user_Networking.xml@ 64529

最後變更在這個檔案從64529是 62335,由 vboxsync 提交於 8 年前
bugref:6417 further checkins
檔案大小: 48.8 KB

行
1	<?xml version="1.0" encoding="UTF-8"?>
2	<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3	"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
4	<chapter id="networkingdetails">
5	<title>Virtual networking</title>
6
7	<para>As briefly mentioned in <xref linkend="settings-network" />,
8	VirtualBox provides up to eight virtual PCI Ethernet cards for each virtual
9	machine. For each such card, you can individually select<orderedlist>
10	<listitem>
11	<para>the hardware that will be virtualized as well as</para>
12	</listitem>
13
14	<listitem>
15	<para>the virtualization mode that the virtual card will be operating
16	in with respect to your physical networking hardware on the
17	host.</para>
18	</listitem>
19	</orderedlist></para>
20
21	<para>Four of the network cards can be configured in the "Network" section
22	of the settings dialog in the graphical user interface of VirtualBox. You
23	can configure all eight network cards on the command line via VBoxManage
24	modifyvm; see <xref linkend="vboxmanage-modifyvm" />.</para>
25
26	<para>This chapter explains the various networking settings in more
27	detail.</para>
28
29	<sect1 id="nichardware">
30	<title>Virtual networking hardware</title>
31
32	<para>For each card, you can individually select what kind of
33	<emphasis>hardware</emphasis> will be presented to the virtual machine.
34	VirtualBox can virtualize the following six types of networking
35	hardware:<itemizedlist>
36	<listitem>
37	<para>AMD PCNet PCI II (Am79C970A);</para>
38	</listitem>
39
40	<listitem>
41	<para>AMD PCNet FAST III (Am79C973, the default);</para>
42	</listitem>
43
44	<listitem>
45	<para>Intel PRO/1000 MT Desktop (82540EM);</para>
46	</listitem>
47
48	<listitem>
49	<para>Intel PRO/1000 T Server (82543GC);</para>
50	</listitem>
51
52	<listitem>
53	<para>Intel PRO/1000 MT Server (82545EM);</para>
54	</listitem>
55
56	<listitem>
57	<para>Paravirtualized network adapter (virtio-net).</para>
58	</listitem>
59	</itemizedlist></para>
60
61	<para>The PCNet FAST III is the default because it is supported by nearly
62	all operating systems out of the box, as well as the GNU GRUB boot
63	manager. As an exception, the Intel PRO/1000 family adapters are chosen
64	for some guest operating system types that no longer ship with drivers for
65	the PCNet card, such as Windows Vista.</para>
66
67	<para>The Intel PRO/1000 MT Desktop type works with Windows Vista and
68	later versions. The T Server variant of the Intel PRO/1000 card is
69	recognized by Windows XP guests without additional driver installation.
70	The MT Server variant facilitates OVF imports from other platforms.</para>
71
72	<para>The <emphasis role="bold">"Paravirtualized network adapter
73	(virtio-net)"</emphasis> is special. If you select this, then VirtualBox
74	does <emphasis>not</emphasis> virtualize common networking hardware (that
75	is supported by common guest operating systems out of the box). Instead,
76	VirtualBox then expects a special software interface for virtualized
77	environments to be provided by the guest, thus avoiding the complexity of
78	emulating networking hardware and improving network performance. Starting
79	with version 3.1, VirtualBox provides support for the industry-standard
80	"virtio" networking drivers, which are part of the open-source KVM
81	project.</para>
82
83	<para>The "virtio" networking drivers are available for the following
84	guest operating systems:</para>
85
86	<para><itemizedlist>
87	<listitem>
88	<para>Linux kernels version 2.6.25 or later can be configured to
89	provide virtio support; some distributions also back-ported virtio
90	to older kernels.</para>
91	</listitem>
92
93	<listitem>
94	<para>For Windows 2000, XP and Vista, virtio drivers can be
95	downloaded and installed from the KVM project web page.<footnote>
96	<para><ulink
97	url="http://www.linux-kvm.org/page/WindowsGuestDrivers">http://www.linux-kvm.org/page/WindowsGuestDrivers</ulink>.</para>
98	</footnote></para>
99	</listitem>
100	</itemizedlist></para>
101
102	<para>VirtualBox also has limited support for so-called <emphasis
103	role="bold">jumbo frames</emphasis>, i.e. networking packets with more
104	than 1500 bytes of data, provided that you use the Intel card
105	virtualization and bridged networking. In other words, jumbo frames are
106	not supported with the AMD networking devices; in those cases, jumbo
107	packets will silently be dropped for both the transmit and the receive
108	direction. Guest operating systems trying to use this feature will observe
109	this as a packet loss, which may lead to unexpected application behavior
110	in the guest. This does not cause problems with guest operating systems in
111	their default configuration, as jumbo frames need to be explicitly
112	enabled.</para>
113	</sect1>
114
115	<sect1 id="networkingmodes">
116	<title>Introduction to networking modes</title>
117
118	<para>Each of the eight networking adapters can be separately configured
119	to operate in one of the following modes:<glosslist>
120	<glossentry>
121	<glossterm>Not attached</glossterm>
122
123	<glossdef>
124	<para>In this mode, VirtualBox reports to the guest that a network
125	card is present, but that there is no connection -- as if no
126	Ethernet cable was plugged into the card. This way it is possible
127	to "pull" the virtual Ethernet cable and disrupt the connection,
128	which can be useful to inform a guest operating system that no
129	network connection is available and enforce a
130	reconfiguration.</para>
131	</glossdef>
132	</glossentry>
133
134	<glossentry>
135	<glossterm>Network Address Translation (NAT)</glossterm>
136
137	<glossdef>
