source: vbox/trunk/doc/manual/en_US/user_Networking.xml@ 76786

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
<!ENTITY % all.entities SYSTEM "all-entities.ent">
%all.entities;
]>
<chapter id="networkingdetails">

  <title>Virtual Networking</title>

  <para>
    As mentioned in <xref linkend="settings-network" />, &product-name;
    provides up to eight virtual PCI Ethernet cards for each virtual
    machine. For each such card, you can individually select the
    following:
  </para>

  <itemizedlist>

    <listitem>
      <para>
        The hardware that will be virtualized.
      </para>
    </listitem>

    <listitem>
      <para>
        The virtualization mode that the virtual card operates in, with
        respect to your physical networking hardware on the host.
      </para>
    </listitem>

  </itemizedlist>

  <para>
    Four of the network cards can be configured in the
    <emphasis role="bold">Network</emphasis> section of the
    <emphasis role="bold">Settings</emphasis> dialog in the graphical
    user interface of &product-name;. You can configure all eight
    network cards on the command line using <command>VBoxManage
    modifyvm</command>. See <xref linkend="vboxmanage-modifyvm" />.
  </para>

  <para>
    This chapter explains the various networking settings in more
    detail.
  </para>

  <sect1 id="nichardware">

    <title>Virtual Networking Hardware</title>

    <para>
      For each card, you can individually select what kind of
      <emphasis>hardware</emphasis> will be presented to the virtual
      machine. &product-name; can virtualize the following types of
      networking hardware:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          AMD PCNet PCI II (Am79C970A)
        </para>
      </listitem>

      <listitem>
        <para>
          AMD PCNet FAST III (Am79C973), the default setting
        </para>
      </listitem>

      <listitem>
        <para>
          Intel PRO/1000 MT Desktop (82540EM)
        </para>
      </listitem>

      <listitem>
        <para>
          Intel PRO/1000 T Server (82543GC)
        </para>
      </listitem>

      <listitem>
        <para>
          Intel PRO/1000 MT Server (82545EM)
        </para>
      </listitem>

      <listitem>
        <para>
          Paravirtualized network adapter (virtio-net)
        </para>
      </listitem>

    </itemizedlist>

    <para>
      The PCNet FAST III is the default because it is supported by
      nearly all operating systems, as well as by the GNU GRUB boot
      manager. As an exception, the Intel PRO/1000 family adapters are
      chosen for some guest operating system types that no longer ship
      with drivers for the PCNet card, such as Windows Vista.
    </para>

    <para>
      The Intel PRO/1000 MT Desktop type works with Windows Vista and
      later versions. The T Server variant of the Intel PRO/1000 card is
      recognized by Windows XP guests without additional driver
      installation. The MT Server variant facilitates OVF imports from
      other platforms.
    </para>

    <para>
      The Paravirtualized network adapter (virtio-net) is special. If
      you select this adapter, then &product-name; does
      <emphasis>not</emphasis> virtualize common networking hardware
      that is supported by common guest operating systems. Instead,
      &product-name; expects a special software interface for
      virtualized environments to be provided by the guest, thus
      avoiding the complexity of emulating networking hardware and
      improving network performance. &product-name; provides support for
      the industry-standard <emphasis>virtio</emphasis> networking
      drivers, which are part of the open source KVM project.
    </para>

    <para>
      The virtio networking drivers are available for the following
      guest operating systems:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          Linux kernels version 2.6.25 or later can be configured to
          provide virtio support. Some distributions have also
          back-ported virtio to older kernels.
        </para>
      </listitem>

      <listitem>
        <para>
          For Windows 2000, XP, and Vista, virtio drivers can be
          downloaded and installed from the KVM project web page:
        </para>

        <para>
          <ulink
            url="http://www.linux-kvm.org/page/WindowsGuestDrivers">http://www.linux-kvm.org/page/WindowsGuestDrivers</ulink>.
        </para>
      </listitem>

    </itemizedlist>

    <para>
      &product-name; also has limited support for <emphasis>jumbo
      frames</emphasis>. These are networking packets with more than
      1500 bytes of data, provided that you use the Intel card
      virtualization and bridged networking. Jumbo frames are not
      supported with the AMD networking devices. In those cases, jumbo
      packets will silently be dropped for both the transmit and the
      receive direction. Guest operating systems trying to use this
      feature will observe this as a packet loss, which may lead to
      unexpected application behavior in the guest. This does not cause
      problems with guest operating systems in their default
      configuration, as jumbo frames need to be explicitly enabled.
    </para>

