VirtualBox Networking Concepts: Difference between revisions
Revision as of 22:55, 7 January 2016
External
- User Manual Chapter 6 Virtual Networking https://www.virtualbox.org/manual/ch06.html
- https://technology.amis.nl/2014/01/27/a-short-guide-to-networking-in-virtual-box-with-oracle-linux-inside/
Internal
Relevance
This article was written with VirtualBox 5.0.4.
Adapter Type
VirtualBox provides a number of virtual network adapters: Paravirtualized Network (virtio-net), Intel PRO/1000 MT Server (82545EM), PCnet-FAST III, etc.
Performance-wise, the virtio adapter is preferable to Intel PRO/1000, which is preferable to PCnet. virtio and Intel PRO/1000 offer segmentation and checksum offloading. Segmentation offloading is essential for high performance. In order to take advantage of it, make sure segmentation offloading is enabled in the guest OS. For more details see Segmentation Offloading.
Routing
It should be possible to give guests external access by setting up an internal network plus a bridged network adapter on just one of them, then appropriately configuring routing. When I figure this out, update this section. The alternative is to configure a NAT adapter on each guest.
NAT
This is the default and the simplest way to give your guest external access.
Each VM comes pre-configured with a NAT adapter, and it's a good idea to leave it in place even when configuring other types of adapters. It is configured automatically and gives your guest access to the internet without opening any inbound access.
This is how a guest configured with NAT and host-only access looks. eth0 is the internal network interface and eth1 is the NAT adapter that all publicly-outbound traffic goes over.
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:80:d5:77 brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.3/24 brd 192.168.7.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe80:d577/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:6b:33:aa brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic eth1
       valid_lft 86382sec preferred_lft 86382sec
    inet6 fe80::a00:27ff:fe6b:33aa/64 scope link
       valid_lft forever preferred_lft forever
...
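As an added example (not code from the original page), a small parser for the `ip addr` output above that reports which guest interface holds an address in a VirtualBox default NAT subnet, i.e. which adapter is the one carrying outbound internet traffic. The subnet numbering (10.0.2.0/24 for the first NAT adapter, 10.0.3.0/24 for the second, and so on) comes from the VirtualBox manual, not from this page, and the sample text is the page's own output trimmed to the relevant lines.

```python
import re
from ipaddress import IPv4Interface, ip_network

# Constructed sample: the guest `ip addr` output quoted in the NAT section, trimmed to the relevant lines.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:80:d5:77 brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.3/24 brd 192.168.7.255 scope global eth0
    inet6 fe80::a00:27ff:fe80:d577/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:6b:33:aa brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic eth1
"""

# VirtualBox's documented default NAT subnets (assumption from the manual): adapter 1 -> 10.0.2.0/24, adapter 2 -> 10.0.3.0/24, ...
NAT_DEFAULTS = {ip_network(f"10.0.{n}.0/24"): n - 1 for n in range(2, 10)}

IFACE_RE = re.compile(r"^\d+: (\S+): <([^>]*)>")
LINK_RE = re.compile(r"^\s+link/ether (\S+)")
INET_RE = re.compile(r"^\s+inet (\S+) .*?scope (\S+)( dynamic)?")   # 'inet6' lines do not match

def parse_ip_addr(text):
    """Parse `ip addr` text into dicts: name, flags, mac, addrs as [(IPv4Interface, is_dynamic)]."""
    ifaces = []
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            ifaces.append({"name": m.group(1), "flags": set(m.group(2).split(",")), "mac": None, "addrs": []})
        elif ifaces and (m := LINK_RE.match(line)):
            ifaces[-1]["mac"] = m.group(1)
        elif ifaces and (m := INET_RE.match(line)):
            ifaces[-1]["addrs"].append((IPv4Interface(m.group(1)), m.group(3) is not None))
    return ifaces

def classify(iface):
    """Attachment guess: an address in a default NAT subnet means NAT; anything else is host-only,
    internal or bridged, which this output alone cannot tell apart."""
    for addr, _dynamic in iface["addrs"]:
        for net, adapter in NAT_DEFAULTS.items():
            if addr.ip in net:
                return f"nat (default subnet of adapter {adapter})"
    return "other"

def nat_interfaces(text):
    """Names of interfaces with a NAT-range address, i.e. adapters that carry outbound internet traffic."""
    return [i["name"] for i in parse_ip_addr(text) if classify(i).startswith("nat")]
```

Running it against a guest that is meant to sit only on an internal network is a quick check that no NAT path out was left in place.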
NAT Advantage over Bridged Network
NAT gives the guest access to the external internet, handling routing, etc., the same as a bridged network. However, the bridge is tied to a specific network interface, and if that interface has no connectivity, the guest has no connectivity either (consider the case where the bridge was attached to a wired interface and the machine finds itself connecting over a wireless interface). From this perspective, NAT is more convenient, as it handles these details transparently.
NAT Service
A NAT service is a virtual NAT router that allows creating an internal network and gives all guests on that internal network external access and the ability to communicate with each other. A NAT service is attached to an internal network. At the time of writing (5.0.4) this service is experimental, but it seems very useful.
Bridged Networking
Bridged Networking Overview
With bridged networking, the guest connects to the host network similarly to how the host does, gets the same kind of host network address, and the host and guest can talk amongst themselves using host network addresses. A host's physical network interface is used for this.
Bridged Networking Details
With bridged networking, VirtualBox installs a net filter driver on the host system that "filters" data from an existing physical network adapter on the host. This allows VirtualBox to intercept and inject data from/to the physical network interface, effectively creating a new network interface in software. This network interface is visible to the guest: if a guest is configured to use a "Bridged Adapter", that results in the guest "seeing" a network interface that behaves as being connected to the same network as the physical network adapter it latched onto. If a DHCP server is available on the host's network, the new bridged network interface will automatically get a dynamic IP address. The interface can be used to connect into the guest from the network and can be used by the guest to connect to the network.
Virtual machines are attached to the existing physical interface.
As an example, the physical network interface on the MacOS host we used is en7:
en7: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
	ether 0c:4d:e9:a8:68:f4
	inet6 fe80::e4d:e9ff:fea8:68f4%en7 prefixlen 64 scopeid 0x4
	inet 192.168.1.134 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=1<PERFORMNUD>
	media: autoselect (1000baseT <full-duplex,flow-control>)
	status: active
and the newly created virtual interface in the Linux guest is enp0s3:
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:f7:35:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.147/24 brd 192.168.1.255 scope global dynamic enp0s3
       valid_lft 85686sec preferred_lft 85686sec
    inet6 fe80::a00:27ff:fef7:357d/64 scope link
       valid_lft forever preferred_lft forever
Note the different IP address in the same subnet.
Bridging to Wireless Interfaces
Bridging to a wireless interface is done differently from bridging to a wired interface, because most wireless adapters do not support promiscuous mode. All traffic has to use the MAC address of the host’s wireless adapter, and therefore VirtualBox needs to replace the source MAC address in the Ethernet header of an outgoing packet to make sure the reply will be sent to the host interface. When VirtualBox sees an incoming packet with a destination IP address that belongs to one of the virtual machine adapters it replaces the destination MAC address in the Ethernet header with the VM adapter’s MAC address and passes it on. VirtualBox examines ARP and DHCP packets in order to learn the IP addresses of virtual machines.
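The MAC rewriting described above, as an added model written for this page (it is not VirtualBox's driver code and omits the DHCP learning path): outgoing frames from a VM get the host's wireless MAC as source, ARP sender fields are used to learn which IP belongs to which VM adapter, and incoming IPv4 frames whose destination IP is a known VM get their destination MAC retargeted. The MAC and IP values are the ones shown in the bridged networking example above; the helper frames are constructed.

```python
import struct
from ipaddress import IPv4Address
# Model of the wireless-bridging MAC rewriting described above (added illustration, not VirtualBox code).
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s")      # htype, ptype, hlen, plen, op, sender MAC, sender IP
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806

def mac(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)

class WirelessBridge:
    def __init__(self, host_mac):
        self.host_mac = mac(host_mac)      # MAC of the host's wireless adapter
        self.vm_by_ip = {}                 # VM IP -> VM adapter MAC, learned from ARP (DHCP omitted here)

    def outbound(self, frame):
        """Frame from a VM adapter: learn IP/MAC from ARP, then replace the source MAC with the host's."""
        dst, src, etype = ETH_HDR.unpack_from(frame)
        payload = frame[ETH_HDR.size:]
        if etype == ETHERTYPE_ARP and len(payload) >= ARP_HDR.size:
            htype, ptype, hlen, plen, _op, sha, spa = ARP_HDR.unpack_from(payload)
            if (htype, ptype, hlen, plen) == (1, ETHERTYPE_IP, 6, 4):
                self.vm_by_ip[IPv4Address(spa)] = sha
        return ETH_HDR.pack(dst, self.host_mac, etype) + payload

    def inbound(self, frame):
        """Frame from the wireless NIC: if the IPv4 destination is a known VM, retarget the dst MAC."""
        dst, src, etype = ETH_HDR.unpack_from(frame)
        payload = frame[ETH_HDR.size:]
        if etype == ETHERTYPE_IP and len(payload) >= 20:
            vm_mac = self.vm_by_ip.get(IPv4Address(payload[16:20]))   # dst IP at offset 16 of IPv4 header
            if vm_mac is not None:
                return ETH_HDR.pack(vm_mac, src, etype) + payload
        return frame                       # not for a VM: leave it for the host's own stack

    def learned(self, ip):
        m = self.vm_by_ip.get(IPv4Address(ip))
        return mac_str(m) if m else None

def arp_request(src_mac, src_ip, target_ip):
    """Constructed broadcast ARP request as a VM would send it."""
    arp = ARP_HDR.pack(1, ETHERTYPE_IP, 6, 4, 1, mac(src_mac), IPv4Address(src_ip).packed)
    arp += b"\x00" * 6 + IPv4Address(target_ip).packed
    return ETH_HDR.pack(mac("ff:ff:ff:ff:ff:ff"), mac(src_mac), ETHERTYPE_ARP) + arp

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Constructed Ethernet frame with a minimal IPv4 header (checksum left zero; not needed here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return ETH_HDR.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_IP) + ip
```

Note that a frame for a VM the bridge has not yet seen in ARP is left untouched, which is why a guest that never ARPs or uses a static address the bridge has not learned can be unreachable behind a wireless bridge.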
Bridged Networking Configuration
Internal Networking
Internal Networking Overview
With internal networking, the guests can talk amongst themselves over non-routed traffic and private IP addresses, but the host cannot talk to the guest and vice-versa. A host's physical network interface need not be present.
Internal Networking Details
VirtualBox offers multiple virtual Ethernet switches that can be used by its VMs to communicate amongst themselves. An Ethernet switch supports broadcast, multicast and promiscuous mode. Each virtual Ethernet switch supports one internal network and must have a unique name. In order to "connect" to such a switch, a VM adapter must be configured as "Internal Network" and given the network name.
Internal networks are created automatically as needed. There is no central configuration. Every internal network is identified by its name. Once more than one active virtual network card is configured with the same internal network name, VirtualBox automatically "wires" the cards into the same virtual network switch.
The virtual network interfaces so created can be configured to use static IP addresses or to use the DHCP server that is built into VirtualBox. The configuration procedures are specific to the guest OS. By default, the traffic on the internal network is isolated from everything else (the host or the host's network).
Internal Networking and Linux
On Linux, only the VMs running under the same user ID can establish an internal network.
Bridged Network vs. Internal Network
Everything that can be done using an internal network can also be achieved with bridged networking. However, there's an essential difference: with bridged networking, the traffic goes through the physical interface of the host, so it is possible to attach a packet sniffer to the host interface and log all the traffic. For this reason, if you prefer two or more VMs on the same machine to communicate privately, with their traffic hidden from both the host system and the host network, use an internal network.
Internal Networking Configuration
Host-only Networking
Host-only Networking Overview
Host-only networking is similar to internal networking, in that guests talk to an internal virtual Ethernet switch. However, the host can also connect to the switch over a special virtual network interface, and the name of that network interface is the "network name". A host's physical network interface need not be present. In a host-only configuration alone, the guests cannot talk to the outside world.
Host-only Networking Details
In order to enable host-only networking, a special software interface needs to be created in the VirtualBox environment (VirtualBox -> Preferences -> Network -> Host-only networks -> +). This creates a "network" and a virtual interface on the host. The name of that network interface, by default vboxnet0, is the same as the name of the "internal network"/virtual Ethernet switch that this interface and the guests' interfaces connect to.
Since host-only networking traffic goes through an interface exposed on the host, it can be intercepted with a network sniffer on the host. Note that the host will also be accessible from the internal network: for example, if an sshd server running on the host listens on the host-only network interface, ssh connections can be initiated from guests to the host.
On Linux and MacOS hosts, the number of host-only interfaces is limited to 128. There's no limit on Windows.
Host-Only Networking Configuration
Network Attachment Types and Performance
Internal networking, bridged networking and host-only networking have nearly identical performance, with internal being a bit faster and using fewer CPU cycles because the packets never reach the host's network stack. The NAT attachment is the slowest and the safest.
The number of CPUs assigned to the VM does not improve network performance.
Internal DHCP Server