138	<para>If all you want is to browse the Web, download files and
139	view e-mail inside the guest, then this default mode should be
140	sufficient for you, and you can safely skip the rest of this
141	section. Please note that there are certain limitations when using
142	Windows file sharing (see <xref linkend="nat-limitations" /> for
143	details).</para>
144	</glossdef>
145	</glossentry>
146
147	<glossentry>
148	<glossterm>NAT Network</glossterm>
149
150	<glossdef>
151	<para>The NAT network is a new NAT flavour introduced in
152	VirtualBox 4.3. See
153	<xref linkend="network_nat_service" xrefstyle="template: %n" />
154	for details.</para>
155	</glossdef>
156	</glossentry>
157
158	<glossentry>
159	<glossterm>Bridged networking</glossterm>
160
161	<glossdef>
162	<para>This is for more advanced networking needs such as network
163	simulations and running servers in a guest. When enabled,
164	VirtualBox connects to one of your installed network cards and
165	exchanges network packets directly, circumventing your host
166	operating system's network stack.</para>
167	</glossdef>
168	</glossentry>
169
170	<glossentry>
171	<glossterm>Internal networking</glossterm>
172
173	<glossdef>
174	<para>This can be used to create a different kind of
175	software-based network which is visible to selected virtual
176	machines, but not to applications running on the host or to the
177	outside world.</para>
178	</glossdef>
179	</glossentry>
180
181	<glossentry>
182	<glossterm>Host-only networking</glossterm>
183
184	<glossdef>
185	<para>This can be used to create a network containing the host and
186	a set of virtual machines, without the need for the host's
187	physical network interface. Instead, a virtual network interface
188	(similar to a loopback interface) is created on the host,
189	providing connectivity among virtual machines and the host.</para>
190	</glossdef>
191	</glossentry>
192
193	<glossentry>
194	<glossterm>Generic networking</glossterm>
195
196	<glossdef>
197	<para>Rarely used modes share the same generic network interface,
198	by allowing the user to select a driver which can be included with
199	VirtualBox or be distributed in an extension pack.</para>
200
201	<para>At the moment there are potentially two available
202	sub-modes:</para>
203
204	<para><glosslist>
205	<glossentry>
206	<glossterm>UDP Tunnel</glossterm>
207
208	<glossdef>
209	<para>This can be used to interconnect virtual machines
210	running on different hosts directly, easily and
211	transparently, over existing network
212	infrastructure.</para>
213	</glossdef>
214	</glossentry>
215
216	<glossentry>
217	<glossterm>VDE (Virtual Distributed Ethernet)
218	networking</glossterm>
219
220	<glossdef>
221	<para>This option can be used to connect to a Virtual
222	Distributed Ethernet switch on a Linux or a FreeBSD host.
223	At the moment this needs compiling VirtualBox from
224	sources, as the Oracle packages do not include it.</para>
225	</glossdef>
226	</glossentry>
227	</glosslist></para>
228	</glossdef>
229	</glossentry>
230	</glosslist></para>
231
232	<para>The following sections describe the available network modes in more
233	detail.</para>
234	</sect1>
235
236	<sect1 id="network_nat">
237	<title>Network Address Translation (NAT)</title>
238
239	<para>Network Address Translation (NAT) is the simplest way of accessing
240	an external network from a virtual machine. Usually, it does not require
241	any configuration on the host network and guest system. For this reason,
242	it is the default networking mode in VirtualBox.</para>
243
244	<para>A virtual machine with NAT enabled acts much like a real computer
245	that connects to the Internet through a router. The "router", in this
246	case, is the VirtualBox networking engine, which maps traffic from and to
247	the virtual machine transparently. In VirtualBox this router is placed
248	between each virtual machine and the host. This separation maximizes
249	security since by default virtual machines cannot talk to each
250	other.</para>
251
252	<para>The disadvantage of NAT mode is that, much like a private network
253	behind a router, the virtual machine is invisible and unreachable from the
254	outside internet; you cannot run a server this way unless you set up port
255	forwarding (described below).</para>
256
257	<para>The network frames sent out by the guest operating system are
258	received by VirtualBox's NAT engine, which extracts the TCP/IP data and
259	resends it using the host operating system. To an application on the host,
260	or to another computer on the same network as the host, it looks like the
261	data was sent by the VirtualBox application on the host, using an IP
262	address belonging to the host. VirtualBox listens for replies to the
263	packages sent, and repacks and resends them to the guest machine on its
264	private network.</para>
265
266	<para>The virtual machine receives its network address and configuration
267	on the private network from a DHCP server integrated into VirtualBox. The
268	IP address thus assigned to the virtual machine is usually on a completely
269	different network than the host. As more than one card of a virtual
270	machine can be set up to use NAT, the first card is connected to the
271	private network 10.0.2.0, the second card to the network 10.0.3.0 and so
272	on. If you need to change the guest-assigned IP range for some reason,
273	please refer to <xref linkend="changenat" />.</para>
274
275	<sect2 id="natforward">
276	<title>Configuring port forwarding with NAT</title>
277
278	<para>As the virtual machine is connected to a private network internal
279	to VirtualBox and invisible to the host, network services on the guest
280	are not accessible to the host machine or to other computers on the same
281	network. However, like a physical router, VirtualBox can make selected
