 | <footnote>
|
---|
1234 |
|
---|
1235 | <para>
|
---|
1236 | VDE is a project developed by Renzo Davoli, Associate
|
---|
1237 | Professor at the University of Bologna, Italy.
|
---|
1238 | </para>
|
---|
1239 |
|
---|
1240 | </footnote>
|
---|
1241 |
|
---|
1242 | is a flexible, virtual network infrastructure system, spanning
|
---|
1243 | across multiple hosts in a secure way. It allows for L2/L3
|
---|
1244 | switching, including spanning-tree protocol, VLANs, and WAN
|
---|
1245 | emulation. It is an optional part of VirtualBox which is only
|
---|
1246 | included in the source code.
|
---|
1247 | </para>
|
---|
1248 |
|
---|
1249 | <para>
|
---|
1250 | The basic building blocks of the infrastructure are VDE switches,
|
---|
1251 | VDE plugs and VDE wires which inter-connect the switches.
|
---|
1252 | </para>
|
---|
1253 |
|
---|
1254 | <para>
|
---|
1255 | The VirtualBox VDE driver has a single parameter: VDE network.
|
---|
1256 | This is the name of the VDE network switch socket to which the VM
|
---|
1257 | will be connected.
|
---|
1258 | </para>
|
---|
1259 |
|
---|
1260 | <para>
|
---|
1261 | The following basic example shows how to connect a virtual machine
|
---|
1262 | to a VDE switch.
|
---|
1263 | </para>
|
---|
1264 |
|
---|
1265 | <orderedlist>
|
---|
1266 |
|
---|
1267 | <listitem>
|
---|
1268 | <para>
|
---|
1269 | Create a VDE switch:
|
---|
1270 | </para>
|
---|
1271 |
|
---|
1272 | <screen>vde_switch -s /tmp/switch1</screen>
|
---|
1273 | </listitem>
|
---|
1274 |
|
---|
1275 | <listitem>
|
---|
1276 | <para>
|
---|
1277 | Configure VMs using the command-line:
|
---|
1278 | </para>
|
---|
1279 |
|
---|
1280 | <screen>VBoxManage modifyvm "VM name" --nic<x> generic</screen>
|
---|
1281 |
|
---|
1282 | <screen>VBoxManage modifyvm "VM name" --nicgenericdrv<x> VDE</screen>
|
---|
1283 |
|
---|
1284 | <para>
|
---|
1285 | To connect to an automatically allocated switch port:
|
---|
1286 | </para>
|
---|
1287 |
|
---|
1288 | <screen>VBoxManage modifyvm "VM name" --nicproperty<x> network=/tmp/switch1</screen>
|
---|
1289 |
|
---|
1290 | <para>
|
---|
1291 | To connect to a specific switch port
|
---|
1292 | <replaceable>n</replaceable>:
|
---|
1293 | </para>
|
---|
1294 |
|
---|
1295 | <screen>VBoxManage modifyvm "VM name" --nicproperty<x> network=/tmp/switch1[<n>]</screen>
|
---|
1296 |
|
---|
1297 | <para>
|
---|
1298 | This command can be useful for VLANs.
|
---|
1299 | </para>
|
---|
1300 | </listitem>
|
---|
1301 |
|
---|
1302 | <listitem>
|
---|
1303 | <para>
|
---|
1304 | (Optional) Map between a VDE switch port and a VLAN.
|
---|
1305 | </para>
|
---|
1306 |
|
---|
1307 | <para>
|
---|
1308 | Using the switch command line:
|
---|
1309 | </para>
|
---|
1310 |
|
---|
1311 | <screen>vde$ vlan/create <VLAN></screen>
|
---|
1312 |
|
---|
1313 | <screen>vde$ port/setvlan <port> <VLAN></screen>
|
---|
1314 | </listitem>
|
---|
1315 |
|
---|
1316 | </orderedlist>
|
---|
1317 |
|
---|
1318 | <para>
|
---|
1319 | VDE is available on Linux and FreeBSD hosts only. It is only
|
---|
1320 | available if the VDE software and the VDE plugin library from the
|
---|
1321 | VirtualSquare project are installed on the host system
|
---|
1322 |
|
---|
1323 | <footnote>
|
---|
1324 |
|
---|
1325 | <para>
|
---|
1326 | For Linux hosts, the shared library libvdeplug.so must be
|
---|
1327 | available in the search path for shared libraries
|
---|
1328 | </para>
|
---|
1329 |
|
---|
1330 | </footnote>
|
---|
1331 |
|
---|
1332 | . For more information on setting up VDE networks, please see the
|
---|
1333 | documentation accompanying the software.
|
---|
1334 |
|
---|
1335 | <footnote>
|
---|
1336 |
|
---|
1337 | <para>
|
---|
1338 | <ulink
|
---|
1339 | url="http://wiki.virtualsquare.org/wiki/index.php/VDE_Basic_Networking">http://wiki.virtualsquare.org/wiki/index.php/VDE_Basic_Networking</ulink>.
