Ticket #1247 (closed defect: fixed)

Opened 10 years ago

Last modified 9 years ago

ping doesn't work with NAT network interfaces

Reported by: bvassche Owned by:
Priority: major Component: network
Version: VirtualBox 1.5.6 Keywords:
Cc: Guest type: other
Host type: other


Run a Windows XP guest on a Linux host, and configure the network interface as NAT. In the guest, run a ping command to a live host.

Expected: Windows guest reports that the host is alive.

Actual result: Windows guest reports that the request timed out.

Technical background: VirtualBox NAT translates the outgoing ICMP request in an UDP echo request (port 7). If the echo service is not enabled on this host (which is e.g. the case on OpenSolaris servers), that host will send back an ICMP error (destination unreachable). VirtualBox does not translate this ICMP error into an ICMP response for the guest. This can be easily verified by running Wireshark simultaneously on the guest OS and on the host OS.


host.snoop Download (320 bytes) - added by bvassche 10 years ago.
guest.snoop Download (114 bytes) - added by bvassche 10 years ago.

Change History

Changed 10 years ago by bvassche

Changed 10 years ago by bvassche

comment:1 Changed 10 years ago by Technologov

Yea, this bug came from the Qemu codebase.

This is because ICMP protocol, unlike TCP or UDP, has no "ports".

Technically it can be resolved, by doing NAT map, based on the "ICMP message number" rather than TCP/UDP port.

This way first stream may start with ICMP message #0, second stream may start with ICMP message #1000, and so on... so the NAT logic will have to remember map of all those things.


comment:2 Changed 10 years ago by klaus

Attributing this "bug" to QEMU doesn't isn't really accurate. It's slirp which has that what you call bug. Both VirtualBox and QEMU use slirp as their NAT engine, because it's so nicely portable.

The hinted solution however doesn't get us anywhere. I've read the relevant documentation up and down, and there is simply no way of receiving (leave alone sending, that would make the whole discussion redundant) ICMP messages from a process not running with root privileges. Which is something we resisted so far. So unless I'm completely wrong there (if I am please let me know), the suggestions are not implementable.

comment:3 Changed 10 years ago by bvassche

Do you know that it is possible to detect asynchronous errors (=ICMP errors) on connected UDP sockets from userspace ? See also Unix Network Programming: The Sockets Networking API (R. Stevens), pages 252-253.

comment:4 Changed 10 years ago by klaus

I know. But this is getting way too indirect for my taste, especially as the "destination unreachable" ICMP is pretty unreliable outside your nice and cozy LAN. Another aspect is that the slirp code will get even more complicated, because it requires distinguishing between UDP initiated by guests or by guest ICMP.

Just to fake success for ICMP echo which doesn't always work either. So far I'm not thrilled to say the least.

comment:5 Changed 10 years ago by xt4mhz

Hi guys.

I read this information from VirtualBox Manual.

Probably this is not a but, just the way it works.

"By default, virtual network cards are set up to use network address translation, which is well suited to standard networking needs (accessing the Internet from programs running in the guest and providing network services for machines in a local intranet). In particular, if all you want is to browse the Web, download files and view e-mail inside the guest then the default configuration of the NAT network should be sufficient for you, and you can safely skip the rest of this section. Please note that the ping utility does not work over NAT, and that there are certain limitations when using Windows file sharing." Source: Page 58 from Innotek VirtualBox User Manual. Version 1.5.4. December 29 2007.

comment:6 Changed 9 years ago by frank

  • Component changed from other to network

comment:7 Changed 9 years ago by sandervl73

  • Status changed from new to closed
  • Resolution set to fixed

Fixed in 2.1.

Note: See TracTickets for help on using tickets.
ContactPrivacy policyTerms of Use