282	services available to the world outside the guest through <emphasis
283	role="bold">port forwarding.</emphasis> This means that VirtualBox
284	listens to certain ports on the host and resends all packets which
285	arrive there to the guest, on the same or a different port.</para>
286
287	<para>To an application on the host or other physical (or virtual)
288	machines on the network, it looks as though the service being proxied is
289	actually running on the host. This also means that you cannot run the
290	same service on the same ports on the host. However, you still gain the
291	advantages of running the service in a virtual machine -- for example,
292	services on the host machine or on other virtual machines cannot be
293	compromised or crashed by a vulnerability or a bug in the service, and
294	the service can run in a different operating system than the host
295	system.</para>
296
297	<para>To configure Port Forwarding you can use the graphical Port
298	Forwarding editor which can be found in the Network Settings dialog
299	for Network Adaptors configured to use NAT. Here you can map host
300	ports to guest ports to allow network traffic to be routed to a
301	specific port in the guest.</para>
302
303	<para>Alternatively command line tool <computeroutput>VBoxManage</computeroutput> could be used;
304	for details, please refer to <xref linkend="vboxmanage-modifyvm" />.</para>
305
306	<para>You will need to know which ports on the guest the service uses
307	and to decide which ports to use on the host (often but not always you
308	will want to use the same ports on the guest and on the host). You can
309	use any ports on the host which are not already in use by a service. For
310	example, to set up incoming NAT connections to an
311	<computeroutput>ssh</computeroutput> server in the guest, use the
312	following command: <screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,,22"</screen>With
313	the above example, all TCP traffic arriving on port 2222 on any host
314	interface will be forwarded to port 22 in the guest. The protocol name
315	<computeroutput>tcp</computeroutput> is a mandatory attribute defining
316	which protocol should be used for forwarding
317	(<computeroutput>udp</computeroutput> could also be used). The name
318	<computeroutput>guestssh</computeroutput> is purely descriptive and will
319	be auto-generated if omitted. The number after
320	<computeroutput>--natpf</computeroutput> denotes the network card, like
321	in other parts of VBoxManage.</para>
322
323	<para>To remove this forwarding rule again, use the following command:
324	<screen>VBoxManage modifyvm "VM name" --natpf1 delete "guestssh"</screen></para>
325
326	<para>If for some reason the guest uses a static assigned IP address not
327	leased from the built-in DHCP server, it is required to specify the
328	guest IP when registering the forwarding rule: <screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,10.0.2.19,22"</screen>This
329	example is identical to the previous one, except that the NAT engine is
330	being told that the guest can be found at the 10.0.2.19 address.</para>
331
332	<para>To forward <emphasis>all</emphasis> incoming traffic from a
333	specific host interface to the guest, specify the IP of that host
334	interface like this:<screen>VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,127.0.0.1,2222,,22"</screen>This
335	forwards all TCP traffic arriving on the localhost interface (127.0.0.1)
336	via port 2222 to port 22 in the guest.</para>
337
338	<para>It is possible to configure incoming NAT connections while the
339	VM is running, see <xref linkend="vboxmanage-controlvm"/>.</para>
340	</sect2>
341
342	<sect2 id="nat-tftp">
343	<title>PXE booting with NAT</title>
344
345	<para>PXE booting is now supported in NAT mode. The NAT DHCP server
346	provides a boot file name of the form
347	<computeroutput>vmname.pxe</computeroutput> if the directory
348	<computeroutput>TFTP</computeroutput> exists in the directory where the
349	user's <computeroutput>VirtualBox.xml</computeroutput> file is kept. It
350	is the responsibility of the user to provide
351	<computeroutput>vmname.pxe</computeroutput>.</para>
352	</sect2>
353
354	<sect2 id="nat-limitations">
355	<title>NAT limitations</title>
356
357	<para>There are four <emphasis role="bold">limitations</emphasis> of NAT
358	mode which users should be aware of:</para>
359
360	<glosslist>
361	<glossentry>
362	<glossterm>ICMP protocol limitations:</glossterm>
363
364	<glossdef>
365	<para>Some frequently used network debugging tools (e.g.
366	<computeroutput>ping</computeroutput> or tracerouting) rely on the
367	ICMP protocol for sending/receiving messages. While ICMP support
368	has been improved with VirtualBox 2.1
369	(<computeroutput>ping</computeroutput> should now work), some
370	other tools may not work reliably.</para>
371	</glossdef>
372	</glossentry>
373
374	<glossentry>
375	<glossterm>Receiving of UDP broadcasts is not reliable:</glossterm>
376
377	<glossdef>
378	<para>The guest does not reliably receive broadcasts, since, in
379	order to save resources, it only listens for a certain amount of
380	time after the guest has sent UDP data on a particular port. As a
381	consequence, NetBios name resolution based on broadcasts does not
382	always work (but WINS always works). As a workaround, you can use
383	the numeric IP of the desired server in the
384	<computeroutput>\\server\share</computeroutput> notation.</para>
385	</glossdef>
386	</glossentry>
387
388	<glossentry>
389	<glossterm>Protocols such as GRE are unsupported:</glossterm>
390
391	<glossdef>
392	<para>Protocols other than TCP and UDP are not supported. This
393	means some VPN products (e.g. PPTP from Microsoft) cannot be used.