|
---|
1340 | </para>
|
---|
1341 |
|
---|
1342 | </footnote>
|
---|
1343 | </para>
|
---|
1344 |
|
---|
1345 | </sect1>
|
---|
1346 |
|
---|
1347 | <sect1 id="network_bandwidth_limit">
|
---|
1348 |
|
---|
1349 | <title>Limiting Bandwidth for Network I/O</title>
|
---|
1350 |
|
---|
1351 | <para>
|
---|
1352 | Starting with version 4.2, VirtualBox allows for limiting the
|
---|
1353 | maximum bandwidth used for network transmission. Several network
|
---|
1354 | adapters of one VM may share limits through bandwidth groups. It
|
---|
1355 | is possible to have more than one such limit.
|
---|
1356 | </para>
|
---|
1357 |
|
---|
1358 | <note>
|
---|
1359 | <para>
|
---|
1360 | VirtualBox shapes VM traffic only in the transmit direction,
|
---|
1361 | delaying the packets being sent by virtual machines. It does not
|
---|
1362 | limit the traffic being received by virtual machines.
|
---|
1363 | </para>
|
---|
1364 | </note>
|
---|
1365 |
|
---|
1366 | <para>
|
---|
1367 | Limits are configured through
|
---|
1368 | <computeroutput>VBoxManage</computeroutput>. The example below
|
---|
1369 | creates a bandwidth group named Limit, sets the limit to 20 Mbps
|
---|
1370 | and assigns the group to the first and second adapters of the VM:
|
---|
1371 |
|
---|
1372 | <screen>VBoxManage bandwidthctl "VM name" add Limit --type network --limit 20m
|
---|
1373 | VBoxManage modifyvm "VM name" --nicbandwidthgroup1 Limit
|
---|
1374 | VBoxManage modifyvm "VM name" --nicbandwidthgroup2 Limit</screen>
|
---|
1375 | </para>
|
---|
1376 |
|
---|
1377 | <para>
|
---|
1378 | All adapters in a group share the bandwidth limit, meaning that in
|
---|
1379 | the example above the bandwidth of both adapters combined can
|
---|
1380 | never exceed 20 Mbps. However, if one adapter does not require
|
---|
1381 | bandwidth the other can use the remaining bandwidth of its group.
|
---|
1382 | </para>
|
---|
1383 |
|
---|
1384 | <para>
|
---|
1385 | The limits for each group can be changed while the VM is running,
|
---|
1386 | with changes being picked up immediately. The example below
|
---|
1387 | changes the limit for the group created in the example above to
|
---|
1388 | 100 Kbps:
|
---|
1389 |
|
---|
1390 | <screen>VBoxManage bandwidthctl "VM name" set Limit --limit 100k</screen>
|
---|
1391 | </para>
|
---|
1392 |
|
---|
1393 | <para>
|
---|
1394 | To completely disable shaping for the first adapter of VM use the
|
---|
1395 | following command:
|
---|
1396 |
|
---|
1397 | <screen>VBoxManage modifyvm "VM name" --nicbandwidthgroup1 none</screen>
|
---|
1398 | </para>
|
---|
1399 |
|
---|
1400 | <para>
|
---|
1401 | It is also possible to disable shaping for all adapters assigned
|
---|
1402 | to a bandwidth group while VM is running, by specifying the zero
|
---|
1403 | limit for the group. For example, for the bandwidth group named
|
---|
1404 | Limit use:
|
---|
1405 |
|
---|
1406 | <screen>VBoxManage bandwidthctl "VM name" set Limit --limit 0</screen>
|
---|
1407 | </para>
|
---|
1408 |
|
---|
1409 | </sect1>
|
---|
1410 |
|
---|
1411 | <sect1 id="network_performance">
|
---|
1412 |
|
---|
1413 | <title>Improving Network Performance</title>
|
---|
1414 |
|
---|
1415 | <para>
|
---|
1416 | VirtualBox provides a variety of virtual network adapters that can
|
---|
1417 | be attached to the host's network in a number of ways. Depending
|
---|
1418 | on which types of adapters and attachments are used the network
|
---|
1419 | performance will be different. Performance-wise the virtio network
|
---|
1420 | adapter is preferable over Intel PRO/1000 emulated adapters, which
|
---|
1421 | are preferred over the PCNet family of adapters. Both virtio and
|
---|
1422 | Intel PRO/1000 adapters enjoy the benefit of segmentation and
|
---|
1423 | checksum offloading. Segmentation offloading is essential for high
|
---|
1424 | performance as it allows for less context switches, dramatically
|
---|
1425 | increasing the sizes of packets that cross the VM/host boundary.
|
---|
1426 | </para>
|
---|
1427 |
|
---|
1428 | <note>
|
---|
1429 | <para>
|
---|
1430 | Neither virtio nor Intel PRO/1000 drivers for Windows XP support
|
---|
1431 | segmentation offloading. Therefore Windows XP guests never reach
|
---|
1432 | the same transmission rates as other guest types. Refer to MS
|
---|
1433 | Knowledge base article 842264 for additional information.
