VBox networking
Hello! I'm new to using VirtualBox and I'm having an issue. I have opted for NAT networking in my guest OS and while it's showing the expected behavior - the guest adapter is configured to use the 10.0.2.x subnet and everything works fine - the guest gets access to any of the networks in the Host OS. It seems traffic coming through the VBox virtual adapter gets forwarded to any of the existing host networks, which is not what I desire, nor expected, and I would like to know how to disable this.
Host OS is Windows 7 64bit and I tried several guest OSes, they all exhibit this behavior. Currently using version 4.12.12 of VBox, which I think is latest.
Any help is appreciated.
P.S. I have asked about this on two occasions on freenode irc without any useful feedback. If there is a different, better place where I should ask about this, please let me know.
-
Martin
- Volunteer
- Posts: 2562
- Joined: 30. May 2007, 18:05
- Primary OS: Fedora other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: XP, Win7, Win10, Linux, OS/2
Re: VBox networking
Can you specify a little bit more how you want to restrict the network traffic?
With NAT VBox uses the host networking like any other application running on the host, it just creates a network package and lets the host take care of anything like forwarding and routing.
Re: VBox networking
Hello! Thanks for the answer.
I would like to give VBox access to my LAN connection that is behind the router that provides internet access only, while restricting access to the rest of the subnets.
I guess I'm having a bit of trouble understanding the packet flow in the VBox network implementation, as I would expect the packets from VBox to be routed just inside of the subnet where the Host virtual adapter is. Also, IP forwarding is disabled on the host OS.
I guess I could use different approaches in order to achieve what I'm trying to do, like using bridged networking, but I'd appreciate it if you could explain to me in a little more words why things happen the way they do now.
Thanks!
-
Perryg
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: VBox networking
From the host's terminal/command window type VBoxManage showvminfo <VM Name> --details and post here. Replace <VM Name> with the actual name of the VM. Use " " if the name has a space in it.
Note if the host is Windows you need to be in the directory that has VBoxManage.exe for the command to work.
-
noteirak
- Site Moderator
- Posts: 5231
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: VBox networking
wrooom wrote: It seems traffic coming through the VBox virtual adapter gets forwarded to any of the existing host networks
Yes, that's exactly how it is supposed to happen. Routing is done by the Host OS.
Virtualbox in NAT mode is the equivalent to a home internet modem connected to an ISP:
- The modem's default route is to the ISP, since it is the only exit point to any possible network, and alike, Virtualbox sends everything to the host IP stack
- The modem doesn't decide how things are routed, it's not even its job, and alike, Virtualbox has no possibility to provide any choice in the matter.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
-
noteirak
- Site Moderator
- Posts: 5231
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: VBox networking
wrooom wrote: I guess I'm having a bit of trouble understanding the packet flow in the VBox network implementation
NAT : equivalent to a router with NAT capability, where the INSIDE interface is connected to the guest, and the OUTSIDE interface is connected to the host internal IP stack
Bridged : equivalent to a Hub where the host & guest would be connected
Host-Only : equivalent to a switch with the host connected to it
Internal : equivalent to a switch without the host connected to it
Generic Driver : whatever the driver is implementing
In your case, you would need to use:
- Host-Only mode + IP forwarding (host) + firewalling (host) + masquerading
OR
- Bridged + firewalling on your switch layer 3 (e.g. home internet router)
OR
- Bridged + VLAN tagging on your switch layer 2 to block specific access.
Re: VBox networking
Noteirak: Thanks for both the replies. I have a general understanding of NAT, but was not sure what exactly VBox does. I was expecting packets from the guest OS to be seen as coming through the VBox interface in the Host and do not see that with Wireshark. So, I'm guessing, as you say, VBox captures the packets on the guest interface and injects them in the Host IP stack.
So, I guess what I am trying to do would then have to be handled by the routing engine in my Host OS. Not sure how easy that's gonna be, considering it's Windows. Also, I think the first step would be to see how the "translated" packets look when they are sent to the Host OS IP stack. Is there any easy way to do that?
Perryg: Thanks for pointing me to the vboxmanage information, the only relevant NIC information is :
"
NIC 1: MAC: 08002734C190, Attachment: NAT, Cable connected: on, Trace: off (file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot priority: 0, Promisc Policy: deny, Bandwidth group: none
NIC 1 Settings: MTU: 0, Socket (send: 64, receive: 64), TCP Window (send:64, receive: 64)
"
-
noteirak
- Site Moderator
- Posts: 5231
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: VBox networking
wrooom wrote: I was expecting packets from the guest OS to be seen as coming through the VBox interface in the Host and do not see that with Wireshark
In NAT mode, there is actually no interface involved, all the work is done in the Virtualbox process, nothing is appearing to the host. You would see this kind of behaviour in Host-Only mode only.
wrooom wrote: I think the first step would be to see how the "translated" packets look when they are sent to the Host OS IP stack. Is there any easy way to do that?
They will look like they are going out from the interface that was elected as the OUT interface by the routing engine of the host, to reach the destination IP address.
From the host point-of-view, any traffic from a guest in NAT mode will appear to come from the VirtualBox process running that VM, so it's not even coming from outside the host, it is coming from a host process directly, and therefore there is only OUT routing - so no FORWARDING routing is actually done.
Re: VBox networking
Ah, I see. That clears up everything I encountered and had questions about so far. I guess in order to mess with that I'd have to play with the source code and while I have a little experience programming, I'm not sure I have the time and experience to get acquainted right now with the source of such a large project. I already have a couple of different approaches to isolate my VBox VMs from the rest of the networks.
Thanks again for the helpful answers.
-
noteirak
- Site Moderator
- Posts: 5231
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: VBox networking
I am not sure if you saw, but I have proposed some solutions for you in a previous reply :
In your case, you would need to use:
- Host-Only mode + IP forwarding (host) + firewalling (host) + masquerading
OR
- Bridged + firewalling on your switch layer 3 (e.g. home internet router)
OR
- Bridged + VLAN tagging on your switch layer 2 to block specific access.
I would recommend the first approach, really easy to put in place if you use iptables for the firewalling + masquerading
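The first approach recommended above (Host-Only + IP forwarding + firewalling + masquerading with iptables), sketched for a Linux host as an added example that is not part of the original post. The function name, interface names, guest subnet and resolver address are assumptions; it prints a ruleset in iptables-restore format for review rather than applying anything.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore ruleset that
# lets a VirtualBox Host-Only network reach the internet through the host
# while dropping traffic to the private subnets the host can also reach.
# Usage: hostonly_ruleset HOSTONLY_IF GUEST_NET WAN_IF DNS_IP  (all assumed values)
# Also needed on the host: sysctl -w net.ipv4.ip_forward=1
# Note: loading this with iptables-restore replaces the existing filter and
# nat tables, so merge it with any rules already in use.
hostonly_ruleset() {
    ho_if=$1 guest_net=$2 wan_if=$3 dns_ip=$4
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Replies to connections the guest opened are allowed back in.
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Single pinhole: DNS to the LAN resolver, placed before the drops below.
    for proto in udp tcp; do
        echo "-A FORWARD -i $ho_if -s $guest_net -d $dns_ip -p $proto --dport 53 -j ACCEPT"
    done
    # Private, link-local and CGNAT ranges: the "other subnets" to keep out of reach.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 100.64.0.0/10; do
        echo "-A FORWARD -i $ho_if -d $net -j DROP"
    done
    # Whatever is left is internet-bound and may leave through the WAN interface only.
    echo "-A FORWARD -i $ho_if -o $wan_if -s $guest_net -j ACCEPT"
    # Traffic addressed to the host itself hits INPUT, not FORWARD.
    echo "-A INPUT -i $ho_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i $ho_if -j DROP"
    echo 'COMMIT'
    echo '*nat'
    echo ':POSTROUTING ACCEPT [0:0]'
    # Masquerading: guest traffic leaves with the host's WAN address.
    echo "-A POSTROUTING -s $guest_net -o $wan_if -j MASQUERADE"
    echo 'COMMIT'
}

# Run as a script with four arguments to print the ruleset, e.g.
#   sh ruleset.sh vboxnet0 192.168.56.0/24 eth0 192.168.1.1
if [ "$#" -eq 4 ]; then
    hostonly_ruleset "$@"
fi
```

Rule order matters here: the DNS pinhole has to come before the private-range drops, because the resolver usually sits inside one of those ranges.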
Re: VBox networking
Heh, I actually managed to miss that in my hurry. Unfortunately, my host OS will have to remain Windows 7 for now. I will have to try toying with the suggestions anyway, after I first have a look at the current capabilities of my router.
-
noteirak
- Site Moderator
- Posts: 5231
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: VBox networking
This might be far-fetched, but nothing stops you from putting another VM which would only act as firewall and would have bridged interface on the host, and would be on an internal network with your other VM.
This way, you could directly stop certain IP ranges from leaving altogether.
Re: VBox networking
Yes, that's an interesting option. It would probably allow me to get more familiar with the *NIX environment as well. I will probably try that, even if just for learning purposes. Let's see how soon I get the time to actually do it.
Cheers!