394	There are other VPN products which use simply TCP and UDP.</para>
395	</glossdef>
396	</glossentry>
397
398	<glossentry>
399	<glossterm>Forwarding host ports < 1024 impossible:</glossterm>
400
401	<glossdef>
402	<para>On Unix-based hosts (e.g. Linux, Solaris, Mac OS X) it is
403	not possible to bind to ports below 1024 from applications that
404	are not run by <computeroutput>root</computeroutput>. As a result,
405	if you try to configure such a port forwarding, the VM will refuse
406	to start.</para>
407	</glossdef>
408	</glossentry>
409	</glosslist>
410
411	<para>These limitations normally don't affect standard network use. But
412	the presence of NAT has also subtle effects that may interfere with
413	protocols that are normally working. One example is NFS, where the
414	server is often configured to refuse connections from non-privileged
415	ports (i.e. ports not below 1024).</para>
416	</sect2>
417	</sect1>
418
419	<sect1 id="network_nat_service">
420	<title>Network Address Translation Service</title>
421
422	<para>The Network Address Translation (NAT) service works in a similar way
423	to a home router, grouping the systems using it into a network and
424	preventing systems outside of this network from directly accessing systems
425	inside it, but letting systems inside communicate with each other and with
426	systems outside using TCP and UDP over IPv4 and IPv6.</para>
427
428	<para>A NAT service is attached to an internal network. Virtual machines
429	which are to make use of it should be attached to that internal network.
430	The name of internal network is chosen when the NAT service is created and
431	the internal network will be created if it does not already exist. An
432	example command to create a NAT network is:
433	</para>
434	<para><screen>VBoxManage natnetwork add --netname natnet1 --network "192.168.15.0/24" --enable</screen></para>
435	<para>
436	Here, "natnet1" is the name of the internal network to be used and
437	"192.168.15.0/24" is the network address and mask of the NAT service
438	interface. By default in this static configuration the gateway will be
439	assigned the address 192.168.15.1 (the address following the interface
440	address), though this is subject to change. To attach a DHCP server to the
441	internal network, we modify the example as follows:</para>
442	<para><screen>VBoxManage natnetwork add --netname natnet1 --network "192.168.15.0/24" --enable --dhcp on</screen></para>
443	<para> or to add a DHCP server to the network after creation:</para>
444	<para><screen>VBoxManage natnetwork modify --netname natnet1 --dhcp on</screen></para>
445	<para>To disable it again, use:</para>
446	<para><screen>VBoxManage natnetwork modify --netname natnet1 --dhcp off</screen></para>
447	<para>DHCP server provides list of registered nameservers, but doesn't map
448	servers from 127/8 network.</para>
449	<para>To start the NAT service, use the following command:</para>
450	<para><screen>VBoxManage natnetwork start --netname natnet1</screen></para>
451	<para>If the network has a DHCP server attached then it will start together
452	with the NAT network service.</para>
453	<para><screen>VBoxManage natnetwork stop --netname natnet1</screen> stops
454	the NAT network service, together with DHCP server if any.</para>
455	<para>To delete the NAT network service use:</para>
456	<para><screen>VBoxManage natnetwork remove --netname natnet1</screen></para>
457	<para>This command does not remove the DHCP server if one is enabled on the
458	internal network.</para>
459	<para>Port-forwarding is supported (using the
460	<computeroutput>--port-forward-4</computeroutput> switch for IPv4 and
461	<computeroutput>--port-forward-6</computeroutput>
462	for IPv6):</para>
463	<para><screen>VBoxManage natnetwork modify --netname natnet1 --port-forward-4 "ssh:tcp:[]:1022:[192.168.15.5]:22"</screen></para>
464	<para>This adds a port-forwarding rule from the host's TCP 1022 port to
465	the port 22 on the guest with IP address 192.168.15.5. Host port, guest port and guest IP
466	are mandatory. To delete the rule, use:</para>
467	<para><screen>VBoxManage natnetwork modify --netname natnet1 --port-forward-4 delete ssh</screen></para>
468	<para>It's possible to bind NAT service to specified interface:</para>
469	<screen>VBoxManage setextradata global "NAT/win-nat-test-0/SourceIp4" 192.168.1.185</screen>
470	<para>To see the list of registered NAT networks, use:</para>
471	<para><screen>VBoxManage list natnetworks</screen></para>
472	</sect1>
473
474	<sect1 id="network_bridged">
475	<title>Bridged networking</title>
476
477	<para>With bridged networking, VirtualBox uses a device driver on your
478	<emphasis>host</emphasis> system that filters data from your physical
479	network adapter. This driver is therefore called a "net filter" driver.
480	This allows VirtualBox to intercept data from the physical network and
481	inject data into it, effectively creating a new network interface in
482	software. When a guest is using such a new software interface, it looks to
483	the host system as though the guest were physically connected to the
484	interface using a network cable: the host can send data to the guest
485	through that interface and receive data from it. This means that you can
486	set up routing or bridging between the guest and the rest of your
487	network.</para>
488
489	<para>For this to work, VirtualBox needs a device driver on your host
490	system. The way bridged networking works has been completely rewritten
491	with VirtualBox 2.0 and 2.1, depending on the host operating system. From
492	the user perspective, the main difference is that complex configuration is
493	no longer necessary on any of the supported host operating
494	systems.<footnote>
495	<para>For Mac OS X and Solaris hosts, net filter drivers were already
496	added in VirtualBox 2.0 (as initial support for Host Interface
497	Networking on these platforms). With VirtualBox 2.1, net filter
498	drivers were also added for the Windows and Linux hosts, replacing the
499	mechanisms previously present in VirtualBox for those platforms;
500	especially on Linux, the earlier method required creating TAP
501	interfaces and bridges, which was complex and varied from one
502	distribution to the next. None of this is necessary anymore. Bridged
503	network was formerly called "Host Interface Networking" and has been
504	renamed with version 2.2 without any change in functionality.</para>
505	</footnote></para>
506
507	<para><note>
508	<para>Even though TAP is no longer necessary on Linux with bridged
509	networking, you <emphasis>can</emphasis> still use TAP interfaces for
510	certain advanced setups, since you can connect a VM to any host
511	interface -- which could also be a TAP interface.</para>
512	</note>To enable bridged networking, all you need to do is to open the
513	Settings dialog of a virtual machine, go to the "Network" page and select
514	"Bridged network" in the drop down list for the "Attached to" field.
