Here is my home network (or a bit of it, anyway):
(I apologise in advance for lack of abilities when it comes to using Dia, the Linux equivalent of Visio!)
What you have there is not very exciting: a couple of Centos-running servers called NEWTON and GALILEO, one of which connects to the Internet, thanks to a wireless dongle and the magic of 3G. There’s a wireless access point, handling all the “devices”: Nexus 7, Kindles, Smartphones and the like. Then there’s FEYNMAN,’s Windows 8 PC doing sterling duty as a Photoshop workstation. RUTHERFORD’s the media centre (also running Windows 8, but with Windows Media Centre added). And my new PC is DIRAC, running Fedora 18. Everything is running on a 192.168.0… subnet.
I probably should expand this diagram, though: there are 7 different virtual machines which run routinely on Dirac: they all share the 192.168.0 subnet thanks to ‘bridged networking’ in VMware Workstation and can therefore access Galileo and, from there, the Internet. Though they are merely virtual machines in fact, they behave exactly as real, physical machines would: by sharing the same subnet as the PC they run on, they look just like real machines to all the other real machines on the network. Bridged networking is fine for VMs that are allowed to function as though they were real.
But here’s the problem: what if I want a bunch of new virtual machines to be able to talk amongst themselves as though they were part of a normal network but without any of the existing, physical machines being aware of the fact? For example, I may want to build a DHCP server -but I don’t want any of my ‘real’ PCs accidentally picking up their IP address from it. Similarly, I may want to build a new DNS server -but I wouldn’t want FEYNMAN trying to look up hostnames there.
The underlying reason for needing this ability is, in fact down to my laptop (which isn’t shown in the above diagram). I use it at work, so it needs to see proper, commercial DNS, DHCP, NTP and other servers -but if I want to run VMs on my laptop that are running their own DNS, DHCP, NTP and other servers, I have to be able to ensure that whatever I build can never, ever “leak” out onto the real network. I need, in fact, complete isolation of my network of virtual machines running on my laptop from the real corporate network my laptop is physically connected to.
Fortunately, this is easy to do with VMware Workstation -and VirtualBox: both employ a feature misleadingly called host-only networking. I say ‘misleadingly called’ there, because that name implies (to my mind, anyway) that virtual machines making use of it can only communicate with the physical host. If that were true, you could ‘network’ the host to the VM -but you’d be stuffed trying to network one VM with another VM. But happily, it’s the name that’s wrong, not the functionality: host-only networking in both virtualisation products actually means that any VM built to use the feature can communicate with the physical host and with every other host-only VM, too.
So here’s the network I want to build:
The virtual network is all the grey-coloured stuff at the bottom. My physical PC, DIRAC, will host six different virtual machines, all running in host-only mode, and using the 192.168.42 subnet. Note that DIRAC itself acquires a second IP address, allowing it and it alone both to connect to the rest of the world and to connect to any of the 192.168.42 virtual machines.
How exactly is that to be achieved, then? Well, if I persist with my usual desktop virtualisation software (VMware Workstation), I’d find the menu option for the Virtual Network Editor (in Linux, you can launch it from the command-line by typing /usr/bin/vmware-netcfg -you’ll be prompted to supply root’s password if you’re not root at the point of issuing that command):
When you install VMware Workstation, you get three different network interfaces created for you automatically: one of them is used for bridged networking, one for Network Address Translation …and one for host-only networking. Highlight that last one and you’ll be able to alter its properties in the lower part of the screen. Here you see that I’ve switched off the virtual DHCP server that VMware offers to run for you on this interface; I’ve also altered the default subnet IP so that it matches my desired ’192.168.42…’ subnet address range. Leave the last octet of that address set to zero and you will find that your physical host PC or laptop is automatically assigned a 192.168.42.1 address, which is fine.
You can create as many of these host-only network interfaces as you like: each one will create a new network adapter (if your host is running Windows) or a new network interface, visible via ifconfig, if your host runs Linux), meaning that if your host PC is powerful enough, there’s nothing to stop it running multiple, isolated virtual networks at the same time.
VirtualBox does it slightly differently: just use the File -> Preferences menu options to bring up a Settings dialog, then select the Network item:
By default (at least on Fedora 18!), you don’t have any host-only network adapters installed here, but if you click that little green ‘plus’ button, a new one will be created for you and will be automatically named virtualbox0. After creating it, click the third little icon on the right to configure its settings:
Again, just type in a ‘starting address’ for your new isolated network. With VirtualBox, I find it necessary to specify the ‘.1′ at the end of the IP address, otherwise it doesn’t work properly. By specifying the 192.168.42.1 address in full, therefore, I ensure my physical host is assigned that IP address on its new virtualbox0 interface. (As you can see from that last screenshot, too, I don’t have much use for IPv6 at the moment!)
Finish things off by switching to the DHCP Server tab and uncheck the ‘Enable Server’ option: again, VirtualBox proposes to run a virtual DHCP server for you, which you might find desirable, but which I definitely don’t!
Incidentally, if you happen to have VMware Workstation and VirtualBox installed on the one physical guest, make sure each uses a different isolated subnet, because they can’t both be configured to use the same one meaningfully! In other words, if I’ve created a 192.168.42.x host-only subnet in VMware, I’ll have to create a 192.168.43.x host-only subnet in VirtualBox. Networking won’t work reliably if you try assigning the same IP address to two different interfaces at the same time!
Once your network interfaces are configured properly, it’s simply a matter of choosing the right sort of networking for each new Virtual Machine that you build. In VMware, you do that as part of the ‘create new VM’ wizard:
By default, VMware threatens to create new VMs with a NAT interface, but it’s easy to switch to using a host-only one.
VirtualBox is not as easy, because the wizard you use to create a new VM doesn’t offer you any opportunity to specify anything about the network interface to use at all. It’s therefore necessary to create a new VM ‘blind’, and after it’s been created, right-click it and select Settings. Select the Network item on the left:
You’ll discover that, once again, a NAT interface has been assigned to your new VM by default. Just click that combo-box, though, and you’ll find an item for Host-only adapter. Select that, click OK, and you’re all done.
Once built, you’ll find that all your host-only VMs can ping each other and your physical PC on which they’re running -but they won’t be able to ping beyond your physical PC. That means, in my case, that ALPHER and BETHE can ping each other, or MARCONI, TESLA or DIRAC (my physical PC). But they won’t be able to ping GALILEO -and since GALILEO controls access to the Internet, that means my host-only VMs can’t reach the Internet, either.
For my purposes, that’s fine: why would I need an Oracle server (say) to be able to access the Internet? You wouldn’t normally do that in production (I hope!), so having a set of servers that behave similarly is not a problem for me. It does mean I have to have one of my VMs hosting a software repository from which my other VMs can download packages and so on necessary for running Oracle (or anything else), but that’s usually not difficult to do.
The main issue is easily solved, therefore: host-only networking allows your virtual machines and all the networking services they provide and consume to be completely isolated from the rest of the world -and any real corporate networks your physical PC might be attached to at the time! Splendid!!
(Oh, and as a side benefit: my laptop will be able to run a virtual network of six VMs even when I’m running it on a train and it’s stuck in a tunnel without a 3G signal. The virtual network will keep running just fine, even if the physical one decides to die -or even if you don’t have a physical network at all. Host-only VMs are a great way of virtualising networks on standalone PCs, in other words).