Understanding Virtual Networking Concepts
Configuring Network Address Translation
When you install Workstation on a Windows or Linux host system, a NAT network (VMnet8) is set up for you. When you use the New Virtual Machine wizard to create a typical virtual machine, the wizard configures the virtual machine to use the default NAT network.
With NAT, a virtual machine does not have its own IP address on the external network. Instead, a separate private network is set up on the host system. In the default configuration, virtual machines get an address on this private network from the virtual DHCP server.
The virtual machine and the host system share a single network identity: the host system's address on the external network. The private NAT network itself is not visible from the external network. NAT works by translating the IP addresses of virtual machines in the private network to the IP address of the host system. When a virtual machine sends a request to a network resource, the request appears to that resource to be coming from the host system.
The host system has a virtual network adapter on the NAT network. This adapter enables the host system and virtual machines to communicate with each other. The NAT device passes network data between one or more virtual machines and the external network, identifies incoming data packets intended for each virtual machine, and sends them to the correct destination.
Features and Limitations of NAT Configurations
NAT is useful when the number of IP addresses is limited or the host system is connected to the network through a non-Ethernet adapter.
With NAT, a virtual machine can use many standard TCP/IP protocols to connect to other machines on the external network. For example, you can use HTTP to browse Web sites, FTP to transfer files, and Telnet to log in to other computers. NAT only rewrites addresses; FTP and Telnet remain cleartext protocols on the external network, exactly as they would be from the host system. You also can connect to a TCP/IP network by using a Token Ring adapter on the host system. NAT works with Ethernet, DSL, and phone modems.
In the default NAT configuration, computers on the external network cannot initiate connections to the virtual machine. For example, you cannot use the virtual machine as a Web server that serves pages to computers on the external network unless you configure port forwarding on the NAT device. This behavior protects a freshly installed guest operating system from being probed or compromised from the external network before you have a chance to patch it and install security software. It does not isolate the guest from the host system or from other virtual machines on the same NAT network; both can still reach the guest directly over the private network.
NAT configurations have the following additional features and limitations.
- NAT causes some performance loss. Every packet sent to or received from a virtual machine must pass through the NAT device, which has to rewrite its addresses and track the connection it belongs to, so an unavoidable performance penalty occurs.
- NAT is not perfectly transparent. NAT does not usually allow connections to be initiated from outside the network, although you can manually configure port forwarding on the NAT device so that a specific port on the host's external address reaches a specific port on one guest. The practical result is that some TCP and UDP protocols that require that a connection be initiated from the server machine do not work automatically, and some might not work at all.
- NAT provides some firewall protection. A standard NAT configuration provides basic-level firewall protection because the NAT device can initiate connections from the private NAT network, but devices on the external network usually cannot initiate connections to the private NAT network. This is a side effect of address translation, not a packet filter: outbound traffic from the guest is not restricted in any way, and every port you forward is reachable by anyone who can reach the host's external address. Treat it as a complement to, not a substitute for, a firewall inside the guest.
Understanding DHCP in a NAT Configuration
In a NAT configuration, virtual machines running on the network with the NAT device can send DHCP requests to dynamically obtain their IP addresses.
In the default configuration, the virtual DHCP server dynamically allocates IP addresses in the range of net.128 through net.254, where net is the network number assigned to the NAT network. Workstation always uses a Class C-sized (/24) network for NAT networks, so net.0 is the network address and net.255 the broadcast address. IP addresses net.3 through net.127 can be used for static IP addresses. IP address net.1 is reserved for the host virtual network adapter and net.2 is reserved for the NAT device.
In addition to the IP address, the virtual DHCP server on the NAT network sends out configuration information that enables the virtual machine to operate.
This information includes the default gateway and the DNS server. In the DHCP response, the NAT device instructs the virtual machine to use the IP address net.2 as the default gateway and DNS server. This routing causes all IP packets destined for the external network and DNS requests to be forwarded to the NAT device.
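As an added illustration (not part of the Workstation documentation), the following Python computes the address plan described above for any NAT /24 and checks a set of proposed static guest addresses against it: reserved addresses, the DHCP pool (where the virtual DHCP server could hand the same address to another guest), addresses off the network, and duplicates. The subnet 192.168.8.0/24 and the guest names and addresses in the usage section are assumptions; use whatever subnet Workstation assigned to VMnet8 on your host.

```python
import ipaddress

# Layout of a Workstation NAT (VMnet8) network as documented above, by last octet:
#   .1        host virtual network adapter
#   .2        NAT device (also the default gateway and DNS server handed out by DHCP)
#   .3-.127   free for static guest addresses
#   .128-.254 virtual DHCP server pool
# .0 and .255 are the network and broadcast addresses of the /24.

ROLES = {
    0: "network address",
    1: "host virtual adapter",
    2: "NAT device (gateway/DNS)",
    255: "broadcast address",
}


def nat_address_plan(network: str) -> dict:
    """Return the reserved addresses and allocatable ranges for a NAT /24."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("Workstation NAT networks are IPv4 /24 (Class C) networks")
    base = int(net.network_address)

    def octet(n: int) -> str:
        return str(ipaddress.ip_address(base + n))

    return {
        "host_adapter": octet(1),
        "nat_device": octet(2),
        "default_gateway": octet(2),   # what the virtual DHCP server hands out
        "dns_server": octet(2),        # the NAT device's DNS proxy
        "static_range": (octet(3), octet(127)),
        "dhcp_range": (octet(128), octet(254)),
    }


def classify(network: str, ip: str) -> str:
    """Describe how a given address is used on the NAT network."""
    net = ipaddress.ip_network(network, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        return "not on this NAT network"
    last = int(addr) - int(net.network_address)
    if last in ROLES:
        return ROLES[last]
    return "static" if last <= 127 else "DHCP pool"


def static_conflicts(network: str, assigned: dict) -> dict:
    """Given {vm_name: ip} static assignments, return the unsafe ones with a reason.

    Unsafe means reserved (.0/.1/.2/.255), inside the DHCP pool, off the
    network entirely, or the same address given to two guests.
    """
    problems, seen = {}, {}
    for name, ip in assigned.items():
        role = classify(network, ip)
        if role != "static":
            problems[name] = role
        elif ip in seen:
            problems[name] = f"duplicate of {seen[ip]}"
        else:
            seen[ip] = name
    return problems


if __name__ == "__main__":
    # Constructed example: an assumed VMnet8 subnet and a few guest assignments.
    print(nat_address_plan("192.168.8.0/24"))
    print(static_conflicts("192.168.8.0/24", {
        "web": "192.168.8.10",
        "db": "192.168.8.130",    # inside the DHCP pool
        "jump": "192.168.8.2",    # the NAT device itself
        "dup": "192.168.8.10",    # same address as "web"
    }))
```

The check is worth running before you hand out static addresses: a guest that sits inside net.128 through net.254 will work until the virtual DHCP server leases the same address to another guest, and the resulting intermittent conflict is hard to diagnose.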
Understanding the NAT Device
The NAT device is connected to the VMnet8 virtual switch. Virtual machines connected to the NAT network also use the VMnet8 virtual switch.
The NAT device waits for packets coming from virtual machines on the VMnet8 virtual network. When a packet arrives, the NAT device translates the source address of the packet from the virtual machine's private address to the address of the host system before forwarding the packet to the external network, and records the flow so that it can recognize the reply.
When data arrives from the external network for the virtual machine on the private network, the NAT device receives the data, replaces the destination address (the host system's) with the private address of the virtual machine, and forwards the data to the virtual machine on the virtual network. This translation occurs automatically and requires minimal configuration on the guest operating system and the host system.
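To make the translation, the rule against unsolicited inbound connections, and the port-forwarding exception concrete, here is a small Python model of the NAT device's behavior. It is an added example, not VMware's implementation: it tracks outbound guest flows, lets their replies back in, drops anything unsolicited, and honors forwards parsed from a constructed fragment written in the style of the [incomingtcp] and [incomingudp] sections of vmnetnat.conf (the NAT device's configuration file on Windows hosts; on Linux hosts it is typically /etc/vmware/vmnet8/nat/nat.conf). All addresses, port numbers and the forwarding entries are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

HOST_EXTERNAL_IP = "203.0.113.10"   # assumed: host's address on the external network
NAT_NETWORK = "192.168.8.0/24"      # assumed VMnet8 subnet; the NAT device is .2

# Constructed fragment in the style of vmnetnat.conf; the forwards are the point.
SAMPLE_NAT_CONF = """
[host]
ip = 192.168.8.2
netmask = 255.255.255.0
device = VMnet8

[incomingtcp]
# external_port = guest_ip:guest_port  (anyone reaching the host reaches this)
8080 = 192.168.8.128:80

[incomingudp]
6000 = 192.168.8.128:6001
"""


def parse_port_forwards(conf_text: str) -> dict:
    """Return {(proto, external_port): (guest_ip, guest_port)} from the forward sections."""
    sections = {"[incomingtcp]": "tcp", "[incomingudp]": "udp"}
    forwards, proto = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            proto = sections.get(line.lower())       # None for sections we ignore
            continue
        if proto is None:
            continue
        ext, target = (p.strip() for p in line.split("=", 1))
        guest_ip, guest_port = target.rsplit(":", 1)
        forwards[(proto, int(ext))] = (guest_ip, int(guest_port))
    return forwards


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatDevice:
    """Model of the NAT device sitting between VMnet8 and the external network."""

    def __init__(self, host_ip, nat_network, forwards, first_port=40000):
        self.host_ip = host_ip                          # identity shown to the outside
        self.nat_network = ipaddress.ip_network(nat_network)
        self.forwards = forwards                        # static inbound mappings
        self.flows = {}      # (proto, host_port) -> (guest_ip, guest_port, dst_ip, dst_port)
        self.by_guest = {}   # reverse index so an existing flow keeps its host port
        self.next_port = first_port

    def outbound(self, pkt: Packet) -> Packet:
        """Guest -> external: source becomes the host address plus a tracked port."""
        if ipaddress.ip_address(pkt.src_ip) not in self.nat_network:
            raise ValueError(f"{pkt.src_ip} is not on the NAT network")
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        host_port = self.by_guest.get(key)
        if host_port is None:
            host_port, self.next_port = self.next_port, self.next_port + 1
            self.by_guest[key] = host_port
            self.flows[(pkt.proto, host_port)] = key[1:]
        return Packet(self.host_ip, host_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """External -> guest. Returns the rewritten packet, or None if nothing is delivered."""
        if pkt.dst_ip != self.host_ip:
            return None
        flow = self.flows.get((pkt.proto, pkt.dst_port))
        if flow and flow[2:] == (pkt.src_ip, pkt.src_port):       # reply to a tracked flow
            return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1], pkt.proto)
        forward = self.forwards.get((pkt.proto, pkt.dst_port))
        if forward:                                                 # configured server port
            return Packet(pkt.src_ip, pkt.src_port, forward[0], forward[1], pkt.proto)
        return None   # unsolicited: the "basic firewall" behavior described in the text


def demo() -> dict:
    """Walk one guest flow out and its reply back, then try two unsolicited inbound packets."""
    nat = NatDevice(HOST_EXTERNAL_IP, NAT_NETWORK, parse_port_forwards(SAMPLE_NAT_CONF))
    out = nat.outbound(Packet("192.168.8.130", 51000, "198.51.100.7", 443))
    reply = nat.inbound(Packet("198.51.100.7", 443, HOST_EXTERNAL_IP, out.src_port))
    unsolicited = nat.inbound(Packet("198.51.100.9", 12345, HOST_EXTERNAL_IP, 22))
    forwarded = nat.inbound(Packet("198.51.100.9", 12345, HOST_EXTERNAL_IP, 8080))
    return {"out": out, "reply": reply, "unsolicited": unsolicited, "forwarded": forwarded}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {pkt}")
```

Two things the model makes visible that the prose only states: a reply is accepted solely because it matches a flow the guest opened (the "not perfectly transparent" property, which is why server-initiated protocols fail), and the forwarded port 8080 is accepted from any external source, so a forward is exactly as exposed as a service listening on the host itself.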
The NAT device is a DNS proxy and forwards DNS requests from the virtual machines to a DNS server that the host system knows. Responses return to the NAT device, which then forwards them to the virtual machines.
If they get their configuration information from the virtual DHCP server, the virtual machines on the NAT network use the NAT device as their DNS server. The NAT device's DNS proxy does not resolve the names of virtual machines on the private NAT network, and neither the host system's DNS servers nor the external network know those names. To have the virtual machines running on the NAT network access each other by DNS name, you must set up a private DNS server connected to the NAT network and configure the virtual machines to use that DNS server.