515	Finally, select desired host interface from the list at the bottom of the
516	page, which contains the physical network interfaces of your systems. On a
517	typical MacBook, for example, this will allow you to select between "en1:
518	AirPort" (which is the wireless interface) and "en0: Ethernet", which
519	represents the interface with a network cable.</para>
520
521	<note><para>Bridging to a wireless interface is done differently from
522	bridging to a wired interface, because most wireless adapters do not
523	support promiscuous mode. All traffic has to use the MAC address of the
524	host's wireless adapter, and therefore VirtualBox needs to replace the
525	source MAC address in the Ethernet header of an outgoing packet to make
526	sure the reply will be sent to the host interface. When VirtualBox sees
527	an incoming packet with a destination IP address that belongs to one of
528	the virtual machine adapters it replaces the destination MAC address in
529	the Ethernet header with the VM adapter's MAC address and passes it on.
530	VirtualBox examines ARP and DHCP packets in order to learn the IP
531	addresses of virtual machines.</para></note>
532
533	<para>Depending on your host operating system, the following limitations
534	should be kept in mind:<itemizedlist>
535	<listitem>
536	<para>On <emphasis role="bold">Macintosh</emphasis> hosts,
537	functionality is limited when using AirPort (the Mac's wireless
538	networking) for bridged networking. Currently, VirtualBox supports
539	only IPv4 and IPv6 over AirPort. For other protocols (such as IPX),
540	you must choose a wired interface.</para>
541	</listitem>
542
543	<listitem>
544	<para>On <emphasis role="bold">Linux</emphasis> hosts, functionality
545	is limited when using wireless interfaces for bridged networking.
546	Currently, VirtualBox supports only IPv4 and IPv6 over wireless.
547	For other protocols (such as IPX), you must choose a wired
548	interface.</para>
549
550	<para>Also, setting the MTU to less than 1500 bytes on wired
551	interfaces provided by the sky2 driver on the Marvell Yukon II EC
552	Ultra Ethernet NIC is known to cause packet losses under certain
553	conditions.</para>
554
555	<para>Some adapters strip VLAN tags in hardware. This does not allow
556	to use VLAN trunking between VM and the external network with
557	pre-2.6.27 Linux kernels nor with host operating systems other than
558	Linux.</para>
559	</listitem>
560
561	<listitem>
562	<para>On <emphasis role="bold">Solaris</emphasis> hosts, there is no
563	support for using wireless interfaces. Filtering guest traffic using
564	IPFilter is also not completely supported due to technical
565	restrictions of the Solaris networking subsystem. These issues would
566	be addressed in a future release of Solaris 11.</para>
567
568	<para>Starting with VirtualBox 4.1, on Solaris 11 hosts (build 159
569	and above), it is possible to use Solaris' Crossbow Virtual Network
570	Interfaces (VNICs) directly with VirtualBox without any additional
571	configuration other than each VNIC must be exclusive for every guest
572	network interface.</para>
573
574	<para>Starting with VirtualBox 2.0.4 and up to VirtualBox 4.0, VNICs
575	can be used but with the following caveats:</para>
576
577	<itemizedlist>
578	<listitem>
579	<para>A VNIC cannot be shared between multiple guest network
580	interfaces, i.e. each guest network interface must have its own,
581	exclusive VNIC.</para>
582	</listitem>
583
584	<listitem>
585	<para>The VNIC and the guest network interface that uses the
586	VNIC must be assigned identical MAC addresses.</para>
587	</listitem>
588	</itemizedlist>
589
590	<para>When using VLAN interfaces with VirtualBox, they must be named
591	according to the PPA-hack naming scheme (e.g. "e1000g513001"), as
592	otherwise the guest may receive packets in an unexpected
593	format.</para>
594	</listitem>
595	</itemizedlist></para>
596	</sect1>
597
598	<sect1 id="network_internal">
599	<title>Internal networking</title>
600
601	<para>Internal Networking is similar to bridged networking in that the VM
602	can directly communicate with the outside world. However, the "outside
603	world" is limited to other VMs on the same host which connect to the same
604	internal network.</para>
605
606	<para>Even though technically, everything that can be done using internal
607	networking can also be done using bridged networking, there are security
608	advantages with internal networking. In bridged networking mode, all
609	traffic goes through a physical interface of the host system. It is
610	therefore possible to attach a packet sniffer (such as Wireshark) to the
611	host interface and log all traffic that goes over it. If, for any reason,
612	you prefer two or more VMs on the same machine to communicate privately,
613	hiding their data from both the host system and the user, bridged
614	networking therefore is not an option.</para>
615
616	<para>Internal networks are created automatically as needed, i.e. there is
617	no central configuration. Every internal network is identified simply by
618	its name. Once there is more than one active virtual network card with the
619	same internal network ID, the VirtualBox support driver will automatically
620	"wire" the cards and act as a network switch. The VirtualBox support
621	driver implements a complete Ethernet switch and supports both
622	broadcast/multicast frames and promiscuous mode.</para>
623
624	<para>In order to attach a VM's network card to an internal network, set
625	its networking mode to "internal networking". There are two ways to
626	accomplish this:</para>
627
628	<para><itemizedlist>
629	<listitem>
630	<para>You can use a VM's "Settings" dialog in the VirtualBox
631	graphical user interface. In the "Networking" category of the
