Double NAT?

memilanuk
Posts: 54
Joined: 1. Jul 2009, 18:16
Primary OS: Linux other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: openSuSE, Fedora, Ubuntu, CentOS
Location: Wenatchee, WA USA

Double NAT?

Post by memilanuk »

Hello,

I've been reading a little bit about double NAT... where you have a network NAT'd behind another network that is NAT'd to the 'Net, or similar. Supposedly it causes some problems with packets in certain circumstances.

I've seen a few references to it here where someone hooked a router to a cable modem, and I can kinda see how that could cause headaches. Other examples I've seen are where network A is behind a NAT firewall/router, and one of the machines on that network acts as a gateway/router to *another* network. Sometimes the IPs overlap, which again I could see as being a massive problem, and other times they don't. In the end... I'm not really sure when it is and isn't a huge issue or not.

What's this have to do with VirtualBox? Well, if I use a NAT connection for my network adapter on a virtual machine, it connects to an internal NAT scheme, does it not? (I realize that being software it may not behave exactly as a physical LAN would.) So is that machine then double NAT'd? I haven't experienced any major problems with just using a guest VM over a NAT connection; they can connect to the LAN and the Internet, get updates, surf the web, etc. I've not yet tried port forwarding or anything like that, so I don't know how well that works out.

And then there's the scenario where I create a virtual LAN, by having several guest VMs all attached to 'intnet', and one of them has two NICs and eth0 is connected to the physical LAN via a bridged connection - essentially acting as a gateway/router between that internal network and the physical LAN... is that considered 'double NAT' as well? Are there serious pitfalls that I'm headed for going that route? I primarily want to have a 'sandbox' that I can run the guest OSs through their paces while being somewhat isolated from the physical LAN - so I can cut that tie if needed and keep the outside world out, and any mistakes I make in :oops:

Here is a drawing of what I'm envisioning:

Image
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: Double NAT?

Post by mpack »

Most VBox users will be using a double NAT scheme like you describe, as it's the default - and for simple web browsing it won't cause any problems. NAT can have problems not receiving unsolicited packets, but I'm not sure that double NAT makes that any worse.

If you want to create an isolated virtual network of VMs then the best option is host only mode. If you like, one of the VMs could be given a second NIC with a connection to the host physical NIC, with internet connection sharing enabled on that connection. That way the other VMs only get internet access when that server VM is running.

Re: Double NAT?

Post by memilanuk »

Hello,

Thanks for replying! Looking at the manual, I'm not sure I see the benefit of host-only mode vs. internal network - if I don't need to 'see' the guest VMs from the host OS... what does it gain me over internal networking? I'm not disagreeing with you; merely seeking enlightenment as I seem to be missing the key point there.

Thanks,

Monte

Re: Double NAT?

Post by mpack »

memilanuk wrote: Looking at the manual, I'm not sure I see the benefit of host-only mode vs. internal network
The host-only mode provides access to the host, and therefore also access to host resources such as network shared folders and printers.

Re: Double NAT?

Post by memilanuk »

Ah. Well, I think that's why I went the other route (intnet) as my plan was to have the virtual LAN completely isolated from the outside network... including the host (other than the bridged connection).

Thanks,

Monte
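
The layout discussed in the posts above (guests attached only to 'intnet', one gateway VM with a bridged adapter that can be cut) can be checked from the host. The script below is an added example, not part of the thread; the VM names and the sample `showvminfo` text are constructed, and `audit_vm_nics` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example. Reads `VBoxManage showvminfo <vm> --machinereadable` text on
# stdin and lists every adapter that is NOT attached to the sandbox's internal
# network. Exit status 1 if any such adapter still has its cable connected.
audit_vm_nics() {
    awk -F= -v net="$1" '
        { v = $2; gsub(/"/, "", v) }              # value without quotes
        /^nic[0-9]+=/ { n = substr($1, 4) + 0; mode[n] = v; if (n > max) max = n }
        /^intnet[0-9]+=/         { name[substr($1, 7) + 0] = v }
        /^cableconnected[0-9]+=/ { cable[substr($1, 15) + 0] = v }
        END {
            for (n = 1; n <= max; n++) {
                if (mode[n] == "" || mode[n] == "none") continue
                if (mode[n] == "intnet" && name[n] == net) continue
                printf "nic%d %s cable=%s\n", n, mode[n], cable[n]
                if (cable[n] != "off") live = 1   # a usable path out of the sandbox
            }
            exit live + 0
        }'
}

# Constructed sample: the gateway VM (nic1 bridged to eth0, nic2 on intnet).
GATEWAY_INFO='name="gateway"
nic1="bridged"
bridgeadapter1="eth0"
cableconnected1="on"
nic2="intnet"
intnet2="intnet"
cableconnected2="on"
nic3="none"'

# Constructed sample: a guest meant to be intnet-only that kept a NAT adapter.
GUEST_INFO='name="guest1"
nic1="nat"
cableconnected1="on"
nic2="intnet"
intnet2="intnet"
cableconnected2="on"'

echo "gateway:"; printf '%s\n' "$GATEWAY_INFO" | audit_vm_nics intnet || true
echo "guest1:";  printf '%s\n' "$GUEST_INFO"   | audit_vm_nics intnet || true

# On a live host (VM name "gateway" is an assumption):
#   VBoxManage showvminfo "gateway" --machinereadable | audit_vm_nics intnet
#   VBoxManage controlvm "gateway" setlinkstate1 off    # cut the bridged link
```

Only the gateway should ever appear in the output; any other guest listed has a second route out that bypasses it.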
vbox4me2
Volunteer
Posts: 5218
Joined: 21. Nov 2008, 20:27
Location: Rotterdam
Contact:

Re: Double NAT?

Post by vbox4me2 »

For the datacenter I've built I've made a double virtual firewall to separate DC lan segments, it uses 1 bridge and 1 internal connection, all other VMs connect to the internal lan. The VM double FW routes between the external router and its internal lan. The FW is based on ipsec whitelist filters; one for each virtual lan card, squid whitelist proxy and additional routing rules to protect the Host. The FW also uses dualdnsdhcp server to serve the local lan, effectively doing double NAT on the local lan side and the NAT from the external router, this works fine as long as you keep track which port/protocol is going where.