Virtual Box network topology and port forwarding

ANDROIDWORLD
Posts: 9
Joined: 26. May 2015, 18:40

Virtual Box network topology and port forwarding

Post by ANDROIDWORLD »

I am not so experienced in networking, so I need advice.
I want to make my local home server more secure and maintainable.
Image

Here you can see desired topology.

I have a PC at home and a Wifi router. The router is connected to the ISP via PPPoE.
I have a static external IP on the internet, so I can connect to my PC from the outside world.

But after installing every service (vpn,mysql ...) on one server, it becomes like a ball of mud very soon, because everything is installed on one OS.

I decided somehow to improve topology.

But I have not enough experience in Virtual Box networking.

My idea is to have my physical PC in the Router network but all nodes installed on this PC inside another network, 192.168.56.0/24, using a Host Only Adapter to communicate with the host.
But I want to get port forwarding between these networks.

Consider for example Apache and port 80.

I want to make request from the internet to my external IP -> Router forwards all traffic with 80 port to my physical PC with local IP 192.168.0.107 -> My PC should forward traffic to the virtual machine inside VBox network - 192.168.56.3.

Is it possible to get the following topology working?

I understand that I can configure Bridged Network Adapter so all my nodes will be in the same network (Router local network), but for the sake of security I want to use some other topology.

Please suggest what is the best option to implement?
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Virtual Box network topology and port forwarding

Post by socratis »

ANDROIDWORLD wrote: Using Host Only Adapter to communicate with host. But I want to get port forwarding between this networks.
Host-Only, means what it says. Host-Only. So part #2 (the forwarding) won't work easily. Only with the NAT-Network option you would be able to do what you want from within VirtualBox. But, then you're getting into what's called double-NAT. I have one at home (a physical one), good luck troubleshooting accessing that from the Internet ;)
ANDROIDWORLD wrote: I understand that I can configure Bridged Network Adapter so all my nodes will be in the same network (Router local network), but for the sake of security I want to use some other topology.
The sake of security? What security? What you're proposing is to put your host in the front line. Not bypassing it, but in fact making it your "proxy" for all your external operations.

In your case I would use wired bridged and forward straight from the router to the VM. Done. Your host won't even be in the loop. BTW, I'm not the expert in networking, so I'd wait for a second opinion...

Finally, since this is not a "Suggestion", I'm moving it to the "Using VirtualBox" sub-forum.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
BillG
Volunteer
Posts: 5106
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: Virtual Box network topology and port forwarding

Post by BillG »

Your router can only forward traffic to a machine which is in the same IP subnet as its private interface (in your case that is 192.168.0.0/24). You cannot port forward again to a different subnet through another device.

To be able to port forward to your Apache server you would need to use bridged networking. The vms would get their network config from DHCP in your router (as the host machine does) and perform as if they were additional physical machines on your home network.

What were you planning to do with a DNS server?
Bill
ANDROIDWORLD
Posts: 9
Joined: 26. May 2015, 18:40

Virtual Box bridged network and port forwarding

Post by ANDROIDWORLD »

Thanks everyone. I decided to use Bridged Network but have another problem :(

Here is diagram of my network.
Image

1. I have a WIFI Router connected to the internet. I have ordered a static IP from my ISP so I can access my local PC via the internet.
2. My router creates network 192.168.0.0/24
3. I have some ports forwarded to my Local PC server (192.168.0.101)
Image
4. I have VirtualBox installed on my local PC
5. There are two nodes created and maintained through Vagrant, but we are interested in the first node.
6. Each VM has two NICs: the first is NAT for Vagrant communication, the second is a Bridged adapter through the Local PC interface enp3s0.
7. All nodes have specific MAC addresses that are bound in the Router DHCP settings to give them static IPs (192.168.0.110 and 192.168.0.111)
8. Everything works inside the local network, nodes receive correct IP addresses, and I can access any node port through the local network
9. My node with IP 192.168.0.110 runs an Apache server and inside the local network it works fine.
10. I want to access this node's Apache server from the outside, so I forwarded external port 8888 to local port 80 on the machine with IP 192.168.0.110, as you can see in the screenshot above.

But the problem is that I cannot access the node's Apache from the outside. The connection is timed out or reset. I have tried to capture traffic using Wireshark and I can see the following errors.

Image
Image
Is it possible to get this working? Or is the only solution to forward ports to the 192.168.0.101 PC and then forward packets to the Node using NAT with port forwarding?

Please help to solve this problem.
Thanks.
ANDROIDWORLD
Posts: 9
Joined: 26. May 2015, 18:40

Re: Virtual Box network topology and port forwarding

Post by ANDROIDWORLD »

I have spent the whole day trying to fix this, but it is still not working.
I captured all traffic. And inside the local network everything works fine. I can connect to any port of the Bridged adapter in my VM.
But when it comes to an external connection to the VM, it cannot reach the VM. Port forwarding on my router works fine, I can capture traffic on my PC which is directed to the VM, but still the same: everything ends with TCP Retransmission. So the problem is in my HOST PC or VirtualBox.

Please help to solve this problem (( I have no idea what to do.
ANDROIDWORLD
Posts: 9
Joined: 26. May 2015, 18:40

Re: Virtual Box network topology and port forwarding

Post by ANDROIDWORLD »

From any device in the local network the bridge connection works perfectly. Not only from the HOST PC, but from any device connected to the router over wifi or ethernet.
So maybe the problem is in the host itself, but everything is like out of the box (Ubuntu 14.04). I have disabled all firewalls and flushed iptables.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Virtual Box network topology and port forwarding

Post by socratis »

Take Vagrant out of the equation. Take NAT out of the equation. Just leave Bridged with standalone VirtualBox.
ANDROIDWORLD
Posts: 9
Joined: 26. May 2015, 18:40

Re: Virtual Box network topology and port forwarding

Post by ANDROIDWORLD »

socratis wrote: Take Vagrant out of the equation. Take NAT out of the equation. Just leave Bridged with standalone VirtualBox.
Thanks a lot, man!!! It seems to work. I tried yesterday to do a similar manipulation, but it didn't work. I have just tried to run simple VirtualBox without the NAT adapter and set the first adapter as a Bridge Adapter. And finally it works.
Then I started to investigate the problem with Vagrant and found the following question: http://superuser.com/questions/752954/n ... ant-no-nat
It seems that by default the box is configured to use the NAT network adapter as a gateway, and because of that, as I can guess, the response from the server is sent to this gateway and finally dropped.

I followed the suggestion and added these lines to my Vagrantfile

Code:

# default router
config.vm.provision "shell",
  run: "always",
  inline: "route add default gw 192.168.0.1"

# default router ipv6
config.vm.provision "shell",
  run: "always",
  inline: "route -A inet6 add default gw fc00::1 eth1"

# delete default gw on eth0
config.vm.provision "shell",
  run: "always",
  inline: "eval `route -n | awk '{ if ($8 ==\"eth0\" && $2 != \"0.0.0.0\") print \"route del default gw \" $2; }'`"

And now the route output looks like this:

Code:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
default         10.0.2.2        0.0.0.0         UG    0      0        0 eth0
10.0.2.0        *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1

Finally, I cannot believe my eyes, it seems to work, but sometimes it is a bit weird: the first request can be dropped.

So now, I want to get rid of Vagrant because of this issue. Is there any alternative you can suggest to use for provisioning and more flexible configuration in terms of network?

Thanks again
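
The routing situation described in the post above can be checked mechanically. This is an added example, not code from the thread, VirtualBox or Vagrant: it parses `route` output and reports whether a reply to a client would leave through the interface the request arrived on. The `NAT_DEFAULT` table, the client address 203.0.113.7 and all function names are constructed for illustration; `POSTED` is the table shown in the post.

```python
import ipaddress

# Constructed: a guest whose only default route is the NAT adapter (eth0).
NAT_DEFAULT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.2.2        0.0.0.0         UG    0      0        0 eth0
10.0.2.0        *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
"""
# The table from the post: eth1 default added, eth0 default still present.
POSTED = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
default         10.0.2.2        0.0.0.0         UG    0      0        0 eth0
10.0.2.0        *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
"""

def parse_routes(text):
    """Parse `route` output into (network, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip headers and anything that is not a route row
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        prefix = bin(int(ipaddress.ip_address(f[2]))).count("1")  # Genmask -> /n
        routes.append((ipaddress.ip_network(f"{dest}/{prefix}"), int(f[4]), f[7]))
    return routes

def egress_candidates(routes, dst):
    """Interfaces a packet to dst can leave by: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    longest = max((r[0].prefixlen for r in hits), default=-1)
    hits = [r for r in hits if r[0].prefixlen == longest]
    lowest = min((r[1] for r in hits), default=0)
    return {r[2] for r in hits if r[1] == lowest}

def check_reply_path(route_text, client_ip, ingress_iface):
    """Compare the interface a request arrived on with where the reply would go."""
    out = egress_candidates(parse_routes(route_text), client_ip)
    if out == {ingress_iface}:
        return "symmetric"
    return "ambiguous" if ingress_iface in out else "asymmetric"

if __name__ == "__main__":
    for name, table in (("NAT default", NAT_DEFAULT), ("posted", POSTED)):
        print(name, check_reply_path(table, "203.0.113.7", "eth1"))
```

A result of `ambiguous` means two equal-metric default routes match the client, so the table alone does not determine which interface carries the reply.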
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Virtual Box network topology and port forwarding

Post by socratis »

And this is EXACTLY why we don't support Vagrant, or any other 3rd party application that modifies the VirtualBox core, in these forums.

I can't recommend any network specific management tools, because I don't use any. Take a look at the 3rd party applications. There is one called GNS3 Graphical Network Simulator.
ANDROIDWORLD
Posts: 9
Joined: 26. May 2015, 18:40

Re: Virtual Box network topology and port forwarding

Post by ANDROIDWORLD »

Thanks for the answer. I have no need to build complex network topologies; the only reason I've used Vagrant is provisioning, which in this case uses this problematic NAT interface in order to connect to the VM box.

I am thinking about just automating this using plain old bash scripts to emulate Vagrant behavior but with a pure VM.

Also to note that the first request with the described Vagrant configuration is reset; all subsequent requests work properly until a long delay.
With pure virtual box there is no such problem.

Thanks again, any help or advice would be highly appreciated.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Virtual Box network topology and port forwarding

Post by socratis »

Why exactly do you need NAT when you have bridged up and running? I don't understand the need for it, you could do just fine without it in your scenario. Do you care to explain?