632	settings dialog, select "Internal Networking" from the drop-down
633	list of networking modes. Now select the name of an existing
634	internal network from the drop-down below or enter a new name into
635	the entry field.</para>
636	</listitem>
637
638	<listitem>
639	<para>You can use <screen>VBoxManage modifyvm "VM name" --nic<x> intnet</screen>
640	Optionally, you can specify a network name with the command <screen>VBoxManage modifyvm "VM name" --intnet<x> "network name"</screen>
641	If you do not specify a network name, the network card will be
642	attached to the network <computeroutput>intnet</computeroutput> by
643	default.</para>
644	</listitem>
645	</itemizedlist></para>
646
647	<para>Unless you configure the (virtual) network cards in the guest
648	operating systems that are participating in the internal network to use
649	static IP addresses, you may want to use the DHCP server that is built
650	into VirtualBox to manage IP addresses for the internal network. Please
651	see <xref linkend="vboxmanage-dhcpserver" /> for details.</para>
652
653	<para>As a security measure, by default, the Linux implementation of internal
654	networking only allows VMs running under the same user ID to establish an
655	internal network. However, it is possible to create a shared
656	internal networking interface, accessible by users with different UUIds.</para>
657	</sect1>
658
659	<sect1 id="network_hostonly">
660	<title>Host-only networking</title>
661
662	<para>Host-only networking is another networking mode that was added with
663	version 2.2 of VirtualBox. It can be thought of as a hybrid between the
664	bridged and internal networking modes: as with bridged networking, the
665	virtual machines can talk to each other and the host as if they were
666	connected through a physical Ethernet switch. Similarly, as with internal
667	networking however, a physical networking interface need not be present,
668	and the virtual machines cannot talk to the world outside the host since
669	they are not connected to a physical networking interface.</para>
670
671	<para>Instead, when host-only networking is used, VirtualBox creates a new
672	software interface on the host which then appears next to your existing
673	network interfaces. In other words, whereas with bridged networking an
674	existing physical interface is used to attach virtual machines to, with
675	host-only networking a new "loopback" interface is created on the host.
676	And whereas with internal networking, the traffic between the virtual
677	machines cannot be seen, the traffic on the "loopback" interface on the
678	host can be intercepted.</para>
679
680	<para>Host-only networking is particularly useful for preconfigured
681	virtual appliances, where multiple virtual machines are shipped together
682	and designed to cooperate. For example, one virtual machine may contain a
683	web server and a second one a database, and since they are intended to
684	talk to each other, the appliance can instruct VirtualBox to set up a
685	host-only network for the two. A second (bridged) network would then
686	connect the web server to the outside world to serve data to, but the
687	outside world cannot connect to the database.</para>
688
689	<para>To change a virtual machine's virtual network interface to "host
690	only" mode:<itemizedlist>
691	<listitem>
692	<para>either go to the "Network" page in the virtual machine's
693	settings notebook in the graphical user interface and select
694	"Host-only networking", or</para>
695	</listitem>
696
697	<listitem>
698	<para>on the command line, type <computeroutput>VBoxManage modifyvm
699	"VM name" --nic<x> hostonly</computeroutput>; see <xref
700	linkend="vboxmanage-modifyvm" /> for details.</para>
701	</listitem>
702	</itemizedlist></para>
703
704	<para>Before you can attach a VM to a host-only network you have to
705	create at least one host-only interface, either from the GUI:
706	"File" → "Preferences" → "Network" → "Host-only network"
707	→ "(+)Add host-only network", or via command line with</para>
708	<screen>VBoxManage hostonlyif create</screen>
709	<para>see <xref linkend="vboxmanage-hostonlyif" /> for details.</para>
710
711	<para>For host-only networking, like with internal networking, you may
712	find the DHCP server useful that is built into VirtualBox. This can be
713	enabled to then manage the IP addresses in the host-only network since
714	otherwise you would need to configure all IP addresses
715	statically.<itemizedlist>
716	<listitem>
717	<para>In the VirtualBox graphical user interface, you can configure
718	all these items in the global settings via "File" → "Preferences"
719	→ "Network", which lists all host-only networks which are
720	presently in use. Click on the network name and then on the "Edit"
721	button to the right, and you can modify the adapter and DHCP
722	settings.</para>
723	</listitem>
724
725	<listitem>
726	<para>Alternatively, you can use <computeroutput>VBoxManage
727	dhcpserver</computeroutput> on the command line; please see <xref
728	linkend="vboxmanage-dhcpserver" /> for details.</para>
729	</listitem>
730	</itemizedlist>
731	</para>
732
733	<para><note><para>On Linux and Mac OS X hosts the number of host-only
734	interfaces is limited to 128. There is no such limit for Solaris and
735	Windows hosts.</para></note></para>
736	</sect1>
737
738	<sect1 id="network_udp_tunnel">
739	<title>UDP Tunnel networking</title>
740
741	<para>This networking mode allows to interconnect virtual machines running
742	on different hosts.</para>
743
744	<para>Technically this is done by encapsulating Ethernet frames sent or
745	received by the guest network card into UDP/IP datagrams, and sending them
746	over any network available to the host.</para>
747
748	<para>UDP Tunnel mode has three parameters:<glosslist>
