Question About Local Host Networking

[saberman]

Host: Windows 10 Pro x64
Guest: Windows 10 Pro x64
VB: 5.2.10 r122406

When the host is docked I have three network connections defined:
1. NAT
2. Host Only
3. Ethernet

When out of the dock I disable 3.

The VM has a number of network connections: a few to shares on the host and a couple to other machines on the network (which should not work with 3 disabled).

I ran into some problems running out of the dock so I decided to test the VM with the host in the dock but with 3 disabled.

I noticed two peculiar things in Explorer:

Explorer

Filemanager.png (11.27 KiB) Viewed 2922 times

The first was that the VM had access to a share on a machine on the network: Media (\\NYW7-0010) (N:)
Yes, I checked and was able to drill down into directories and open files.
That should not be possible with only NAT and Host Only Networking.

The second was that the host (NYW10-0016) was not listed under Network. The VM did have access to connections to shares on the host.

Can someone please explain what is going on?

[Martin]

Where did you get the idea that NAT wouldn't have access to everything the host can reach?
It is perfectly normal that a VM with NAT can reach ressources on the network.

[saberman]

>It is perfectly normal that a VM with NAT can reach ressources on the network.
Then why didn't the VM have access to the second connection: Media2 (\\NYW7-0010) (R:)?

Why isn't the host listed under Network?

[socratis]

3. Ethernet

By "3. Ethernet" I take it you mean Bridged, Bridged-over-Ethernet to be exact. So, let's work on that assumption.

Start by reading the following: User Manual, ch. 6.2. Introduction to networking modes including the Overview table, which shows quickly what kind of connection you get with different modes.

the VM had access to a share on a machine on the network ... That should not be possible with only NAT and Host Only Networking.

Take a look at the table again. Now, you may not think of your LAN as "the Internet", but you should be thinking of it as "not my host". It's something that for your scenario works equally well.

So, if your LAN is 192.168.1.0/24 based, and your host is 192.168.1.100, then with NAT (or NATservice/NATnetwork), you get access to ALL of your LAN machines with 192.168.1.x. Except one address; that of your host. NAT essentially translates calls to outside of your host without allowing access to your host. So a call to another computer on the LAN is perfectly allowed with NAT.

Bridged works by putting your VM just like another computer on the network. So, you can see everything, including your host.

HostOnly, as it is obvious by the name, gives you access to one thing and one thing only; your host. So, with NAT+HostOnly? You can pretty much see everything.

The second was that the host was not listed under Network. The VM did have access to connections to shares on the host.

Were they true shares (SMB) or were they VirtualBox shared folders? Huge difference under the hood, not too much different at the Explorer level.

Then why didn't the VM have access to the second connection: Media2 (\\NYW7-0010) (R:)?

Also, the mysteries of SMB discovery, are still unknown. One thing they don't do, is to find each other easily. Microsoft should definitely include the ZeroConf protocol and make it part of their networking. Gates only knows what's going on in there with: elections, who's keeping score, who's the master browser, and so on, and so on. Count your blessings that NetBIOS over TCP/IP still works.

[Martin]

So, if your LAN is 192.168.1.0/24 based, and your host is 192.168.1.100, then with NAT (or NATservice/NATnetwork), you get access to ALL of your LAN machines with 192.168.1.x. Except one address; that of your host. NAT essentially translates calls to outside of your host without allowing access to your host. So a call to another computer on the LAN is perfectly allowed with NAT.

In this part your interpretation of the overview table is wrong. With NAT nothing on the local LAN is "filtered", you can easily reach your host because it is also "on the local LAN".
The overview table in the manual doesn't show this case because it only lists bidirectional access and NAN only allows guest -> host and not (without additional port forwarding) host -> guest.

[socratis]

With NAT nothing on the local LAN is "filtered", you can easily reach your host because it is also "on the local LAN".

I stand corrected Martin! I should have definitely tested this before making that statement!

So, let's see if we can improve things in the Overview table. I had a part in this (ticket #16912) and I feel kind of a fool for leaving the LAN out of the table. So, from this:

+------------+-------------+-------------+----------------+----------------+
|            | VM <-> Host | VM1 <-> VM2 | VM -> Internet | VM <- Internet |
+------------+-------------+-------------+----------------+----------------+
| HostOnly   |     Yes     |     Yes     |      No        |       No       |
| Internal   |     No      |     Yes     |      No        |       No       |
| Bridged    |     Yes     |     Yes     |      Yes       |       Yes      |
| NAT        |     No      |     No      |      Yes       |  Port forward  |
| NATService |     No      |     Yes     |      Yes       |  Port forward  |
+------------+-------------+-------------+----------------+----------------+

We should make it into this:

+------------+-------------+-------------+----------------+----------------+
|            | VM <-> Host | VM1 <-> VM2 | VM -> Internet | VM <- Internet |
+------------+-------------+-------------+----------------+----------------+
| HostOnly   |     Yes     |     Yes     |      No        |       No       |
| Internal   |     No      |     Yes     |      No        |       No       |
| Bridged    |     Yes     |     Yes     |      Yes       |       Yes      |
| NAT        | VM->LAN [1] |     No      |      Yes       |  Port forward  |
| NATService | VM->LAN [1] |     Yes     |      Yes       |  Port forward  |
+------------+-------------+-------------+----------------+----------------+

[1]: NAT/NATService gives your VM one-way access, "VM -> Host/LAN" by default.
     For the reverse "Host/LAN -> VM", see port forwarding for NAT or NATService.