  </sect1>

  <sect1 id="networkingmodes">

    <title>Introduction to Networking Modes</title>

    <para>
      Each of the networking adapters can be separately configured to
      operate in one of the following modes:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          <emphasis role="bold">Not attached.</emphasis> In this mode,
          &product-name; reports to the guest that a network card is
          present, but that there is no connection. This is as if no
          Ethernet cable was plugged into the card. Using this mode, it
          is possible to "pull" the virtual Ethernet cable and disrupt
          the connection, which can be useful to inform a guest
          operating system that no network connection is available and
          enforce a reconfiguration.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Network Address Translation
          (NAT)</emphasis>. If all you want is to browse the Web,
          download files, and view email inside the guest, then this
          default mode should be sufficient for you, and you can skip
          the rest of this section. Please note that there are certain
          limitations when using Windows file sharing. See
          <xref linkend="nat-limitations" />.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">NAT Network.</emphasis> A NAT network is
          a type of internal network that allows outbound connections.
          See <xref linkend="network_nat_service"/>.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Bridged networking.</emphasis> This is
          for more advanced networking needs, such as network
          simulations and running servers in a guest. When enabled,
          &product-name; connects to one of your installed network cards
          and exchanges network packets directly, circumventing your
          host operating system's network stack.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Internal networking.</emphasis> This can
          be used to create a different kind of software-based network
          which is visible to selected virtual machines, but not to
          applications running on the host or to the outside world.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Host-only networking.</emphasis> This
          can be used to create a network containing the host and a set
          of virtual machines, without the need for the host's physical
          network interface. Instead, a virtual network interface,
          similar to a loopback interface, is created on the host,
          providing connectivity among virtual machines and the host.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold"> Generic networking.</emphasis> Rarely
          used modes which share the same generic network interface, by
          allowing the user to select a driver which can be included
          with &product-name; or be distributed in an extension pack.
        </para>

        <para>
          The following sub-modes are available:
        </para>

        <itemizedlist>

          <listitem>
            <para>
              <emphasis role="bold">UDP Tunnel:</emphasis> Used to
              interconnect virtual machines running on different hosts
              directly, easily, and transparently, over an existing
              network infrastructure.
            </para>
          </listitem>

          <listitem>
            <para>
              <emphasis role="bold">VDE (Virtual Distributed Ethernet)
              networking:</emphasis> Used to connect to a Virtual
              Distributed Ethernet switch on a Linux or a FreeBSD host.
              At the moment this option requires compilation of
              &product-name; from sources, as the Oracle packages do not
              include it.
            </para>
          </listitem>

        </itemizedlist>
      </listitem>

    </itemizedlist>

    <para>
      The following table provides an overview of the most important
      networking modes.
    </para>

    <table id="table-networking-modes" tabstyle="oracle-all">
      <title>Overview of Networking Modes</title>
      <tgroup cols="6">
        <colspec align="left" />
        <colspec align="center" />
        <colspec align="center" />
        <colspec align="center" />
        <colspec align="center" />
        <colspec align="center" />
        <thead valign="middle">
          <row>
            <entry><emphasis role="bold">Mode</emphasis></entry>
            <entry><para>
                <emphasis role="bold">VM&rarr;Host</emphasis>
              </para></entry>
            <entry><para>
                <emphasis role="bold">VM&larr;Host</emphasis>
              </para></entry>
            <entry><para>
                <emphasis role="bold">VM1&harr;VM2</emphasis>
              </para></entry>
            <entry><para>
                <emphasis role="bold">VM&rarr;Net/LAN</emphasis>
              </para></entry>
            <entry><para>
                <emphasis role="bold">VM&larr;Net/LAN</emphasis>
              </para></entry>
          </row>
        </thead>
        <tbody valign="middle">
          <row>
            <entry><para>
                Host-only
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry align="center"><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry><para>
                &ndash;
              </para></entry>
            <entry><para>
                &ndash;
              </para></entry>
          </row>
          <row>
            <entry><para>
                Internal
              </para></entry>
            <entry><para>
                &ndash;
              </para></entry>
            <entry><para>
                &ndash;
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry><para>
                &ndash;
              </para></entry>
            <entry><para>
                &ndash;
              </para></entry>
          </row>
          <row>
            <entry><para>
                Bridged
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
          </row>
          <row>
            <entry><para>
                NAT
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry><para>
                <link linkend="natforward">Port forward</link>
              </para></entry>
            <entry><para>
                &ndash;
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry><para>
                <link linkend="natforward">Port forward</link>
              </para></entry>
          </row>
          <row>
            <entry><para>
                NATservice
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry><para>
                <link linkend="network_nat_service">Port forward</link>
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry><para>
                <emphasis role="bold">+</emphasis>
              </para></entry>
            <entry><para>
                <link linkend="network_nat_service">Port forward</link>
              </para></entry>
          </row>
        </tbody>
      </tgroup>
    </table>

    <para>
      The following sections describe the available network modes in
      more detail.
    </para>

  </sect1>

  <sect1 id="network_nat">

    <title>Network Address Translation (NAT)</title>

    <para>
      Network Address Translation (NAT) is the simplest way of accessing
      an external network from a virtual machine. Usually, it does not
      require any configuration on the host network and guest system.
      For this reason, it is the default networking mode in
      &product-name;.
    </para>

    <para>
      A virtual machine with NAT enabled acts much like a real computer
      that connects to the Internet through a router. The router, in
      this case, is the &product-name; networking engine, which maps
      traffic from and to the virtual machine transparently. In
      &product-name; this router is placed between each virtual machine
      and the host. This separation maximizes security since by default
      virtual machines cannot talk to each other.
    </para>

    <para>
      The disadvantage of NAT mode is that, much like a private network
      behind a router, the virtual machine is invisible and unreachable
      from the outside internet. You cannot run a server this way unless
      you set up port forwarding. See <xref linkend="natforward"/>.
    </para>

    <para>
      The network frames sent out by the guest operating system are
      received by &product-name;'s NAT engine, which extracts the TCP/IP
      data and resends it using the host operating system. To an
      application on the host, or to another computer on the same
      network as the host, it looks like the data was sent by the
      &product-name; application on the host, using an IP address
      belonging to the host. &product-name; listens for replies to the
      packages sent, and repacks and resends them to the guest machine
      on its private network.
    </para>