749	<glossentry>
750	<glossterm>Source UDP port</glossterm>
751
752	<glossdef>
753	<para>The port on which the host listens. Datagrams arriving on
754	this port from any source address will be forwarded to the
755	receiving part of the guest network card.</para>
756	</glossdef>
757	</glossentry>
758
759	<glossentry>
760	<glossterm>Destination address</glossterm>
761
762	<glossdef>
763	<para>IP address of the target host of the transmitted
764	data.</para>
765	</glossdef>
766	</glossentry>
767
768	<glossentry>
769	<glossterm>Destination UDP port</glossterm>
770
771	<glossdef>
772	<para>Port number to which the transmitted data is sent.</para>
773	</glossdef>
774	</glossentry>
775	</glosslist></para>
776
777	<para>When interconnecting two virtual machines on two different hosts,
778	their IP addresses must be swapped. On single host, source and destination
779	UDP ports must be swapped.</para>
780
781	<para>In the following example host 1 uses the IP address 10.0.0.1 and
782	host 2 uses IP address 10.0.0.2. Configuration via command-line:<screen> VBoxManage modifyvm "VM 01 on host 1" --nic<x> generic
783	VBoxManage modifyvm "VM 01 on host 1" --nicgenericdrv<x> UDPTunnel
784	VBoxManage modifyvm "VM 01 on host 1" --nicproperty<x> dest=10.0.0.2
785	VBoxManage modifyvm "VM 01 on host 1" --nicproperty<x> sport=10001
786	VBoxManage modifyvm "VM 01 on host 1" --nicproperty<x> dport=10002</screen>
787	and <screen> VBoxManage modifyvm "VM 02 on host 2" --nic<y> generic
788	VBoxManage modifyvm "VM 02 on host 2" --nicgenericdrv<y> UDPTunnel
789	VBoxManage modifyvm "VM 02 on host 2" --nicproperty<y> dest=10.0.0.1
790	VBoxManage modifyvm "VM 02 on host 2" --nicproperty<y> sport=10002
791	VBoxManage modifyvm "VM 02 on host 2" --nicproperty<y> dport=10001</screen></para>
792
793	<para>Of course, you can always interconnect two virtual machines on the
794	same host, by setting the destination address parameter to 127.0.0.1 on
795	both. It will act similarly to "Internal network" in this case, however
796	the host can see the network traffic which it could not in the normal
797	Internal network case.</para>
798
799	<para><note><para>On Unix-based hosts (e.g. Linux, Solaris, Mac OS X) it is
800	not possible to bind to ports below 1024 from applications that are not run
801	by <computeroutput>root</computeroutput>. As a result, if you try to
802	configure such a source UDP port, the VM will refuse to
803	start.</para></note></para>
804	</sect1>
805
806	<sect1 id="network_vde">
807	<title>VDE networking</title>
808
809	<para>Virtual Distributed Ethernet (VDE<footnote>
810	<para>VDE is a project developed by Renzo Davoli, Associate Professor
811	at the University of Bologna, Italy.</para>
812	</footnote>) is a flexible, virtual network infrastructure system,
813	spanning across multiple hosts in a secure way. It allows for L2/L3
814	switching, including spanning-tree protocol, VLANs, and WAN emulation. It
815	is an optional part of VirtualBox which is only included in the source
816	code.</para>
817
818	<para>The basic building blocks of the infrastructure are VDE switches,
819	VDE plugs and VDE wires which inter-connect the switches.</para>
820
821	<para>The VirtualBox VDE driver has one parameter:<glosslist>
822	<glossentry>
823	<glossterm>VDE network</glossterm>
824
825	<glossdef>
826	<para>The name of the VDE network switch socket to which the VM
827	will be connected.</para>
828	</glossdef>
829	</glossentry>
830	</glosslist></para>
831
832	<para>The following basic example shows how to connect a virtual machine
833	to a VDE switch:</para>
834
835	<para><orderedlist>
836	<listitem>
837	<para>Create a VDE switch: <screen>vde_switch -s /tmp/switch1</screen></para>
838	</listitem>
839
840	<listitem>
841	<para>Configuration via command-line: <screen>VBoxManage modifyvm "VM name" --nic<x> generic</screen>
842	<screen>VBoxManage modifyvm "VM name" --nicgenericdrv<x> VDE</screen>
843	To connect to automatically allocated switch port, use: <screen>VBoxManage modifyvm "VM name" --nicproperty<x> network=/tmp/switch1</screen>
844	To connect to specific switch port <n>, use: <screen>VBoxManage modifyvm "VM name" --nicproperty<x> network=/tmp/switch1[<n>]</screen>
845	The latter option can be useful for VLANs.</para>
846	</listitem>
847
848	<listitem>
849	<para>Optionally map between VDE switch port and VLAN: (from switch
850	CLI) <screen>vde$ vlan/create <VLAN></screen> <screen>vde$ port/setvlan <port> <VLAN></screen></para>
851	</listitem>
852	</orderedlist></para>
853
854	<para>VDE is available on Linux and FreeBSD hosts only. It is only
855	available if the VDE software and the VDE plugin library from the
856	VirtualSquare project are installed on the host system<footnote>
857	<para>For Linux hosts, the shared library libvdeplug.so must be
858	available in the search path for shared libraries</para>
859	</footnote>. For more information on setting up VDE networks, please see
860	the documentation accompanying the software.<footnote>
861	<para><ulink
862	url="http://wiki.virtualsquare.org/wiki/index.php/VDE_Basic_Networking">http://wiki.virtualsquare.org/wiki/index.php/VDE_Basic_Networking</ulink>.</para>
863	</footnote></para>
864	</sect1>
865
866	<sect1 id="network_bandwidth_limit">
867	<title>Limiting bandwidth for network I/O</title>
868
869	<para>Starting with version 4.2, VirtualBox allows for limiting the
870	maximum bandwidth used for network transmission. Several network adapters
871	of one VM may share limits through bandwidth groups. It is possible
872	to have more than one such limit.</para>
873	<note><para>VirtualBox shapes VM traffic only in the transmit direction,
874	delaying the packets being sent by virtual machines. It does not limit
875	the traffic being received by virtual machines.</para>
876	</note>
877
