VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Networking.xml@ 94209

Last change on this file since 94209 was 92534, checked in by vboxsync, 3 years ago

VBoxManage: Dashified the modifyvm options, the leaving the wordsoup options for legacy reasons of course.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
<!ENTITY % all.entities SYSTEM "all-entities.ent">
%all.entities;
]>
<chapter id="networkingdetails">

  <title>Virtual Networking</title>

  <para>
    As mentioned in <xref linkend="settings-network" />, &product-name;
    provides up to eight virtual PCI Ethernet cards for each virtual
    machine. For each such card, you can individually select the
    following:
  </para>

  <itemizedlist>

    <listitem>
      <para>
        The hardware that will be virtualized.
      </para>
    </listitem>

    <listitem>
      <para>
        The virtualization mode that the virtual card operates in, with
        respect to your physical networking hardware on the host.
      </para>
    </listitem>

  </itemizedlist>

  <para>
    Four of the network cards can be configured in the
    <emphasis role="bold">Network</emphasis> section of the
    <emphasis role="bold">Settings</emphasis> dialog in the graphical
    user interface of &product-name;. You can configure all eight
    network cards on the command line using <command>VBoxManage
    modifyvm</command>. See <xref linkend="vboxmanage-modifyvm" />.
  </para>

  <para>
    This chapter explains the various networking settings in more
    detail.
  </para>

  <sect1 id="nichardware">

    <title>Virtual Networking Hardware</title>

    <para>
      For each card, you can individually select what kind of
      <emphasis>hardware</emphasis> will be presented to the virtual
      machine. &product-name; can virtualize the following types of
      networking hardware:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          AMD PCNet PCI II (Am79C970A)
        </para>
      </listitem>

      <listitem>
        <para>
          AMD PCNet FAST III (Am79C973), the default setting
        </para>
      </listitem>

      <listitem>
        <para>
          Intel PRO/1000 MT Desktop (82540EM)
        </para>
      </listitem>

      <listitem>
        <para>
          Intel PRO/1000 T Server (82543GC)
        </para>
      </listitem>

      <listitem>
        <para>
          Intel PRO/1000 MT Server (82545EM)
        </para>
      </listitem>

      <listitem>
        <para>
          Paravirtualized network adapter (virtio-net)
        </para>
      </listitem>

    </itemizedlist>

    <para>
      The PCNet FAST III is the default because it is supported by
      nearly all operating systems, as well as by the GNU GRUB boot
      manager. As an exception, the Intel PRO/1000 family adapters are
      chosen for some guest operating system types that no longer ship
      with drivers for the PCNet card, such as Windows Vista.
    </para>

    <para>
      The Intel PRO/1000 MT Desktop type works with Windows Vista and
      later versions. The T Server variant of the Intel PRO/1000 card is
      recognized by Windows XP guests without additional driver
      installation. The MT Server variant facilitates OVF imports from
      other platforms.
    </para>

    <para>
      The Paravirtualized network adapter (virtio-net) is special. If
      you select this adapter, then &product-name; does
      <emphasis>not</emphasis> virtualize common networking hardware
      that is supported by common guest operating systems. Instead,
      &product-name; expects a special software interface for
      virtualized environments to be provided by the guest, thus
      avoiding the complexity of emulating networking hardware and
      improving network performance. &product-name; provides support for
      the industry-standard <emphasis>virtio</emphasis> networking
      drivers, which are part of the open source KVM project.
    </para>

    <para>
      The virtio networking drivers are available for the following
      guest operating systems:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          Linux kernels version 2.6.25 or later can be configured to
          provide virtio support. Some distributions have also
          back-ported virtio to older kernels.
        </para>
      </listitem>

      <listitem>
        <para>
          For Windows 2000, XP, and Vista, virtio drivers can be
          downloaded and installed from the KVM project web page:
        </para>

        <para>
          <ulink url="http://www.linux-kvm.org/page/WindowsGuestDrivers" />.
        </para>
      </listitem>

    </itemizedlist>

    <para>
      &product-name; also has limited support for <emphasis>jumbo
      frames</emphasis>, that is, networking packets carrying more than
      1500 bytes of data. They are supported only if you use one of the
      Intel card types together with bridged networking. Jumbo frames
      are not supported with the AMD networking devices; there, jumbo
      packets are silently dropped in both the transmit and the receive
      direction. A guest operating system trying to use this feature
      will observe this as packet loss, which may lead to unexpected
      application behavior in the guest. This does not cause problems
      with guest operating systems in their default configuration, as
      jumbo frames need to be explicitly enabled.
    </para>

  </sect1>

  <sect1 id="networkingmodes">

    <title>Introduction to Networking Modes</title>

    <para>
      Each of the networking adapters can be separately configured to
      operate in one of the following modes:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          <emphasis role="bold">Not attached.</emphasis> In this mode,
          &product-name; reports to the guest that a network card is
          present, but that there is no connection. This is as if no
          Ethernet cable was plugged into the card. Using this mode, it
          is possible to <emphasis>pull</emphasis> the virtual Ethernet
          cable and disrupt the connection, which can be useful to
          inform a guest operating system that no network connection is
          available and enforce a reconfiguration.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Network Address Translation
          (NAT)</emphasis>. If all you want is to browse the Web,
          download files, and view email inside the guest, then this
          default mode should be sufficient for you, and you can skip
          the rest of this section. Please note that there are certain
          limitations when using Windows file sharing. See
          <xref linkend="nat-limitations" />.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">NAT Network.</emphasis> A NAT network is
          a type of internal network that allows outbound connections.
          See <xref linkend="network_nat_service"/>.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Bridged networking.</emphasis> This is
          for more advanced networking needs, such as network
          simulations and running servers in a guest. When enabled,
          &product-name; connects to one of your installed network cards
          and exchanges network packets directly, circumventing your
          host operating system's network stack.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Internal networking.</emphasis> This can
          be used to create a different kind of software-based network
          which is visible to selected virtual machines, but not to
          applications running on the host or to the outside world.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Host-only networking.</emphasis> This
          can be used to create a network containing the host and a set
          of virtual machines, without the need for the host's physical
          network interface. Instead, a virtual network interface,
          similar to a loopback interface, is created on the host,
          providing connectivity among virtual machines and the host.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Generic networking.</emphasis> Rarely
          used modes which share the same generic network interface, by
          allowing the user to select a driver which can be included
          with &product-name; or be distributed in an extension pack.
        </para>

        <para>
          The following sub-modes are available:
        </para>

        <itemizedlist>

          <listitem>
            <para>
              <emphasis role="bold">UDP Tunnel:</emphasis> Used to
              interconnect virtual machines running on different hosts
              directly, easily, and transparently, over an existing
              network infrastructure.
            </para>
          </listitem>

          <listitem>
            <para>
              <emphasis role="bold">VDE (Virtual Distributed Ethernet)
              networking:</emphasis> Used to connect to a Virtual
              Distributed Ethernet switch on a Linux or a FreeBSD host.
              At the moment this option requires compilation of
              &product-name; from sources, as the Oracle packages do not
              include it.
            </para>
          </listitem>

        </itemizedlist>
      </listitem>

    </itemizedlist>

    <para>
      The following table provides an overview of the most important
      networking modes.
    </para>

    <table id="table-networking-modes" tabstyle="oracle-all">
      <title>Overview of Networking Modes</title>
      <tgroup cols="6">
        <colspec align="left" />
        <colspec align="center" />
        <colspec align="center" />
        <colspec align="center" />
        <colspec align="center" />
        <colspec align="center" />
        <thead valign="middle">
          <row>
            <entry><emphasis role="bold">Mode</emphasis></entry>
            <entry><para><emphasis role="bold">VM&rarr;Host</emphasis></para></entry>
            <entry><para><emphasis role="bold">VM&larr;Host</emphasis></para></entry>
            <entry><para><emphasis role="bold">VM1&harr;VM2</emphasis></para></entry>
            <entry><para><emphasis role="bold">VM&rarr;Net/LAN</emphasis></para></entry>
            <entry><para><emphasis role="bold">VM&larr;Net/LAN</emphasis></para></entry>
          </row>
        </thead>
        <tbody valign="middle">
          <row>
            <entry><para>Host-only</para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
            <entry align="center"><para><emphasis role="bold">+</emphasis></para></entry>
            <entry><para>&ndash;</para></entry>
            <entry><para>&ndash;</para></entry>
          </row>
          <row>
            <entry><para>Internal</para></entry>
            <entry><para>&ndash;</para></entry>
            <entry><para>&ndash;</para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
            <entry><para>&ndash;</para></entry>
            <entry><para>&ndash;</para></entry>
          </row>
          <row>
            <entry><para>Bridged</para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
          </row>
          <row>
            <entry><para>NAT</para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
            <entry><para><link linkend="natforward">Port forward</link></para></entry>
            <entry><para>&ndash;</para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
            <entry><para><link linkend="natforward">Port forward</link></para></entry>
          </row>
          <row>
            <entry><para>NAT service</para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
            <entry><para><link linkend="network_nat_service">Port forward</link></para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
            <entry><para><emphasis role="bold">+</emphasis></para></entry>
            <entry><para><link linkend="network_nat_service">Port forward</link></para></entry>
          </row>
        </tbody>
      </tgroup>
    </table>

    <para>
      The following sections describe the available network modes in
      more detail.
    </para>

  </sect1>

  <sect1 id="network_nat">

    <title>Network Address Translation (NAT)</title>

    <para>
      Network Address Translation (NAT) is the simplest way of accessing
      an external network from a virtual machine. Usually, it does not
      require any configuration on the host network and guest system.
      For this reason, it is the default networking mode in
      &product-name;.
    </para>

    <para>
      A virtual machine with NAT enabled acts much like a real computer
      that connects to the Internet through a router. The router, in
      this case, is the &product-name; networking engine, which maps
      traffic from and to the virtual machine transparently. In
      &product-name; this router is placed between each virtual machine
      and the host. This separation maximizes security since by default
      virtual machines cannot talk to each other: each NAT-attached
      adapter sits on its own private network behind its own NAT engine.
    </para>

    <para>
      The disadvantage of NAT mode is that, much like a private network
      behind a router, the virtual machine is invisible and unreachable
      from the outside internet. You cannot run a server this way unless
      you set up port forwarding. See <xref linkend="natforward"/>.
    </para>

    <para>
      The network frames sent out by the guest operating system are
      received by &product-name;'s NAT engine, which extracts the TCP/IP
      data and resends it using the host operating system. To an
      application on the host, or to another computer on the same
      network as the host, it looks like the data was sent by the
      &product-name; application on the host, using an IP address
      belonging to the host. &product-name; listens for replies to the
      packets sent, and repacks and resends them to the guest machine
      on its private network.
    </para>

    <note>
      <para>
        Even though the NAT engine separates the VM from the host, the
        VM has access to the host's loopback interface and the network
        services running on it. The host's loopback interface is
        accessible as IP address 10.0.2.2. This access to the host's
        loopback interface can be extremely useful in some cases, for
        example when running a web application under development in the
        VM and the database server on the loopback interface on the
        host. It also means that a host service bound to 127.0.0.1 in
        order to restrict it to local clients is still reachable from
        every NAT-attached guest, so do not rely on the loopback binding
        alone to keep such a service away from an untrusted guest.
      </para>
    </note>

    <para>
      The virtual machine receives its network address and configuration
      on the private network from a DHCP server integrated into
      &product-name;. The IP address thus assigned to the virtual
      machine is usually on a completely different network than the
      host. As more than one card of a virtual machine can be set up to
      use NAT, the first card is connected to the private network
      10.0.2.0, the second card to the network 10.0.3.0 and so on. If
      you need to change the guest-assigned IP range, see
      <xref linkend="changenat" />.
    </para>

    <sect2 id="natforward">

      <title>Configuring Port Forwarding with NAT</title>

      <para>
        As the virtual machine is connected to a private network
        internal to &product-name; and invisible to the host, network
        services on the guest are not accessible to the host machine or
        to other computers on the same network. However, like a physical
        router, &product-name; can make selected services available to
        the world outside the guest through <emphasis>port
        forwarding</emphasis>. This means that &product-name; listens to
        certain ports on the host and resends all packets which arrive
        there to the guest, on the same or a different port.
      </para>

      <para>
        To an application on the host or other physical or virtual
        machines on the network, it looks as though the service being
        proxied is actually running on the host. This also means that
        you cannot run the same service on the same ports on the host.
        However, you still gain the advantages of running the service in
        a virtual machine. For example, services on the host machine or
        on other virtual machines cannot be compromised or crashed by a
        vulnerability or a bug in the service, and the service can run
        in a different operating system than the host system.
      </para>

      <para>
        To configure port forwarding you can use the graphical
        <emphasis role="bold">Port Forwarding</emphasis> editor which
        can be found in the <emphasis role="bold">Network
        Settings</emphasis> dialog for network adapters configured to
        use NAT. Here, you can map host ports to guest ports to allow
        network traffic to be routed to a specific port in the guest.
      </para>

      <para>
        Alternatively, the command line tool
        <command>VBoxManage</command> can be used. See
        <xref linkend="vboxmanage-modifyvm" />.
      </para>

      <para>
        You will need to know which ports on the guest the service uses
        and to decide which ports to use on the host. You may want to
        use the same ports on the guest and on the host. You can use any
        ports on the host which are not already in use by a service. For
        example, to set up incoming NAT connections to an
        <command>ssh</command> server in the guest, use the following
        command:
      </para>

<screen>VBoxManage modifyvm "VM name" --nat-pf1 "guestssh,tcp,,2222,,22"</screen>

      <para>
        In the above example, all TCP traffic arriving on port 2222 on
        any host interface will be forwarded to port 22 in the guest.
        Because the host IP field is left empty, the forwarded port is
        reachable not only from the host itself but from every network
        the host is connected to; if host-local access is all you need,
        bind the rule to a specific host address as shown further below.
        The protocol name <literal>tcp</literal> is a mandatory
        attribute defining which protocol should be used for forwarding;
        <literal>udp</literal> could also be used. The name
        <literal>guestssh</literal> is purely descriptive and will be
        auto-generated if omitted. The number after
        <option>--nat-pf</option> denotes the network card, as with other
        <command>VBoxManage</command> commands. The older spelling
        <option>--natpf1</option> is still accepted.
      </para>

      <para>
        To remove this forwarding rule, use the following command:
      </para>

<screen>VBoxManage modifyvm "VM name" --nat-pf1 delete "guestssh"</screen>

      <para>
        If for some reason the guest uses a statically assigned IP
        address not leased from the built-in DHCP server, it is required
        to specify the guest IP when registering the forwarding rule, as
        follows:
      </para>

<screen>VBoxManage modifyvm "VM name" --nat-pf1 "guestssh,tcp,,2222,10.0.2.19,22"</screen>

      <para>
        This example is identical to the previous one, except that the
        NAT engine is being told that the guest can be found at the
        10.0.2.19 address.
      </para>

      <para>
        To forward <emphasis>all</emphasis> incoming traffic from a
        specific host interface to the guest, specify the IP of that
        host interface as follows:
      </para>

<screen>VBoxManage modifyvm "VM name" --nat-pf1 "guestssh,tcp,127.0.0.1,2222,,22"</screen>

      <para>
        This example forwards all TCP traffic arriving on the localhost
        interface at 127.0.0.1 through port 2222 to port 22 in the
        guest. Other machines on the host's network cannot reach the
        forwarded port in this configuration.
      </para>

      <para>
        It is possible to configure incoming NAT connections while the
        VM is running, see <xref linkend="vboxmanage-controlvm"/>.
      </para>

    </sect2>

    <sect2 id="nat-tftp">

      <title>PXE Booting with NAT</title>

      <para>
        PXE booting is now supported in NAT mode. The NAT DHCP server
        provides a boot file name of the form
        <filename><replaceable>vmname</replaceable>.pxe</filename> if
        the directory <literal>TFTP</literal> exists in the directory
        where the user's <filename>VirtualBox.xml</filename> file is
        kept. It is the responsibility of the user to provide
        <filename><replaceable>vmname</replaceable>.pxe</filename>.
      </para>

    </sect2>

    <sect2 id="nat-limitations">

      <title>NAT Limitations</title>

      <para>
        There are some limitations of NAT mode which users should be
        aware of, as follows:
      </para>

      <itemizedlist>

        <listitem>
          <para>
            <emphasis role="bold">ICMP protocol limitations.</emphasis>
            Some frequently used network debugging tools, such as
            <command>ping</command> or <command>traceroute</command>,
            rely on the ICMP protocol for sending and receiving
            messages. &product-name; ICMP support has some limitations,
            meaning <command>ping</command> should work but some other
            tools may not work reliably.
          </para>
        </listitem>

        <listitem>
          <para>
            <emphasis role="bold">Receiving of UDP
            broadcasts.</emphasis> The guest does not reliably receive
            UDP broadcasts. In order to save resources, it only listens
            for a certain amount of time after the guest has sent UDP
            data on a particular port. As a consequence, NetBIOS name
            resolution based on broadcasts does not always work, but
            WINS always works. As a workaround, you can use the numeric
            IP of the desired server in the
            <filename>\\<replaceable>server</replaceable>\<replaceable>share</replaceable></filename>
            notation.
          </para>
        </listitem>

        <listitem>
          <para>
            <emphasis role="bold">Some protocols are not
            supported.</emphasis> Protocols other than TCP and UDP are
            not supported. GRE is not supported. This means some VPN
            products, such as PPTP from Microsoft, cannot be used. There
            are other VPN products which use only TCP and UDP.
          </para>
        </listitem>

        <listitem>
          <para>
            <emphasis role="bold">Forwarding host ports below
            1024.</emphasis> On UNIX-based hosts, such as Linux, Oracle
            Solaris, and Mac OS X, it is not possible to bind to ports
            below 1024 from applications that are not run by
            <literal>root</literal>. As a result, if you try to
            configure such a port forwarding, the VM will refuse to
            start.
          </para>
        </listitem>

      </itemizedlist>

      <para>
        These limitations normally do not affect standard network use.
        But the presence of NAT also has subtle effects that may
        interfere with protocols that normally work. One example is
        NFS, where the server is often configured to refuse connections
        from non-privileged ports, that is, ports 1024 and above; since
        the NAT engine runs without <literal>root</literal> privileges,
        the guest's connections leave the host from ports in exactly
        that range and are rejected by such a server.
      </para>

    </sect2>

  </sect1>

  <sect1 id="network_nat_service">

    <title>Network Address Translation Service</title>

    <para>
      The Network Address Translation (NAT) service works in a similar
      way to a home router, grouping the systems using it into a network
      and preventing systems outside of this network from directly
      accessing systems inside it, but letting systems inside
      communicate with each other and with systems outside using TCP and
      UDP over IPv4 and IPv6.
    </para>

    <para>
      A NAT service is attached to an internal network. Virtual machines
      which are to make use of it should be attached to that internal
      network. The name of the internal network is chosen when the NAT
      service is created and the internal network will be created if it
      does not already exist. The following is an example command to
      create a NAT network:
    </para>

<screen>VBoxManage natnetwork add --netname natnet1 --network "192.168.15.0/24" --enable</screen>

    <para>
      Here, natnet1 is the name of the internal network to be used and
      192.168.15.0/24 is the network address and mask of the NAT service
      interface. By default in this static configuration the gateway
      will be assigned the address 192.168.15.1, the address following
      the interface address, though this is subject to change. To attach
      a DHCP server to the internal network, modify the example command
      as follows:
    </para>

<screen>VBoxManage natnetwork add --netname natnet1 --network "192.168.15.0/24" --enable --dhcp on</screen>

    <para>
      To add a DHCP server to an existing network, use the following
      command:
    </para>

<screen>VBoxManage natnetwork modify --netname natnet1 --dhcp on</screen>

    <para>
      To disable the DHCP server, use the following command:
    </para>

<screen>VBoxManage natnetwork modify --netname natnet1 --dhcp off</screen>

    <para>
      A DHCP server provides a list of registered nameservers, but does
      not map servers from the 127/8 network.
    </para>

    <para>
      To start the NAT service, use the following command:
    </para>

<screen>VBoxManage natnetwork start --netname natnet1</screen>

    <para>
      If the network has a DHCP server attached then it will start
      together with the NAT network service.
    </para>

    <para>
      To stop the NAT network service, together with any DHCP server:
    </para>

<screen>VBoxManage natnetwork stop --netname natnet1</screen>

    <para>
      To delete the NAT network service:
    </para>

<screen>VBoxManage natnetwork remove --netname natnet1</screen>

    <para>
      This command does not remove the DHCP server if one is enabled on
      the internal network.
    </para>

    <para>
      Port-forwarding is supported, using the
      <option>--port-forward-4</option> switch for IPv4 and
      <option>--port-forward-6</option> for IPv6. For example:
    </para>

<screen>VBoxManage natnetwork modify \
    --netname natnet1 --port-forward-4 "ssh:tcp:[]:1022:[192.168.15.5]:22"</screen>

    <para>
      This adds a port-forwarding rule from the host's TCP 1022 port to
      the port 22 on the guest with IP address 192.168.15.5. Host port,
      guest port and guest IP are mandatory. The empty host address
      <literal>[]</literal> binds the host port on every host interface,
      which makes the guest's service reachable from the host's network,
      not only from the host itself. To delete the rule, use the
      following command:
    </para>

<screen>VBoxManage natnetwork modify --netname natnet1 --port-forward-4 delete ssh</screen>
799
800 <para>
801 It is possible to bind a NAT service to specified interface. For
802 example:
803 </para>
804
805<screen>VBoxManage setextradata global "NAT/win-nat-test-0/SourceIp4" 192.168.1.185</screen>
806
807 <para>
808 To see the list of registered NAT networks, use the following
809 command:
810 </para>
811
812<screen>VBoxManage list natnetworks</screen>
813
814 <para>
815 NAT networks can also be created, deleted, and configured using
816 the VirtualBox Manager. Click
817 <emphasis role="bold">File</emphasis>,<emphasis role="bold">
818 Preferences</emphasis> and select the
819 <emphasis role="bold">Network</emphasis> page.
820 </para>
821
822 <note>
823 <para>
824 Even though the NAT service separates the VM from the host, the
825 VM has access to the host's loopback interface and the network
826 services running on it. The host's loopback interface is
827 accessible as IP address 10.0.2.2 (assuming the default
828 configuration, in other configurations it's the respective
829 address in the configured IPv4 or IPv6 network range). This
830 access to the host's loopback interface can be extremely useful
831 in some cases, for example when running a web application under
832 development in the VM and the database server on the loopback
833 interface on the host.
834 </para>
835 </note>
836
837 </sect1>
838
  <sect1 id="network_bridged">

    <title>Bridged Networking</title>

    <para>
      With bridged networking, &product-name; uses a device driver on
      your <emphasis>host</emphasis> system that filters data from your
      physical network adapter. This driver is therefore called a
      <emphasis>net filter</emphasis> driver. This enables
      &product-name; to intercept data from the physical network and
      inject data into it, effectively creating a new network interface
      in software. When a guest is using such a new software interface,
      it looks to the host system as though the guest were physically
      connected to the interface using a network cable. The host can
      send data to the guest through that interface and receive data
      from it. This means that you can set up routing or bridging
      between the guest and the rest of your network. Because this
      traffic bypasses the host's own network stack, a bridged guest
      appears on the physical network as a separate machine: it is
      directly reachable from the LAN, and packet filters configured in
      the host's network stack generally do not apply to it.
    </para>

    <note>
      <para>
        Even though TAP interfaces are no longer necessary on Linux for
        bridged networking, you <emphasis>can</emphasis> still use TAP
        interfaces for certain advanced setups, since you can connect a
        VM to any host interface.
      </para>
    </note>

    <para>
      To enable bridged networking, open the
      <emphasis role="bold">Settings</emphasis> dialog of a virtual
      machine, go to the <emphasis role="bold">Network</emphasis> page
      and select <emphasis role="bold">Bridged Network</emphasis> in the
      drop-down list for the <emphasis role="bold">Attached
      To</emphasis> field. Select a host interface from the list at the
      bottom of the page, which contains the physical network interfaces
      of your system. On a typical MacBook, for example, this will
      allow you to select between en1: AirPort, which is the wireless
      interface, and en0: Ethernet, which represents the interface with
      a network cable.
    </para>

    <note>
      <para>
        Bridging to a wireless interface is done differently from
        bridging to a wired interface, because most wireless adapters do
        not support promiscuous mode. All traffic has to use the MAC
        address of the host's wireless adapter, and therefore
        &product-name; needs to replace the source MAC address in the
        Ethernet header of an outgoing packet to make sure the reply
        will be sent to the host interface. When &product-name; sees an
        incoming packet with a destination IP address that belongs to
        one of the virtual machine adapters it replaces the destination
        MAC address in the Ethernet header with the VM adapter's MAC
        address and passes it on. &product-name; examines ARP and DHCP
        packets in order to learn the IP addresses of virtual machines.
      </para>
    </note>

    <para>
      Depending on your host operating system, the following limitations
      apply:
    </para>

    <itemizedlist>

      <listitem>
        <para>
          <emphasis role="bold">Mac OS X hosts.</emphasis> Functionality
          is limited when using AirPort, the Mac's wireless networking
          system, for bridged networking. Currently, &product-name;
          supports only IPv4 and IPv6 over AirPort. For other protocols,
          such as IPX, you must choose a wired interface.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Linux hosts.</emphasis> Functionality is
          limited when using wireless interfaces for bridged networking.
          Currently, &product-name; supports only IPv4 and IPv6 over
          wireless. For other protocols, such as IPX, you must choose a
          wired interface.
        </para>

        <para>
          Also, setting the MTU to less than 1500 bytes on wired
          interfaces provided by the sky2 driver on the Marvell Yukon II
          EC Ultra Ethernet NIC is known to cause packet losses under
          certain conditions.
        </para>

        <para>
          Some adapters strip VLAN tags in hardware. This does not allow
          you to use VLAN trunking between VM and the external network
          with pre-2.6.27 Linux kernels, or with host operating systems
          other than Linux.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Oracle Solaris hosts.</emphasis> There
          is no support for using wireless interfaces. Filtering guest
          traffic using IPFilter is also not completely supported due to
          technical restrictions of the Oracle Solaris networking
          subsystem. These issues may be addressed in later releases of
          Oracle Solaris 11.
        </para>

        <para>
          On Oracle Solaris 11 hosts build 159 and above, it is possible
          to use Oracle Solaris Crossbow Virtual Network Interfaces
          (VNICs) directly with &product-name; without any additional
          configuration other than each VNIC must be exclusive for every
          guest network interface.
        </para>

        <para>
          When using VLAN interfaces with &product-name;, they must be
          named according to the PPA-hack naming scheme, such as
          e1000g513001. Otherwise, the guest may receive packets in an
          unexpected format.
        </para>
      </listitem>

    </itemizedlist>
966
967 </sect1>
968
969 <sect1 id="network_internal">
970
971 <title>Internal Networking</title>
972
973 <para>
974 Internal Networking is similar to bridged networking in that the
975 VM can directly communicate with the outside world. However, the
976 outside world is limited to other VMs on the same host which
977 connect to the same internal network.
978 </para>
979
980 <para>
981 Even though, technically, everything that can be done using
982 internal networking can also be done using bridged networking,
983 there are security advantages to internal networking. In bridged
984 networking mode, all traffic goes through a physical interface of
985 the host system. It is therefore possible to attach a packet
986 sniffer such as Wireshark to the host interface and log all
987 traffic that goes over it. If, for any reason, you prefer two or
988 more VMs on the same machine to communicate privately, hiding
989 their data from both the host system and the user, bridged
990 networking is therefore not an option.
991 </para>
992
993 <para>
994 Internal networks are created automatically as needed. There is no
995 central configuration. Every internal network is identified simply
996 by its name. Once there is more than one active virtual network
997 card with the same internal network ID, the &product-name; support
998 driver will automatically <emphasis>wire</emphasis> the cards and
999 act as a network switch. The &product-name; support driver
1000 implements a complete Ethernet switch and supports both
1001 broadcast/multicast frames and promiscuous mode.
1002 </para>
1003
1004 <para>
1005 In order to attach a VM's network card to an internal network, set
1006 its networking mode to Internal Networking. There are two ways to
1007 accomplish this:
1008 </para>
1009
1010 <itemizedlist>
1011
1012 <listitem>
1013 <para>
1014 Use the VM's <emphasis role="bold">Settings</emphasis> dialog
1015 in the VirtualBox Manager. In the
1016 <emphasis role="bold">Network</emphasis> category of the
1017 settings dialog, select <emphasis role="bold">Internal
1018 Network</emphasis> from the drop-down list of networking
1019 modes. Select the name of an existing internal network from
1020 the drop-down list below, or enter a new name into the
1021 <emphasis role="bold">Name</emphasis> field.
1022 </para>
1023 </listitem>
1024
1025 <listitem>
1026 <para>
1027 Use the command line, for example:
1028 </para>
1029
1030<screen>VBoxManage modifyvm "VM name" --nic&lt;x&gt; intnet</screen>
1031
1032 <para>
1033 Optionally, you can specify a network name with the command:
1034 </para>
1035
1036<screen>VBoxManage modifyvm "VM name" --intnet&lt;x&gt; "network name"</screen>
1037
1038 <para>
1039 If you do not specify a network name, the network card will be
1040 attached to the network <literal>intnet</literal> by default.
1041 </para>
1042 </listitem>
1043
1044 </itemizedlist>
1045
1046 <para>
1047 Unless you configure the virtual network cards in the guest
1048 operating systems that are participating in the internal network
1049 to use static IP addresses, you may want to use the DHCP server
1050 that is built into &product-name; to manage IP addresses for the
1051 internal network. See <xref linkend="vboxmanage-dhcpserver" />.
1052 </para>
1053
1054 <para>
1055 As a security measure, by default, the Linux implementation of
1056 internal networking only allows VMs running under the same user ID
1057 to establish an internal network. However, it is possible to
1058 create a shared internal networking interface, accessible by users
1059 with different user IDs.
1060 </para>
1061
1062 </sect1>
1063
1064 <sect1 id="network_hostonly">
1065
1066 <title>Host-Only Networking</title>
1067
1068 <para>
1069 Host-only networking can be thought of as a hybrid between the
1070 bridged and internal networking modes. As with bridged networking,
1071 the virtual machines can talk to each other and the host as if
1072 they were connected through a physical Ethernet switch. As with
1073 internal networking, a physical networking interface need not be
1074 present, and the virtual machines cannot talk to the world outside
1075 the host since they are not connected to a physical networking
1076 interface.
1077 </para>
1078
1079 <para>
1080 When host-only networking is used, &product-name; creates a new
1081 software interface on the host which then appears next to your
1082 existing network interfaces. In other words, whereas with bridged
1083 networking an existing physical interface is used to attach
1084 virtual machines to, with host-only networking a new
1085 <emphasis>loopback</emphasis> interface is created on the host.
1086 And whereas with internal networking, the traffic between the
1087 virtual machines cannot be seen, the traffic on the loopback
1088 interface on the host can be intercepted.
1089 </para>
1090
1091 <note>
1092 <para>
1093 Hosts running recent Mac OS X versions do not support host-only
1094 adapters. These adapters are replaced by host-only networks,
1095 which define a network mask and an IP address range, where the
1096 host network interface receives the lowest address in the range.
1097 </para>
1098 <para>
1099 The host network interface gets added and removed dynamically
1100 by the operating system, whenever a host-only network is used
1101 by virtual machines.
1102 </para>
1103 </note>
1104
1105 <para>
1106 Host-only networking is particularly useful for preconfigured
1107 virtual appliances, where multiple virtual machines are shipped
1108 together and designed to cooperate. For example, one virtual
1109 machine may contain a web server and a second one a database, and
1110 since they are intended to talk to each other, the appliance can
1111 instruct &product-name; to set up a host-only network for the two.
1112 A second, bridged, network would then connect the web server to
1113 the outside world to serve data to, but the outside world cannot
1114 connect to the database.
1115 </para>
1116
1117 <para>
1118 To enable a host-only network interface for a virtual machine, do
1119 either of the following:
1120 </para>
1121
1122 <itemizedlist>
1123
1124 <listitem>
1125 <para>
1126 Go to the <emphasis role="bold">Network</emphasis> page in the
1127 virtual machine's <emphasis role="bold">Settings</emphasis>
1128 dialog and select an <emphasis role="bold">Adapter</emphasis>
1129 tab. Ensure that the <emphasis role="bold">Enable Network
1130 Adapter</emphasis> check box is selected and choose
1131 <emphasis role="bold">Host-Only Adapter</emphasis> for the
1132 <emphasis role="bold">Attached To</emphasis> field.
1133 </para>
1134 </listitem>
1135
1136 <listitem>
1137 <para>
1138 On the command line, use <command>VBoxManage modifyvm
1139 <replaceable>"vmname"</replaceable>
1140 --nic<replaceable>x</replaceable> hostonly</command>. See
1141 <xref linkend="vboxmanage-modifyvm" />.
1142 </para>
1143 </listitem>
1144
1145 </itemizedlist>
1146
1147 <para>
1148 For host-only networking, as with internal networking, you may
1149 find the DHCP server that is built into &product-name; useful.
1150 This is enabled by default and manages the IP addresses in the
1151 host-only network. Without the DHCP server you would need to
1152 configure all IP addresses statically.
1153 </para>
1154
1155 <itemizedlist>
1156
1157 <listitem>
1158 <para>
1159 In the VirtualBox Manager you can configure the DHCP server by
1160 choosing <emphasis role="bold">File</emphasis>,
1161 <emphasis role="bold">Host Network Manager</emphasis>. The
1162 Host Network Manager lists all host-only networks which are
1163 presently in use. Select the network name and then use the
1164 <emphasis role="bold">DHCP Server</emphasis> tab to configure
1165 DHCP server settings.
1166 </para>
1167 </listitem>
1168
1169 <listitem>
1170 <para>
1171 Alternatively, you can use the <command>VBoxManage
1172 dhcpserver</command> command. See
1173 <xref linkend="vboxmanage-dhcpserver" />.
1174 </para>
1175 </listitem>
1176
1177 </itemizedlist>
1178
1179 <note>
1180 <para>
1181 On Linux and Mac OS X hosts the number of host-only interfaces
1182 is limited to 128. There is no such limit for Oracle Solaris and
1183 Windows hosts.
1184 </para>
1185 </note>
1186
1187 <para>
1188 On Linux, Mac OS X and Solaris, &product-name; only allows IP
1189 addresses in the 192.168.56.0/21 range to be assigned to host-only
1190 adapters. For IPv6, only link-local addresses are allowed. If other
1191 ranges are desired, they can be enabled by creating
1192 <filename>/etc/vbox/networks.conf</filename> and specifying allowed
1193 ranges there. For example, to allow the 10.0.0.0/8 and 192.168.0.0/16
1194 IPv4 ranges as well as the 2001::/64 IPv6 range, put the following lines into
1195 <filename>/etc/vbox/networks.conf</filename>:
1196 <screen>
1197 * 10.0.0.0/8 192.168.0.0/16
1198 * 2001::/64
1199 </screen>
1200 Lines starting with the hash <literal>#</literal> are ignored. The next
1201 example allows any addresses, effectively disabling range control:
1202 <screen>
1203 * 0.0.0.0/0 ::/0
1204 </screen>
1205 If the file exists, but no ranges are specified in it, no addresses
1206 will be assigned to host-only adapters. The following example
1207 effectively disables all ranges:
1208 <screen>
1209 # No addresses are allowed for host-only adapters
1210 </screen>
1211 </para>
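 <para>
 The following Python script is an added example; it is not part of the
 &product-name; manual or code base. It models the allowed-range policy
 described above so that a candidate host-only address can be checked
 against a <filename>networks.conf</filename> body before it is assigned,
 covering the three cases the text names: a missing file (built-in
 defaults), explicit ranges, and a file that lists no ranges at all.
 Only the two line forms documented here are handled (lines starting with
 <literal>*</literal> list allowed ranges, lines starting with
 <literal>#</literal> are comments); ignoring any other line form,
 modelling the IPv6 link-local default as <literal>fe80::/10</literal>,
 and representing a missing file as <literal>None</literal> are
 assumptions of the example.
 </para>

```python
import ipaddress

# Built-in policy on Linux, Mac OS X and Solaris hosts when no
# /etc/vbox/networks.conf exists: 192.168.56.0/21 plus IPv6 link-local.
# Modelling link-local as fe80::/10 is an assumption of this example.
DEFAULT_RANGES = (
    ipaddress.ip_network("192.168.56.0/21"),
    ipaddress.ip_network("fe80::/10"),
)


def parse_networks_conf(text):
    """Return the allowed networks declared in a networks.conf body.

    Lines starting with '*' list allowed ranges; lines starting with '#'
    are comments.  Blank lines and any other line form are ignored here
    (assumption: the manual documents only those two forms).  An empty
    result means the file exists but allows nothing.
    """
    allowed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("*"):
            continue
        for token in line[1:].split():
            allowed.append(ipaddress.ip_network(token, strict=False))
    return allowed


def allowed_ranges(conf_text=None):
    """conf_text=None models a missing file, so the built-in defaults apply."""
    if conf_text is None:
        return list(DEFAULT_RANGES)
    return parse_networks_conf(conf_text)


def address_allowed(addr, conf_text=None):
    """True if addr may be assigned to a host-only adapter under this policy.

    ipaddress never matches a v4 address against a v6 network (or vice
    versa), so mixed-family ranges in one policy are handled correctly.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowed_ranges(conf_text))


def explain(conf_text=None):
    """Human-readable summary of what a policy permits."""
    ranges = allowed_ranges(conf_text)
    if not ranges:
        return "no addresses may be assigned to host-only adapters"
    return "allowed: " + " ".join(str(net) for net in ranges)


if __name__ == "__main__":
    # The three bodies shown in the manual, reproduced as constructed input.
    examples = {
        "missing file": None,
        "explicit ranges": "* 10.0.0.0/8 192.168.0.0/16\n* 2001::/64\n",
        "range control off": "* 0.0.0.0/0 ::/0\n",
        "everything denied": "# No addresses are allowed for host-only adapters\n",
    }
    for label, body in examples.items():
        print(f"{label:18} {explain(body)}")
        for candidate in ("192.168.56.1", "10.1.2.3", "fe80::1", "2001::5"):
            verdict = "allowed" if address_allowed(candidate, body) else "denied"
            print(f"    {candidate:14} {verdict}")
```

 <para>
 Run without arguments the script walks the manual's three sample
 policies and the built-in default. The useful edge case is the last one:
 a file that contains only a comment yields an empty range list, which
 the check correctly reports as denying every address, exactly as the
 text describes.
 </para>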
1212
1213 </sect1>
1214
1215 <sect1 id="network_udp_tunnel">
1216
1217 <title>UDP Tunnel Networking</title>
1218
1219 <para>
1220 This networking mode enables you to interconnect virtual machines
1221 running on different hosts.
1222 </para>
1223
1224 <para>
1225 Technically this is done by encapsulating Ethernet frames sent or
1226 received by the guest network card into UDP/IP datagrams, and
1227 sending them over any network available to the host.
1228 </para>
1229
1230 <para>
1231 UDP Tunnel mode has the following parameters:
1232 </para>
1233
1234 <itemizedlist>
1235
1236 <listitem>
1237 <para>
1238 <emphasis role="bold">Source UDP port:</emphasis> The port on
1239 which the host listens. Datagrams arriving on this port from
1240 any source address will be forwarded to the receiving part of
1241 the guest network card.
1242 </para>
1243 </listitem>
1244
1245 <listitem>
1246 <para>
1247 <emphasis role="bold">Destination address:</emphasis> IP
1248 address of the target host of the transmitted data.
1249 </para>
1250 </listitem>
1251
1252 <listitem>
1253 <para>
1254 <emphasis role="bold">Destination UDP port:</emphasis> Port
1255 number to which the transmitted data is sent.
1256 </para>
1257 </listitem>
1258
1259 </itemizedlist>
1260
1261 <para>
1262 When interconnecting two virtual machines on two different hosts,
1263 their IP addresses must be swapped: each VM's destination address
1264 is the address of the other host. On a single host, the source and
1265 destination UDP ports must be swapped.
1266 </para>
1266
1267 <para>
1268 In the following example, host 1 uses the IP address 10.0.0.1 and
1269 host 2 uses IP address 10.0.0.2. To configure using the
1270 command-line:
1271 </para>
1272
1273<screen> VBoxManage modifyvm "VM 01 on host 1" --nic&lt;x&gt; generic
1274 VBoxManage modifyvm "VM 01 on host 1" --nic-generic-drv&lt;x&gt; UDPTunnel
1275 VBoxManage modifyvm "VM 01 on host 1" --nic-property&lt;x&gt; dest=10.0.0.2
1276 VBoxManage modifyvm "VM 01 on host 1" --nic-property&lt;x&gt; sport=10001
1277 VBoxManage modifyvm "VM 01 on host 1" --nic-property&lt;x&gt; dport=10002</screen>
1278
1279<screen> VBoxManage modifyvm "VM 02 on host 2" --nic&lt;y&gt; generic
1280 VBoxManage modifyvm "VM 02 on host 2" --nic-generic-drv&lt;y&gt; UDPTunnel
1281 VBoxManage modifyvm "VM 02 on host 2" --nic-property&lt;y&gt; dest=10.0.0.1
1282 VBoxManage modifyvm "VM 02 on host 2" --nic-property&lt;y&gt; sport=10002
1283 VBoxManage modifyvm "VM 02 on host 2" --nic-property&lt;y&gt; dport=10001</screen>
1284
1285 <para>
1286 Of course, you can always interconnect two virtual machines on the
1287 same host, by setting the destination address parameter to
1288 127.0.0.1 on both. It will act similarly to an internal network in
1289 this case. However, the host can see the network traffic which it
1290 could not in the normal internal network case.
1291 </para>
1292
1293 <note>
1294 <para>
1295 On UNIX-based hosts, such as Linux, Oracle Solaris, and Mac OS
1296 X, it is not possible to bind to ports below 1024 from
1297 applications that are not run by <literal>root</literal>. As a
1298 result, if you try to configure such a source UDP port, the VM
1299 will refuse to start.
1300 </para>
1301 </note>
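 <para>
 The following Python code is an added example and not part of the
 &product-name; manual or project. It renders the five
 <command>VBoxManage modifyvm</command> calls for each end of a UDP
 tunnel and checks the two ends against the rules above: each end's
 <literal>dest</literal> must be the other host, <literal>sport</literal>
 and <literal>dport</literal> must be swapped between the ends, and a
 source port below 1024 stops the VM from starting on UNIX-based hosts
 unless it is run by root. The <literal>TunnelEnd</literal> class, its
 <literal>host_ip</literal> field (the host's own address, which is not a
 VBoxManage setting) and the <literal>unix_hosts</literal> flag are
 constructs of the example; the two sample ends reuse the manual's
 10.0.0.1/10.0.0.2 and 10001/10002 values.
 </para>

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelEnd:
    """One side of a UDP tunnel: the adapter settings plus the host it runs on."""
    vm_name: str   # VM whose adapter carries the tunnel
    nic: int       # adapter slot, the number appended to --nic
    host_ip: str   # IP address of the host running this VM (not a VBoxManage setting)
    dest: str      # --nic-property dest=
    sport: int     # --nic-property sport=  (port the host listens on)
    dport: int     # --nic-property dport=  (port the datagrams are sent to)


def vboxmanage_commands(end):
    """Render the five VBoxManage calls the manual uses for one tunnel end."""
    base = f'VBoxManage modifyvm "{end.vm_name}"'
    return [
        f"{base} --nic{end.nic} generic",
        f"{base} --nic-generic-drv{end.nic} UDPTunnel",
        f"{base} --nic-property{end.nic} dest={end.dest}",
        f"{base} --nic-property{end.nic} sport={end.sport}",
        f"{base} --nic-property{end.nic} dport={end.dport}",
    ]


def check_pair(a, b, unix_hosts=True):
    """Return the list of configuration problems for two ends; [] means consistent.

    Rules taken from the manual: each end's dest must be the peer's host,
    sport and dport must be swapped between the two ends, and on UNIX-based
    hosts a source port below 1024 makes the VM refuse to start unless it is
    run by root.  Nothing here authenticates the peer: datagrams arriving on
    sport from any source address are forwarded to the guest adapter.
    """
    problems = []
    for end, peer in ((a, b), (b, a)):
        if end.dest != peer.host_ip:
            problems.append(f"{end.vm_name}: dest {end.dest} is not the peer host {peer.host_ip}")
        if end.dport != peer.sport:
            problems.append(f"{end.vm_name}: dport {end.dport} does not match peer sport {peer.sport}")
        for label, port in (("sport", end.sport), ("dport", end.dport)):
            if port > 65535 or 1 > port:
                problems.append(f"{end.vm_name}: {label} {port} is not a valid UDP port")
        if unix_hosts and 1024 > end.sport:
            problems.append(f"{end.vm_name}: sport {end.sport} is below 1024; "
                            "VM will refuse to start unless run by root")
    # Two ends on one host (dest 127.0.0.1 on both) cannot share a listening port.
    if a.host_ip == b.host_ip and a.sport == b.sport:
        problems.append("both ends run on one host but listen on the same source port")
    return problems


# The manual's two-host example, as constructed input.
HOST1_VM = TunnelEnd("VM 01 on host 1", 1, "10.0.0.1", dest="10.0.0.2", sport=10001, dport=10002)
HOST2_VM = TunnelEnd("VM 02 on host 2", 1, "10.0.0.2", dest="10.0.0.1", sport=10002, dport=10001)

if __name__ == "__main__":
    for end in (HOST1_VM, HOST2_VM):
        print("\n".join(vboxmanage_commands(end)))
        print()
    print("problems:", check_pair(HOST1_VM, HOST2_VM) or "none")
```

 <para>
 Passing the check says nothing about who can reach the tunnel: as
 described above, datagrams arriving on the source port from any source
 address are forwarded to the guest adapter, so the tunnel itself carries
 no authentication and the surrounding network still has to restrict who
 can send to that port.
 </para>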
1302
1303 </sect1>
1304
1305 <sect1 id="network_vde">
1306
1307 <title>VDE Networking</title>
1308
1309 <para>
1310 Virtual Distributed Ethernet (VDE) is a flexible, virtual network
1311 infrastructure system, spanning across multiple hosts in a secure
1312 way. It enables L2/L3 switching, including spanning-tree protocol,
1313 VLANs, and WAN emulation. It is an optional part of &product-name;
1314 which is only included in the source code.
1315 </para>
1316
1317 <para>
1318 VDE is a project developed by Renzo Davoli, Associate Professor at
1319 the University of Bologna, Italy.
1320 </para>
1321
1322 <para>
1323 The basic building blocks of the infrastructure are VDE switches,
1324 VDE plugs, and VDE wires which interconnect the switches.
1325 </para>
1326
1327 <para>
1328 The &product-name; VDE driver has a single parameter: VDE network.
1329 This is the name of the VDE network switch socket to which the VM
1330 will be connected.
1331 </para>
1332
1333 <para>
1334 The following basic example shows how to connect a virtual machine
1335 to a VDE switch.
1336 </para>
1337
1338 <orderedlist>
1339
1340 <listitem>
1341 <para>
1342 Create a VDE switch:
1343 </para>
1344
1345<screen>vde_switch -s /tmp/switch1</screen>
1346 </listitem>
1347
1348 <listitem>
1349 <para>
1350 Configure VMs using the command-line:
1351 </para>
1352
1353<screen>VBoxManage modifyvm "VM name" --nic&lt;x&gt; generic</screen>
1354
1355<screen>VBoxManage modifyvm "VM name" --nic-generic-drv&lt;x&gt; VDE</screen>
1356
1357 <para>
1358 To connect to an automatically allocated switch port:
1359 </para>
1360
1361<screen>VBoxManage modifyvm "VM name" --nic-property&lt;x&gt; network=/tmp/switch1</screen>
1362
1363 <para>
1364 To connect to a specific switch port
1365 <replaceable>n</replaceable>:
1366 </para>
1367
1368<screen>VBoxManage modifyvm "VM name" --nic-property&lt;x&gt; network=/tmp/switch1[&lt;n&gt;]</screen>
1369
1370 <para>
1371 This command can be useful for VLANs.
1372 </para>
1373 </listitem>
1374
1375 <listitem>
1376 <para>
1377 (Optional) Map between a VDE switch port and a VLAN.
1378 </para>
1379
1380 <para>
1381 Using the switch command line:
1382 </para>
1383
1384<screen>vde$ vlan/create &lt;VLAN&gt;</screen>
1385
1386<screen>vde$ port/setvlan &lt;port&gt; &lt;VLAN&gt;</screen>
1387 </listitem>
1388
1389 </orderedlist>
1390
1391 <para>
1392 VDE is available on Linux and FreeBSD hosts only. It is only
1393 available if the VDE software and the VDE plugin library from the
1394 VirtualSquare project are installed on the host system.
1395 </para>
1396
1397 <note>
1398 <para>
1399 For Linux hosts, the shared library libvdeplug.so must be
1400 available in the search path for shared libraries.
1401 </para>
1402 </note>
1403
1404 <para>
1405 For more information on setting up VDE networks, please see the
1406 documentation accompanying the software. See also
1407 <ulink url="http://wiki.virtualsquare.org" />.
1408 </para>
1409
1410 </sect1>
1411
1412 <sect1 id="network_bandwidth_limit">
1413
1414 <title>Limiting Bandwidth for Network Input/Output</title>
1415
1416 <para>
1417 &product-name; supports limiting of the maximum bandwidth used for
1418 network transmission. Several network adapters of one VM may share
1419 limits through bandwidth groups. It is possible to have more than
1420 one such limit.
1421 </para>
1422
1423 <note>
1424 <para>
1425 &product-name; shapes VM traffic only in the transmit direction,
1426 delaying the packets being sent by virtual machines. It does not
1427 limit the traffic being received by virtual machines.
1428 </para>
1429 </note>
1430
1431 <para>
1432 Limits are configured through <command>VBoxManage</command>. The
1433 following example creates a bandwidth group named Limit, sets the
1434 limit to 20 Mbps and assigns the group to the first and second
1435 adapters of the VM:
1436 </para>
1437
1438<screen>VBoxManage bandwidthctl "VM name" add Limit --type network --limit 20m
1439VBoxManage modifyvm "VM name" --nicbandwidthgroup1 Limit
1440VBoxManage modifyvm "VM name" --nicbandwidthgroup2 Limit</screen>
1441
1442 <para>
1443 All adapters in a group share the bandwidth limit, meaning that in
1444 the example above the bandwidth of both adapters combined can
1445 never exceed 20 Mbps. However, if one adapter does not require
1446 bandwidth the other can use the remaining bandwidth of its group.
1447 </para>
1448
1449 <para>
1450 The limits for each group can be changed while the VM is running,
1451 with changes being picked up immediately. The following example
1452 changes the limit for the group created in the previous example to
1453 100 Kbps:
1454 </para>
1455
1456<screen>VBoxManage bandwidthctl "VM name" set Limit --limit 100k</screen>
1457
1458 <para>
1459 To completely disable shaping for the first adapter of a VM, use the
1460 following command:
1461 </para>
1462
1463<screen>VBoxManage modifyvm "VM name" --nicbandwidthgroup1 none</screen>
1464
1465 <para>
1466 It is also possible to disable shaping for all adapters assigned
1467 to a bandwidth group while the VM is running, by specifying a zero
1468 limit for the group. For example, for the bandwidth group named
1469 Limit:
1470 </para>
1471
1472<screen>VBoxManage bandwidthctl "VM name" set Limit --limit 0</screen>
1473
1474 </sect1>
1475
1476 <sect1 id="network_performance">
1477
1478 <title>Improving Network Performance</title>
1479
1480 <para>
1481 &product-name; provides a variety of virtual network adapters that
1482 can be attached to the host's network in a number of ways.
1483 Depending on which types of adapters and attachments are used, the
1484 network performance will differ. Performance-wise, the virtio
1485 network adapter is preferable to the Intel PRO/1000 emulated
1486 adapters, which are preferred over the PCNet family of adapters.
1487 Both virtio and Intel PRO/1000 adapters enjoy the benefit of
1488 segmentation and checksum offloading. Segmentation offloading is
1489 essential for high performance as it allows for fewer context
1490 switches, dramatically increasing the sizes of packets that cross
1491 the VM/host boundary.
1492 </para>
1493
1494 <note>
1495 <para>
1496 Neither virtio nor Intel PRO/1000 drivers for Windows XP support
1497 segmentation offloading. Therefore Windows XP guests never reach
1498 the same transmission rates as other guest types. Refer to MS
1499 Knowledge base article 842264 for additional information.
1500 </para>
1501 </note>
1502
1503 <para>
1504 The Internal, Bridged, and Host-Only attachment types have
1505 nearly identical performance. The Internal type is a little
1506 faster and uses fewer CPU cycles, as the packets never reach the
1507 host's network stack. The NAT attachment type is the slowest and
1508 most secure of all attachment types, as it provides network
1509 address translation. The generic driver attachment is special and
1510 cannot be considered as an alternative to the other attachment types.
1511 </para>
1512
1513 <para>
1514 The number of CPUs assigned to a VM does not improve network
1515 performance and in some cases may hurt it due to increased
1516 concurrency in the guest.
1517 </para>
1518
1519 <para>
1520 Here is a short summary of things to check in order to improve
1521 network performance:
1522 </para>
1523
1524 <itemizedlist>
1525
1526 <listitem>
1527 <para>
1528 Whenever possible use the virtio network adapter. Otherwise,
1529 use one of the Intel PRO/1000 adapters.
1530 </para>
1531 </listitem>
1532
1533 <listitem>
1534 <para>
1535 Use a Bridged attachment instead of NAT.
1536 </para>
1537 </listitem>
1538
1539 <listitem>
1540 <para>
1541 Make sure segmentation offloading is enabled in the guest OS.
1542 Usually it will be enabled by default. You can check and
1543 modify offloading settings using the
1544 <command>ethtool</command> command on Linux guests.
1545 </para>
1546 </listitem>
1547
1548 <listitem>
1549 <para>
1550 Perform a full detailed analysis of network traffic on the
1551 VM's network adaptor using a third-party tool such as
1552 Wireshark. To do this, a promiscuous mode policy needs to be
1553 used on the VM's network adaptor. Use of this mode is only
1554 possible on the following network types: NAT Network, Bridged
1555 Adapter, Internal Network, and Host-Only Adapter.
1556 </para>
1557
1558 <para>
1559 To set up a promiscuous mode policy, either select from the
1560 drop-down list located in the <emphasis role="bold">Network
1561 Settings</emphasis> dialog for the network adaptor or use the
1562 command line tool <command>VBoxManage</command>. See
1563 <xref linkend="vboxmanage-modifyvm" />.
1564 </para>
1565
1566 <para>
1567 Promiscuous mode policies are as follows:
1568 </para>
1569
1570 <itemizedlist>
1571
1572 <listitem>
1573 <para>
1574 <literal>deny</literal>, which hides any traffic not
1575 intended for the VM's network adaptor. This is the default
1576 setting.
1577 </para>
1578 </listitem>
1579
1580 <listitem>
1581 <para>
1582 <literal>allow-vms</literal>, which hides all host traffic
1583 from the VM's network adaptor, but allows it to see
1584 traffic from and to other VMs.
1585 </para>
1586 </listitem>
1587
1588 <listitem>
1589 <para>
1590 <literal>allow-all</literal>, which removes all
1591 restrictions. The VM's network adaptor sees all traffic.
1592 </para>
1593 </listitem>
1594
1595 </itemizedlist>
1596 </listitem>
1597
1598 </itemizedlist>
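 <para>
 The Python script below is an added example, not part of the
 &product-name; manual or code base. It parses
 <literal>key="value"</literal> lines in the shape of
 <command>VBoxManage showvminfo --machinereadable</command> output and
 reports, per adapter, which attachment type is in use and which
 promiscuous mode policy applies, using the visibility properties this
 chapter describes: bridged traffic crosses a host interface, host-only
 traffic can be intercepted on the host, internal network traffic is
 hidden from the host, and any policy other than <literal>deny</literal>
 lets the adapter see traffic not addressed to it. The key names
 (<literal>nicN</literal>, <literal>nicpromiscN</literal>,
 <literal>bridgeadapterN</literal>, <literal>hostonlyadapterN</literal>,
 <literal>intnetN</literal>), the severity labels and the sample VM are
 assumptions constructed for the example, not captured output.
 </para>

```python
import re

NIC_KEY = re.compile(r"^nic(\d+)$")

# Constructed sample in the key="value" shape of
# VBoxManage showvminfo "vmname" --machinereadable (assumed format, not real output).
SAMPLE_VMINFO = """\
name="web01"
nic1="bridged"
bridgeadapter1="eth0"
nictype1="virtio"
nicpromisc1="allow-all"
nic2="intnet"
intnet2="backend"
nicpromisc2="deny"
nic3="hostonly"
hostonlyadapter3="vboxnet0"
nicpromisc3="allow-vms"
nic4="generic"
nicpromisc4="deny"
nic5="nat"
nic6="none"
"""


def parse_machinereadable(text):
    """Turn key="value" lines into a dict; lines without '=' are skipped."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"')
    return info


def audit_nics(info):
    """Return (slot, attachment, severity, reason) findings for every active adapter.

    Severities (labels chosen for this example): "info" records where the
    traffic can be observed, "review" marks attachments that expose the VM
    beyond the host or bypass the normal modes, "warn" marks a non-default
    promiscuous mode policy.  Disabled ("none") and unattached ("null")
    slots produce no finding; NAT produces none because the host translates
    the traffic and the guest is not directly reachable.
    """
    findings = []
    for key, attachment in info.items():
        match = NIC_KEY.match(key)
        if not match or attachment in ("none", "null"):
            continue
        slot = int(match.group(1))
        if attachment == "bridged":
            iface = info.get(f"bridgeadapter{slot}", "?")
            findings.append((slot, attachment, "review",
                             f"frames traverse host interface {iface}; visible to a "
                             "sniffer there and reachable from the physical network"))
        elif attachment == "hostonly":
            iface = info.get(f"hostonlyadapter{slot}", "?")
            findings.append((slot, attachment, "info",
                             f"no outside access, but traffic can be intercepted "
                             f"on host interface {iface}"))
        elif attachment == "intnet":
            name = info.get(f"intnet{slot}", "intnet")
            findings.append((slot, attachment, "info",
                             f"wired only to other VMs on internal network '{name}'; "
                             "hidden from the host"))
        elif attachment == "generic":
            findings.append((slot, attachment, "review",
                             "generic driver (UDPTunnel or VDE); check its properties by hand"))
        promisc = info.get(f"nicpromisc{slot}", "deny")
        if promisc != "deny":
            findings.append((slot, attachment, "warn",
                             f"promiscuous mode policy {promisc}: adapter sees "
                             "traffic not addressed to it"))
    findings.sort(key=lambda f: (f[0], f[2]))
    return findings


if __name__ == "__main__":
    vm = parse_machinereadable(SAMPLE_VMINFO)
    print(f"VM {vm.get('name', '?')}:")
    for slot, attachment, severity, reason in audit_nics(vm):
        print(f"  nic{slot} [{attachment:8}] {severity:6} {reason}")
```

 <para>
 In practice the input would be the captured output of
 <command>VBoxManage showvminfo</command> for each VM on the host; the
 audit then gives a quick inventory of which adapters are attached to a
 physical interface, which share an internal network name, and which have
 been switched away from the default <literal>deny</literal> policy.
 </para>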
1599
1600 </sect1>
1601
1602</chapter>