Network configuration for Server/Client environment

This is for discussing general topics about how to use VirtualBox.
Robidj
Posts: 5
Joined: 11. Jul 2019, 10:16

Network configuration for Server/Client environment

Post by Robidj »

Hi,

I'm new to the forum and I'm looking for some advice about how to configure the various networking options.

I'm trying to set up an environment where I have two virtual machines - one running Windows Server 2016 and another running Windows 10 Pro, so that I can practise using them together in a domain environment.

I'm unsure how to configure the network adapters, but what I'm after is that the two virtual machines can talk to each other, and I also have internet connectivity on both.

I have read a lot about "Bridged adapter", "Host-only adapter" and "NAT" for the individual virtual machines, and also about creating a "NAT Network" by clicking File->Preferences->Network in the VirtualBox Manager, as well as using a virtual router such as PfSense.

Would someone be able to explain the best way to set this up? Let me know if you need more information.

Thanks in advance
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Network configuration for Server/Client environment

Post by scottgus1 »

This is easy, and I have done it in the past. You will need at least three guests, one for the server, one (or more if you have room) for the client, and one running pfSense. You will route the internet traffic through the pfSense guest, and use a firewall rule inside the pfSense guest to block access to your physical LAN while allowing Internet through to the guest. We'll set this up later.

For the LAN-blocking firewall rule to work, your test environment's ip address range needs to be different from your physical LAN's ip address range. For example, if your host PC's physical LAN ip range is 192.168.1.###, then you need to pick a different range for the guests' network. 192.168.any-other-valid-number.### will work, so will 10.0.33.###, etc. See wikipedia private ip addresses for some ideas of what to pick. Just use one of the valid private ip address ranges, and make at least one of the first three numbers different than what your physical LAN is set to. For this tutorial, let's pretend your physical LAN is 192.168.1.###, and we'll pick 10.0.33.### for the test network. Both have a subnet mask of 255.255.255.0, so only the last ### number changes. Change the numbers to your numbers when you run your tests.

pfSense does not need much RAM. Their website says 512MB minimum, but I remember running it on 256. Do tests to see what pfSense will let you get by with, the load on this guest won't be really strong.

The pfSense will have two network adapters. The first adapter will be set to "Bridged" and will be connected to the "WAN" side of pfSense. Let this WAN adapter get its IP address from your physical LAN's DHCP, not static. The second adapter will be an "Internal" network. If your server guest will be handling DHCP, then turn off DHCP on the LAN side of pfSense, and set the ip address of the LAN adapter in the pfSense OS to 10.0.33.1, so it can be the gateway for the Internal LAN. (pfSense has a plug/unplug setup procedure to enable pfSense to figure out which adapter should be WAN and which should be LAN. Familiarize yourself with Virtualbox's "Devices menu > Network > Connect Network Adapter #" and the little icons in the menu so you can "plug & unplug" the correct "ethernet cables" to the pfSense guest as needed.)

Your guests will each have one network adapter, and both adapters will be attached to the same "Internal" network the pfSense LAN adapter is connected to. Internal networks are generated by the name of the network. Type a different name, you get a different Internal network. So be sure all three adapters going on your Internal network have exactly the same name. Cut & paste if you decide to call the Internal network something else besides the default 'intnet'.

Once you get your Internal network set up, you can see pfSense firewall rule for how to set up your firewall rule. Substitute your physical LAN's ip address range for the range the rule will block. Your guests will be able to see the internet, but they will not be able to access anything on your physical LAN.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Network configuration for Server/Client environment

Post by mpack »

I have to ask: this information is in the user manual, provided as a PDF with the VirtualBox install. Have you looked inside that? Chapter 6 is quite extensive.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Network configuration for Server/Client environment

Post by scottgus1 »

Here's a picture:
sandboxed guest network.png
sandboxed guest network.png (36.99 KiB) Viewed 11540 times
Robidj
Posts: 5
Joined: 11. Jul 2019, 10:16

Re: Network configuration for Server/Client environment

Post by Robidj »

Thank you very much for the detailed help scottgus1.