|
---|
1434 | </para>
|
---|
1435 | </note>
|
---|
1436 |
|
---|
1437 | <para>
|
---|
1438 | Three attachment types: Internal, Bridged, and Host-Only, have
|
---|
1439 | nearly identical performance. The Internal type is a little bit
|
---|
1440 | faster and uses less CPU cycles as the packets never reach the
|
---|
1441 | host's network stack. The NAT attachment type is the slowest and
|
---|
1442 | most secure of all attachment types, as it provides network
|
---|
1443 | address translation. The generic driver attachment is special and
|
---|
1444 | cannot be considered as an alternative to other attachment types.
|
---|
1445 | </para>
|
---|
1446 |
|
---|
1447 | <para>
|
---|
1448 | The number of CPUs assigned to VM does not improve network
|
---|
1449 | performance and in some cases may hurt it due to increased
|
---|
1450 | concurrency in the guest.
|
---|
1451 | </para>
|
---|
1452 |
|
---|
1453 | <para>
|
---|
1454 | Here is a short summary of things to check in order to improve
|
---|
1455 | network performance:
|
---|
1456 | </para>
|
---|
1457 |
|
---|
1458 | <orderedlist>
|
---|
1459 |
|
---|
1460 | <listitem>
|
---|
1461 | <para>
|
---|
1462 | Whenever possible use the virtio network adapter. Otherwise,
|
---|
1463 | use one of the Intel PRO/1000 adapters.
|
---|
1464 | </para>
|
---|
1465 | </listitem>
|
---|
1466 |
|
---|
1467 | <listitem>
|
---|
1468 | <para>
|
---|
1469 | Use a Bridged attachment instead of NAT.
|
---|
1470 | </para>
|
---|
1471 | </listitem>
|
---|
1472 |
|
---|
1473 | <listitem>
|
---|
1474 | <para>
|
---|
1475 | Make sure segmentation offloading is enabled in the guest OS.
|
---|
1476 | Usually it will be enabled by default. You can check and
|
---|
1477 | modify offloading settings using the
|
---|
1478 | <computeroutput>ethtool</computeroutput> command on Linux
|
---|
1479 | guests.
|
---|
1480 | </para>
|
---|
1481 | </listitem>
|
---|
1482 |
|
---|
1483 | <listitem>
|
---|
1484 | <para>
|
---|
1485 | Perform a full, detailed analysis of network traffic on the
|
---|
1486 | VM's network adaptor using a third party tool such as
|
---|
1487 | Wireshark. To do this, a promiscuous mode policy needs to be
|
---|
1488 | used on the VM's network adaptor. Use of this mode is only
|
---|
1489 | possible on the following network types: NAT Network, Bridged
|
---|
1490 | Adapter, Internal Network, and Host-Only Adapter.
|
---|
1491 | </para>
|
---|
1492 |
|
---|
1493 | <para>
|
---|
1494 | To setup a promiscuous mode policy, either select from the
|
---|
1495 | drop down list located in the Network Settings dialog for the
|
---|
1496 | network adaptor or use the command line tool
|
---|
1497 | <computeroutput>VBoxManage</computeroutput>. See
|
---|
1498 | <xref linkend="vboxmanage-modifyvm" />.
|
---|
1499 | </para>
|
---|
1500 |
|
---|
1501 | <para>
|
---|
1502 | Promiscuous mode policies are as follows:
|
---|
1503 | </para>
|
---|
1504 |
|
---|
1505 | <itemizedlist>
|
---|
1506 |
|
---|
1507 | <listitem>
|
---|
1508 | <para>
|
---|
1509 | <computeroutput>deny</computeroutput>, which hides any
|
---|
1510 | traffic not intended for the VM's network adaptor. This is
|
---|
1511 | the default setting.
|
---|
1512 | </para>
|
---|
1513 | </listitem>
|
---|
1514 |
|
---|
1515 | <listitem>
|
---|
1516 | <para>
|
---|
1517 | <computeroutput>allow-vms</computeroutput>, which hides
|
---|
1518 | all host traffic from the VM's network adaptor, but allows
|
---|
1519 | it to see traffic from and to other VMs.
|
---|
1520 | </para>
|
---|
1521 | </listitem>
|
---|
1522 |
|
---|
1523 | <listitem>
|
---|
1524 | <para>
|
---|
1525 | <computeroutput>allow-all</computeroutput>, which removes
|
---|
1526 | all restrictions. The VM's network adaptor sees all
|
---|
1527 | traffic.
|
---|
1528 | </para>
|
---|
1529 | </listitem>
|
---|
1530 |
|
---|
1531 | </itemizedlist>
|
---|
1532 | </listitem>
|
---|
1533 |
|
---|
1534 | </orderedlist>
|
---|
1535 |
|
---|
1536 | </sect1>
|
---|
1537 |
|
---|
1538 | </chapter>
|
---|