    <para>
      The virtual machine receives its network address and configuration
      on the private network from a DHCP server integrated into
      &product-name;. The IP address thus assigned to the virtual
      machine is usually on a completely different network than the
      host. As more than one card of a virtual machine can be set up to
      use NAT, the first card is connected to the private network
      10.0.2.0, the second card to the network 10.0.3.0 and so on. If
      you need to change the guest-assigned IP range, see
      <xref linkend="changenat" />.
    </para>

    <sect2 id="natforward">

      <title>Configuring Port Forwarding with NAT</title>

      <para>
        As the virtual machine is connected to a private network
        internal to &product-name; and invisible to the host, network
        services on the guest are not accessible to the host machine or
        to other computers on the same network. However, like a physical
        router, &product-name; can make selected services available to
        the world outside the guest through <emphasis>port
        forwarding</emphasis>. This means that &product-name; listens to
        certain ports on the host and resends all packets which arrive
        there to the guest, on the same or a different port.
      </para>

      <para>
        To an application on the host or other physical or virtual
        machines on the network, it looks as though the service being
        proxied is actually running on the host. This also means that
        you cannot run the same service on the same ports on the host.
        However, you still gain the advantages of running the service in
        a virtual machine. For example, services on the host machine or
        on other virtual machines cannot be compromised or crashed by a
        vulnerability or a bug in the service, and the service can run
        in a different operating system than the host system.
      </para>

      <para>
        To configure port forwarding you can use the graphical
        <emphasis role="bold">Port Forwarding</emphasis> editor which
        can be found in the <emphasis role="bold">Network
        Settings</emphasis> dialog for network adaptors configured to
        use NAT. Here, you can map host ports to guest ports to allow
        network traffic to be routed to a specific port in the guest.
      </para>

      <para>
        Alternatively, the command line tool
        <command>VBoxManage</command> can be used. See
        <xref linkend="vboxmanage-modifyvm" />.
      </para>

      <para>
        You will need to know which ports on the guest the service uses
        and to decide which ports to use on the host. You may want to
        use the same ports on the guest and on the host. You can use any
        ports on the host which are not already in use by a service. For
        example, to set up incoming NAT connections to an
        <computeroutput>ssh</computeroutput> server in the guest, use
        the following command:
      </para>

<screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,,22"</screen>

      <para>
        In the above example, all TCP traffic arriving on port 2222 on
        any host interface will be forwarded to port 22 in the guest.
        The protocol name <computeroutput>tcp</computeroutput> is a
        mandatory attribute defining which protocol should be used for
        forwarding, <computeroutput>udp</computeroutput> could also be
        used. The name <computeroutput>guestssh</computeroutput> is
        purely descriptive and will be auto-generated if omitted. The
        number after <option>--natpf</option> denotes the network card,
        as with other <command>VBoxManage</command> commands.
      </para>

      <para>
        To remove this forwarding rule, use the following command:
      </para>

<screen>VBoxManage modifyvm "VM name" --natpf1 delete "guestssh"</screen>

      <para>
        If for some reason the guest uses a static assigned IP address
        not leased from the built-in DHCP server, it is required to
        specify the guest IP when registering the forwarding rule, as
        follows:
      </para>

<screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,10.0.2.19,22"</screen>

      <para>
        This example is identical to the previous one, except that the
        NAT engine is being told that the guest can be found at the
        10.0.2.19 address.
      </para>

      <para>
        To forward <emphasis>all</emphasis> incoming traffic from a
        specific host interface to the guest, specify the IP of that
        host interface as follows:
      </para>

<screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,127.0.0.1,2222,,22"</screen>

      <para>
        This example forwards all TCP traffic arriving on the localhost
        interface at 127.0.0.1 through port 2222 to port 22 in the
        guest.
      </para>

      <para>
        It is possible to configure incoming NAT connections while the
        VM is running, see <xref linkend="vboxmanage-controlvm"/>.
      </para>

    </sect2>

    <sect2 id="nat-tftp">

      <title>PXE Booting with NAT</title>

      <para>
        PXE booting is now supported in NAT mode. The NAT DHCP server
        provides a boot file name of the form
        <computeroutput>vmname.pxe</computeroutput> if the directory
        <computeroutput>TFTP</computeroutput> exists in the directory
        where the user's <computeroutput>VirtualBox.xml</computeroutput>
        file is kept. It is the responsibility of the user to provide
        <computeroutput>vmname.pxe</computeroutput>.
      </para>

    </sect2>

    <sect2 id="nat-limitations">

      <title>NAT Limitations</title>

      <para>
        There are some limitations of NAT mode which users should be
        aware of, as follows:
      </para>

      <itemizedlist>

        <listitem>
          <para>
            <emphasis role="bold">ICMP protocol limitations.</emphasis>
            Some frequently used network debugging tools, such as
            <computeroutput>ping</computeroutput> or tracerouting, rely
            on the ICMP protocol for sending and receiving messages.
            While ICMP support has been improved with &product-name;
            2.1, meaning <computeroutput>ping</computeroutput> should
            now work, some other tools may not work reliably.
          </para>
        </listitem>

