How-to: VirtualBox Networking NAT Mode (2021)

Continuing our VirtualBox series, here's how-to: VirtualBox NAT Network Mode updated for 2021. This is taken from The VirtualBox Networking Primer in paperback and Kindle Ebook formats on Amazon as well as ebooks on Kobo and Apple Books.

Let's take a look at VirtualBox Networking Modes beginning with Not Attached and Network Address Translation (NAT).

Not attached

A virtual network adapter is installed in the virtual machine, but is running no network protocols – which means no connection. The virtual machine will see a network card enabled and present but non-responsive.

This is a useful mode for testing or temporarily changing a virtual machine’s networking set up. Not attached will take the virtual machine off the network. You could ‘park’ this network adapter in the Not attached mode while you test the Guest’s behaviour with other network adapters in different modes or settings.

The alternative to Not attached is to plug or unplug the virtual network cable by changing the Cable Connected checkbox status. You can tick or untick the Cable Connected checkbox while a virtual machine is in the running state, which takes it off the network instantly without needing to shut down the virtual machine. Cable Connected can be used in any network mode.

Figure 7: Network adapter Not attached

Practice: Not Attached

Setting an adapter to Not Attached renders it invisible to the virtual network. The virtual machine will list it as a component under device settings, but will not list it under network interfaces.

Network Address Translation (NAT)

This network mode is enabled for a virtual network adapter by default.

NAT enables the Guest machine to see out onto the Internet, but via a private IP address that cannot be seen either from the Host, or the rest of your physical network. It will allow you to browse the web, download files and view e-mail inside the Guest, but the outside world will never be able to communicate with the Guest machine directly.

The Guest machine is not accessible from the Host machine, or from other machines in the network using the NAT mode. This is sufficient for Guests that only need to access the Internet but need no sharing or services exposed to other machines on the Host network.

VirtualBox has a built-in DHCP server and NAT engine. The virtual NAT device uses the physical network adapter of the VirtualBox host as an external network interface.

Figure 8: Default NAT mode

The default address of the virtual DHCP server used in the NAT mode is 10.0.2.2, which is the IP address of the default gateway for virtual machine Guests. The network mask is 255.255.255.0.

When the Guest machine boots, it requests an IP address from the VirtualBox DHCP server on the Host.

The Host machine has an IP address of 192.168.1.1, but is registered in the VirtualBox NAT device as 10.0.2.1. VirtualBox will assign the Guest an IP address and the gateway address for routing outbound connections. In NAT mode, every virtual machine is assigned the same IP address, 10.0.2.15, because each virtual machine sits on its own isolated network.

When a Guest machine sends an IP packet to some remote machine via the gateway, 10.0.2.2, the VirtualBox NAT service will intercept the packet, extract the TCP/IP segments, change the IP address to make them appear as though they originated from the Host on 192.168.1.1, then send it on. The outside world only sees the IP address of the Host machine – whatever dynamic or static address is assigned to the Host on the physical network by the ISP.

When the response comes back, VirtualBox translates the packets to route them to the correct Guest machine.

This allows the Guest to carry on accessing the outside world even as the Host moves from network to network, for example; a laptop moving between locations, and between wireless to wired connections.

By default, connecting to VirtualBox virtual machines whose network adapters are set to operate in the NAT or NAT Network modes is impossible from a VirtualBox Host and other hosts in the local network. NAT mode provides no route into the Guest virtual machine.

Under the default NAT mode you cannot initiate SSH, TCP or FTP connections to a Guest virtual machine.

This doesn’t support our primary use case of having a Guest virtual web server accessible from the Host. This requires either a different networking mode or port forwarding rules which we will examine shortly.

On your home network, your Host and other physical machines will typically have addresses starting in the 192.168.x.x range. In VirtualBox, NAT adapters will begin at 10.0.2.1, incrementing addresses up to 10.0.2.24 in what's called a subnet. This is not usually routed onto the main network, so this subnet will be inaccessible from your Host. Hence your Guest is able to see out onto the Internet for software updates and web surfing, but is invisible to the rest of your network.

NAT is the useful default setting for looking outward onto the Internet for software updates and other services. You will need to do more configuration when you need to forward traffic or expose services like a web-server to the outside world, or to enable file and folder sharing over the network.

NAT is ideal for running a Linux or a Windows desktop operating system; for example, where you want to take updates or install additional programmes. You could even run a self-contained server accessed only from a browser on the Host machine for development and testing purposes. Just remember, no other machine will be able to access it.

If you configure the network adapters of two or more virtual machines to use NAT mode on the same Host, each virtual machine will obtain the 10.0.2.15 IP address in its own isolated network. IP addresses of the network used in NAT network mode cannot be changed in the VirtualBox Manager.

As the simplest, ‘out-of-the-box’ networking option, each Guest sits on its own private local area network (LAN), with VirtualBox acting as a DHCP server assigning IP addresses. The VirtualBox NAT engine translates addresses with no configuration needed on Host or Guest. Outside servers see traffic originating from the VirtualBox Host but know nothing of the Guest machine within. It is ideal for using Guests as isolated clients, but not for Guests as servers.

Practice: Default NAT Connection

As the simplest of the VirtualBox networking types, you just have to select an adapter, check Enable Network Adapter, choose NAT from the Attached to list, accept the default Adapter Type and make sure the Cable Connected checkbox is filled. This will provide the Guest with external access out over the Internet as long as the Host itself has a connection.

Figure 9: NAT adapter default settings

NAT with Port Forwarding

By default, connecting to VirtualBox virtual machines whose network adapters are set to operate in the NAT or NAT Network mode is impossible from a VirtualBox host and other hosts in the LAN. While the main drawback of NAT is not being able to connect to the Guest virtual machine from another machine on the network, there is a workaround to this issue.

Port forwarding is a process of intercepting traffic addressed to a combination of IP address and port, then redirecting that traffic to a different IP address and/or port.

Port forwarding checks the inbound packets and forwards them to the Guest virtual machine based on the IP address and port numbers. The combination of source and destination IP addresses with port numbers are defined using rules that you create in the Port Forwarding Rules.

After configuring port forwarding rules, clients can access the appropriate services from outside by connecting to the router’s (Host’s) external IP address and specified port.

Practice: NAT with Port Forwarding

You can find Port Forwarding in the virtual machine Network Adapter panel under Settings. Select the Network tab, then select Advanced and Port Forwarding. Click the green ‘+’ icon on the right to add a new rule. All the form fields except for the protocol drop-list are free text which you can directly type into. Clicking the red ‘x’ icon will delete the highlighted (selected) rule.

A common example is to add a rule for Secure Shell (SSH) access to support remote log in to the Guest. You need to install an SSH server on the Guest machine and create a user name in order to provide SSH access.

There is no set choice of Host port to set as the listener, we could choose from 2000, 2222 or 3032 or others. SSH servers by default listen to port 22, so the Guest SSH server is addressed as port 22 in our forwarding rule.

Click on the green ‘+’ icon on the right side and add port forwarding rules for SSH and HTTP.

Figure 10: Setting SSH rule for NAT with port forwarding

This tells VirtualBox to listen on the idle port 2222 of our Host machine and pass that traffic to port 22 of the virtual machine Guest. So through the localhost of our Host machine, we can ‘remotely’ log in to the Guest.

With this in place, the Guest will accept SSH connections from a terminal on the Host using the standard log in command (inserting your Guest user and the address the rule listens on):

ssh user1@127.0.0.1

The VirtualBox port forward rule directs the SSH traffic only from the Host local address 127.0.0.1 to the Guest via the NAT adapter address 10.0.2.15.

The other common example is to add a rule for TCP forwarding from the Host port 8888, 8000 or 8080 to Guest port 80 or 88. Again, there is no fixed choice of Host ports; these are common selections, but the defaults for HTTP listeners on the server are ports 80 and 88.

This will forward HTTP requests intended for a web server such as Apache or IIS (Microsoft’s Internet Information Services) to serve up a web page, for example. In this case you need to install a web server such as Apache2 or IIS on the Guest machine.

Figure 11: Setting HTTP rule for NAT with port forwarding

Similarly for HTTP requests, by navigating to http://localhost:8000, we can view anything served by the Guest through port 80.

We can write several port mapping rules for different protocols; for example, you can also create similar rules for accessing a virtual machine via RDP (remote desktop), FTP (file transfer) and other protocols.

Port Forwarding Using Blank Addresses

Be aware that you can set Port Forwarding Rules with blank addresses. This doesn’t ordinarily matter for the Guest IP, as VirtualBox will default to the Guest IP of the first network adapter that uses the Port Forwarding Rules.

It does, however, matter for the Host IP. Leaving it blank is fundamentally insecure: the rule then listens on every Host interface rather than only on 127.0.0.1, so any machine that can reach the Host can make requests against that port. Consider this in your use case.

Figure 12: Port forwarding with blank addresses
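The SSH and HTTP rules from the practice section above, and the blank Host IP problem just described, can be checked from the command line rather than by eye. This added script is not from the book or from VirtualBox itself; it parses the rule lines VirtualBox prints in `VBoxManage showvminfo <vm> --machinereadable` (one `Forwarding(N)="name,proto,hostip,hostport,guestip,guestport"` entry per rule) and reports every rule whose Host IP is blank. The VM name, rule names and the sample output are constructed for the example.

```shell
#!/bin/sh
# Added example: audit NAT port forwarding rules for a blank Host IP.
# Constructed sample of `VBoxManage showvminfo devweb --machinereadable`, trimmed
# to the lines that matter. Rule "http" has an empty Host IP field (third field).
SAMPLE_VMINFO='name="devweb"
nic1="nat"
Forwarding(0)="ssh,tcp,127.0.0.1,2222,,22"
Forwarding(1)="http,tcp,,8000,,80"
Forwarding(2)="rdp,tcp,127.0.0.1,3390,10.0.2.15,3389"'

# Print one line per rule: "ok" when a Host IP is set, "EXPOSED" when it is blank
# (the rule then listens on every Host interface). Returns 1 if any rule is exposed.
audit_forwarding_rules() {
    # $1: the --machinereadable text
    printf '%s\n' "$1" |
    sed -n 's/^Forwarding([0-9]*)="\(.*\)"$/\1/p' |
    awk -F, '
        $3 == "" { printf "EXPOSED: rule %s listens on all Host interfaces, port %s/%s -> Guest port %s\n",
                          $1, $4, $2, $6; bad = 1 }
        $3 != "" { printf "ok:      rule %s bound to %s:%s/%s -> Guest port %s\n",
                          $1, $3, $4, $2, $6 }
        END { exit (bad ? 1 : 0) }'
}

# Number of exposed rules, for use in scripts.
count_exposed() {
    audit_forwarding_rules "$1" | grep -c '^EXPOSED' || true
}

# With VirtualBox installed (VM name is a placeholder):
#   audit_forwarding_rules "$(VBoxManage showvminfo "YOUR_VM" --machinereadable)"
# The loopback-only form of the SSH rule from the text, added via the CLI instead of the GUI:
#   VBoxManage modifyvm "YOUR_VM" --natpf1 "ssh,tcp,127.0.0.1,2222,,22"
```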

Alternatives to Port Forwarding

Port forwarding is not the only answer. It is possible to connect a virtual machine in several network modes for different purposes, say, to access different services on different servers – both virtual and physical. You could even connect to separate networks in the same network mode, each through its own adapter (we have up to eight to play with).

You could imagine creating a development environment mirroring production. A couple of servers provide specific services to a couple of clients, but the servers are secured on different networks and don’t need to see each other. The clients have limited access to those services via different networks. VirtualBox is perfectly capable of providing this kind of set up, assuming you have sufficient resources on the Host to support it.

You could connect the clients via separate networks, each through a different adapter. Each adapter could have different port forwarding rules. Be aware this will apply the port forwarding rules of each adapter in order. This creates the possibility of conflicting port forwarding rules being applied and the virtual machine’s network access not behaving as expected where two sets of port forwarding rules override or cancel each other out.
