Masquerading between 2 Virtualboxes

Hey Folks :)

I set up an internal network between two VirtualBoxes for testing purposes (OpenSuSE 13.2).

One is set up as a Server and one as a Client.

Server:

  • has two network interfaces: enp0s3 -> “external”; enp0s8 “internal”
  • DHCP and DNS on the internal network interface enp0s8 (IP address range 10.50.10.0/24)
  • connection to the “internet” on the external interface enp0s3 (IP: 192.168.0.230) (192.168.0.0/24 with connection to the outside)

Client:

  • has one network interface: enp0s3 “internal”
  • configured to get IP from DHCP “Server Virtualbox”

DNS and DHCP work between Server and Client in the Virtualbox network…

My Problem is:

If I connect the Server first with the external network “enp0s3”, all of the internet connections work (Web Browser, Updating OpenSuSE, etc.).
If I connect the Server first with the internal network “enp0s8” and then with the external network “enp0s3”, there is no connection to the “internet”.
The same happens with the client.

/etc/sysconfig/SuSEfirewall2

FW_DEV_EXT="enp0s3"
FW_DEV_INT="enp0s8"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="enp0s3"
FW_MASQ_NETS="10.50.10.0/24"

cat /proc/sys/net/ipv4/ip_forward

1

cat /etc/resolv.conf

### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#
### Please remove (at least) this line when you modify the file!
search internal.test
nameserver 192.168.0.XXX
nameserver 192.168.0.YYY
nameserver 10.50.10.100

The first two nameservers are the ones from the external network and the third is that of the internal network…

But Masquerading won’t work…
There is no internet connection…

SuSEfirewall2 status -> follows in the Reply

SuSEfirewall2 status


### iptables filter ###
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED
    0     0 input_int  all  --  enp0s8 *       0.0.0.0/0            0.0.0.0/0          
    3   396 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0             0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4  prefix "SFW2-IN-ILL-TARGET "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0             0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 forward_int  all  --  enp0s8 *       0.0.0.0/0            0.0.0.0/0            
    0     0 LOG        all  --  *      *       0.0.0.0/0             0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4  prefix "SFW2-FWD-ILL-ROUTING "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy ACCEPT 1 packets, 106 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0          

Chain forward_ext (3 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 14
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 18
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0             0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 3 code 2
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 5
    0     0 ACCEPT     all  --  enp0s3 enp0s8  0.0.0.0/0            10.50.10.0/24        ctstate RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0             0.0.0.0/0            limit: avg 3/min burst 5 PKTTYPE = multicast LOG  flags 6 level 4 prefix "SFW2-FWDext-DROP-DEFLT "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 LOG        all  --  *      *       0.0.0.0/0             0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4  prefix "SFW2-FWDext-DROP-DEFLT "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain forward_int (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 14
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 18
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0             0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 3 code 2
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED icmptype 5
    0     0 ACCEPT     all  --  enp0s8 enp0s3  10.50.10.0/24        0.0.0.0/0            ctstate NEW,RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0             0.0.0.0/0            limit: avg 3/min burst 5 PKTTYPE = multicast LOG  flags 6 level 4 prefix "SFW2-FWDint-DROP-DEFLT "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
    0     0 LOG        all  --  *      *       0.0.0.0/0             0.0.0.0/0            limit: avg 3/min burst 5 PKTTYPE = broadcast LOG  flags 6 level 4 prefix "SFW2-FWDint-DROP-DEFLT "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 LOG        all  --  *      *       0.0.0.0/0             0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4  prefix "SFW2-FWDint-DROP-DEFLT "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       192.168.0.100        0.0.0.0/0            udp dpt:7
    1    78 ACCEPT     udp  --  *      *       192.168.0.100        0.0.0.0/0            udp dpt:137
    0     0 ACCEPT     udp  --  *      *       192.168.0.230        0.0.0.0/0            udp spt:5353 dpt:5353
    2   318 LOG        all  --  *      *       0.0.0.0/0             0.0.0.0/0            limit: avg 3/min burst 5 PKTTYPE = multicast LOG  flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
    2   318 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 LOG        all  --  *      *       0.0.0.0/0             0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4  prefix "SFW2-INext-DROP-DEFLT "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain input_int (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

Rest of

SuSEfirewall2 status

### iptables nat ###
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 MASQUERADE  all  --  *      enp0s3  10.50.10.0/24        0.0.0.0/0          

### iptables raw ###
Chain PREROUTING (policy ACCEPT 3 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 CT         all  --  lo     *       0.0.0.0/0            0.0.0.0/0            CT notrack

Chain OUTPUT (policy ACCEPT 1 packets, 106 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 CT         all  --  *      lo      0.0.0.0/0            0.0.0.0/0            CT notrack

### ip6tables filter ###
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0                
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate ESTABLISHED
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ctstate RELATED
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:546
    0     0 input_int  all      enp0s8 *       ::/0                 ::/0                
    0     0 input_ext  all      *      *       ::/0                 ::/0                
    0     0 LOG        all      *      *       ::/0                 ::/0                   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix   "SFW2-IN-ILL-TARGET "
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 forward_int  all      enp0s8 *       ::/0                 ::/0                
    0     0 forward_ext  all      enp0s3 *       ::/0                 ::/0                
    0     0 LOG        all      *      *       ::/0                 ::/0                   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix   "SFW2-FWD-ILL-ROUTING "
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0                
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                

Chain forward_ext (3 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     icmpv6    *      *       ::/0                   ::/0                 ctstate RELATED,ESTABLISHED ipv6-icmptype 129
    0     0 ACCEPT     icmpv6    *      *       ::/0                   ::/0                 ctstate RELATED,ESTABLISHED ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                   ::/0                 ctstate RELATED,ESTABLISHED ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                   ::/0                 ctstate RELATED,ESTABLISHED ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                   ::/0                 ctstate RELATED,ESTABLISHED ipv6-icmptype 4
    0     0 LOG        all      *      *       ::/0                 ::/0                   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix   "SFW2-FWDext-DROP-DEFLT "
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                

Chain forward_int (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     icmpv6    *      *       ::/0                   ::/0                 ctstate RELATED,ESTABLISHED ipv6-icmptype 129
    0     0 ACCEPT     icmpv6    *      *       ::/0                   ::/0                 ctstate RELATED,ESTABLISHED ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                   ::/0                 ctstate RELATED,ESTABLISHED ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                   ::/0                 ctstate RELATED,ESTABLISHED ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                   ::/0                 ctstate RELATED,ESTABLISHED ipv6-icmptype 4
    0     0 LOG        all      *      *       ::/0                 ::/0                   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix   "SFW2-FWDint-DROP-DEFLT "
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 133
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 134
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 137
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 130
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22
    0     0 LOG        all      *      *       ::/0                 ::/0                   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix   "SFW2-INext-DROP-DEFLT "
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                

Chain input_int (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                 reject-with tcp-reset
    0     0 REJECT     udp      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-addr-unreachable
    0     0 DROP       all      *      *       ::/0                 ::/0                

### ip6tables mangle ###
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

### ip6tables raw ###
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 CT         all      lo     *       ::/0                 ::/0                 CT notrack

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 CT         all      *      lo      ::/0                 ::/0                 CT notrack

Without and before wading through all the information provided (although more is generally preferred over less, it remains to be seen what you’ve posted is relevant) I’d need to know exactly what you are trying to set up.

Are you trying to set up a virtual network behind another virtual network?
If that’s what you’re trying to do, all that stuff about what is configured <in> each Guest is next to irrelevant… Because like most other virtualization, virtual networking is generally configured first in the overall management application (on the HostOS) and then in each Guest VM’s properties.

So, before I post too much, pls verify that is what you’re trying to configure…
And then I’d be interested in the results in each of your Guest VMs

ip addr

TSU

Sorry for answering this late …

Output of “ip addr”:

Server:


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:00:bb:11 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.230/24 brd 192.168.0.255 scope global dynamic enp0s3
       valid_lft 566sec preferred_lft 566sec
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:00:bb:12 brd ff:ff:ff:ff:ff:ff
    inet 10.50.10.100/24 brd 10.50.10.255 scope global enp0s8
       valid_lft forever preferred_lft forever

Client:
it’s “enp0s9” which connects to the “internal” network…


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether DD:EE:FF:AA:BB:CC brd ff:ff:ff:ff:ff:ff
    inet 10.50.10.7/24 brd 10.50.10.255 scope global dynamic enp0s9
       valid_lft 384sec preferred_lft 384sec
    inet6 fe80::21a:31ff:fedb:978b/64 scope link 
       valid_lft forever preferred_lft forever

I want to set up a new network structure for my home…
Before destroying the old one I want to test the new one in a virtual environment.

So the “Server”-Vbox gets an IP from the old network structure on the first eth-interface “enp0s3” and should provide all services I want to use in the new network structure…
Therefore two Virtualboxes (VirtualBox as Emulator) are connected to the same “Virtualbox Internal Network”…

Server properties in network tab in VirtualBox
“enp0s3” → Bridged Network with its own IP address 192.168.0.230 from old DHCP+DNS connected to the Internet → working if activated
“enp0s8” → Internal Network “…” → provider of network services for Client…
“enp0s9” → Internal Network “…”
“enp0s10” → Internal Network “…”

Client properties in network tab in VirtualBox
“enp0s3” → Internal Network “…”
“enp0s8” → Internal Network “…”
“enp0s9” → Internal Network “…”
“enp0s10” → Internal Network “…”

You’re likely making things a lot harder than it likely has to be.

First some terminology…
network adapter - Generally meant to be the adapter as seen by the OS, it should not matter whether is a real physical or actually virtual.
virtual network adapter - Seen by the virtual networking app or manager. Typically a logical device that represents a connection to a physical or other virtual device. Not visible within a Guest, but typically only on the HostOS.
NAT vs NAT-int-network - A VBox peculiarity not found in other virtual technologies. The NAT network is an isolated connection which is not shared with other Guests. The NAT-int-network is a shared connection so that Guests not only have a NAT connection to the Internet but can also connect between themselves.

Overall Steps…

  1. Verify default virtual networks created by VBox. If you’re not particular about the address spaces, a lab can be setup this way. If you’re particular about your virtual networks, you can create custom networks and select those instead when you configure your Guests (which you’ll hopefully understand by the end of this guide).
  2. Create Server using the NAT-network network as the external network and the Host-Only network as the private network.
  3. Create Client using the Host-only network as its only network. With proper networking configured, this machine is on an isolated network but will use the Guest created as a Server as the Gateway for Internet access.

Actual Steps…
Install Virtualbox
In this example we will simplify the setup a little bit by using DHCP to configure all Guest networking. You can modify for static addresses if you wish, recommended only after you understand and get a feel for how virtual networking works and how it’s configured.

Since we will be using existing default VBox Virtual networks, the main way you can verify what network an adapter is attached to is by the address space it is configured and working (by DHCP or static). With experience you’ll notice that it’s possible and sometimes it can be tricky to properly bind the correct virtual network to proper adapters in multi-homed Guests (as the Server will be).

Optionally, you can also inspect existing network configurations using Virtualbox Manager directly by
File > Preferences > Network
But, there is no consistent way to describe/find how each network is configured which is one of the main minor complaints I have about VBox… Since it appears to be a rather disorganized collaborative effort, no one has taken the time to apply uniformity and consistency so it takes a little bit more effort but all the info is there and will work. But, this is not a required step for now if you perform the following steps in order even if you’re unfamiliar with VBox. In other words, you can come back to this later.

4. Create or import your first Guest which will be the Client (there will be a reason for this the first time although I usually create Servers before Clients).

  • This Client machine should be configured with a single network adapter.
    After your Guest VM has been fully created,
  • Whether you configured during creation or import or not, verify and if necessary modify this machine to operate on the Host Only network as follows…
  • Select your Guest in Oracle VM VirtualBox Manager
  • Although there are several ways to arrive at the following (eg rt-click or settings from the menu) in the rt pane scroll down to “Network” and click
  • A window should display Adapter 1 tab by default, with “Enable Network Adapter” enabled and attached to… a dropdown box. Make sure it says “Host Only”
    -Save
  • Boot this Guest and then run “ip addr”
    If your network adapter is configured as a DHCP client, it should automatically be assigned a valid private network address.

5. Create or import your second Guest which will be the Server (and Gateway to your first Guest).

  • This machine should be configured with two network adapters.
    After fully created or imported,
  • Select your Guest in Oracle VM VirtualBox Manager
  • Although there are several ways to arrive at the following (eg rt-click or settings from the menu) in the rt pane scroll down to “Network” and click
  • A window should display Adapter 1 tab by default, with “Enable Network Adapter” enabled and attached to… a dropdown box. Make sure it says “NAT” or “NAT-int-network” in this case either is sufficient. If you configured multiple Servers you might want to configure the latter that allows NAT Guests on this level (ie Servers) to connect to each other, otherwise VBox “NAT” uniquely (compared to other virt technologies) isolates NAT connections from each other.
    Click on the Adapter 2 tab, enable and configure it for the “Host Only” network.
    -Save
  • Boot this Guest and then run “ip addr”
    If your network adapter is configured as a DHCP client, it should automatically be assigned valid addresses for each network adapter. NOTE which adapter is your external and which is your internal if it matters to you. Note that proper configuration of network services like FW rules, web services, remote connections, etc requires binding to the proper network adapter.

Possible Problem:
Internal and External networks are reversed - If you’ve run “ip addr” and found that your firewall is facing the wrong way, you can’t ping in or out the machine or otherwise discover your networks are reversed, perform the following to resolve

  • Shutdown the VM
  • Open the Guest Network settings as described above in Oracle Virtualbox Manager.
  • With the “Network” preference selected, reverse the binding for the first tab (Adapter 1) likely pointing to “Host Only” and the second tab (Adapter 2) likely pointing to either NAT or NAT-int-network.
  • Save
    Important teaching point here… Note how you don’t touch a thing inside the Guest to switch networking from one physical or virtual network to another. It’s all done as just described in the Guest network properties. Internally, this is a reason why we’re setting up with DHCP clients only at first… Of course when you next boot the network adapters will pick up the new IP address assignments automatically.

6. Last required step
Host Only networks ordinarily aren’t assigned a Default Gateway (should make sense).
So, this will need to be configured manually on your Client pointing to your Server (remember, both on the Host Only network).
You may need to also manually configure other network services not provided by VBox’s Host-Only DHCP server like DNS or other name resolution methods.

Once completed, with your Server configured the ordinary way (using YAST) as an Internet Gateway router, both machines should have access to the Internet and can otherwise also be configured for all other types of networking as though they were physical machines instead of virtual.

HTH,
TSU

Hey :)

I forgot to set up a route on the PC which is executing the “Server”-Vbox…

route add -net 10.50.10.0 netmask 255.255.255.0 gw 192.168.0.230

so the “Server” is now able to communicate with my former “Home-Net” (192.168.0.0/24)…

traceroute 192.168.0.230

Output:


traceroute to 192.168.0.230 (192.168.0.230), 30 hops max, 60 byte packets
 1  suselinux-ldap-test.simon.net (192.168.0.230)  0.042 ms  0.022 ms  0.007 ms

and also needed to add a rule on my router for DNS (Port 53 UDP) for Address 192.168.0.230…

finally it works :)

Congrats.

Now, remember that if you’re considering running a variation of this in Production, consider security implications…

  • The HostOS has “physical access” to all Guests, so be extra vigilant protecting the Host. This is why it’s recommended to strip the HostOS of any unnecessary functionality beyond simply providing a hypervisor (but of course it’s your decision what to actually install and run).
  • Because security is so critical, you may want to be certain the HostOS automatically self-patches regularly.
  • You may want to set up extra monitoring for the HostOS.

TSU
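
The SuSEfirewall2 settings and the status output posted earlier in this thread can be cross-checked offline. The script below is an added example, not code from any poster or from SuSEfirewall2 itself: it reads the FW_* values, looks for the matching MASQUERADE rule in the nat POSTROUTING chain, reports whether its packet counter is still 0, and flags a FORWARD chain that contains an unrestricted ACCEPT rule. The function names are hypothetical, the sample text is copied from the values shown in the thread, and FW_MASQ_NETS is assumed to hold a single network.

```shell
#!/bin/sh
# Added example: compare SuSEfirewall2 settings with the rules shown by
# "SuSEfirewall2 status". Function names are hypothetical; the sample text
# below is copied from the values posted in the thread.

SYSCONFIG='FW_DEV_EXT="enp0s3"
FW_DEV_INT="enp0s8"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="enp0s3"
FW_MASQ_NETS="10.50.10.0/24"'

NAT_TABLE='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      enp0s3  10.50.10.0/24        0.0.0.0/0'

FILTER_TABLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forward_int  all  --  enp0s8 *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Print the value of KEY from KEY="value" text on stdin (empty if absent).
cfg_get() {
    awk -F'"' -v k="$1" '$1 == (k "=") { print $2; exit }'
}

# Print the packet counter of the POSTROUTING MASQUERADE rule that matches
# out-interface DEV and source NET; exit non-zero if there is no such rule.
# Columns: pkts bytes target prot opt in out source destination
masq_rule_pkts() {
    awk -v dev="$1" -v net="$2" '
        $1 == "Chain" { chain = $2; next }
        chain == "POSTROUTING" && $3 == "MASQUERADE" && $7 == dev && $8 == net {
            print $1; found = 1; exit
        }
        END { exit (found ? 0 : 1) }'
}

# Succeed if CHAIN holds an ACCEPT rule with no restriction at all:
# exactly nine columns, protocol "all", wildcard interfaces and addresses.
chain_has_catchall_accept() {
    awk -v want="$1" '
        $1 == "Chain" { chain = $2; next }
        chain == want && NF == 9 && $3 == "ACCEPT" && $4 == "all" &&
        $6 == "*" && $7 == "*" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" {
            found = 1; exit
        }
        END { exit (found ? 0 : 1) }'
}

# audit_masq SYSCONFIG_TEXT NAT_TEXT FILTER_TEXT
# Prints CONFIG_OFF, NO_RULE, RULE_UNUSED or RULE_HIT, followed by
# FORWARD_OPEN when the FORWARD chain accepts everything.
audit_masq() {
    a_cfg=$1
    a_nat=$2
    a_filter=$3
    a_route=$(printf '%s\n' "$a_cfg" | cfg_get FW_ROUTE)
    a_masq=$(printf '%s\n' "$a_cfg" | cfg_get FW_MASQUERADE)
    a_dev=$(printf '%s\n' "$a_cfg" | cfg_get FW_MASQ_DEV)
    a_net=$(printf '%s\n' "$a_cfg" | cfg_get FW_MASQ_NETS)

    if [ "$a_route" != yes ] || [ "$a_masq" != yes ]; then
        a_out="CONFIG_OFF"
    elif a_pkts=$(printf '%s\n' "$a_nat" | masq_rule_pkts "$a_dev" "$a_net"); then
        # A counter of 0 means no forwarded packet has reached the rule yet,
        # so client traffic is not arriving at the gateway's NAT stage.
        if [ "$a_pkts" = 0 ]; then
            a_out="RULE_UNUSED"
        else
            a_out="RULE_HIT"
        fi
    else
        a_out="NO_RULE"
    fi

    if printf '%s\n' "$a_filter" | chain_has_catchall_accept FORWARD; then
        a_out="$a_out FORWARD_OPEN"
    fi
    echo "$a_out"
}

# Run against the values from the thread.
audit_masq "$SYSCONFIG" "$NAT_TABLE" "$FILTER_TABLE"
```

On a live gateway the same functions can be fed from `iptables -t nat -L -v -n` and `iptables -L -v -n` instead of the embedded text.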