Technology and Software, Tips

VirtualBox 4: NAT + Bridged Networking

VirtualBox networking gives us several options. NAT is interesting because it protects our guest systems from the Internet but it’s annoying we need to setup port forwarding to access the guests from the host (I have servers on some guests). Bridged Networking solves that problem easily, but the guests are exposed (not acceptable) and it seems that the communication between guest and hosts is routed outside the machine: in my case the bytes go to the switch my ISP installed in my home and that’s does only 10 Mb/s. I can probably setup some manual routing to solve that problem but if I have to tinker with routing then I can get something better: the combination of both NAT and Bridged Networking.

My setup is:

  • Host system: Ubuntu 10.10 with VirtualBox 4.0.4 (update: I’m on 11.04 and 4.1.8 now and it still works)
  • Guest systems: two headless Debian 4 and Debian 6 servers, three Windows XP clients to run tests with IE6, IE7 and IE8 (all the other browsers run directly on Ubuntu with the exception of Safari.)

The desired network configuration is:

  • The host eth0 interface must be the only access to the Internet
  • A virtual interface inside the host system should NAT the guest systems
  • The guest systems should be able to access the Internet using the internal NAT
  • The guest systems should be able to communicate with the host system using the virtual interface
  • The guest systems should be able to communicate with each other using the virtual interface
Internet <--- eth0 ---> HOST <--- virt/if (NAT) ---+---> guest 1 (server)
                   (server & client)               |
                                                   +---> guest 2 (server)
                                                   |
                                                   +---> guest 3 (client)
                                                   |
                                                   +---> ...

With this configuration I can attach application servers to the address of the virtual interface and make them available to all the guest systems for testing, as well as to any application I run on the host system. I also want to access application servers on the guests so I’m going to use static addresses because I don’t want to setup a dynamic DNS for the internal network.

VirtualBox gives us a virtual interface called vboxnet0 which starts with the 198.162.56.1 IP address. I take advantage of that.

The problems to solve are

  • Start vboxnet0 at boot time, because that address must be always available even if no guest OS is running.
  • Setup the NAT.
  • Assign addresses to the guest systems.

The procedure is based on https://help.ubuntu.com/community/Internet/ConnectionSharing but there are some differences.
The most important one is that connection sharing must not be enabled with the procedure shown there because it will change the address of your eth0 after a reboot and you won’t be able to access the Internet.

Configure the host

First, we bring up the virtual interface

sudo ifconfig vboxnet0 192.168.56.1

Then we configure NAT.

sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE

Update: You lose the configurations on the vboxnet0 device if you remove VirtualBox to update it to a newer release. You have two options: 1) reboot and get them back from the configuration file (I’ll make you generate in the next steps of the procedure) or 2) just repeat the two steps above. I tested option 2 with the upgrade from 4.0 to 4.1.

We want to make those changes permanent.

sudo iptables-save | sudo tee /etc/iptables.sav
sudo vi /etc/rc.local

We add these lines

iptables-restore < /etc/iptables.sav
ifconfig vboxnet0 192.168.56.1

and we enable IP forwarding

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo vi /etc/sysctl.conf

with these lines

# Internet connection sharing for VirtualBox VMs
# https://help.ubuntu.com/community/Internet/ConnectionSharing
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1

Update: VirtualBox still works with that configuration after updating to Ubuntu 11.04 so you can safely chose to keep that file when the update process asks you whether to keep it or overwrite it with the standard one. By the way, it seems that IP forwarding is done with net.ipv4.ip_forward=1 in 11.04 but I didn’t tried it out.

We can restart the networking or reboot (it’s fast).

netstat -r should give something like this now:

Kernel IP routing table
Destination     Gateway              Genmask         Flags   MSS Window  irtt Iface
your.host.ip.addr *                  255.255.255.192 U         0 0          0 eth0
192.168.56.0      *                  255.255.255.0   U         0 0          0 vboxnet0
link-local        *                  255.255.0.0     U         0 0          0 eth0
default           your.gw.ip.addr    0.0.0.0         UG        0 0          0 eth0

Configure the guests

Start VirtualBox. Change the network of every guest OS to be Host Only Adapter, vboxnet0

Startup every VM in turn and change it’s network configuration.

