VirtualBox Networking Concepts

From NovaOrdis Knowledge Base

Revision as of 01:58, 26 May 2017

External

Internal

Relevance

This article was written with VirtualBox 5.0.4.

Adapter Type

VirtualBox provides a number of virtual network adapters: Paravirtualized Network (virtio-net), Intel PRO/1000 MT Server (82545EM), PCnet-FAST III, etc.

Performance-wise, the virtio adapter is preferable to Intel PRO/1000, which is preferable to PCnet. virtio and Intel PRO/1000 offer segmentation and checksum offloading. Segmentation offloading is essential for high performance. In order to take advantage of it, make sure segmentation offloading is enabled in the guest OS. For more details see

Segmentation Offloading
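The check the paragraph above asks for, as an added example that is not part of the original article: it reads `ethtool -k` output from a Linux guest and reports whether TCP and generic segmentation offload are on. The interface name eth1 and the sample `ethtool -k` text are constructed so the script runs offline; on a real guest, pipe the live output in instead.

```shell
#!/bin/sh
# Added example (not from the original article): verify inside a Linux guest that
# segmentation offloading is enabled, by parsing `ethtool -k` output.

# Constructed sample of `ethtool -k eth1` for a virtio-net adapter, so the check
# can be exercised offline. On a real guest, feed live ethtool output instead.
SAMPLE_ETHTOOL_K='Features for eth1:
rx-checksumming: on [fixed]
tx-checksumming: on
        tx-checksum-ip-generic: on
scatter-gather: on
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# offload_state FEATURE : reads ethtool -k output on stdin and prints the state
# ("on"/"off") of FEATURE; prints nothing if no such feature line exists.
offload_state() {
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# segmentation_offload_ok : exit 0 when both TCP segmentation offload (TSO) and
# generic segmentation offload (GSO) are on in the ethtool -k text read from stdin.
segmentation_offload_ok() {
    input=$(cat)
    tso=$(printf '%s\n' "$input" | offload_state tcp-segmentation-offload)
    gso=$(printf '%s\n' "$input" | offload_state generic-segmentation-offload)
    [ "$tso" = on ] && [ "$gso" = on ]
}

# ensure_segmentation_offload IFACE : on a real guest, turn TSO/GSO on if they are
# off. Needs root and ethtool; reports and returns 1 when ethtool is missing.
ensure_segmentation_offload() {
    command -v ethtool >/dev/null 2>&1 || { echo "ethtool not installed" >&2; return 1; }
    if ethtool -k "$1" | segmentation_offload_ok; then
        echo "$1: segmentation offloading already on"
    else
        ethtool -K "$1" tso on gso on
    fi
}

# Offline demonstration on the constructed sample:
if printf '%s\n' "$SAMPLE_ETHTOOL_K" | segmentation_offload_ok; then
    echo "sample: segmentation offloading is on"
fi
```

On a guest, `ensure_segmentation_offload eth1` (as root) performs the real check and enables the two features when they are off; note that `ethtool -K` settings do not survive a reboot unless the distribution's network configuration persists them.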

Routing

The typical method of allowing guest external network access is to configure a NAT adapter on the guest. If the guests must be accessible from the host, a second Host-only adapter can be configured for this purpose.

The advantage of this approach is that you can set static addresses for the host-only interfaces, which is a requirement when building topologies for a specific purpose, and the guest VMs can be accessed directly on their interface from processes running on the host.

HostOnlyNAT.png

If assigning static addresses to the host-only network interface is not important, and you want the guest to have external IP access, an alternative is to use a DHCP server on the host-only network. In this case, the guest VMs can still be accessed directly on their interface from processes running on the host. For a diagram of this topology see the Host-only Network and DHCP Server section.

NAT

This is the default and the simplest way to give your guest external access.

Each VM comes pre-configured with a NAT adapter, and it's a good idea to leave it in place even if configuring other types of adapters. It will be configured automatically and it will give your guest access to the internet without opening any inbound access.

This is what a guest configured with NAT and host-only access looks like. eth0 is the internal network interface and eth1 is the NAT adapter over which all outbound public traffic goes.

...

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:80:d5:77 brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.3/24 brd 192.168.7.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe80:d577/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:6b:33:aa brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic eth1
       valid_lft 86382sec preferred_lft 86382sec
    inet6 fe80::a00:27ff:fe6b:33aa/64 scope link 
       valid_lft forever preferred_lft forever
...

NAT Advantage over Bridged Network

NAT gives the guest access to the external internet, handling routing, etc., just as a bridged network does. However, the bridge is tied to a specific network interface, and if that interface does not have connectivity, the guest does not have connectivity either (consider the case where the bridge was attached to a wired interface, and the machine finds itself connecting over a wireless interface). From this perspective, NAT is more convenient, as it handles these details transparently.

NAT Service

A NAT service is a virtual NAT router that creates an internal network and gives all guests on that internal network external access and the ability to communicate with each other. A NAT service is attached to an internal network. At the time of writing (5.0.4) this service is experimental, but it seems very useful.
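The Routing, NAT and NAT Service sections above describe three topologies; the script below, an added example that is neither the article's nor VirtualBox's own code, expresses each of them as VBoxManage commands (static host-only addressing, the DHCP variant, and a NAT service network). The VM name demo-guest, the network name demo-natnet and the 192.168.7.0/24 and 10.0.3.0/24 ranges are constructed placeholders. With DRY_RUN=1 (the default) every command is printed instead of executed, so the plan can be reviewed before it changes a real VirtualBox installation; DRY_RUN=0 runs it.

```shell
#!/bin/sh
# Added example, not from the original article or from VirtualBox: the NAT +
# host-only topology, its DHCP variant, and a NAT service network as VBoxManage
# commands. VM name, network names and address ranges are placeholders.
DRY_RUN="${DRY_RUN:-1}"
VM="${VM:-demo-guest}"                        # placeholder VM name
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"        # VirtualBox's default host-only interface
HOSTONLY_HOST_IP="${HOSTONLY_HOST_IP:-192.168.7.1}"
HOSTONLY_MASK="${HOSTONLY_MASK:-255.255.255.0}"
NATNET="${NATNET:-demo-natnet}"               # placeholder NAT service network name

# vbm ARGS... : run VBoxManage, or print the command line in dry-run mode.
vbm() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'VBoxManage %s\n' "$*"
    else
        VBoxManage "$@"
    fi
}

# Host side of the static host-only topology: create the host-only interface and
# give the host a fixed address on it. Guests then use static addresses in the
# same /24 (the article's guest has 192.168.7.3/24 on this interface).
configure_hostonly_static() {
    vbm hostonlyif create
    vbm hostonlyif ipconfig "$HOSTONLY_IF" --ip "$HOSTONLY_HOST_IP" --netmask "$HOSTONLY_MASK"
}

# Variant: let VirtualBox's built-in DHCP server hand out guest addresses on the
# host-only network instead of configuring them statically in each guest.
configure_hostonly_dhcp() {
    vbm dhcpserver add --ifname "$HOSTONLY_IF" --ip 192.168.7.100 --netmask "$HOSTONLY_MASK" \
        --lowerip 192.168.7.101 --upperip 192.168.7.254 --enable
}

# VM side: adapter 1 stays NAT (outbound-only internet, no inbound exposure),
# adapter 2 joins the host-only network; both use virtio-net for offloading.
configure_vm_nat_hostonly() {
    vbm modifyvm "$VM" --nic1 nat --nictype1 virtio
    vbm modifyvm "$VM" --nic2 hostonly --hostonlyadapter2 "$HOSTONLY_IF" --nictype2 virtio
}

# Alternative for adapter 1: a NAT service, i.e. one internal network whose
# guests reach each other and the internet through a virtual NAT router,
# without any host interface being involved.
configure_nat_service() {
    vbm natnetwork add --netname "$NATNET" --network 10.0.3.0/24 --dhcp on --enable
    vbm modifyvm "$VM" --nic1 natnetwork --nat-network1 "$NATNET"
}

configure_hostonly_static
configure_vm_nat_hostonly
```

Run `configure_hostonly_dhcp` instead of leaving guests static when the DHCP topology is wanted, and `configure_nat_service` when the guests should sit on a NAT service network; the VM must be powered off for `modifyvm` to take effect.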

Bridged Networking

Bridged Networking Overview

With bridged networking, the guest connects to the host network similar to how the host does, gets the same kind of host network address, and the host and guest can talk amongst themselves using host network addresses. A host's physical network interface is used for this.

Bridged Networking Details

With bridged networking, VirtualBox installs a net filter driver on the host system that "filters" data from an existing physical network adapter on the host. This allows VirtualBox to intercept and inject data from/to the physical network interface, effectively creating a new network interface in software. This network interface is visible to the guest: if a guest is configured to use a "Bridged Adapter", the guest "sees" a network interface that behaves as if it were connected to the same network as the physical network adapter it latched onto. If a DHCP server is available on the host's network, the new bridged network interface will automatically get a dynamic IP address. The interface can be used to connect into the guest from the network and can be used by the guest to connect to the network.

The existing physical interface is used to attach virtual machines to.

VirtualBoxBridgedNetworking.png

As an example, the physical network interface on the MacOS host we used is en7:

en7: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
	ether 0c:4d:e9:a8:68:f4 
	inet6 fe80::e4d:e9ff:fea8:68f4%en7 prefixlen 64 scopeid 0x4 
	inet 192.168.1.134 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=1<PERFORMNUD>
	media: autoselect (1000baseT <full-duplex,flow-control>)
	status: active

and the newly created virtual interface on the Linux guest is enp0s3:

2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:f7:35:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.147/24 brd 192.168.1.255 scope global dynamic enp0s3
       valid_lft 85686sec preferred_lft 85686sec
    inet6 fe80::a00:27ff:fef7:357d/64 scope link 
       valid_lft forever preferred_lft forever

Note the different IP address in the same subnet.

Bridging to Wireless Interfaces

Bridging to a wireless interface is done differently from bridging to a wired interface, because most wireless adapters do not support promiscuous mode. All traffic has to use the MAC address of the host’s wireless adapter, and therefore VirtualBox needs to replace the source MAC address in the Ethernet header of an outgoing packet to make sure the reply will be sent to the host interface. When VirtualBox sees an incoming packet with a destination IP address that belongs to one of the virtual machine adapters it replaces the destination MAC address in the Ethernet header with the VM adapter’s MAC address and passes it on. VirtualBox examines ARP and DHCP packets in order to learn the IP addresses of virtual machines.

Bridged Networking Configuration

VirtualBox Bridged Networking Configuration

Internal Networking

Internal Networking Overview

With internal networking, the guests can talk amongst themselves over non-routed traffic and private IP addresses, but the host cannot talk to the guest and vice-versa. A host's physical network interface need not be present.

Internal Networking Details

VirtualBox offers multiple virtual Ethernet switches that can be used by its VMs to communicate amongst themselves. A virtual Ethernet switch supports broadcast, multicast and promiscuous mode. Each virtual Ethernet switch supports one internal network and must have a unique name. In order to "connect" to such a switch, a VM adapter must be configured as "Internal Network" and given the network name.

Internal networks are created automatically as needed. There is no central configuration. Every internal network is identified by its name. As soon as more than one active virtual network card is configured with the same internal network name, VirtualBox automatically "wires" those cards into the same virtual network switch.

The virtual network interfaces thus created can be configured to use static IP addresses or to use the DHCP server that is built into VirtualBox. The configuration procedures are specific to the guest OS. By default, the traffic on the internal network is isolated from everything else (the host and the host's network).

VirtualBoxInternalNetworking.png

Internal Networking and Linux

On Linux, only the VMs running under the same user ID can establish an internal network.

Bridged Network vs. Internal Network

Everything that can be done using an internal network can also be achieved with bridged networking. However, there is an essential difference: with bridged networking, the traffic goes through the physical interface of the host, so it is possible to attach a packet sniffer to the host interface and log all the traffic. For this reason, if you want two or more VMs on the same machine to communicate privately, with their traffic hidden from both the host system and the host network, use an internal network.

Internal Networking Configuration

VirtualBox Internal Networking Configuration

Host-only Networking

Host-only Networking Overview

Host-only networking is similar to internal networking, in that guests talk to an internal virtual Ethernet switch. However, the host can also connect to the switch over a special virtual network interface - and the name of the network interface is the "network name". A host's physical network interface need not be present. In host-only configuration alone, the guests cannot talk to the outside world.

Host-only Networking Details

In order to enable host-only networking, a special software interface needs to be created in the VirtualBox environment (VirtualBox -> Preferences -> Network -> Host-only Networks -> +). This creates a "network" and a virtual interface on the host. The name of that network interface, by default vboxnet0, is the same as the name of the "internal network"/virtual Ethernet switch that this interface and the guests' interfaces connect to.

Since the "host-only networking" traffic goes through an interface exposed on the host, it can be intercepted with a network sniffer. Note that the host is also accessible from the internal network: for example, if an sshd server running on the host listens on the host-only network interface, ssh connections can be initiated from guests to the host.
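The exposure noted in the paragraph above is not specific to sshd: any host service bound to the wildcard address, or to the vboxnet0 address itself, is reachable from every guest on the host-only network. The script below is an added example, not part of the original article, that reads `ss -ltn` output from the host and lists exactly those listeners. The vboxnet0 address 192.168.7.1 and the `ss -ltn` sample are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): list the host's listening TCP
# sockets that guests on the host-only network can reach.
HOSTONLY_ADDR="${HOSTONLY_ADDR:-192.168.7.1}"   # host's address on vboxnet0 (constructed)

# Constructed sample of `ss -ltn` output on the host, header line included.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    192.168.7.1:8080    0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      50     192.168.1.134:3306  0.0.0.0:*'

# hostonly_reachable : reads `ss -ltn` lines on stdin and prints the local
# address:port of each listener a host-only guest can connect to, i.e. sockets
# bound to the wildcard address (0.0.0.0, [::] or *) or to the vboxnet0 address.
# Sockets bound to loopback or to another interface's address (the wired
# 192.168.1.134 here) are not reachable over vboxnet0 and are left out.
hostonly_reachable() {
    awk -v ho="$HOSTONLY_ADDR" '
        $1 == "LISTEN" {
            sock = $4
            n = split(sock, parts, ":")
            port = parts[n]
            addr = substr(sock, 1, length(sock) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*" || addr == ho)
                print sock
        }'
}

# audit_host_listeners : audit the live host when ss is available; otherwise
# fall back to the constructed sample so the logic can still be exercised.
audit_host_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn | hostonly_reachable
    else
        printf '%s\n' "$SAMPLE_SS" | hostonly_reachable
    fi
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SS" | hostonly_reachable
```

On the sample, sshd (bound to 0.0.0.0 and [::]) and the service on 192.168.7.1:8080 are reachable from guests, while PostgreSQL on loopback and MySQL on the wired address are not. To keep a service off the host-only network, bind it to a specific address (for sshd, a `ListenAddress` line in sshd_config) or filter the vboxnet0 interface in the host firewall.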

On Linux and MacOS hosts, the number of host-only interfaces is limited to 128. There's no limit on Windows.

HostOnlyNetworking.png

Host-Only Networking Configuration

VirtualBox Host-Only Networking Configuration

Host-Only Network and DHCP Server

This topology is appropriate when guests need external IP access, direct access to their interface from processes running on the host, and a minimal number of network interfaces (one).

HostOnlyDHCPServer.png

Network Attachment Types and Performance

Internal networking, bridged networking and host-only networking have nearly identical performance, with internal networking being a bit faster and using fewer CPU cycles because the packets never reach the host's network stack. The NAT attachment is the slowest and the safest. The number of CPUs assigned to the VM does not improve network performance.

Internal DHCP Server

TODO