source: vbox/trunk/doc/manual/en_US/user_Networking.xml@ 86692

Last change on this file since 86692 was 85107, checked in by vboxsync, 4 years ago

doc/manual: Clarify NAT/NAT service behavior regarding loopback access. Eliminate all "e.g." which have sneaked into the docs. Oracle doc team is avoiding it.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
<!ENTITY % all.entities SYSTEM "all-entities.ent">
%all.entities;
]>
<chapter id="networkingdetails">

<title>Virtual Networking</title>

<para>
As mentioned in <xref linkend="settings-network" />, &product-name;
provides up to eight virtual PCI Ethernet cards for each virtual
machine. For each such card, you can individually select the
following:
</para>

<itemizedlist>

<listitem>
<para>
The hardware that will be virtualized.
</para>
</listitem>

<listitem>
<para>
The virtualization mode that the virtual card operates in, with
respect to your physical networking hardware on the host.
</para>
</listitem>

</itemizedlist>

<para>
Four of the network cards can be configured in the
<emphasis role="bold">Network</emphasis> section of the
<emphasis role="bold">Settings</emphasis> dialog in the graphical
user interface of &product-name;. You can configure all eight
network cards on the command line using <command>VBoxManage
modifyvm</command>. See <xref linkend="vboxmanage-modifyvm" />.
</para>

<para>
This chapter explains the various networking settings in more
detail.
</para>

<sect1 id="nichardware">

<title>Virtual Networking Hardware</title>

<para>
For each card, you can individually select what kind of
<emphasis>hardware</emphasis> will be presented to the virtual
machine. &product-name; can virtualize the following types of
networking hardware:
</para>

<itemizedlist>

<listitem>
<para>
AMD PCNet PCI II (Am79C970A)
</para>
</listitem>

<listitem>
<para>
AMD PCNet FAST III (Am79C973), the default setting
</para>
</listitem>

<listitem>
<para>
Intel PRO/1000 MT Desktop (82540EM)
</para>
</listitem>

<listitem>
<para>
Intel PRO/1000 T Server (82543GC)
</para>
</listitem>

<listitem>
<para>
Intel PRO/1000 MT Server (82545EM)
</para>
</listitem>

<listitem>
<para>
Paravirtualized network adapter (virtio-net)
</para>
</listitem>

</itemizedlist>

<para>
The PCNet FAST III is the default because it is supported by
nearly all operating systems, as well as by the GNU GRUB boot
manager. As an exception, the Intel PRO/1000 family adapters are
chosen for some guest operating system types that no longer ship
with drivers for the PCNet card, such as Windows Vista.
</para>

<para>
The Intel PRO/1000 MT Desktop type works with Windows Vista and
later versions. The T Server variant of the Intel PRO/1000 card is
recognized by Windows XP guests without additional driver
installation. The MT Server variant facilitates OVF imports from
other platforms.
</para>

<para>
The Paravirtualized network adapter (virtio-net) is special. If
you select this adapter, then &product-name; does
<emphasis>not</emphasis> virtualize common networking hardware
that is supported by common guest operating systems. Instead,
&product-name; expects a special software interface for
virtualized environments to be provided by the guest, thus
avoiding the complexity of emulating networking hardware and
improving network performance. &product-name; provides support for
the industry-standard <emphasis>virtio</emphasis> networking
drivers, which are part of the open source KVM project.
</para>

<para>
The virtio networking drivers are available for the following
guest operating systems:
</para>

<itemizedlist>

<listitem>
<para>
Linux kernels version 2.6.25 or later can be configured to
provide virtio support. Some distributions have also
back-ported virtio to older kernels.
</para>
</listitem>

<listitem>
<para>
For Windows 2000, XP, and Vista, virtio drivers can be
downloaded and installed from the KVM project web page:
</para>

<para>
<ulink
url="http://www.linux-kvm.org/page/WindowsGuestDrivers" />.
</para>
</listitem>

</itemizedlist>

<para>
&product-name; also has limited support for <emphasis>jumbo
frames</emphasis>, that is, networking packets carrying more than
1500 bytes of data. They are supported only when you use the Intel
card virtualization together with bridged networking. Jumbo frames
are not supported with the AMD networking devices. In those cases,
jumbo packets will silently be dropped in both the transmit and the
receive direction. Guest operating systems trying to use this
feature will observe this as packet loss, which may lead to
unexpected application behavior in the guest. This does not cause
problems with guest operating systems in their default
configuration, as jumbo frames need to be explicitly enabled.
</para>

</sect1>

<sect1 id="networkingmodes">

<title>Introduction to Networking Modes</title>

<para>
Each of the networking adapters can be separately configured to
operate in one of the following modes:
</para>

<itemizedlist>

<listitem>
<para>
<emphasis role="bold">Not attached.</emphasis> In this mode,
&product-name; reports to the guest that a network card is
present, but that there is no connection. This is as if no
Ethernet cable was plugged into the card. Using this mode, it
is possible to <emphasis>pull</emphasis> the virtual Ethernet
cable and disrupt the connection, which can be useful to
inform a guest operating system that no network connection is
available and enforce a reconfiguration.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">Network Address Translation
(NAT)</emphasis>. If all you want is to browse the Web,
download files, and view email inside the guest, then this
default mode should be sufficient for you, and you can skip
the rest of this section. Please note that there are certain
limitations when using Windows file sharing. See
<xref linkend="nat-limitations" />.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">NAT Network.</emphasis> A NAT network is
a type of internal network that allows outbound connections.
See <xref linkend="network_nat_service"/>.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">Bridged networking.</emphasis> This is
for more advanced networking needs, such as network
simulations and running servers in a guest. When enabled,
&product-name; connects to one of your installed network cards
and exchanges network packets directly, circumventing your
host operating system's network stack.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">Internal networking.</emphasis> This can
be used to create a different kind of software-based network
which is visible to selected virtual machines, but not to
applications running on the host or to the outside world.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">Host-only networking.</emphasis> This
can be used to create a network containing the host and a set
of virtual machines, without the need for the host's physical
network interface. Instead, a virtual network interface,
similar to a loopback interface, is created on the host,
providing connectivity among virtual machines and the host.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">Generic networking.</emphasis> Rarely
used modes which share the same generic network interface, by
allowing the user to select a driver which can be included
with &product-name; or be distributed in an extension pack.
</para>

<para>
The following sub-modes are available:
</para>

<itemizedlist>

<listitem>
<para>
<emphasis role="bold">UDP Tunnel:</emphasis> Used to
interconnect virtual machines running on different hosts
directly, easily, and transparently, over an existing
network infrastructure.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">VDE (Virtual Distributed Ethernet)
networking:</emphasis> Used to connect to a Virtual
Distributed Ethernet switch on a Linux or a FreeBSD host.
At the moment this option requires compilation of
&product-name; from sources, as the Oracle packages do not
include it.
</para>
</listitem>

</itemizedlist>
</listitem>

</itemizedlist>

<para>
The following table provides an overview of the most important
networking modes.
</para>

<table id="table-networking-modes" tabstyle="oracle-all">
<title>Overview of Networking Modes</title>
<tgroup cols="6">
<colspec align="left" />
<colspec align="center" />
<colspec align="center" />
<colspec align="center" />
<colspec align="center" />
<colspec align="center" />
<thead valign="middle">
<row>
<entry><emphasis role="bold">Mode</emphasis></entry>
<entry><para>
<emphasis role="bold">VM&rarr;Host</emphasis>
</para></entry>
<entry><para>
<emphasis role="bold">VM&larr;Host</emphasis>
</para></entry>
<entry><para>
<emphasis role="bold">VM1&harr;VM2</emphasis>
</para></entry>
<entry><para>
<emphasis role="bold">VM&rarr;Net/LAN</emphasis>
</para></entry>
<entry><para>
<emphasis role="bold">VM&larr;Net/LAN</emphasis>
</para></entry>
</row>
</thead>
<tbody valign="middle">
<row>
<entry><para>
Host-only
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry align="center"><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry><para>
&ndash;
</para></entry>
<entry><para>
&ndash;
</para></entry>
</row>
<row>
<entry><para>
Internal
</para></entry>
<entry><para>
&ndash;
</para></entry>
<entry><para>
&ndash;
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry><para>
&ndash;
</para></entry>
<entry><para>
&ndash;
</para></entry>
</row>
<row>
<entry><para>
Bridged
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
</row>
<row>
<entry><para>
NAT
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry><para>
<link linkend="natforward">Port forward</link>
</para></entry>
<entry><para>
&ndash;
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry><para>
<link linkend="natforward">Port forward</link>
</para></entry>
</row>
<row>
<entry><para>
NAT service
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry><para>
<link linkend="network_nat_service">Port forward</link>
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry><para>
<emphasis role="bold">+</emphasis>
</para></entry>
<entry><para>
<link linkend="network_nat_service">Port forward</link>
</para></entry>
</row>
</tbody>
</tgroup>
</table>

<para>
The following sections describe the available network modes in
more detail.
</para>

</sect1>

<sect1 id="network_nat">

<title>Network Address Translation (NAT)</title>

<para>
Network Address Translation (NAT) is the simplest way of accessing
an external network from a virtual machine. Usually, it does not
require any configuration on the host network and guest system.
For this reason, it is the default networking mode in
&product-name;.
</para>

<para>
A virtual machine with NAT enabled acts much like a real computer
that connects to the Internet through a router. The router, in
this case, is the &product-name; networking engine, which maps
traffic from and to the virtual machine transparently. In
&product-name; this router is placed between each virtual machine
and the host. This separation maximizes security since by default
virtual machines cannot talk to each other.
</para>

<para>
The disadvantage of NAT mode is that, much like a private network
behind a router, the virtual machine is invisible and unreachable
from the outside internet. You cannot run a server this way unless
you set up port forwarding. See <xref linkend="natforward"/>.
</para>

<para>
The network frames sent out by the guest operating system are
received by &product-name;'s NAT engine, which extracts the TCP/IP
data and resends it using the host operating system. To an
application on the host, or to another computer on the same
network as the host, it looks like the data was sent by the
&product-name; application on the host, using an IP address
belonging to the host. &product-name; listens for replies to the
packages sent, and repacks and resends them to the guest machine
on its private network.
</para>

<note>
<para>
Even though the NAT engine separates the VM from the host,
the VM has access to the host's loopback interface and the
network services running on it. The host's loopback interface
is accessible as IP address 10.0.2.2. This access to the host's
loopback interface can be extremely useful in some cases, for
example when running a web application under development in the
VM and the database server on the loopback interface on the host.
</para>
</note>

<para>
The virtual machine receives its network address and configuration
on the private network from a DHCP server integrated into
&product-name;. The IP address thus assigned to the virtual
machine is usually on a completely different network than the
host. As more than one card of a virtual machine can be set up to
use NAT, the first card is connected to the private network
10.0.2.0, the second card to the network 10.0.3.0 and so on. If
you need to change the guest-assigned IP range, see
<xref linkend="changenat" />.
</para>

<sect2 id="natforward">

<title>Configuring Port Forwarding with NAT</title>

<para>
As the virtual machine is connected to a private network
internal to &product-name; and invisible to the host, network
services on the guest are not accessible to the host machine or
to other computers on the same network. However, like a physical
router, &product-name; can make selected services available to
the world outside the guest through <emphasis>port
forwarding</emphasis>. This means that &product-name; listens to
certain ports on the host and resends all packets which arrive
there to the guest, on the same or a different port.
</para>

<para>
To an application on the host or other physical or virtual
machines on the network, it looks as though the service being
proxied is actually running on the host. This also means that
you cannot run the same service on the same ports on the host.
However, you still gain the advantages of running the service in
a virtual machine. For example, services on the host machine or
on other virtual machines cannot be compromised or crashed by a
vulnerability or a bug in the service, and the service can run
in a different operating system than the host system.
</para>

<para>
To configure port forwarding you can use the graphical
<emphasis role="bold">Port Forwarding</emphasis> editor which
can be found in the <emphasis role="bold">Network
Settings</emphasis> dialog for network adaptors configured to
use NAT. Here, you can map host ports to guest ports to allow
network traffic to be routed to a specific port in the guest.
</para>

<para>
Alternatively, the command line tool
<command>VBoxManage</command> can be used. See
<xref linkend="vboxmanage-modifyvm" />.
</para>

<para>
You will need to know which ports on the guest the service uses
and to decide which ports to use on the host. You may want to
use the same ports on the guest and on the host. You can use any
ports on the host which are not already in use by a service. For
example, to set up incoming NAT connections to an
<command>ssh</command> server in the guest, use the following
command:
</para>

<screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,,22"</screen>

<para>
In the above example, all TCP traffic arriving on port 2222 on
any host interface will be forwarded to port 22 in the guest.
The protocol name <literal>tcp</literal> is a mandatory
attribute defining which protocol should be used for forwarding,
<literal>udp</literal> could also be used. The name
<literal>guestssh</literal> is purely descriptive and will be
auto-generated if omitted. The number after
<option>--natpf</option> denotes the network card, as with other
<command>VBoxManage</command> commands.
</para>

<para>
To remove this forwarding rule, use the following command:
</para>

<screen>VBoxManage modifyvm "VM name" --natpf1 delete "guestssh"</screen>

<para>
If for some reason the guest uses a statically assigned IP address
that was not leased from the built-in DHCP server, you must
specify the guest IP when registering the forwarding rule, as
follows:
</para>

<screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,10.0.2.19,22"</screen>

<para>
This example is identical to the previous one, except that the
NAT engine is being told that the guest can be found at the
10.0.2.19 address.
</para>

<para>
To forward <emphasis>all</emphasis> incoming traffic from a
specific host interface to the guest, specify the IP of that
host interface as follows:
</para>

<screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,127.0.0.1,2222,,22"</screen>

<para>
This example forwards all TCP traffic arriving on the localhost
interface at 127.0.0.1 through port 2222 to port 22 in the
guest.
</para>

<para>
It is possible to configure incoming NAT connections while the
VM is running, see <xref linkend="vboxmanage-controlvm"/>.
</para>

</sect2>

<sect2 id="nat-tftp">

<title>PXE Booting with NAT</title>

<para>
PXE booting is now supported in NAT mode. The NAT DHCP server
provides a boot file name of the form
<filename><replaceable>vmname</replaceable>.pxe</filename> if
the directory <literal>TFTP</literal> exists in the directory
where the user's <filename>VirtualBox.xml</filename> file is
kept. It is the responsibility of the user to provide
<filename><replaceable>vmname</replaceable>.pxe</filename>.
</para>

</sect2>

<sect2 id="nat-limitations">

<title>NAT Limitations</title>

<para>
There are some limitations of NAT mode which users should be
aware of, as follows:
</para>

<itemizedlist>

<listitem>
<para>
<emphasis role="bold">ICMP protocol limitations.</emphasis>
Some frequently used network debugging tools, such as
<command>ping</command> or <command>traceroute</command>,
rely on the ICMP protocol for sending and receiving
messages. &product-name; ICMP support has some limitations,
meaning <command>ping</command> should work but some other
tools may not work reliably.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">Receiving of UDP
broadcasts.</emphasis> The guest does not reliably receive
UDP broadcasts. In order to save resources, it only listens
for a certain amount of time after the guest has sent UDP
data on a particular port. As a consequence, NetBios name
resolution based on broadcasts does not always work, but
WINS always works. As a workaround, you can use the numeric
IP of the desired server in the
<filename>\\<replaceable>server</replaceable>\<replaceable>share</replaceable></filename>
notation.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">Some protocols are not
supported.</emphasis> Protocols other than TCP and UDP are
not supported. GRE is not supported. This means some VPN
products, such as PPTP from Microsoft, cannot be used. There
are other VPN products which use only TCP and UDP.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">Forwarding host ports below
1024.</emphasis> On UNIX-based hosts, such as Linux, Oracle
Solaris, and Mac OS X, it is not possible to bind to ports
below 1024 from applications that are not run by
<literal>root</literal>. As a result, if you try to
configure such a port forwarding, the VM will refuse to
start.
</para>
</listitem>

</itemizedlist>

<para>
These limitations normally do not affect standard network use.
But the presence of NAT also has subtle effects that may
interfere with protocols that normally work. One example
is NFS, where the server is often configured to refuse
connections from non-privileged ports, that is, ports 1024 and
above, while the NAT engine resends the guest's traffic from
such an unprivileged port on the host.
</para>

</sect2>

</sect1>

<sect1 id="network_nat_service">

<title>Network Address Translation Service</title>

<para>
The Network Address Translation (NAT) service works in a similar
way to a home router, grouping the systems using it into a network
and preventing systems outside of this network from directly
accessing systems inside it, but letting systems inside
communicate with each other and with systems outside using TCP and
UDP over IPv4 and IPv6.
</para>

<para>
A NAT service is attached to an internal network. Virtual machines
which are to make use of it should be attached to that internal
network. The name of the internal network is chosen when the NAT
service is created and the internal network will be created if it
does not already exist. The following is an example command to
create a NAT network:
</para>

<screen>VBoxManage natnetwork add --netname natnet1 --network "192.168.15.0/24" --enable</screen>

<para>
Here, natnet1 is the name of the internal network to be used and
192.168.15.0/24 is the network address and mask of the NAT service
interface. By default in this static configuration the gateway
will be assigned the address 192.168.15.1, the address following
the interface address, though this is subject to change. To attach
a DHCP server to the internal network, modify the example command
as follows:
</para>

<screen>VBoxManage natnetwork add --netname natnet1 --network "192.168.15.0/24" --enable --dhcp on</screen>

<para>
To add a DHCP server to an existing network, use the following
command:
</para>

<screen>VBoxManage natnetwork modify --netname natnet1 --dhcp on</screen>

<para>
To disable the DHCP server, use the following command:
</para>

<screen>VBoxManage natnetwork modify --netname natnet1 --dhcp off</screen>

<para>
A DHCP server provides a list of registered nameservers, but does
not map servers from the 127/8 network.
</para>

<para>
To start the NAT service, use the following command:
</para>

<screen>VBoxManage natnetwork start --netname natnet1</screen>

<para>
If the network has a DHCP server attached then it will start
together with the NAT network service.
</para>

<para>
To stop the NAT network service, together with any DHCP server:
</para>

<screen>VBoxManage natnetwork stop --netname natnet1</screen>

<para>
To delete the NAT network service:
</para>

<screen>VBoxManage natnetwork remove --netname natnet1</screen>

<para>
This command does not remove the DHCP server if one is enabled on
the internal network.
</para>

<para>
Port-forwarding is supported, using the
<option>--port-forward-4</option> switch for IPv4 and
<option>--port-forward-6</option> for IPv6. For example:
</para>

<screen>VBoxManage natnetwork modify \
--netname natnet1 --port-forward-4 "ssh:tcp:[]:1022:[192.168.15.5]:22"</screen>

<para>
This adds a port-forwarding rule from the host's TCP 1022 port to
the port 22 on the guest with IP address 192.168.15.5. Host port,
guest port and guest IP are mandatory. To delete the rule, use the
following command:
</para>

<screen>VBoxManage natnetwork modify --netname natnet1 --port-forward-4 delete ssh</screen>

800 It is possible to bind a NAT service to specified interface. For
801 example:
802 </para>

<screen>VBoxManage setextradata global "NAT/win-nat-test-0/SourceIp4" 192.168.1.185</screen>

<para>
To see the list of registered NAT networks, use the following
command:
</para>

<screen>VBoxManage list natnetworks</screen>

<note>
<para>
Even though the NAT service separates the VM from the host,
the VM has access to the host's loopback interface and the
network services running on it. The host's loopback interface
is accessible as IP address 10.0.2.2 (assuming the default
configuration, in other configurations it's the respective
address in the configured IPv4 or IPv6 network range). This
access to the host's loopback interface can be extremely useful
in some cases, for example when running a web application under
development in the VM and the database server on the loopback
interface on the host.
</para>
</note>

</sect1>

<sect1 id="network_bridged">

<title>Bridged Networking</title>

<para>
With bridged networking, &product-name; uses a device driver on
your <emphasis>host</emphasis> system that filters data from your
physical network adapter. This driver is therefore called a
<emphasis>net filter</emphasis> driver. This enables
&product-name; to intercept data from the physical network and
inject data into it, effectively creating a new network interface
in software. When a guest is using such a new software interface,
it looks to the host system as though the guest were physically
connected to the interface using a network cable. The host can
send data to the guest through that interface and receive data
from it. This means that you can set up routing or bridging
between the guest and the rest of your network.
</para>

<note>
<para>
Even though TAP interfaces are no longer necessary on Linux for
bridged networking, you <emphasis>can</emphasis> still use TAP
interfaces for certain advanced setups, since you can connect a
VM to any host interface.
</para>
</note>

<para>
To enable bridged networking, open the
<emphasis role="bold">Settings</emphasis> dialog of a virtual
machine, go to the <emphasis role="bold">Network</emphasis> page
and select <emphasis role="bold">Bridged Network</emphasis> in the
drop-down list for the <emphasis role="bold">Attached
To</emphasis> field. Select a host interface from the list at the
bottom of the page, which contains the physical network interfaces
of your systems. On a typical MacBook, for example, this will
allow you to select between en1: AirPort, which is the wireless
interface, and en0: Ethernet, which represents the interface with
a network cable.
</para>

<note>
<para>
Bridging to a wireless interface is done differently from
bridging to a wired interface, because most wireless adapters do
not support promiscuous mode. All traffic has to use the MAC
address of the host's wireless adapter, and therefore
&product-name; needs to replace the source MAC address in the
Ethernet header of an outgoing packet to make sure the reply
will be sent to the host interface. When &product-name; sees an
incoming packet with a destination IP address that belongs to
one of the virtual machine adapters it replaces the destination
MAC address in the Ethernet header with the VM adapter's MAC
address and passes it on. &product-name; examines ARP and DHCP
packets in order to learn the IP addresses of virtual machines.
</para>
</note>
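To make the MAC rewriting in the note above concrete, the following shell function, an added example and not VirtualBox code, models it with awk over constructed frames: the IP-to-MAC table is filled only from the VMs' own ARP and DHCP frames, every outgoing frame leaves with the host adapter's MAC, and an incoming frame is handed to a VM only when its destination IP is in that table. The MAC and IP addresses, the one-line frame format, and the names bridge_rewrite and rewrite_demo are constructed for this example.

```shell
#!/bin/sh
# Added example, not VirtualBox code: a model of the MAC address rewriting
# VirtualBox performs when bridging to a wireless adapter. Frames are
# constructed one per line as: DIR SRC_MAC DST_MAC PROTO SRC_IP DST_IP,
# where DIR is "out" (VM towards the air) or "in" (air towards the host).

# bridge_rewrite HOST_WIFI_MAC < frames
# Outgoing frames leave with the host adapter MAC as source; incoming frames
# whose destination IP belongs to a VM get that VM MAC as destination.
# The IP->MAC table is learned only from the VMs own ARP and DHCP frames,
# as the note describes; anything else addressed to the host passes unchanged.
bridge_rewrite() {
    awk -v host="$1" '
        $1 == "out" && ($4 == "arp" || $4 == "dhcp") { vm[$5] = $2 }  # learn VM IP -> VM MAC
        $1 == "out" { $2 = host; print; next }                        # all VM traffic uses the host MAC
        $1 == "in"  { if ($6 in vm) $3 = vm[$6]; print; next }        # hand replies back to the right VM
    '
}

# Constructed frames: a VM (MAC aa:bb:cc:00:00:01, IP 192.168.1.50) ARPs for
# the gateway, then the gateway (MAC 00:aa:00:aa:00:aa) answers to the host
# MAC; the last frame is for the host itself (IP 192.168.1.10, not a VM).
HOST_WIFI_MAC=00:11:22:33:44:55   # assumed host wireless adapter MAC (constructed)
FRAMES='out aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff arp 192.168.1.50 192.168.1.1
in 00:aa:00:aa:00:aa 00:11:22:33:44:55 tcp 192.168.1.1 192.168.1.50
in 00:aa:00:aa:00:aa 00:11:22:33:44:55 tcp 192.168.1.1 192.168.1.10'

# rewrite_demo prints the rewritten frames for the constructed input above.
rewrite_demo() {
    printf '%s\n' "$FRAMES" | bridge_rewrite "$HOST_WIFI_MAC"
}

rewrite_demo
```

The third constructed frame is addressed to an IP the bridge never learned from a VM, so it passes through untouched; this is why VirtualBox has to examine ARP and DHCP traffic at all, since without that table it could not tell the host's own replies from a VM's.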

<para>
Depending on your host operating system, the following limitations
apply:
</para>

<itemizedlist>

<listitem>
<para>
<emphasis role="bold">Mac OS X hosts.</emphasis> Functionality
is limited when using AirPort, the Mac's wireless networking
system, for bridged networking. Currently, &product-name;
supports only IPv4 and IPv6 over AirPort. For other protocols,
such as IPX, you must choose a wired interface.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">Linux hosts.</emphasis> Functionality is
limited when using wireless interfaces for bridged networking.
Currently, &product-name; supports only IPv4 and IPv6 over
wireless. For other protocols, such as IPX, you must choose a
wired interface.
</para>

<para>
Also, setting the MTU to less than 1500 bytes on wired
interfaces provided by the sky2 driver on the Marvell Yukon II
EC Ultra Ethernet NIC is known to cause packet losses under
certain conditions.
</para>

<para>
Some adapters strip VLAN tags in hardware. This does not allow
you to use VLAN trunking between VM and the external network
with pre-2.6.27 Linux kernels, or with host operating systems
other than Linux.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">Oracle Solaris hosts.</emphasis> There
is no support for using wireless interfaces. Filtering guest
traffic using IPFilter is also not completely supported due to
technical restrictions of the Oracle Solaris networking
subsystem. These issues may be addressed in later releases of
Oracle Solaris 11.
</para>

<para>
On Oracle Solaris 11 hosts build 159 and above, it is possible
to use Oracle Solaris Crossbow Virtual Network Interfaces
(VNICs) directly with &product-name; without any additional
configuration other than each VNIC must be exclusive for every
guest network interface.
</para>

<para>
When using VLAN interfaces with &product-name;, they must be
named according to the PPA-hack naming scheme, such as
e1000g513001. Otherwise, the guest may receive packets in an
unexpected format.
</para>
</listitem>

</itemizedlist>

</sect1>
959
  <sect1 id="network_internal">

    <title>Internal Networking</title>

    <para>
      Internal Networking is similar to bridged networking in that the
      VM can directly communicate with the outside world. However, the
      outside world is limited to other VMs on the same host which
      connect to the same internal network.
    </para>

    <para>
      Even though, technically, everything that can be done using
      internal networking can also be done using bridged networking,
      internal networking has security advantages. In bridged
      networking mode, all traffic goes through a physical interface of
      the host system. It is therefore possible to attach a packet
      sniffer such as Wireshark to the host interface and log all
      traffic that goes over it. If, for any reason, you want two or
      more VMs on the same machine to communicate privately, hiding
      their data from both the host system and its users, bridged
      networking is therefore not an option.
    </para>

    <para>
      Internal networks are created automatically as needed. There is no
      central configuration. Every internal network is identified simply
      by its name. Once there is more than one active virtual network
      card with the same internal network ID, the &product-name; support
      driver will automatically <emphasis>wire</emphasis> the cards and
      act as a network switch. The &product-name; support driver
      implements a complete Ethernet switch and supports both
      broadcast/multicast frames and promiscuous mode.
    </para>

    <para>
      In order to attach a VM's network card to an internal network, set
      its networking mode to Internal Networking. There are two ways to
      accomplish this:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          Use the VM's <emphasis role="bold">Settings</emphasis> dialog
          in the &product-name; graphical user interface. In the
          <emphasis role="bold">Networking</emphasis> category of the
          settings dialog, select <emphasis role="bold">Internal
          Networking</emphasis> from the drop-down list of networking
          modes. Select the name of an existing internal network from
          the drop-down list below, or enter a new name into the
          <emphasis role="bold">Name</emphasis> field.
        </para>
      </listitem>

      <listitem>
        <para>
          Use the command line, for example:
        </para>

<screen>VBoxManage modifyvm "VM name" --nic&lt;x&gt; intnet</screen>

        <para>
          Optionally, you can specify a network name with the command:
        </para>

<screen>VBoxManage modifyvm "VM name" --intnet&lt;x&gt; "network name"</screen>

        <para>
          If you do not specify a network name, the network card will be
          attached to the network <literal>intnet</literal> by default.
        </para>
      </listitem>

    </itemizedlist>

    <para>
      Unless you configure the virtual network cards in the guest
      operating systems that are participating in the internal network
      to use static IP addresses, you may want to use the DHCP server
      that is built into &product-name; to manage IP addresses for the
      internal network. See <xref linkend="vboxmanage-dhcpserver" />.
    </para>

    <para>
      As a security measure, by default, the Linux implementation of
      internal networking only allows VMs running under the same user ID
      to establish an internal network. However, it is possible to
      create a shared internal networking interface, accessible by users
      with different user IDs.
    </para>

  </sect1>

  <sect1 id="network_hostonly">

    <title>Host-Only Networking</title>

    <para>
      Host-only networking can be thought of as a hybrid between the
      bridged and internal networking modes. As with bridged networking,
      the virtual machines can talk to each other and the host as if
      they were connected through a physical Ethernet switch. As with
      internal networking, a physical networking interface need not be
      present, and the virtual machines cannot talk to the world outside
      the host since they are not connected to a physical networking
      interface.
    </para>

    <para>
      When host-only networking is used, &product-name; creates a new
      software interface on the host which then appears next to your
      existing network interfaces. In other words, whereas with bridged
      networking an existing physical interface is used to attach
      virtual machines to, with host-only networking a new
      <emphasis>loopback</emphasis> interface is created on the host.
      And whereas with internal networking, the traffic between the
      virtual machines cannot be seen, the traffic on the loopback
      interface on the host can be intercepted.
    </para>

    <para>
      Host-only networking is particularly useful for preconfigured
      virtual appliances, where multiple virtual machines are shipped
      together and designed to cooperate. For example, one virtual
      machine may contain a web server and a second one a database, and
      since they are intended to talk to each other, the appliance can
      instruct &product-name; to set up a host-only network for the two.
      A second, bridged, network would then connect the web server to
      the outside world to serve data to, but the outside world cannot
      connect to the database.
    </para>

    <para>
      To change a virtual machine's virtual network interface to Host
      Only mode, do either of the following:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          Go to the <emphasis role="bold">Network</emphasis> page in the
          virtual machine's <emphasis role="bold">Settings</emphasis>
          dialog and select <emphasis role="bold">Host-Only
          Networking</emphasis>.
        </para>
      </listitem>

      <listitem>
        <para>
          On the command line, enter <command>VBoxManage modifyvm
          "<replaceable>vmname</replaceable>"
          --nic<replaceable>x</replaceable> hostonly</command>. See
          <xref linkend="vboxmanage-modifyvm" />.
        </para>
      </listitem>

    </itemizedlist>

    <para>
      Before you can attach a VM to a host-only network you have to
      create at least one host-only interface. You can use the
      VirtualBox Manager for this. Choose
      <emphasis role="bold">File</emphasis>,
      <emphasis role="bold">Preferences</emphasis>,
      <emphasis role="bold">Network</emphasis>,
      <emphasis role="bold">Host-Only Network</emphasis>,
      <emphasis role="bold">(+)Add Host-Only Network</emphasis>.
    </para>

    <para>
      Alternatively, you can use the command line:
    </para>

<screen>VBoxManage hostonlyif create</screen>

    <para>
      See <xref linkend="vboxmanage-hostonlyif" />.
    </para>

    <para>
      For host-only networking, as with internal networking, you may
      find the DHCP server that is built into &product-name; useful.
      It can be enabled to manage the IP addresses in the host-only
      network; otherwise you would need to configure all IP addresses
      statically.
    </para>

    <itemizedlist>

      <listitem>
        <para>
          In the &product-name; graphical user interface, you can
          configure all these items in the global settings by choosing
          <emphasis role="bold">File</emphasis>,
          <emphasis role="bold">Preferences</emphasis>,
          <emphasis role="bold">Network</emphasis>. This lists all
          host-only networks which are presently in use. Click on the
          network name and then on
          <emphasis role="bold">Edit</emphasis>. You can then modify the
          adapter and DHCP settings.
        </para>
      </listitem>

      <listitem>
        <para>
          Alternatively, you can use <command>VBoxManage
          dhcpserver</command> on the command line. See
          <xref linkend="vboxmanage-dhcpserver" />.
        </para>
      </listitem>

    </itemizedlist>

    <note>
      <para>
        On Linux and Mac OS X hosts the number of host-only interfaces
        is limited to 128. There is no such limit for Oracle Solaris and
        Windows hosts.
      </para>
    </note>
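    <para>
      The following script is an added example; it is not part of this
      manual or of the &product-name; code base. It combines the steps of
      this section and of <xref linkend="network_internal" />: it attaches
      VMs to a named internal network or to a host-only interface, parses
      the interface name that <command>VBoxManage hostonlyif
      create</command> prints, and adds a DHCP server for each network.
      The VM names, addresses and the <literal>lab</literal> network name
      are constructed, and the long-form <command>VBoxManage dhcpserver
      add</command> options it uses are an assumption to check against
      <xref linkend="vboxmanage-dhcpserver" />. Commands are only printed
      unless <literal>APPLY=1</literal> is set, so the result can be
      reviewed before anything is changed.
    </para>

```shell
#!/bin/sh
# Added example (not part of the VirtualBox manual or project code): wire VMs
# onto a named internal network or onto a host-only interface and enable the
# built-in DHCP server for it. Commands are printed unless APPLY=1 is set.
# Assumed: the long-form "dhcpserver add" options (--netname/--ifname, --ip,
# --netmask, --lowerip, --upperip, --enable); verify them with
# "VBoxManage dhcpserver --help" on the installed version.

# Run a command, or print it when APPLY is not 1. The printed form joins the
# arguments with spaces; when executed, a VM name with spaces stays one word.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Extract the interface name from the line "VBoxManage hostonlyif create"
# prints, for example "Interface 'vboxnet0' was successfully created".
# Returns 1 when the line does not have that shape.
hostonly_ifname() {
    printf '%s\n' "$1" |
        sed -n "s/^Interface '\([^']*\)' was successfully created\$/\1/p" |
        grep .
}

# Attach NIC $2 of VM $1 to internal network $3 (VirtualBox itself falls
# back to the name "intnet" when none is given).
intnet_attach() {
    run VBoxManage modifyvm "$1" "--nic$2" intnet
    run VBoxManage modifyvm "$1" "--intnet$2" "${3:-intnet}"
}

# Attach NIC $2 of VM $1 to host-only interface $3.
hostonly_attach() {
    run VBoxManage modifyvm "$1" "--nic$2" hostonly
    run VBoxManage modifyvm "$1" "--hostonlyadapter$2" "$3"
}

# DHCP server for internal network $1: server address $2, netmask $3,
# lease range $4 to $5. The server address must lie outside the lease range.
intnet_dhcp() {
    run VBoxManage dhcpserver add --netname "$1" --ip "$2" --netmask "$3" \
        --lowerip "$4" --upperip "$5" --enable
}

# Host-only interface $1: host address $2, then a DHCP server at $3 with
# netmask $4 and lease range $5 to $6. Host and server addresses differ.
hostonly_dhcp() {
    run VBoxManage hostonlyif ipconfig "$1" --ip "$2" --netmask "$4"
    run VBoxManage dhcpserver add --ifname "$1" --ip "$3" --netmask "$4" \
        --lowerip "$5" --upperip "$6" --enable
}

# Demonstration with constructed names and addresses (APPLY unset: prints).
intnet_attach "web-vm" 2 lab
intnet_attach "db-vm" 1 lab
intnet_dhcp lab 10.10.0.1 255.255.255.0 10.10.0.10 10.10.0.100
if ifname=$(hostonly_ifname "Interface 'vboxnet0' was successfully created"); then
    hostonly_dhcp "$ifname" 192.168.56.1 192.168.56.100 255.255.255.0 \
        192.168.56.101 192.168.56.254
    hostonly_attach "web-vm" 1 "$ifname"
fi
```

    <para>
      In real use, the line fed to <literal>hostonly_ifname</literal> is
      the output of <command>VBoxManage hostonlyif create</command>, and
      the resulting interface name is what
      <literal>--hostonlyadapter</literal> expects. The host-only DHCP
      server deliberately gets an address different from the host's
      interface address, since both live on the same network.
    </para>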

  </sect1>

  <sect1 id="network_udp_tunnel">

    <title>UDP Tunnel Networking</title>

    <para>
      This networking mode enables you to interconnect virtual machines
      running on different hosts.
    </para>

    <para>
      Technically this is done by encapsulating Ethernet frames sent or
      received by the guest network card into UDP/IP datagrams, and
      sending them over any network available to the host.
    </para>

    <para>
      UDP Tunnel mode has the following parameters:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          <emphasis role="bold">Source UDP port:</emphasis> The port on
          which the host listens. Datagrams arriving on this port from
          any source address will be forwarded to the receiving part of
          the guest network card.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Destination address:</emphasis> IP
          address of the target host of the transmitted data.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Destination UDP port:</emphasis> Port
          number to which the transmitted data is sent.
        </para>
      </listitem>

    </itemizedlist>

    <para>
      When interconnecting two virtual machines on two different hosts,
      their destination addresses must be swapped: each VM uses the IP
      address of the other host. On a single host, the source and
      destination UDP ports must be swapped.
    </para>

    <para>
      In the following example, host 1 uses the IP address 10.0.0.1 and
      host 2 uses IP address 10.0.0.2. To configure using the
      command line:
    </para>

<screen> VBoxManage modifyvm "VM 01 on host 1" --nic&lt;x&gt; generic
 VBoxManage modifyvm "VM 01 on host 1" --nicgenericdrv&lt;x&gt; UDPTunnel
 VBoxManage modifyvm "VM 01 on host 1" --nicproperty&lt;x&gt; dest=10.0.0.2
 VBoxManage modifyvm "VM 01 on host 1" --nicproperty&lt;x&gt; sport=10001
 VBoxManage modifyvm "VM 01 on host 1" --nicproperty&lt;x&gt; dport=10002</screen>

<screen> VBoxManage modifyvm "VM 02 on host 2" --nic&lt;y&gt; generic
 VBoxManage modifyvm "VM 02 on host 2" --nicgenericdrv&lt;y&gt; UDPTunnel
 VBoxManage modifyvm "VM 02 on host 2" --nicproperty&lt;y&gt; dest=10.0.0.1
 VBoxManage modifyvm "VM 02 on host 2" --nicproperty&lt;y&gt; sport=10002
 VBoxManage modifyvm "VM 02 on host 2" --nicproperty&lt;y&gt; dport=10001</screen>

    <para>
      Of course, you can always interconnect two virtual machines on the
      same host, by setting the destination address parameter to
      127.0.0.1 on both. It will act similarly to an internal network in
      this case. However, the host can see the network traffic which it
      could not in the normal internal network case.
    </para>

    <note>
      <para>
        On UNIX-based hosts, such as Linux, Oracle Solaris, and Mac OS
        X, it is not possible to bind to ports below 1024 from
        applications that are not run by <literal>root</literal>. As a
        result, if you try to configure such a source UDP port, the VM
        will refuse to start.
      </para>
    </note>
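    <para>
      The script below is an added example, not part of this manual. It
      produces both halves of a UDP Tunnel configuration from a single
      description, so that the destination addresses and the source and
      destination ports are mirrored automatically instead of being typed
      twice by hand, and it rejects source ports below 1024 up front, the
      case the note above describes. The VM names and host addresses are
      taken from the example above; the NIC index is assumed to be 1.
    </para>

```shell
#!/bin/sh
# Added example (not part of the VirtualBox manual): generate both sides of a
# UDP Tunnel configuration from one description. The peer address and the
# source/destination ports are mirrored automatically, so the two VMs cannot
# end up with inconsistent settings, and source ports below 1024 are rejected
# because the VM would refuse to start on a UNIX host.

# Return 0 when $1 is a decimal port number usable as a source UDP port.
valid_sport() {
    case "$1" in
        ''|*[!0-9]*) echo "error: port '$1' is not a number"; return 1 ;;
    esac
    if [ "$1" -lt 1024 ]; then
        echo "error: source port $1 is privileged on UNIX hosts"; return 1
    fi
    if [ "$1" -gt 65535 ]; then
        echo "error: port $1 is out of range"; return 1
    fi
    return 0
}

# Print the VBoxManage commands for one side of the tunnel.
# $1 VM name, $2 NIC index, $3 peer host address, $4 local port, $5 peer port
udp_tunnel_side() {
    valid_sport "$4" || return 1
    printf 'VBoxManage modifyvm "%s" --nic%s generic\n' "$1" "$2"
    printf 'VBoxManage modifyvm "%s" --nicgenericdrv%s UDPTunnel\n' "$1" "$2"
    printf 'VBoxManage modifyvm "%s" --nicproperty%s dest=%s\n' "$1" "$2" "$3"
    printf 'VBoxManage modifyvm "%s" --nicproperty%s sport=%s\n' "$1" "$2" "$4"
    printf 'VBoxManage modifyvm "%s" --nicproperty%s dport=%s\n' "$1" "$2" "$5"
}

# Both sides at once. Side A: $1 VM, $2 NIC, $3 host address, $4 port.
# Side B: $5 VM, $6 NIC, $7 host address, $8 port. Each side's dest is the
# other host's address and each side's dport is the other side's sport.
udp_tunnel_pair() {
    if [ "$3" = "$7" ]; then
        if [ "$4" = "$8" ]; then
            echo "error: two VMs on one host need different ports"; return 1
        fi
    fi
    udp_tunnel_side "$1" "$2" "$7" "$4" "$8" || return 1
    udp_tunnel_side "$5" "$6" "$3" "$8" "$4" || return 1
}

# Demonstration with the addresses from the manual's example (NIC index 1).
udp_tunnel_pair "VM 01 on host 1" 1 10.0.0.1 10001 "VM 02 on host 2" 1 10.0.0.2 10002
```

    <para>
      For the single-host case, pass <literal>127.0.0.1</literal> as both
      host addresses and two different ports; the script refuses the
      configuration if the ports are equal, since both VMs would then try
      to listen on the same port.
    </para>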

  </sect1>

  <sect1 id="network_vde">

    <title>VDE Networking</title>

    <para>
      Virtual Distributed Ethernet (VDE) is a flexible, virtual network
      infrastructure system, spanning across multiple hosts in a secure
      way. It enables L2/L3 switching, including spanning-tree protocol,
      VLANs, and WAN emulation. It is an optional part of &product-name;
      which is only included in the source code.
    </para>

    <para>
      VDE is a project developed by Renzo Davoli, Associate Professor at
      the University of Bologna, Italy.
    </para>

    <para>
      The basic building blocks of the infrastructure are VDE switches,
      VDE plugs, and VDE wires which interconnect the switches.
    </para>

    <para>
      The &product-name; VDE driver has a single parameter: VDE network.
      This is the name of the VDE network switch socket to which the VM
      will be connected.
    </para>

    <para>
      The following basic example shows how to connect a virtual machine
      to a VDE switch.
    </para>

    <orderedlist>

      <listitem>
        <para>
          Create a VDE switch:
        </para>

<screen>vde_switch -s /tmp/switch1</screen>
      </listitem>

      <listitem>
        <para>
          Configure VMs using the command line:
        </para>

<screen>VBoxManage modifyvm "VM name" --nic&lt;x&gt; generic</screen>

<screen>VBoxManage modifyvm "VM name" --nicgenericdrv&lt;x&gt; VDE</screen>

        <para>
          To connect to an automatically allocated switch port:
        </para>

<screen>VBoxManage modifyvm "VM name" --nicproperty&lt;x&gt; network=/tmp/switch1</screen>

        <para>
          To connect to a specific switch port
          <replaceable>n</replaceable>:
        </para>

<screen>VBoxManage modifyvm "VM name" --nicproperty&lt;x&gt; network=/tmp/switch1[&lt;n&gt;]</screen>

        <para>
          This command can be useful for VLANs.
        </para>
      </listitem>

      <listitem>
        <para>
          (Optional) Map between a VDE switch port and a VLAN.
        </para>

        <para>
          Using the switch command line:
        </para>

<screen>vde$ vlan/create &lt;VLAN&gt;</screen>

<screen>vde$ port/setvlan &lt;port&gt; &lt;VLAN&gt;</screen>
      </listitem>

    </orderedlist>

    <para>
      VDE is available on Linux and FreeBSD hosts only. It is only
      available if the VDE software and the VDE plugin library from the
      VirtualSquare project are installed on the host system.
    </para>

    <note>
      <para>
        For Linux hosts, the shared library libvdeplug.so must be
        available in the search path for shared libraries.
      </para>
    </note>

    <para>
      For more information on setting up VDE networks, please see the
      documentation accompanying the software. See also
      <ulink url="http://wiki.virtualsquare.org/wiki/index.php/VDE_Basic_Networking" />.
    </para>

  </sect1>

  <sect1 id="network_bandwidth_limit">

    <title>Limiting Bandwidth for Network Input/Output</title>

    <para>
      &product-name; supports limiting the maximum bandwidth used for
      network transmission. Several network adapters of one VM may share
      limits through bandwidth groups. It is possible to have more than
      one such limit.
    </para>

    <note>
      <para>
        &product-name; shapes VM traffic only in the transmit direction,
        delaying the packets being sent by virtual machines. It does not
        limit the traffic being received by virtual machines.
      </para>
    </note>

    <para>
      Limits are configured through <command>VBoxManage</command>. The
      following example creates a bandwidth group named Limit, sets the
      limit to 20 Mbps and assigns the group to the first and second
      adapters of the VM:
    </para>

<screen>VBoxManage bandwidthctl "VM name" add Limit --type network --limit 20m
VBoxManage modifyvm "VM name" --nicbandwidthgroup1 Limit
VBoxManage modifyvm "VM name" --nicbandwidthgroup2 Limit</screen>

    <para>
      All adapters in a group share the bandwidth limit, meaning that in
      the example above the bandwidth of both adapters combined can
      never exceed 20 Mbps. However, if one adapter does not require
      bandwidth the other can use the remaining bandwidth of its group.
    </para>

    <para>
      The limits for each group can be changed while the VM is running,
      with changes being picked up immediately. The following example
      changes the limit for the group created in the previous example to
      100 Kbps:
    </para>

<screen>VBoxManage bandwidthctl "VM name" set Limit --limit 100k</screen>

    <para>
      To completely disable shaping for the first adapter of the VM, use
      the following command:
    </para>

<screen>VBoxManage modifyvm "VM name" --nicbandwidthgroup1 none</screen>

    <para>
      It is also possible to disable shaping for all adapters assigned
      to a bandwidth group while the VM is running, by specifying a zero
      limit for the group. For example, for the bandwidth group named
      Limit:
    </para>

<screen>VBoxManage bandwidthctl "VM name" set Limit --limit 0</screen>
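    <para>
      The helpers below are an added example, not part of this manual.
      They wrap the commands of this section so that a limit value is
      checked before it is applied, several adapters are assigned to one
      group in a loop, and a running VM's group can be changed or set to
      zero. The validator accepts only the forms this section uses, an
      integer with an optional lowercase <literal>k</literal>,
      <literal>m</literal> or <literal>g</literal> suffix; other suffixes
      that <command>VBoxManage bandwidthctl</command> may accept are not
      covered. The VM and group names are constructed, and commands are
      only printed unless <literal>APPLY=1</literal> is set.
    </para>

```shell
#!/bin/sh
# Added example (not part of the VirtualBox manual): validate a bandwidthctl
# limit before applying it and assign several adapters to one group.
# Commands are printed unless APPLY=1 is set.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# A limit is an integer with an optional k, m or g suffix (kilobits, megabits
# or gigabits per second, as used in this section); 0 disables shaping.
valid_limit() {
    case "$1" in
        '' | *[!0-9kmg]* ) return 1 ;;   # empty, or characters outside the form
        *[kmg]?* ) return 1 ;;           # a suffix must be the last character
        [0-9]* ) return 0 ;;
        * ) return 1 ;;
    esac
}

# Create network bandwidth group $2 on VM $1 with limit $3 and assign the
# adapters whose indexes follow (for example 1 2) to it.
bw_group_create() {
    vm=$1; group=$2; limit=$3; shift 3
    valid_limit "$limit" || { echo "error: bad limit '$limit'"; return 1; }
    run VBoxManage bandwidthctl "$vm" add "$group" --type network --limit "$limit"
    for nic in "$@"; do
        run VBoxManage modifyvm "$vm" "--nicbandwidthgroup$nic" "$group"
    done
}

# Change the limit of group $2 on VM $1 to $3, also while the VM is running;
# 0 removes shaping for every adapter in the group.
bw_group_set() {
    valid_limit "$3" || { echo "error: bad limit '$3'"; return 1; }
    run VBoxManage bandwidthctl "$1" set "$2" --limit "$3"
}

# Detach adapter $2 of VM $1 from any group, turning shaping off for it.
bw_nic_unshape() {
    run VBoxManage modifyvm "$1" "--nicbandwidthgroup$2" none
}

# Demonstration with constructed names (APPLY unset: prints the commands).
bw_group_create "VM name" Limit 20m 1 2
bw_group_set "VM name" Limit 100k
bw_nic_unshape "VM name" 1
bw_group_set "VM name" Limit 0
```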

  </sect1>

  <sect1 id="network_performance">

    <title>Improving Network Performance</title>

    <para>
      &product-name; provides a variety of virtual network adapters that
      can be attached to the host's network in a number of ways.
      Depending on which types of adapters and attachments are used, the
      network performance will differ. Performance-wise, the virtio
      network adapter is preferable to the Intel PRO/1000 emulated
      adapters, which are in turn preferable to the PCNet family of
      adapters. Both virtio and Intel PRO/1000 adapters benefit from
      segmentation and checksum offloading. Segmentation offloading is
      essential for high performance as it allows for fewer context
      switches, dramatically increasing the sizes of packets that cross
      the VM/host boundary.
    </para>

    <note>
      <para>
        Neither the virtio nor the Intel PRO/1000 drivers for Windows XP
        support segmentation offloading. Therefore Windows XP guests
        never reach the same transmission rates as other guest types.
        Refer to Microsoft Knowledge Base article 842264 for additional
        information.
      </para>
    </note>

    <para>
      Three attachment types, Internal, Bridged, and Host-Only, have
      nearly identical performance. The Internal type is a little
      faster and uses fewer CPU cycles as the packets never reach the
      host's network stack. The NAT attachment type is the slowest and
      most secure of all attachment types, as it provides network
      address translation. The generic driver attachment is special and
      cannot be considered as an alternative to the other attachment
      types.
    </para>

    <para>
      The number of CPUs assigned to a VM does not improve network
      performance and in some cases may hurt it due to increased
      concurrency in the guest.
    </para>

    <para>
      Here is a short summary of things to check in order to improve
      network performance:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          Whenever possible use the virtio network adapter. Otherwise,
          use one of the Intel PRO/1000 adapters.
        </para>
      </listitem>

      <listitem>
        <para>
          Use a Bridged attachment instead of NAT.
        </para>
      </listitem>

      <listitem>
        <para>
          Make sure segmentation offloading is enabled in the guest OS.
          Usually it will be enabled by default. You can check and
          modify offloading settings using the
          <command>ethtool</command> command on Linux guests.
        </para>
      </listitem>

      <listitem>
        <para>
          Perform a full detailed analysis of network traffic on the
          VM's network adapter using a third-party tool such as
          Wireshark. To do this, a promiscuous mode policy needs to be
          used on the VM's network adapter. Use of this mode is only
          possible on the following network types: NAT Network, Bridged
          Adapter, Internal Network, and Host-Only Adapter.
        </para>

        <para>
          To set up a promiscuous mode policy, either select from the
          drop-down list located in the <emphasis role="bold">Network
          Settings</emphasis> dialog for the network adapter or use the
          command line tool <command>VBoxManage</command>. See
          <xref linkend="vboxmanage-modifyvm" />.
        </para>

        <para>
          Promiscuous mode policies are as follows:
        </para>

        <itemizedlist>

          <listitem>
            <para>
              <literal>deny</literal>, which hides any traffic not
              intended for the VM's network adapter. This is the default
              setting.
            </para>
          </listitem>

          <listitem>
            <para>
              <literal>allow-vms</literal>, which hides all host traffic
              from the VM's network adapter, but allows it to see
              traffic from and to other VMs.
            </para>
          </listitem>

          <listitem>
            <para>
              <literal>allow-all</literal>, which removes all
              restrictions. The VM's network adapter sees all traffic.
            </para>
          </listitem>

        </itemizedlist>
      </listitem>

    </itemizedlist>
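    <para>
      The script below is an added example, not part of this manual. It
      turns two items of the checklist above into checks that can be run
      from the guest and from the host. <literal>check_offload</literal>
      reads the output of <command>ethtool -k</command> on a Linux guest
      and reports whether segmentation and transmit checksum offloading
      are on; <literal>nic_audit</literal> reads the output of
      <command>VBoxManage showvminfo --machinereadable</command> on the
      host and lists each enabled adapter's attachment type and
      promiscuous mode policy, flagging any policy other than
      <literal>deny</literal> for review, since an adapter set to
      <literal>allow-all</literal> sees host traffic as well. Both sample
      inputs are constructed; the <literal>nicN</literal> and
      <literal>nicpromiscN</literal> keys are those the machine-readable
      output uses.
    </para>

```shell
#!/bin/sh
# Added example (not part of the VirtualBox manual): guest-side and host-side
# checks for the performance items in this section. Sample inputs below are
# constructed to look like real "ethtool -k" and "showvminfo" output.

# Read "ethtool -k IFACE" output on stdin and report the offload features
# this section cares about that are off. Returns 1 when any is off.
check_offload() {
    off=""
    while IFS= read -r line; do
        case "$line" in
            tcp-segmentation-offload:*|generic-segmentation-offload:*|tx-checksumming:*)
                feature=${line%%:*}
                state=${line#*: }
                state=${state%% *}         # drop a trailing "[fixed]" marker
                [ "$state" = on ] || off="$off $feature"
                ;;
        esac
    done
    if [ -n "$off" ]; then
        echo "offloading off:$off"
        return 1
    fi
    echo "offloading ok"
}

# Read "VBoxManage showvminfo VM --machinereadable" output on stdin. Print
# "nicN attachment=TYPE" for each enabled adapter and
# "nicN promiscuous=POLICY (review)" for every policy other than deny.
# Returns 1 when at least one adapter needs review.
nic_audit() {
    flagged=0
    while IFS= read -r line; do
        key=${line%%=*}
        val=${line#*=}
        val=${val#\"}; val=${val%\"}       # strip the surrounding quotes
        case "$key" in
            nic[1-8])
                [ "$val" = none ] || echo "$key attachment=$val"
                ;;
            nicpromisc[1-8])
                if [ "$val" != deny ]; then
                    echo "nic${key#nicpromisc} promiscuous=$val (review)"
                    flagged=1
                fi
                ;;
        esac
    done
    return $flagged
}

# Constructed sample of "ethtool -k eth0" output from a Linux guest.
ETHTOOL_SAMPLE='Features for eth0:
rx-checksumming: on
tx-checksumming: on
tcp-segmentation-offload: off
        tx-tcp-segmentation: off
generic-segmentation-offload: on
generic-receive-offload: on'

# Constructed sample of "showvminfo --machinereadable" output for one VM.
VMINFO_SAMPLE='name="lab-vm"
nic1="intnet"
intnet1="lab"
nicpromisc1="allow-all"
nic2="bridged"
bridgeadapter2="eth0"
nicpromisc2="deny"
nic3="none"'

printf '%s\n' "$ETHTOOL_SAMPLE" | check_offload || echo "guest: enable offloading"
printf '%s\n' "$VMINFO_SAMPLE" | nic_audit || echo "host: review promiscuous policies"
```

    <para>
      On a real system, replace the samples with <command>ethtool -k
      eth0 | check_offload</command> inside the guest and
      <command>VBoxManage showvminfo "VM name" --machinereadable |
      nic_audit</command> on the host. Running the audit over every VM
      gives a quick inventory of which adapters are bridged to a physical
      interface and which can see traffic not addressed to them.
    </para>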

  </sect1>

</chapter>