        <listitem>
          <para>
            <emphasis role="bold">Receiving of UDP
            broadcasts.</emphasis> The guest does not reliably receive
            UDP broadcasts. In order to save resources, it only listens
            for a certain amount of time after the guest has sent UDP
            data on a particular port. As a consequence, NetBios name
            resolution based on broadcasts does not always work, but
            WINS always works. As a workaround, you can use the numeric
            IP of the desired server in the
            <computeroutput>\\server\share</computeroutput> notation.
          </para>
        </listitem>

        <listitem>
          <para>
            <emphasis role="bold">Some protocols are not
            supported.</emphasis> Protocols other than TCP and UDP are
            not supported. GRE is not supported. This means some VPN
            products, such as PPTP from Microsoft, cannot be used. There
            are other VPN products which use only TCP and UDP.
          </para>
        </listitem>

        <listitem>
          <para>
            <emphasis role="bold">Forwarding host ports below
            1024.</emphasis> On UNIX-based hosts, such as Linux, Oracle
            Solaris, and Mac OS X, it is not possible to bind to ports
            below 1024 from applications that are not run by
            <computeroutput>root</computeroutput>. As a result, if you
            try to configure such a port forwarding, the VM will refuse
            to start.
          </para>
        </listitem>

      </itemizedlist>

      <para>
        These limitations normally do not affect standard network use.
        But the presence of NAT has also subtle effects that may
        interfere with protocols that are normally working. One example
        is NFS, where the server is often configured to refuse
        connections from non-privileged ports, which are those ports not
        below 1024.
      </para>

    </sect2>

  </sect1>

  <sect1 id="network_nat_service">

    <title>Network Address Translation Service</title>

    <para>
      The Network Address Translation (NAT) service works in a similar
      way to a home router, grouping the systems using it into a network
      and preventing systems outside of this network from directly
      accessing systems inside it, but letting systems inside
      communicate with each other and with systems outside using TCP and
      UDP over IPv4 and IPv6.
    </para>

    <para>
      A NAT service is attached to an internal network. Virtual machines
      which are to make use of it should be attached to that internal
      network. The name of internal network is chosen when the NAT
      service is created and the internal network will be created if it
      does not already exist. The following is an example command to
      create a NAT network:
    </para>

<screen>VBoxManage natnetwork add --netname natnet1 --network "192.168.15.0/24" --enable</screen>

    <para>
      Here, natnet1 is the name of the internal network to be used and
      192.168.15.0/24 is the network address and mask of the NAT service
      interface. By default in this static configuration the gateway
      will be assigned the address 192.168.15.1, the address following
      the interface address, though this is subject to change. To attach
      a DHCP server to the internal network, modify the example command
      as follows:
    </para>

<screen>VBoxManage natnetwork add --netname natnet1 --network "192.168.15.0/24" --enable --dhcp on</screen>

    <para>
      To add a DHCP server to an existing network, use the following
      command:
    </para>

<screen>VBoxManage natnetwork modify --netname natnet1 --dhcp on</screen>

    <para>
      To disable the DHCP server, use the following command:
    </para>

<screen>VBoxManage natnetwork modify --netname natnet1 --dhcp off</screen>

    <para>
      A DHCP server provides a list of registered nameservers, but does
      not map servers from the 127/8 network.
    </para>

    <para>
      To start the NAT service, use the following command:
    </para>

<screen>VBoxManage natnetwork start --netname natnet1</screen>

    <para>
      If the network has a DHCP server attached then it will start
      together with the NAT network service.
    </para>

    <para>
      To stop the NAT network service, together with any DHCP server:
    </para>

<screen>VBoxManage natnetwork stop --netname natnet1</screen>

    <para>
      To delete the NAT network service:
    </para>

<screen>VBoxManage natnetwork remove --netname natnet1</screen>

    <para>
      This command does not remove the DHCP server if one is enabled on
      the internal network.
    </para>

    <para>
      Port-forwarding is supported, using the
      <computeroutput>--port-forward-4</computeroutput> switch for IPv4
      and <computeroutput>--port-forward-6</computeroutput> for IPv6.
      For example:
    </para>

<screen>VBoxManage natnetwork modify \
  --netname natnet1 --port-forward-4 "ssh:tcp:[]:1022:[192.168.15.5]:22"</screen>

    <para>
      This adds a port-forwarding rule from the host's TCP 1022 port to
      the port 22 on the guest with IP address 192.168.15.5. Host port,
      guest port and guest IP are mandatory. To delete the rule, use the
      following command:
    </para>

<screen>VBoxManage natnetwork modify --netname natnet1 --port-forward-4 delete ssh</screen>

    <para>
      It is possible to bind a NAT service to specified interface. For
      example:
    </para>

<screen>VBoxManage setextradata global "NAT/win-nat-test-0/SourceIp4" 192.168.1.185</screen>

    <para>
      To see the list of registered NAT networks, use the following
      command:
    </para>

<screen>VBoxManage list natnetworks</screen>

  </sect1>

  <sect1 id="network_bridged">

    <title>Bridged Networking</title>

    <para>
      With bridged networking, &product-name; uses a device driver on
      your <emphasis>host</emphasis> system that filters data from your
      physical network adapter. This driver is therefore called a
      <emphasis>net filter</emphasis> driver. This enables
      &product-name; to intercept data from the physical network and
      inject data into it, effectively creating a new network interface
      in software. When a guest is using such a new software interface,
      it looks to the host system as though the guest were physically
      connected to the interface using a network cable. The host can
      send data to the guest through that interface and receive data
      from it. This means that you can set up routing or bridging
      between the guest and the rest of your network.
    </para>