Your thoughts? Is that a better summary? You can see that the "changes" involve only the "VM <-> Host" column in the "NAT" and "NATservice" cases.

[Martin]

Maybe even just a remark that "Internet" in this table also includes your local LAN and the host would be sufficient...

[socratis]

No, the host has to be on its own, primarily to cover the HostOnly scenario. It could be something like that then:

+------------+-------------+-------------+----------------+----------------+
|            | VM <-> Host | VM1 <-> VM2 | VM -> LAN/Int. | VM <- LAN/Int. |
+------------+-------------+-------------+----------------+----------------+
| HostOnly   |     Yes     |     Yes     |      No        |       No       |
| Internal   |     No      |     Yes     |      No        |       No       |
| Bridged    |     Yes     |     Yes     |      Yes       |       Yes      |
| NAT        | VM->Host [1]|     No      |      Yes       |  Port forward  |
| NATService | VM->Host [1]|     Yes     |      Yes       |  Port forward  |
+------------+-------------+-------------+----------------+----------------+

[1]: NAT/NATService gives your VM one-way access, "VM -> Host" by default.
     For the reverse "Host -> VM", see port forwarding for NAT or NATService.

We could substitute "Int." (short for Internet) with "WAN", but I'm not too sure that many people would get it...

[Martin]

Host-Only adds a new network adapter to the host for VM <-> Host networking without connectivity to the outside.
With NAT you con reach everything the host can reach (including the host itself) from the guest, using all network connections the host has available.

So the "No" in the firest column for the NAT lines is correct because this column is for connections in both directions between guest and guest.
The possiblle one-way connection from guest to host is already in the "Yes" in the third column.

[socratis]

I hear you. The "VM <-> Host" for the "NAT*" pretty much repeats what the 3rd column "VM -> LAN/Int." says. But people are interested about Host/Guest communications a lot more. Plus the 3rd column doesn't cover the "HostOnly" case, so it's got to be on its own.

Or we could split the "VM <-> Host" in two columns; One "VM <- Host" and a second one "VM -> Host". Got to think how to make it as simple, yet informative, as possible.

[socratis]

Current version

+------------+-------------+-------------+----------------+----------------+
|            | VM <-> Host | VM1 <-> VM2 | VM -> Internet | VM <- Internet |
+------------+-------------+-------------+----------------+----------------+
| HostOnly   |     Yes     |     Yes     |      No        |       No       |
| Internal   |     No      |     Yes     |      No        |       No       |
| Bridged    |     Yes     |     Yes     |      Yes       |       Yes      |
| NAT        |     No      |     No      |      Yes       |  Port forward  |
| NATService |     No      |     Yes     |      Yes       |  Port forward  |
+-----------+-------------+-------------+----------------+----------------+

New version

+------------+------------+--------------+-------------+----------------+----------------+
|            | VM -> Host |  VM <- Host  | VM1 <-> VM2 | VM -> LAN/Int. | VM <- LAN/Int. |
+------------+------------+--------------+-------------+----------------+----------------+
| HostOnly   |    Yes     |     Yes      |     Yes     |      No        |       No       |
| Internal   |    No      |     No       |     Yes     |      No        |       No       |
| Bridged    |    Yes     |     Yes      |     Yes     |      Yes       |       Yes      |
| NAT        |    Yes     | Port forward |     No      |      Yes       |  Port forward  |
| NATService |    Yes     | Port forward |     Yes     |      Yes       |  Port forward  |
+------------+------------+--------------+-------------+----------------+----------------+

"Reds" indicate the changes that need to happen. I cannot make a URL red, so I made it "bold". The corrections need to be done in the manual as well.

So, pretty much the "VM<->Host" column is broken in two. It's almost identical to the "VM -> LAN/Int." and the "VM <- LAN/Int.", except the HostOnly network option. That *needs* to stay separate, that's the big difference.

[saberman]

>Were they true shares (SMB) or were they VirtualBox shared folders? Huge difference under the hood, not too much different at the Explorer level.
They were true shares.

[socratis]

Maybe it got mapped with the IP of the Bridged adapter, and now that the IP is not there, it fails. Try to remap it while Bridged is deactivated, while NAT and HostOnly are activated. Otherwise I can't say for sure what Windows chose to map the share under...

[saberman]

>Maybe it got mapped with the IP of the Bridged adapter, and now that the IP is not there, it fails. Try to remap it while Bridged is deactivated, while NAT and HostOnly are activated.
I tried it out of the dock with just Nat and HostOnly defined. The Nat connection was marked Public and was connected to a public hotspot and the HostOnly connection was marked Private.
I unmapped all shares and remapped them.
The host is not listed under network but VBOXSHR is even though I do not have any shared folders defined. Note the host name in the mapped shares.

Filemanager2.png (26.08 KiB) Viewed 2770 times