VirtualBox

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#17616 closed defect (invalid)

No switch back to NAT from Bridged Network

Reported by: Linux.On.Mac
Owned by:
Component: network/NAT
Version: VirtualBox 5.2.6
Keywords: NAT bridged
Cc:
Guest type: Linux
Host type: Mac OS X

Description (last modified by Valery Ushakov)

Hi,

I'm currently running VirtualBox 5.2.6-r120293 on a Mac with OpenSuse/Linux Guest.

To separate the VM from my Network I usually use NAT. To exchange data with a local computer I switched to bridged network, exchanged data, and tried to switch back to NAT to separate it again. But still I can ping / access my local network. Also rebooted, setting is NAT, and still have connection to local network.

E.g.

$:> ping 192.168.0.233
PING 192.168.0.233 (192.168.0.233) 56(84) bytes of data.
64 bytes from 192.168.0.233: icmp_seq=1 ttl=63 time=0.001 ms
64 bytes from 192.168.0.233: icmp_seq=2 ttl=63 time=6.34 ms
64 bytes from 192.168.0.233: icmp_seq=3 ttl=63 time=3.21 ms

Regards,

Change History (6)

comment:1 by Valery Ushakov, 6 years ago

Description: modified (diff)

comment:2 by Linux.On.Mac, 6 years ago

next:

Now I switched to another VM with another different openSuse release installed. Network is still set to NAT, but within the VM I also have access to my local network.

Not good !!

comment:3 by Valery Ushakov, 6 years ago

You seem to have the wrong impression. NAT attachment doesn't preclude your VM from connecting to the host, or your local network, or the internet. You don't have to use bridged for that.

We usually have bugs filed when people cannot connect from the VM to the local network :)

comment:4 by Valery Ushakov, 6 years ago

Resolution: invalid
Status: new → closed

comment:5 by Linux.On.Mac, 6 years ago

Sorry for opening a discussion - am I completely wrong at the moment?

What is the right setting for having a separate network inside the VM (with own ip range) that has access to the internet (and vice versa) but not to the local network? That's what NAT is all about - I thought.

see: https://www.virtualbox.org/manual/ch06.html#network_nat

Table 6.1. Overview
              VM ↔ Host   VM1 ↔ VM2   VM → Internet   VM ← Internet
Host-only     +           +           –               –
Internal      –           +           –               –
Bridged       +           +           +               +
NAT           –           –           +               Port forwarding
NAT Network   –           +           +               Port forwarding

Network Address Translation (NAT) is the simplest way of accessing an external network from a virtual machine. Usually, it does not require any configuration on the host network and guest system. For this reason, it is the default networking mode in VirtualBox.

A virtual machine with NAT enabled acts much like a real computer that connects to the Internet through a router. The "router", in this case, is the VirtualBox networking engine, which maps traffic from and to the virtual machine transparently. In VirtualBox this router is placed between each virtual machine and the host. This separation maximizes security since by default virtual machines cannot talk to each other.

The disadvantage of NAT mode is that, much like a private network behind a router, the virtual machine is invisible and unreachable from the outside internet; you cannot run a server this way unless you set up port forwarding (described below).

The network frames sent out by the guest operating system are received by VirtualBox's NAT engine, which extracts the TCP/IP data and resends it using the host operating system. To an application on the host, or to another computer on the same network as the host, it looks like the data was sent by the VirtualBox application on the host, using an IP address belonging to the host. VirtualBox listens for replies to the packages sent, and repacks and resends them to the guest machine on its private network.

(THE ABOVE IS MY PROBLEM!!: HOW CAN I BLOCK ACCESSING THE LOCAL NETWORK as described in Table 6.1 VM <-> Host NAT = '-' )

The virtual machine receives its network address and configuration on the private network from a DHCP server integrated into VirtualBox. The IP address thus assigned to the virtual machine is usually on a completely different network than the host. As more than one card of a virtual machine can be set up to use NAT, the first card is connected to the private network 10.0.2.0, the second card to the network 10.0.3.0 and so on. If you need to change the guest-assigned IP range for some reason, . . .

MAYBE THIS WAY:

9.11.1. Configuring the address of a NAT network interface

In NAT mode, the guest network interface is assigned to the IPv4 range 10.0.x.0/24 by default where x corresponds to the instance of the NAT interface +2. So x is 2 when there is only one NAT instance active. In that case the guest is assigned to the address 10.0.2.15, the gateway is set to 10.0.2.2 and the name server can be found at 10.0.2.3.

If, for any reason, the NAT network needs to be changed, this can be achieved with the following command:

VBoxManage modifyvm "VM name" --natnet1 "192.168/16"

This command would reserve the network addresses from 192.168.0.0 to 192.168.254.254 for the first NAT network instance of "VM name". The guest IP would be assigned to 192.168.0.15 and the default gateway could be found at 192.168.0.2.

comment:6 by Valery Ushakov, 6 years ago

"that has access to the internet (and vice versa) but not to the local network" - there is no difference between the internet and the local network, except the address range. If you want advanced firewalling and filtering, you have to do it yourself, sorry.
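
Comment 6 leaves the filtering to the user; one way to do it from inside the Linux guest is shown here as an added example (not part of the ticket and not VirtualBox's own tooling). It assumes the default NAT addressing quoted in comment 5 (10.0.x.0/24, name server 10.0.x.3), covers IPv4 only, and uses a hypothetical chain name, VBOX_NAT_EGRESS.

```shell
#!/bin/sh
# Added example (not from the ticket): print iptables commands for a Linux
# guest on a VirtualBox NAT adapter that keep internet access but refuse
# connections to private (RFC 1918) and link-local IPv4 ranges.
# Assumption: the NAT subnet is the default 10.0.x.0/24 with DNS at 10.0.x.3.

CHAIN=VBOX_NAT_EGRESS   # hypothetical chain name chosen for this example

nat_egress_rules() {
    x="${1:-2}"         # x = NAT adapter instance + 2 (2 for the first adapter)
    case "$x" in
        ''|*[!0-9]*) echo "NAT index must be a number: $x" >&2; return 1 ;;
    esac
    # Must be a usable third octet, and at least 2 per the manual's numbering.
    if [ "$x" -lt 2 ] || [ "$x" -gt 255 ]; then
        echo "NAT index out of range: $x" >&2; return 1
    fi
    dns="10.0.$x.3"

    echo "iptables -N $CHAIN"
    # Replies on connections that are already tracked (e.g. port forwards).
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The NAT name server lives inside 10.0.0.0/8, so it must be allowed
    # before that range is rejected below; rule order is what matters here.
    echo "iptables -A $CHAIN -d $dns -p udp --dport 53 -j ACCEPT"
    echo "iptables -A $CHAIN -d $dns -p tcp --dport 53 -j ACCEPT"
    # DHCP renewals towards the integrated DHCP server.
    echo "iptables -A $CHAIN -p udp --sport 68 --dport 67 -j ACCEPT"
    # Private and link-local destinations: the "local network" side,
    # which includes the 192.168.0.x host pinged in the description.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
        echo "iptables -A $CHAIN -d $net -j REJECT"
    done
    # Everything else (public addresses) falls through to the OUTPUT policy.
    echo "iptables -A $CHAIN -j RETURN"
    echo "iptables -I OUTPUT ! -o lo -j $CHAIN"
}

nat_egress_rules "${1:-2}"
```

Review the printed commands, then run them as root inside the guest. Because the rules live in the guest, anyone with root there can remove them, so this limits accidental access to the LAN and does not contain an untrusted guest.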