The diagram was really useful in helping me visualise what's going on.

Thanks also mpack, yes I had read all of Chapter 6 in the user manual, but I needed more detailed guidance to help me to understand.

Unfortunately I'm still having some issues.

I have set up the guest machines on an internal network as you described, and have PfSense running with a bridged adapter for the WAN and an internal network adapter for the LAN.

I have set my server guest with a static IP address as the DHCP controller and my client guest gets an IP from the server guest ok.

I can ping the default gateway (PfSense) from both the server guest and the client guest - I set it to 10.0.33.1 as you suggested.

The client guest can ping the server guest, but when I try to ping the client guest from the server guest I get a "Request timed out".

Both guests have "No internet access" symbols in the system tray.

When I try to ping 8.8.8.8 from the server guest I get:

Reply from 10.0.33.1: Destination host unreachable.

I'm not sure what's going on, or if the information I've included is of any use, but could anyone help, or suggest some troubleshooting techniques?

Thanks in advance
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Network configuration for Server/Client environment

Post by scottgus1 »

If the host adapter you are Bridging to is wifi, Bridged may not always work with a Wifi adapter, due to to-the-letter implementation of the Wifi protocols by either the wifi adapter driver or the access point firmware.. Technically Wifi cannot Bridge, but some combinations of wifi adapter drivers and access point firmware implement these protocols in a lax fashion so Bridged can squeeze through. If it works where you are, good. If you can't get a good network trying to Bridge with a wifi adapter, you'll have to go to wired Ethernet on the host.

What is the ip address of your physical network's router, your host's ip address, and the ip address of the WAN adapter in the pfSense guest? The pfSense WAN should get ip address in the same ip range as the host and the router. I don't remember if pfSense allows to ping on the WAN side, but if it does, test the Bridge by trying to ping 8.8.8.8 from within pfSense.

If your gateway is set to 10.0.33.1, your server should be static ip on the 10.0.33.### range and it should hand out a 10.0.33.### ip address to the client. Is this happening? Also the server should expect to see the gateway at 10.0.33.1 to find internet. The client should get this gateway info automatically from the server's DHCP. This assumes the Bridge is working.
when I try to ping the client guest from the server guest I get a "Request timed out".
Windows defaults to not allowing ping. Did you allow ping in the guest firewall? Pinging guest to server should indicate the network is good. Try to set up file & printer sharing in both server and client, then share a folder in each OS and see if you can pass files back and forth. That will be a good network.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Network configuration for Server/Client environment

Post by scottgus1 »

I just set up a similar lab, Windows server 2016 as domain controller & DHCP server, Windows 10 Enterprise as client, pfSense as router/gateway, just as in the picture above. pfSense WAN side Bridged to the host's physical ethernet card. pfSense LAN side on the Internal network 'intnet' along with the Server 2016 & 10 guests. I was able to set up a domain in Server 2016 and have W10 join the domain
Robidj wrote:when I try to ping the client guest from the server guest I get a "Request timed out"
I got the same thing. The client OS's firewall blocks ping. Enabling the client OS's firewall "File and Printer Sharing (Echo Request - ICMPv4-In)" rule for the domain allowed ping to succeed. If you have not made a domain, enable the 'private/public' rule.
Robidj wrote:Both guests have "No internet access" symbols
Mine both have internet. At first they didn't, but then in the pfSense guest I had to use Option 2 "Set interface(s) IP addresses":

> I set the pfSense WAN interface to DHCP so pfSense gets an IP address from the host's physical network. Once this is in place I was able to use Option 8 "Shell" to ping 8.8.8.8. (It will keep pinging, Ctrl-C cancels the ping, and the command 'exit' closes out of the Shell and back to the number menu.)

> I also set the pfSense LAN interface to 10.0.33.1/24 (/24 = subnet mask 255.255.255.0). I was going to have Server 2016 handle DHCP so I made sure the pfSense LAN DHCP server was off.

I also had to set the Server 2016 to a static IP address. I chose 10.0.33.2, subnet mask 255.255.255.0, gateway 10.0.33.1 (and DNS server 127.0.0.1 as required for a domain controller). At this point Server 2016 found the internet. Then I told it to be a domain controller per an internet tutorial.

When I set up the DHCP server in Server 2016, I also to set it to hand out a router ip address of 10.0.33.1 to any clients. (The first time I tried to set 2016's DHCP I skipped the router setting and the client was not told there was a gateway at 10.0.33.1, and had no internet. I retried the DHCP with the router setting and the client got the gateway address and internet.)
Robidj
Posts: 5
Joined: 11. Jul 2019, 10:16

Re: Network configuration for Server/Client environment

Post by Robidj »

Once again, thank you scottgus1 for your detailed and really useful responses.

I'll try to answer your questions in as much detail as possible, I think I've managed to narrow down what is causing the issue.

I've been trying to set this up on wired Ethernet on the host. I am on a University network (at work), which owns a class B public IP address range (147.188.x.x).

The physical network router ip address is 147.188.31.1.
The host's ip address is 147.188.31.216.
The ip address of the WAN adapter in the pfSense guest is returning 0.0.0.0, so this is obviously where the problem lies.

I think although the WAN adapter in pfSense is set to DHCP, my host is assigned a static ip address (as far as I'm aware, does that sound likely?).

With regards to the "intnet" Internal Network, I think everything is set up correctly and working fine.
The gateway is set to 10.0.33.1, the guest server is static ip 10.0.33.2 with the correct gateway info, and it hands out an ip address of 10.0.33.3 to the client via DHCP, with the gateway info being correct too.

I managed to allow ping in the guest firewall, so I'm now able to ping between guest server and guest client in both directions.
I also successful set up File & Printer sharing and shared files both ways, so the network is good.

So I think the problem lies with the WAN adapter in pfSense - not getting an ip address, due to the type of network I'm on.
I tried pinging 8.8.8.8 from within pfSense and obviously got 100% packet loss.
I tried switching to the wireless network on the host which then gave me an ip address for the WAN adapter in pfSense, and I was able to ping the host and gateway from within pfSense, but not able to ping the DNS server or 8.8.8.8.
Is this something to do with firewall settings on the University wireless network perhaps?

Once again, thank you so much for your help!
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Network configuration for Server/Client environment

Post by scottgus1 »

Sounds like you have the internal network going well, good!
Robidj wrote:The ip address of the WAN adapter in the pfSense guest is returning 0.0.0.0, so this is obviously where the problem lies....the WAN adapter in pfSense is set to DHCP
I concur: this is why your internal network has no internet. However, having a static IP on the host's physical network adapter would not interfere with the pfSense WAN adapter getting an IP address. (never has for me, that is)
Robidj wrote:Is this something to do with firewall settings on the University wireless network perhaps?
This could very well be the problem. You could let them know what you're trying and ask them if this is an issue.

There could also be an issue with Bridged on your host PC. You could try a command:
vboxmanage list bridgedifs
to see if the Bridged protocol is connected properly to your host adapters. Also, many PCs have more than one ethernet port. Are you sure you have Bridged to the port that is plugged in? :lol: I've got the wrong port before...
Robidj
Posts: 5
Joined: 11. Jul 2019, 10:16

Re: Network configuration for Server/Client environment

Post by Robidj »

Yeah I'm confident the internal network is working correctly, thanks for the advice with how to test that.

I actually tried this out on my home PC, and both guest OS's had internet connectivity (despite my host only being connected over wifi), so at least I know it does work!

Now I need to get to the bottom of how to get it working here at work on the University network.

The main thing that I don't understand now is...

My work host PC has a static ip address, and I think it needs to use this ip address so it can be authenticated in Active Directory (that's my understanding anyway).

If I set the ip address to a static ip, then effectively I am "turning off" DHCP to my physical network adapter aren't I?

So therefore my pfSense WAN adapter won't be able to get an ip address via DHCP...? Or am I wrong?

I tried the command:
vboxmanage list bridgedifs
And got the following result...
C:\Program Files\Oracle\VirtualBox>VBoxManage list bridgedifs
Name:            Realtek USB GbE Family Controller
GUID:            8d3e7f8d-eaa0-4e42-ad6d-6dbf6e1d878d
DHCP:            Disabled
IPAddress:       147.188.31.216
NetworkMask:     255.255.255.0
IPV6Address:
IPV6NetworkMaskPrefixLength: 0
HardwareAddress: c8:f7:50:c0:78:01
MediumType:      Ethernet
Wireless:        No
Status:          Up
VBoxNetworkName: HostInterfaceNetworking-Realtek USB GbE Family Controller
I noticed that DHCP is listed as disabled. When I changed my physical network adapter to "Obtain an IP Address automatically", DHCP was then enabled when I ran the same command.

Thanks again for your help, I'm pleased that I now have it working at least on my home PC :)
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Network configuration for Server/Client environment

Post by scottgus1 »

Robidj wrote:If I set the ip address to a static ip, then effectively I am "turning off" DHCP to my physical network adapter aren't I?
Negative. At most you's be telling your network card to 'ignore' DHCP, not turn it off. As I see it the report of DHCP 'disabled' does not mean that virtual adapters Bridged to that physical adapter can't get IP addresses from the physical DHCP. Here's my computer's 'list bridgedifs' for my active network adapter:
Name:            Intel(R) 82578DC Gigabit Network Connection
GUID:            7dfb0459-7316-4fde-afe0-ad092947e357
DHCP:            Disabled
IPAddress:       192.168.0.116
NetworkMask:     255.255.255.0
IPV6Address:     fe80::b0c1:ed32:9d05:5db0
IPV6NetworkMaskPrefixLength: 64
HardwareAddress: 00:30:67:28:f1:74
MediumType:      Ethernet
Wireless:        No
Status:          Up
VBoxNetworkName: HostInterfaceNetworking-Intel(R) 82578DC Gigabit Network Connection
I was Bridging to this adapter when I made my lab above. The pfSense WAN got an IP address from my router's DHCP despite static IP on this host adapter. So your static IP should not be interfering with your pfSense getting an IP address.
Robidj wrote:When I changed my physical network adapter to "Obtain an IP Address automatically", DHCP was then enabled when I ran the same command.
Did you try to access your university network while on automatic IP address? If you were successful, did you try the pfSense guest to see if it could get an IP?
Robidj wrote:how to get it working here at work on the University network.
This is probably what is interfering. Bridged works, as far as I have heard, by allowing multiple IP addresses onto the physical adapter's one MAC address. (This is where strict wifi falls down: wifi technically only allows one IP per MAC) If your University network is set to not allow multiple IPs on one MAC, or some other filter, then you may not get traffic, including DHCP, to the extra IP addresses. You may have to ask them to allow what you're trying.

I have one other idea if the U IT staff is unwilling. I'll try it here over the weekend to see if it would work then let you know.
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Network configuration for Server/Client environment

Post by fth0 »

A very interesting discussion right from the beginning! :)

Here are some additional thoughts, which may help addressing some of the open questions:

1. The physical network adapter can either be an Ethernet adapter or a wifi adapter. If it is an Ethernet adapter, the packets originating form the guest keep their own MAC address when being sent to the University network (this can be verified by using Wireshark on the host). If it is a wifi adapter, the packets originating from the guest are sent with the MAC address of the wifi adapter (as documented in the VirtualBox manual). I'm not sure if and how VirtualBox handles more complicated wifi adapter cases (topic: wifi 4-address mode).

2. The host and the guest each can either use a static IPv4 address or request an IPv4 address by DHCP (this gives 4 possible combinations). A DHCP negotiation is generally initiated by the (host's or guest's) DHCP client. When the DHCP client requests an IPv4 address, the DHCP server has to identify the DHCP client by information contained in the DHCP request payload. This information can be any combination of: the mandatory MAC address of the DHCP client, an optional IPv4 address proposed by the DHCP client, and lots of other mandatory or optional information. In any case the MAC address is part of this information, and the university network will probably accept only one MAC address from you.
BillG
Volunteer
Posts: 5102
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: Network configuration for Server/Client environment

Post by BillG »

Some commercial and institutional networks have network controls which limit network ports to one IP address per port for security reasons. VirtualBox bridged mode will fail on such a network.
Bill
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Network configuration for Server/Client environment

Post by scottgus1 »

If the University IT have such a filter as BillG and fth0 suggest, and they won't relax it for you, there may be a way to allow just the pfSense guest to Bridge to the host Ethernet card. Here's how you might try this:

Virtualbox Bridged is one of the various "bindings" that attach to a network card, as shown here in the network card's Properties box:
ethernet bindings box.png
ethernet bindings box.png (55.97 KiB) Viewed 11315 times
If you uncheck all the other bindings but leave only Virtualbox Bridged checked:
ethernet bindings box only Bridged.png
ethernet bindings box only Bridged.png (47.19 KiB) Viewed 11315 times
then only Virtualbox can use that card. The host won't be able to. I tried this on a second Ethernet port on my host, and I got internet and LAN access in a guest, but no LAN or internet on the host. I also unplugged the wire from the Ethernet card's port while making these changes, so the card wouldn't be actively communicating and get confused. I don't know if such would have been required, but I figured it a safe step. Note that the IPv4 binding is unchecked too, so this card may only send packets with one IP address and one MAC, which may satisfy the University filters.

I would recommend taking notes or screenshots of the bindings box to be able to put the bindings back the way they were when your experiment is done.

If you have two Ethernet ports and two active wall jacks available, you can make the bindings change on the second port, Bridge the pfSense guest to the second port, and plug that port into the other wall jack. Hopefully to the U it will look like you have two computers.

If you do not have a second Ethernet port or a second wall jack available, you may have to make the bindings changes to your presently-used Ethernet port and take your host offline while letting the pfSense guest use the port during your experiments. As mentioned above take notes or screenshots so you can undo the changes later on.
Robidj
Posts: 5
Joined: 11. Jul 2019, 10:16

Re: Network configuration for Server/Client environment

Post by Robidj »

Wow you guys are all so helpful, thanks.

So, I tried what you said scottgus1...

I disconnected my ethernet cable (unfortunately I only have access to one port).
I disabled the wifi adapter too to be sure nothing would interfere (I am using a laptop connected to a docking station).
I unchecked all bindings except the Virtualbox Bridged one.
I then re-connected my ethernet cable, and as expected the host then had no internet connectivity.
I opened the guest pfSense router and assigned the WAN interface the ip address that my host was using - 147.188.31.216/24, and set the upstream gateway to 147.188.31.1 which was the gateway my host was using.

When I tried to ping, pfSense was able to ping itself 147.188.31.216, the gateway 147.188.31.1, and the dns server 147.188.187.250.
However, I was unable to ping 8.8.8.8 or www.google.co.uk.

I also opened the guest server, which showed no internet connectivity, and tried to ping.
The server was able to ping the pfSense gateway 10.0.33.1.
I tried to ping the pfSense WAN upstream gateway 147.188.31.1 without success.

So I'm not sure now what is happening, but it's not getting an internet connection. Gggrrrr... :? :D

Thanks for the useful tips though, it's still helping me to learn!
Post Reply