    <note>
      <para>
        Even though TAP interfaces are no longer necessary on Linux for
        bridged networking, you <emphasis>can</emphasis> still use TAP
        interfaces for certain advanced setups, since you can connect a
        VM to any host interface.
      </para>
    </note>

    <para>
      To enable bridged networking, open the
      <emphasis role="bold">Settings</emphasis> dialog of a virtual
      machine, go to the <emphasis role="bold">Network</emphasis> page
      and select <emphasis role="bold">Bridged Network</emphasis> in the
      drop-down list for the <emphasis role="bold">Attached
      To</emphasis> field. Select a host interface from the list at the
      bottom of the page, which contains the physical network interfaces
      of your systems. On a typical MacBook, for example, this will
      allow you to select between en1: AirPort, which is the wireless
      interface, and en0: Ethernet, which represents the interface with
      a network cable.
    </para>

    <note>
      <para>
        Bridging to a wireless interface is done differently from
        bridging to a wired interface, because most wireless adapters do
        not support promiscuous mode. All traffic has to use the MAC
        address of the host's wireless adapter, and therefore
        &product-name; needs to replace the source MAC address in the
        Ethernet header of an outgoing packet to make sure the reply
        will be sent to the host interface. When &product-name; sees an
        incoming packet with a destination IP address that belongs to
        one of the virtual machine adapters it replaces the destination
        MAC address in the Ethernet header with the VM adapter's MAC
        address and passes it on. &product-name; examines ARP and DHCP
        packets in order to learn the IP addresses of virtual machines.
      </para>
    </note>

    <para>
      Depending on your host operating system, the following limitations
      apply:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          <emphasis role="bold">Mac OS X hosts.</emphasis> Functionality
          is limited when using AirPort, the Mac's wireless networking
          system, for bridged networking. Currently, &product-name;
          supports only IPv4 and IPv6 over AirPort. For other protocols,
          such as IPX, you must choose a wired interface.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Linux hosts.</emphasis> Functionality is
          limited when using wireless interfaces for bridged networking.
          Currently, &product-name; supports only IPv4 and IPv6 over
          wireless. For other protocols, such as IPX, you must choose a
          wired interface.
        </para>

        <para>
          Also, setting the MTU to less than 1500 bytes on wired
          interfaces provided by the sky2 driver on the Marvell Yukon II
          EC Ultra Ethernet NIC is known to cause packet losses under
          certain conditions.
        </para>

        <para>
          Some adapters strip VLAN tags in hardware. This does not allow
          you to use VLAN trunking between VM and the external network
          with pre-2.6.27 Linux kernels, or with host operating systems
          other than Linux.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Oracle Solaris hosts.</emphasis> There
          is no support for using wireless interfaces. Filtering guest
          traffic using IPFilter is also not completely supported due to
          technical restrictions of the Oracle Solaris networking
          subsystem. These issues may be addressed in later releases of
          Oracle Solaris 11.
        </para>

        <para>
          On Oracle Solaris 11 hosts build 159 and above, it is possible
          to use Oracle Solaris Crossbow Virtual Network Interfaces
          (VNICs) directly with &product-name; without any additional
          configuration other than each VNIC must be exclusive for every
          guest network interface.
        </para>

        <para>
          When using VLAN interfaces with &product-name;, they must be
          named according to the PPA-hack naming scheme, such as
          e1000g513001. Otherwise, the guest may receive packets in an
          unexpected format.
        </para>
      </listitem>

    </itemizedlist>

  </sect1>

  <sect1 id="network_internal">

    <title>Internal Networking</title>

    <para>
      Internal Networking is similar to bridged networking in that the
      VM can directly communicate with the outside world. However, the
      outside world is limited to other VMs on the same host which
      connect to the same internal network.
    </para>

    <para>
      Even though technically, everything that can be done using
      internal networking can also be done using bridged networking,
      there are security advantages with internal networking. In bridged
      networking mode, all traffic goes through a physical interface of
      the host system. It is therefore possible to attach a packet
      sniffer such as Wireshark to the host interface and log all
      traffic that goes over it. If, for any reason, you prefer two or
      more VMs on the same machine to communicate privately, hiding
      their data from both the host system and the user, bridged
      networking therefore is not an option.
    </para>

    <para>
      Internal networks are created automatically as needed. There is no
      central configuration. Every internal network is identified simply
      by its name. Once there is more than one active virtual network
      card with the same internal network ID, the &product-name; support
      driver will automatically <emphasis>wire</emphasis> the cards and
      act as a network switch. The &product-name; support driver
      implements a complete Ethernet switch and supports both
      broadcast/multicast frames and promiscuous mode.
    </para>

    <para>
      In order to attach a VM's network card to an internal network, set
      its networking mode to Internal Networking. There are two ways to
      accomplish this:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          Use the VM's <emphasis role="bold">Settings</emphasis> dialog
          in the &product-name; graphical user interface. In the
          <emphasis role="bold">Networking</emphasis> category of the
          settings dialog, select <emphasis role="bold">Internal
          Networking</emphasis> from the drop-down list of networking
          modes. Select the name of an existing internal network from
          the drop-down list below, or enter a new name into the
          <emphasis role="bold">Name</emphasis> field.
        </para>
      </listitem>

      <listitem>
        <para>
          Use the command line, for example:
        </para>

<screen>VBoxManage modifyvm "VM name" --nic&lt;x&gt; intnet</screen>

        <para>
          Optionally, you can specify a network name with the command:
        </para>

