Friday, July 27, 2018

VirtualBox networking explained

VirtualBox networking is extremely flexible. With this flexibility comes the challenge of making the correct choices. In this post, the different options are explained and some example cases are worked out. Access between guests, the host and other members of the network is explained, and the required configuration is shown. This information is also available in the following presentation here.


Internal network

Overview

VirtualBox makes available a network interface inside a guest. If multiple guests attach to an internal network with the same name, they are connected as if by a switch and can access each other.

Benefits
  • Easy to use. Little configuration required
  • No VirtualBox virtual host network interface (device + driver) required
  • Guests can access each other
  • Secure (access from outside the host is not possible)
Drawbacks
  • The host can’t access the guests
  • Guests can’t access the host
  • Guests can’t access the internet
  • The VirtualBox internal DHCP server has no GUI support, only a CLI
Configuration


NAT


Overview

VirtualBox makes available a single virtual isolated NAT router on a network interface inside a guest. Every guest gets its own virtual router and can’t access other guests.

DHCP (Dynamic Host Configuration Protocol) requests on the interface are answered with an IP address for the guest and the address of the NAT router as gateway. The DHCP server can be configured using a CLI (no GUI support).

The NAT router uses the host’s network interface. No specific VirtualBox network interface needs to be created. External parties only see a single host interface.

The NAT router opens a port on the host’s interface. The internal address is translated to the host’s IP and the request to the destination IP is made. The response is forwarded back towards the guest (the router keeps a table mapping external port to internal IP).

Port mappings can be made to allow requests to the host on a specific port to be forwarded to the guest.

Benefits

  • Easy to use. Little configuration required
  • Isolated. Every guest has its own virtual router
  • No VirtualBox virtual host network interface (device + driver) required
  • Internet access
  • Fixed IP possible

Drawbacks

  • Guests can’t access each other or the host
  • The virtual NAT router DHCP server can be configured using a CLI only
  • To access the guest from the host requires port forwarding configuration and might require an entry in the host’s hosts file for specific web interfaces

Configuration

NAT network


Overview

VirtualBox makes available a virtual NAT router on a network interface for all guests using the NAT network. Guests can access each other. The NAT network needs to be created.

DHCP (Dynamic Host Configuration Protocol) requests on the interface are answered with an IP address for the guest and the address of the NAT router as gateway. The DHCP server can be configured.

The NAT router uses the host’s network interface. No specific VirtualBox network interface needs to be created. External parties only see a single host interface.

The NAT router opens a port on the host’s interface. The internal address is translated to the host’s IP (one port per guest) and the request to the destination IP is made. The response is forwarded back towards the guest (the router keeps a table mapping external port to internal IP).

Port mappings can be made to allow requests to the host on a specific port to be forwarded to a guest.

Benefits

  • Guests can access each other
  • No VirtualBox virtual host network interface (device + driver) required
  • DHCP server can be configured using the GUI
  • Internet access
  • Fixed IP possible

Drawbacks

  • To access the guest from the host requires port forwarding configuration and might require an entry in the host’s hosts file for specific web interfaces
  • Requires additional VirtualBox configuration to define the network / DHCP server
Configuration

Host only



Overview

VirtualBox creates a host interface (a virtual device visible on the host). This interface can be shared amongst guests. Guests can access each other.

DHCP (Dynamic Host Configuration Protocol) requests on the interface are answered with an IP address for the guest and the address of the host-only adapter. The DHCP server can be configured using the VirtualBox GUI.

The virtual host interface is not visible outside of the host. The internet cannot be accessed via this interface from the guest.

The host can access the guests by IP. Port mappings are not needed.

Benefits

  • Guests can access each other
  • You can create separate guest networks
  • DHCP server can be configured using the GUI
  • Fixed IP possible

Drawbacks

  • To access the guest from the host requires port forwarding configuration and might require an entry in the host’s hosts file for specific web interfaces
  • Requires additional VirtualBox configuration to define the network / DHCP server
  • VirtualBox virtual host network interface (device + driver) required
  • No internet access

Configuration


Bridged


Overview

The guest uses a host interface. On the host interface a net filter driver is applied to allow VirtualBox to send data to the guest. This requires a so-called promiscuous mode to be used by the adapter. Promiscuous mode means the adapter can have multiple MAC addresses. Most wireless adapters do not support this. In that case VirtualBox replaces the MAC address of the packets which are visible to the adapter.

An external DHCP server is used, the same way the host gets its IP / gateway. No additional configuration is required. It might not work if the DHCP server only allows registered MACs (some company networks).

Easy access. The guest is directly reachable from the network (every host) the host is connected to. Port mappings are not required. The host can access the guests by IP. Guests can access the host by IP.

Benefits

  • Guests can access each other
  • Host can access guests and guests can access the host. Anyone on the host network can access the guests
  • No virtual DHCP server needed
  • Easy to configure / use
  • Same access to internet as the host has

Drawbacks

  • Guests can’t be split into separate networks (not isolated)
  • Sometimes doesn’t work; dependent on external DHCP server and ability to filter packets on a host network interface. Company networks might block your interface
  • No easy option for a fixed IP since host network is a variable
  • Not secure. The guest is exposed on the host’s network

Configuration
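As an added example (not code from the original post), the VBoxManage equivalents of the five modes described above, one function per mode. The VM name "myvm", the network names, the adapter names ("vboxnet0", "eth0") and the IP ranges are placeholders; set DRY_RUN=1 to print the commands instead of running them:

```shell
#!/bin/sh
# Added example, not from the original post: VBoxManage equivalents of the
# five networking modes. "myvm", "intnet0", "natnet0", "vboxnet0" and "eth0"
# are placeholders; the IP ranges are arbitrary private ranges.
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# NAT port-forwarding rule: name,proto,hostip,hostport,guestip,guestport
# (empty host IP = all host addresses, empty guest IP = the guest's DHCP address).
natpf_rule() { printf '%s,%s,,%s,,%s' "$1" "$2" "$3" "$4"; }

# Internal network: guests attached to the same name see each other and nothing
# else. Its DHCP server can only be created from the CLI, as noted above.
internal_net() { # vm netname
  run VBoxManage modifyvm "$1" --nic1 intnet --intnet1 "$2"
  run VBoxManage dhcpserver add --netname "$2" --ip 10.13.13.1 --netmask 255.255.255.0 \
      --lowerip 10.13.13.100 --upperip 10.13.13.200 --enable
}

# NAT: a private router per guest; only the forwarded ports reach the guest.
nat_with_forward() { # vm rulename hostport guestport
  run VBoxManage modifyvm "$1" --nic1 nat
  run VBoxManage modifyvm "$1" --natpf1 "$(natpf_rule "$2" tcp "$3" "$4")"
}

# NAT network: one router and DHCP server shared by every guest on the network.
nat_network() { # vm netname
  run VBoxManage natnetwork add --netname "$2" --network 192.168.15.0/24 --enable --dhcp on
  run VBoxManage modifyvm "$1" --nic1 natnetwork --nat-network1 "$2"
}

# Host only: host-side virtual interface (assumed already created with
# "VBoxManage hostonlyif create"); the host reaches the guest by IP, no forwarding.
host_only() { # vm ifname
  run VBoxManage hostonlyif ipconfig "$2" --ip 192.168.56.1 --netmask 255.255.255.0
  run VBoxManage dhcpserver add --ifname "$2" --ip 192.168.56.2 --netmask 255.255.255.0 \
      --lowerip 192.168.56.100 --upperip 192.168.56.200 --enable
  run VBoxManage modifyvm "$1" --nic1 hostonly --hostonlyadapter1 "$2"
}

# Bridged: the guest appears directly on the host's LAN behind the given adapter.
bridged() { # vm hostadapter
  run VBoxManage modifyvm "$1" --nic1 bridged --bridgeadapter1 "$2"
}
```

All modifyvm calls need the VM to be powered off; a forwarding rule can also be added to a running NAT guest with `VBoxManage controlvm <vm> natpf1 <rule>`.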


Use case examples

Case 1: ELK stack

I’m trying out the new version of the ELK stack (Elasticsearch, Logstash, Kibana)

Requirements:

  • I do not require internet access inside the guest
  • I want to access my guest from my host
  • I do not want my guest to be accessible outside of my host
  • I do not want to manually configure port mappings
Solution: Host only adapter 

Case 2:  SOA Suite for security workshop

I’m using Oracle SOA Suite for a security workshop. SOA Suite consists of 3 separate VMs: DB, Admin Server, Managed Server.

Requirements:
  • The VMs require fixed (internal) IPs
  • The VMs need to be able to access each other
  • Course participants need to call my services from the same network
  • I only want to expose specific ports
Solution: NAT + Host only (possibly NAT network)

Case 3: VM for distribution during course

I’ve created an Ubuntu / Spring Tool Suite VM for a course. The VM will be distributed to participants.

Requirements:
  • The VM to distribute requires internet access. During the course several things will need to be downloaded
  • I am unaware of the VirtualBox created interfaces present on the host machines and don’t want the participants to manually have to select an adapter
  • I want the participants to do as little networking configuration as possible. VirtualBox networking is not the purpose of this course.
Solution: NAT

Case 4: Server hosting application

I’ve created a server inside a VM which hosts an application. 

Requirements:
  • The MAC of the VM is configured inside the router’s DHCP server so it will always get the same IP. Use the external DHCP server to obtain an IP
  • The application will be used by (and thus needs to be accessible for) different people on the network.
  • The application uses many different ports for different features. These ports change regularly. Some features use random ports. Manual port mappings are not an option
  • The application accesses different resources (such as a print server) on the hosts network
Solution: Bridged
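The cases above differ mainly in how reachable the guest ends up being (host only, forwarded ports only, or the whole LAN). As an added example (not from the original post), a small audit that reads `VBoxManage showvminfo <vm> --machinereadable` output and reports that reachability per NIC; the key names it parses are the ones that output uses, and the sample input is constructed, not captured from a real VM:

```shell
#!/bin/sh
# Added example, not from the original post: rate how exposed each NIC of a VM
# is, from "VBoxManage showvminfo <vm> --machinereadable" read on stdin.
# Key names (nic1, bridgeadapter1, hostonlyadapter1, intnet1, nat-network1,
# Forwarding(0)) are the ones that output uses; the sample below is constructed.
set -eu

audit_nics() {
  awk -F'=' '
    { v = $2; gsub(/"/, "", v) }                   # strip the quotes around values
    /^nic[0-9]+=/ {                                # nicN="nat" | "bridged" | ...
      n = $1; sub(/^nic/, "", n)
      if (v != "none") { mode[n] = v; if (v == "nat") cur = n }
    }
    /^(bridgeadapter|hostonlyadapter|intnet|nat-network)[0-9]+=/ {
      n = $1; sub(/[^0-9]*/, "", n); detail[n] = v
    }
    /^Forwarding\(/ {                              # rules follow their NAT NIC line
      split(v, f, ","); fwd[cur] = fwd[cur] " " f[2] ":" f[4] "->" f[6]
    }
    END {
      for (n = 1; n <= 8; n++) {
        if (!(n in mode)) continue
        m = mode[n]
        if (m == "bridged")         e = "reachable from the whole LAN via " detail[n]
        else if (m == "hostonly")   e = "reachable from the host only via " detail[n]
        else if (m == "intnet")     e = "reachable from guests on " detail[n] " only"
        else if (m == "nat")        e = (n in fwd) ? "host ports opened:" fwd[n] : "outbound only, nothing exposed"
        else if (m == "natnetwork") e = "shared NAT router " detail[n] " (forwards are set on the network)"
        else                        e = "unknown mode"
        printf "nic%d %s: %s\n", n, m, e
      }
    }'
}

# Constructed stand-in for real showvminfo output: NAT with two forwards,
# a host-only adapter and a bridged adapter on one VM.
sample_showvminfo() {
  cat <<'EOF'
name="workshop-vm"
nic1="nat"
Forwarding(0)="ssh,tcp,,2222,,22"
Forwarding(1)="https,tcp,,8443,,443"
nic2="hostonly"
hostonlyadapter2="vboxnet0"
nic3="bridged"
bridgeadapter3="eth0"
nic4="none"
EOF
}
```

In practice feed it with `VBoxManage showvminfo <vm> --machinereadable | audit_nics`; the sample function only stands in for that output.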