DEBIAN

The configuration on the two Debian servers is a little complicated because they’re headless and everything must be done by command line.

sudo vi /etc/dhcp/dhclient.conf

Uncomment

prepend domain-name-servers comma_separated_list_of_DNS_ip_addresses;

Restart networking. That will update /etc/resolv.conf

sudo vi /etc/network/interfaces

Add a static address for eth0.

allow-hotplug eth0
iface eth0 inet static
address 192.168.56.x # x is any free address in the 192.161.56 network
netmask 255.255.255.0
gateway 192.168.56.1
up route add -net 192.168.56.0 netmask 255.255.255.0 gw 192.168.56.1
down route del -net 192.168.56.0 netmask 255.255.255.0 gw 192.168.56.1

Restart the networking or reboot.
You should be able to ping 192.168.56.1 and access the Internet. Check it with
telnet http://www.google.com 80
From the host system you should be able to ping and ssh this server.

WINDOWS XP

The configuration on the three Windows clients is easier, about as easy as on Ubuntu

Click Start, Control Panel, Network Connections.
Right click on the connection, Properties.
Select Internet Protocol (TCP/IP), click Properties.
Select Use the following IP address and enter
IP address: 192.168.56.x (x = an address you didn’t use yet)
Subnet mask: 255.255.255.0
Default gateway: 192.168.56.1
Preferred DNS server and Alternate DNS server: the addresses of the DNS of your provider.
Click OK and again OK.

You should be able to ping 192.168.56.1 and access the Internet. Start up a browser and check it.
From the host system you should be able to ping this machine.

Epilog

I can start my application servers on the host system and bind them to 192.168.56.1 even if VirtualBox is not started (remember to update the addresses in their configurations, probably from 127.0.0.1 to 192.168.56.1).
I can access the Internet from my guest systems, which is handy for downloading updates, but the Internet cannot access them thank to the internal NAT. Too bad VirtualBox doesn’t give us this setup out of the box. The closest option is Bridged Network but the guest systems are exposed on the Internet.

Advertisements
Standard

24 thoughts on “VirtualBox 4: NAT + Bridged Networking

  1. Lee Beckman says:

    Thank you so much for this, helped immensely.

    Also, just one small typo:

    sudo ifconfig vboxnet0 192.168.65.1
    should probably be
    sudo ifconfig vboxnet0 192.168.56.1

    • Johnk500 says:

      This is really interesting, You’re a very skilled blogger. I have joined your feed and look forward to seeking more of your magnificent post. Also, I have shared your web site in my social networks! kkbkkeekadbe

  2. Betillo says:

    Thanks for the tuto Paolo !!

    But I have a problem maybe you can help me with this ??

    I have installed VB 4.1.3 in a Ubuntu Server 11.04 host with 2 network cards on it, now I have a W2k3 R2 server running as guest.

    The problem is this …. When I installed the server I was using only 1 nic and configured VB in bridge mode example:

    host ip: 192.168.10.1
    guest ip: 192.168.10.2

    Everything was working fine, but now I configured the second nic on the host because it need to be conected to 2 different networks (using both cards), the example:

    host ip: 192.168.10.1 (eth0) and 192.168.50.1 (eth1)
    guest. 192.168.10.2

    After do this the guest SO stop reaching the outside network, I have comunication betwen host and guest (ping or html access from one to another and viceversa), also I can connect to the gues SO using the remote desktop (through the host ip), but when I try to ping the guest gateway or access the internet or wathever it doesn´t work.

    The host can reach both networks but the guest can’t even see it’s gateway, only reach the host.
    Any idea that wath I was missing.

    Regards
    Betillo

    PS. I disabled the firewall on the host and checking the network FW so it’s not a package blocking problem.