<screen>VBoxManage modifyvm "VM name" --intnet&lt;x&gt; "network name"</screen>

        <para>
          If you do not specify a network name, the network card will be
          attached to the network
          <computeroutput>intnet</computeroutput> by default.
        </para>
      </listitem>

    </itemizedlist>

    <para>
      Unless you configure the virtual network cards in the guest
      operating systems that are participating in the internal network
      to use static IP addresses, you may want to use the DHCP server
      that is built into &product-name; to manage IP addresses for the
      internal network. See <xref linkend="vboxmanage-dhcpserver" />.
    </para>

    <para>
      As a security measure, by default, the Linux implementation of
      internal networking only allows VMs running under the same user ID
      to establish an internal network. However, it is possible to
      create a shared internal networking interface, accessible by users
      with different user IDs.
    </para>

  </sect1>

  <sect1 id="network_hostonly">

    <title>Host-Only Networking</title>

    <para>
      Host-only networking is another networking mode that was added
      with version 2.2 of &product-name;. It can be thought of as a
      hybrid between the bridged and internal networking modes. As with
      bridged networking, the virtual machines can talk to each other
      and the host as if they were connected through a physical Ethernet
      switch. As with internal networking, a physical networking
      interface need not be present, and the virtual machines cannot
      talk to the world outside the host since they are not connected to
      a physical networking interface.
    </para>

    <para>
      When host-only networking is used, &product-name; creates a new
      software interface on the host which then appears next to your
      existing network interfaces. In other words, whereas with bridged
      networking an existing physical interface is used to attach
      virtual machines to, with host-only networking a new
      <emphasis>loopback</emphasis> interface is created on the host.
      And whereas with internal networking, the traffic between the
      virtual machines cannot be seen, the traffic on the loopback
      interface on the host can be intercepted.
    </para>

    <para>
      Host-only networking is particularly useful for preconfigured
      virtual appliances, where multiple virtual machines are shipped
      together and designed to cooperate. For example, one virtual
      machine may contain a web server and a second one a database, and
      since they are intended to talk to each other, the appliance can
      instruct &product-name; to set up a host-only network for the two.
      A second, bridged, network would then connect the web server to
      the outside world to serve data to, but the outside world cannot
      connect to the database.
    </para>

    <para>
      To change a virtual machine's virtual network interface to Host
      Only mode, do either of the following:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          Go to the <emphasis role="bold">Network</emphasis> page in the
          virtual machine's <emphasis role="bold">Settings</emphasis>
          dialog and select <emphasis role="bold">Host-Only
          Networking</emphasis>.
        </para>
      </listitem>

      <listitem>
        <para>
          On the command line, enter <computeroutput>VBoxManage modifyvm
          "VM name" --nic&lt;x&gt; hostonly</computeroutput>. See
          <xref
          linkend="vboxmanage-modifyvm" />.
        </para>
      </listitem>

    </itemizedlist>

    <para>
      Before you can attach a VM to a host-only network you have to
      create at least one host-only interface. You can use the GUI for
      this. Choose <emphasis role="bold">File</emphasis>,
      <emphasis role="bold">Preferences</emphasis>,
      <emphasis role="bold">Network</emphasis>,
      <emphasis role="bold">Host-Only Network</emphasis>,
      <emphasis role="bold">(+)Add Host-Only Network</emphasis>.
    </para>

    <para>
      Alternatively, you can use the command line:
    </para>

<screen>VBoxManage hostonlyif create</screen>

    <para>
      See <xref linkend="vboxmanage-hostonlyif" />.
    </para>

    <para>
      For host-only networking, as with internal networking, you may
      find the DHCP server useful that is built into &product-name;.
      This can be enabled to then manage the IP addresses in the
      host-only network since otherwise you would need to configure all
      IP addresses statically.
    </para>

    <itemizedlist>

      <listitem>
        <para>
          In the &product-name; graphical user interface, you can
          configure all these items in the global settings by choosing
          <emphasis role="bold">File</emphasis>,
          <emphasis role="bold">Preferences</emphasis>,
          <emphasis role="bold">Network</emphasis>. This lists all
          host-only networks which are presently in use. Click on the
          network name and then on
          <emphasis role="bold">Edit</emphasis>. You can then modify the
          adapter and DHCP settings.
        </para>
      </listitem>

      <listitem>
        <para>
          Alternatively, you can use <command>VBoxManage
          dhcpserver</command> on the command line. See
          <xref
          linkend="vboxmanage-dhcpserver" />.
        </para>
      </listitem>

    </itemizedlist>

    <note>
      <para>
        On Linux and Mac OS X hosts the number of host-only interfaces
        is limited to 128. There is no such limit for Oracle Solaris and
        Windows hosts.
      </para>
    </note>

  </sect1>

  <sect1 id="network_udp_tunnel">

    <title>UDP Tunnel Networking</title>

    <para>
      This networking mode enables you to interconnect virtual machines
      running on different hosts.
    </para>

    <para>
      Technically this is done by encapsulating Ethernet frames sent or
      received by the guest network card into UDP/IP datagrams, and
      sending them over any network available to the host.
    </para>