878	<para>Limits are configured through
879	<computeroutput>VBoxManage</computeroutput>. The example below creates a
880	bandwidth group named "Limit", sets the limit to 20 Mbit/s and assigns the
881	group to the first and second adapters of the VM:<screen>VBoxManage bandwidthctl "VM name" add Limit --type network --limit 20m
882	VBoxManage modifyvm "VM name" --nicbandwidthgroup1 Limit
883	VBoxManage modifyvm "VM name" --nicbandwidthgroup2 Limit</screen></para>
884
885	<para>All adapters in a group share the bandwidth limit, meaning that in the
886	example above the bandwidth of both adapters combined can never exceed 20
887	Mbit/s. However, if one adapter doesn't require bandwidth the other can use the
888	remaining bandwidth of its group.</para>
889
890	<para>The limits for each group can be changed while the VM is running,
891	with changes being picked up immediately. The example below changes the
892	limit for the group created in the example above to 100 Kbit/s:<screen>VBoxManage bandwidthctl "VM name" set Limit --limit 100k</screen></para>
893
894	<para>To completely disable shaping for the first adapter of VM use the
895	following command:
896	<screen>VBoxManage modifyvm "VM name" --nicbandwidthgroup1 none</screen></para>
897
898	<para>It is also possible to disable shaping for all adapters assigned to a
899	bandwidth group while VM is running, by specifying the zero limit for the
900	group. For example, for the bandwidth group named "Limit" use:
901	<screen>VBoxManage bandwidthctl "VM name" set Limit --limit 0</screen></para>
902	</sect1>
903	<sect1 id="network_performance">
904	<title>Improving network performance</title>
905
906	<para>VirtualBox provides a variety of virtual network adapters that can be
907	"attached" to the host's network in a number of ways. Depending on which
908	types of adapters and attachments are used the network performance will
909	be different. Performance-wise the <emphasis>virtio</emphasis> network
910	adapter is preferable over <emphasis>Intel PRO/1000</emphasis> emulated
911	adapters, which are preferred over <emphasis>PCNet</emphasis> family of
912	adapters. Both <emphasis>virtio</emphasis> and <emphasis>Intel PRO/1000
913	</emphasis> adapters enjoy the benefit of segmentation and checksum
914	offloading. Segmentation offloading is essential for high performance as
915	it allows for less context switches, dramatically increasing the sizes
916	of packets that cross VM/host boundary.</para>
917	<note><para>Neither <emphasis>virtio</emphasis> nor <emphasis>Intel PRO/1000
918	</emphasis> drivers for Windows XP support segmentation
919	offloading. Therefore Windows XP guests never reach the same
920	transmission rates as other guest types. Refer to MS Knowledge base
921	article 842264 for additional information.</para>
922	</note>
923	<para>Three attachment types: <emphasis>internal</emphasis>,
924	<emphasis>bridged</emphasis> and <emphasis>host-only</emphasis>, have
925	nearly identical performance, the <emphasis>internal</emphasis> type
926	being a little bit faster and using less CPU cycles as the packets never
927	reach the host's network stack. The <emphasis>NAT</emphasis> attachment
928	is the slowest (and safest) of all attachment types as it provides
929	network address translation. The generic driver attachment is special and
930	cannot be considered as an alternative to other attachment types.</para>
931	<para>The number of CPUs assigned to VM does not improve network
932	performance and in some cases may hurt it due to increased concurrency in
933	the guest.</para>
934	<para>Here is the short summary of things to check in order to improve
935	network performance:</para>
936	<para><orderedlist>
937	<listitem>
938	<para>Whenever possible use <emphasis>virtio</emphasis> network
939	adapter, otherwise use one of <emphasis>Intel PRO/1000</emphasis>
940	adapters;</para>
941	</listitem>
942	<listitem>
943	<para>Use <emphasis>bridged</emphasis> attachment instead of
944	<emphasis>NAT</emphasis>;</para>
945	</listitem>
946	<listitem>
947	<para>Make sure segmentation offloading is enabled in the guest OS.
948	Usually it will be enabled by default. You can check and modify
949	offloading settings using <computeroutput>ethtool</computeroutput>
950	command in Linux guests.</para>
951	</listitem>
952	<listitem>
953	<para>Perform a full, detailed analysis of network traffic on
954	the VM's network adaptor using a 3rd party tool such as Wireshark.
955	To do this, a promiscuous mode policy needs to be used on the
956	VM's network adaptor. Use of this mode is only possible on
957	networks: NAT Network, Bridged Adapter, Internal Network and Host-only Adapter.</para>
958	<para>To setup a promiscuous mode policy, either select from the drop down list
959	located in the Network Settings dialog for the network adaptor
960	or use the command line tool <computeroutput>VBoxManage</computeroutput>;
961	for details, refer to <xref linkend="vboxmanage-modifyvm" />.</para>
962	<para>Promiscuous mode policies are: </para>
963	<para><orderedlist>
964	<listitem>
965	<para><computeroutput>deny</computeroutput> (default setting) which hides
966	any traffic not intended for this VM's network adaptor.</para>
967	</listitem>
968	<listitem>
969	<para><computeroutput>allow-vms</computeroutput> which hides all host
970	traffic from this VM's network adaptor, but allows it to see traffic from/to other
971	VMs.</para>
972	</listitem>
973	<listitem>
974	<para><computeroutput>allow-all</computeroutput> which removes all
975	restrictions - this VM's network adaptor sees all traffic.</para>
976	</listitem>
977	</orderedlist></para>
978	</listitem>
979	</orderedlist></para>
980	</sect1>
981	</chapter>

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

source: vbox/trunk/doc/manual/en_US/user_Networking.xml@ 64529

以其他格式下載: