virtualbox.org

I am fed up with port forwarding, I would like to have a separate network where guests could communicate with each other, receiving network settings via vbox dhcpd.
So that guests have internet access.
So that I can access guests from the host by ip address without port forwarding. Host is Windows 7, guests are mostly linux

Bridge is good but not a choice for security reason.
In every variant but NAT and NAT-net guests can't access outside.
In NAT I sholud add countless port-forwarding rules.

Why the hell I can't ping 10.0.2.3 guest address from a host?

Please see Virtualbox Networks: In Pictures.

Xoid666 wrote: I would like to have a separate network where guests could communicate with each other, receiving network settings via vbox dhcpd.
So that guests have internet access.
So that I can access guests from the host by ip address without port forwarding.

Bridged covers all this.

Xoid666 wrote:Why the hell I can't ping 10.0.2.3 guest address from a host?

NAT behaves like a router, and routers need port forwarding to allow unsolicited internet traffic into a PC.

Xoid666 wrote:Bridge is good but not a choice for security reason.

What is this reason?

Thank you for the picture

"NAT behaves like a router, and routers need port forwarding to allow unsolicited internet traffic into a PC."

well, not excactly. From usual NAT router I can ping home network machines, vbox dosnt allow that.

"Bridge security"

I sometime give ssh access to other people throught reverse-ssh-tunnel on guest-vm and I dont want them to be in my home network.

Xoid666 wrote:From usual NAT router I can ping home network machines

I'm assuming that you mean you have a way to do this from out on the internet, and I'd be curious to learn how you do it.

I won't be dogmatic, but it's been my understanding that internet-sourced pings can only get access to the router's public WAN-side IP address.

Example: I have a PC at 192.168.1.10 in my LAN. I can ping 192.168.1.10 from my other LAN PCs. However I cannot ping 192.168.1.10 from the internet, because the router blocks view of 192.168.#.# from the internet. To get access to 192.168.1.10 for internet-sourced traffic, I'd have to open a port for the traffic. But ping does not go through a port. So the only way that I know of to ping 192.168.1.10 from the internet is if the router had a special function to ping 192.168.1.10 itself, then forward the results to the internet IP address I'm pinging from. Virtualbox NAT does not have this function.

Now, why all this talk of pinging from the internet? Because NAT behaves like a basic router. The private LAN side is connected to the VM, and the WAN "internet" side is connected to the host. So the host is part of the "internet" for the NAT connection's purposes. And since NAT, behaving like a router, hides the LAN from the WAN, you can't access the 10.0.2.# IP in the VM from the host, just like I can't access 192.168.1.10 from the internet. Unless ports are opened, of course, but ping doesn't use a port.

Xoid666 wrote:"Bridge security"

I sometime give ssh access to other people ... I dont want them to be in my home network.

There may be other tools to give people VPN-like access to the VM directly without digging through routers. But you may be stuck between Scylla and Charybdis on this one:
Bridged doesn't require port forwarding but does allow LAN access.
NAT doesn't allow complete* LAN access but does require port forwarding.
( * NAT actually does allow LAN access via direct IP address usage, since the host and LAN are part of the WAN side "internet", and LAN-side outward access through a router is always allowed. See "Sandbox" in the Pictures tutorial for a method to allow internet but completely block the LAN from the VM.)