    <para>
      UDP Tunnel mode has the following parameters:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          <emphasis role="bold">Source UDP port:</emphasis> The port on
          which the host listens. Datagrams arriving on this port from
          any source address will be forwarded to the receiving part of
          the guest network card.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Destination address:</emphasis> IP
          address of the target host of the transmitted data.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Destination UDP port:</emphasis> Port
          number to which the transmitted data is sent.
        </para>
      </listitem>

    </itemizedlist>

    <para>
      When interconnecting two virtual machines on two different hosts,
      their IP addresses must be swapped. On a single host, source and
      destination UDP ports must be swapped.
    </para>

    <para>
      In the following example, host 1 uses the IP address 10.0.0.1 and
      host 2 uses IP address 10.0.0.2. To configure using the
      command-line:
    </para>

<screen>        VBoxManage modifyvm "VM 01 on host 1" --nic&lt;x&gt; generic
        VBoxManage modifyvm "VM 01 on host 1" --nicgenericdrv&lt;x&gt; UDPTunnel
        VBoxManage modifyvm "VM 01 on host 1" --nicproperty&lt;x&gt; dest=10.0.0.2
        VBoxManage modifyvm "VM 01 on host 1" --nicproperty&lt;x&gt; sport=10001
        VBoxManage modifyvm "VM 01 on host 1" --nicproperty&lt;x&gt; dport=10002</screen>

<screen>        VBoxManage modifyvm "VM 02 on host 2" --nic&lt;y&gt; generic
        VBoxManage modifyvm "VM 02 on host 2" --nicgenericdrv&lt;y&gt; UDPTunnel
        VBoxManage modifyvm "VM 02 on host 2" --nicproperty&lt;y&gt; dest=10.0.0.1
        VBoxManage modifyvm "VM 02 on host 2" --nicproperty&lt;y&gt; sport=10002
        VBoxManage modifyvm "VM 02 on host 2" --nicproperty&lt;y&gt; dport=10001</screen>

    <para>
      Of course, you can always interconnect two virtual machines on the
      same host, by setting the destination address parameter to
      127.0.0.1 on both. It will act similarly to an internal network in
      this case. However, the host can see the network traffic which it
      could not in the normal internal network case.
    </para>

    <note>
      <para>
        On UNIX-based hosts, such as Linux, Oracle Solaris, and Mac OS
        X, it is not possible to bind to ports below 1024 from
        applications that are not run by
        <computeroutput>root</computeroutput>. As a result, if you try
        to configure such a source UDP port, the VM will refuse to
        start.
      </para>
    </note>

  </sect1>

  <sect1 id="network_vde">

    <title>VDE Networking</title>

    <para>
      Virtual Distributed Ethernet (VDE) is a flexible, virtual network
      infrastructure system, spanning across multiple hosts in a secure
      way. It enables L2/L3 switching, including spanning-tree protocol,
      VLANs, and WAN emulation. It is an optional part of &product-name;
      which is only included in the source code.
    </para>

    <para>
      VDE is a project developed by Renzo Davoli, Associate Professor at
      the University of Bologna, Italy.
    </para>

    <para>
      The basic building blocks of the infrastructure are VDE switches,
      VDE plugs, and VDE wires which interconnect the switches.
    </para>

    <para>
      The &product-name; VDE driver has a single parameter: VDE network.
      This is the name of the VDE network switch socket to which the VM
      will be connected.
    </para>

    <para>
      The following basic example shows how to connect a virtual machine
      to a VDE switch.
    </para>

    <orderedlist>

      <listitem>
        <para>
          Create a VDE switch:
        </para>

<screen>vde_switch -s /tmp/switch1</screen>
      </listitem>

      <listitem>
        <para>
          Configure VMs using the command-line:
        </para>

<screen>VBoxManage modifyvm "VM name" --nic&lt;x&gt; generic</screen>

<screen>VBoxManage modifyvm "VM name" --nicgenericdrv&lt;x&gt; VDE</screen>

        <para>
          To connect to an automatically allocated switch port:
        </para>

<screen>VBoxManage modifyvm "VM name" --nicproperty&lt;x&gt; network=/tmp/switch1</screen>

        <para>
          To connect to a specific switch port
          <replaceable>n</replaceable>:
        </para>

<screen>VBoxManage modifyvm "VM name" --nicproperty&lt;x&gt; network=/tmp/switch1[&lt;n&gt;]</screen>

        <para>
          This command can be useful for VLANs.
        </para>
      </listitem>

      <listitem>
        <para>
          (Optional) Map between a VDE switch port and a VLAN.
        </para>

        <para>
          Using the switch command line:
        </para>

<screen>vde$ vlan/create &lt;VLAN&gt;</screen>

<screen>vde$ port/setvlan &lt;port&gt; &lt;VLAN&gt;</screen>
      </listitem>

    </orderedlist>

    <para>
      VDE is available on Linux and FreeBSD hosts only. It is only
      available if the VDE software and the VDE plugin library from the
      VirtualSquare project are installed on the host system.
    </para>

    <note>
      <para>
        For Linux hosts, the shared library libvdeplug.so must be
        available in the search path for shared libraries.
      </para>
    </note>

    <para>
      For more information on setting up VDE networks, please see the
      documentation accompanying the software. See also
      <ulink
        url="http://wiki.virtualsquare.org/wiki/index.php/VDE_Basic_Networking">http://wiki.virtualsquare.org/wiki/index.php/VDE_Basic_Networking</ulink>.
    </para>