    • Betillo says:

      Thanks for the Reply Paolo !!

      Sorry for the late reply I was away from the office for a few days, now I’m back to continue with this topic !!

      I have found something interesting, I switched the network config. to NAT mode and everything went fine, I can reach my gateway, and of course the net, I can get uptades from microsoft and so on.

      So maybe I’m missing something in the configuration of the bridge in VB or maybe in Ubuntu, that’s weird because before I configured the 2nd nic the bridge function went working fine, any ideas ?

      I was thinking in backup the virtual machines and reinstall VB again but don’t know this could help.

      Thanks again for your time.

      Betillo

  3. This helped me immensely.

    After following all steps, I could get all I wanted but for an annoying thing: All accesses from internet to the VMs looked liked they originated from 192.168.56.1. This was annoying for website statistics and DNS zone transfers.

    I corrected it by changing the line
    iptables -A POSTROUTING -t nat -j MASQUERADE
    into:
    iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

    I hope this helps

      • Oups, you are correct. I merged your tutorial with different informations to get a different setup.

        I added routing commands.

        For each VM, I have another public IP (1.2.3.4,1.2.3.5) which is provided by my hosting provider and is routed towards the host by my hosting provider. They call them “Failover IPs”.
        Then on the host’s /etc/network/interfaces I add a section like this:
        auto eth0:0
        iface eth0:0 inet static
        address 1.2.3.4
        netmask 255.255.255.255
        broadcast 1.2.3.4
        auto eth0:1
        iface eth0:1 inet static
        address 1.2.3.5
        netmask 255.255.255.255
        broadcast 1.2.3.5

        Then, before your iptables-save part, I add a routing command for each VM
        iptables -t nat -A PREROUTING -i eth0 -d 1.2.3.4 -j DNAT –to-destination 192.168.56.x
        iptables -t nat -A PREROUTING -i eth0 -d 1.2.3.5 -j DNAT –to-destination 192.168.56.y

        So the VM at private address 192.168.56.x is accessible from the internet on its public IP with ssh 1.2.3.4
        The one at private address 192.168.56.y is accessible with ping 1.2.3.5 (or with a browser).

        I realise you may think that may not quite fit in the scope of your page. I added it as a comment here because I used so much of your explanations that I thought you were presenting the same setup as mine. When I found I had to change this masquerading line I found here, I thought it would help to add a comment.

        I let you decide if it’s a useful comment or not. I will not complain or be bothered if you remove it.

  4. Betillo says:

    Hi people !!

    Just want to give some update about my problem !!

    I think it has to be with Virtualbox, after shutting down the program or restart the server it works fine again (restarting the nics don´t solve the problem), this problem also happens when I upload files via FTP to the server using Filezilla, don’t know why but if I upload files using the command line it works ok but if I use Filezila (don´t have chance to try another program) the network crash again, the problem is that I only have comunication between the virtual machines and the host but can’t reach the outside network, maybe is some kind of bug.

    Best wishes
    Betillo

  5. David says:

    Hi,

    Thanks for this tutorial. It really helped me to set up Vbox but I have a question. I want to be able to view my development sites hosted on Apache2 on my host machine (Ubuntu) through my V-Machine (XP) for cross browser testing. How would I do that?

  6. Pingback: Virtual Box Host-only network « MacHack

  7. Pingback: Starting the VirtualBox interface at 192.168.56.1 « Il connettivo

  8. You could certainly see your enthusiasm in the work you write.
    The world hopes for more passionate writers such as you who aren’t afraid to say how they believe. At all times go after your heart.

  9. Pretty section of content. I simply stumbled upon your web site and in
    accession capital to say that I get actually enjoyed account your blog posts.
    Any way I will be subscribing in your feeds or even I achievement you access persistently quickly.

  10. hello!,I really like your writing very so much! percentage we keep in touch
    extra about your article on AOL? I need an expert on this space to resolve my problem.
    Maybe that is you! Taking a look forward to look you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s