  </sect1>

  <sect1 id="network_bandwidth_limit">

    <title>Limiting Bandwidth for Network Input/Output</title>

    <para>
      &product-name; supports limiting of the maximum bandwidth used for
      network transmission. Several network adapters of one VM may share
      limits through bandwidth groups. It is possible to have more than
      one such limit.
    </para>

    <note>
      <para>
        &product-name; shapes VM traffic only in the transmit direction,
        delaying the packets being sent by virtual machines. It does not
        limit the traffic being received by virtual machines.
      </para>
    </note>

    <para>
      Limits are configured through <command>VBoxManage</command>. The
      following example creates a bandwidth group named Limit, sets the
      limit to 20 Mbps and assigns the group to the first and second
      adapters of the VM:
    </para>

<screen>VBoxManage bandwidthctl "VM name" add Limit --type network --limit 20m
VBoxManage modifyvm "VM name" --nicbandwidthgroup1 Limit
VBoxManage modifyvm "VM name" --nicbandwidthgroup2 Limit</screen>

    <para>
      All adapters in a group share the bandwidth limit, meaning that in
      the example above the bandwidth of both adapters combined can
      never exceed 20 Mbps. However, if one adapter does not require
      bandwidth the other can use the remaining bandwidth of its group.
    </para>

    <para>
      The limits for each group can be changed while the VM is running,
      with changes being picked up immediately. The following example
      changes the limit for the group created in the previous example to
      100 Kbps:
    </para>

<screen>VBoxManage bandwidthctl "VM name" set Limit --limit 100k</screen>

    <para>
      To completely disable shaping for the first adapter of VM use the
      following command:
    </para>

<screen>VBoxManage modifyvm "VM name" --nicbandwidthgroup1 none</screen>

    <para>
      It is also possible to disable shaping for all adapters assigned
      to a bandwidth group while VM is running, by specifying the zero
      limit for the group. For example, for the bandwidth group named
      Limit:
    </para>

<screen>VBoxManage bandwidthctl "VM name" set Limit --limit 0</screen>

  </sect1>

  <sect1 id="network_performance">

    <title>Improving Network Performance</title>

    <para>
      &product-name; provides a variety of virtual network adapters that
      can be attached to the host's network in a number of ways.
      Depending on which types of adapters and attachments are used the
      network performance will be different. Performance-wise the virtio
      network adapter is preferable over Intel PRO/1000 emulated
      adapters, which are preferred over the PCNet family of adapters.
      Both virtio and Intel PRO/1000 adapters enjoy the benefit of
      segmentation and checksum offloading. Segmentation offloading is
      essential for high performance as it allows for less context
      switches, dramatically increasing the sizes of packets that cross
      the VM/host boundary.
    </para>

    <note>
      <para>
        Neither virtio nor Intel PRO/1000 drivers for Windows XP support
        segmentation offloading. Therefore Windows XP guests never reach
        the same transmission rates as other guest types. Refer to MS
        Knowledge base article 842264 for additional information.
      </para>
    </note>

    <para>
      Three attachment types: Internal, Bridged, and Host-Only, have
      nearly identical performance. The Internal type is a little bit
      faster and uses less CPU cycles as the packets never reach the
      host's network stack. The NAT attachment type is the slowest and
      most secure of all attachment types, as it provides network
      address translation. The generic driver attachment is special and
      cannot be considered as an alternative to other attachment types.
    </para>

    <para>
      The number of CPUs assigned to VM does not improve network
      performance and in some cases may hurt it due to increased
      concurrency in the guest.
    </para>

    <para>
      Here is a short summary of things to check in order to improve
      network performance:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          Whenever possible use the virtio network adapter. Otherwise,
          use one of the Intel PRO/1000 adapters.
        </para>
      </listitem>

      <listitem>
        <para>
          Use a Bridged attachment instead of NAT.
        </para>
      </listitem>

      <listitem>
        <para>
          Make sure segmentation offloading is enabled in the guest OS.
          Usually it will be enabled by default. You can check and
          modify offloading settings using the
          <command>ethtool</command> command on Linux guests.
        </para>
      </listitem>

      <listitem>
        <para>
          Perform a full detailed analysis of network traffic on the
          VM's network adaptor using a third party tool such as
          Wireshark. To do this, a promiscuous mode policy needs to be
          used on the VM's network adaptor. Use of this mode is only
          possible on the following network types: NAT Network, Bridged
          Adapter, Internal Network, and Host-Only Adapter.
        </para>

        <para>
          To setup a promiscuous mode policy, either select from the
          drop down list located in the <emphasis role="bold">Network
          Settings</emphasis> dialog for the network adaptor or use the
          command line tool <command>VBoxManage</command>. See
          <xref linkend="vboxmanage-modifyvm" />.
        </para>

        <para>
          Promiscuous mode policies are as follows:
        </para>

        <itemizedlist>

          <listitem>
            <para>
              <computeroutput>deny</computeroutput>, which hides any
              traffic not intended for the VM's network adaptor. This is
              the default setting.
            </para>
          </listitem>

          <listitem>
            <para>
              <computeroutput>allow-vms</computeroutput>, which hides
              all host traffic from the VM's network adaptor, but allows
              it to see traffic from and to other VMs.
            </para>
          </listitem>

          <listitem>
            <para>
              <computeroutput>allow-all</computeroutput>, which removes
              all restrictions. The VM's network adaptor sees all
              traffic.
            </para>
          </listitem>

        </itemizedlist>
      </listitem>

    </itemizedlist>

  </sect1>

</chapter>