
I have two virtual box VMs. U1 and U2

VM U1 has two adapters: enp0s3, which is bridged to my wireless adapter on my host machine, and enp0s8, which is connected to an internal network named "inet". Additionally, I am also running a DHCP server on the enp0s8 interface. I also configured a static IP address for U1's enp0s8 interface using the /etc/network/interfaces file.

VM U2 has one adapter, enp0s3 which is connected to internal network named "inet".

Now when I spin up U1 and then U2 and do

ping <u1_enp0s8_ip_address> from U2 I get a reply back

However when I try

ping <u1_enp0s3_ip_address> from U2, there is no response

Also I have tried

ping -I enp0s8 <u1_enp0s3_ip_address> in U1, and there is no response.

What do I need to do so that enp0s8 on U1 can communicate with enp0s3 on U1?

Any suggestions/replies will be highly appreciated. I have been stuck on this for a couple of days now.

(EDIT 1)

Output from sudo iptables -L command

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

(EDIT 2)

sudo iptables -L command output

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

(Edit 3)

Output from route -n command

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp0s3
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 enp0s8
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp0s8
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s3

enp0s3's (external network interface) network is 192.168.0.0/24 and enp0s8's (internal network interface) network is 10.0.1.0/24

Output from sysctl net.ipv4.ip_forward command

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Regards

  • The answer from @kubanczyk is a good start - what OS is each VM running?
    – ivanivan
    Commented Feb 18, 2018 at 14:35
  • @ivanivan I am using ubuntu 16.04 on both
    – Abdul Rahman
    Commented Feb 18, 2018 at 15:58

2 Answers


On U1 you'll need to either set up NAT for the internal only network or open it up and just forward packets. If you choose the second, you'll need to set appropriate routes on whatever machines on your physical LAN you want to connect to the virtual LAN.

If you want to set up NAT, you have to enable packet forwarding and set up some iptables rules. Here's a script I use that does this -

#!/bin/bash
# a very simple set of iptables commands
# to allow forwarding between ethernet
# devices


# which device is the one that connects to The World (or at least your
# non virtual LAN - this would be a Bridged or NAT (not NAT Network) type
# in VirtualBox
WAN_DEVICE="enp0s3"

# which device is the one that connects to Internal Only or Host Only network?
LAN_DEVICE="enp0s8"


# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# where is iptables located?
iptables=$(command -v iptables)

# flush all existing rules; -F on its own only clears the filter table,
# so clear the nat table as well or every re-run adds another MASQUERADE rule
$iptables -F
$iptables -t nat -F

# this is for NAT
# enable masquerading
$iptables -t nat -A POSTROUTING -o $WAN_DEVICE -j MASQUERADE

# don't forward packets from off-lan to lan if
# they are a brand new connection being formed
$iptables -A FORWARD -i $WAN_DEVICE -o $LAN_DEVICE -m state --state NEW -j REJECT

# if the packets come from off-lan but they are
# related to a connection that was established from
# within the lan, go ahead and forward them
$iptables -A FORWARD -i $WAN_DEVICE -o $LAN_DEVICE -m state --state RELATED,ESTABLISHED -j ACCEPT

# whatever traffic comes from the lan to go to
# the world allow thru
$iptables -A FORWARD -i $LAN_DEVICE -o $WAN_DEVICE -j ACCEPT

After running this, your iptables should look like

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             state NEW reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

To just open it up, it is a bit overkill, but you can simply change the rules above to accept all connections and forward in/out on both interfaces. Doing this, you would also remove the NAT/Masquerade command, BUT you'd need to set routes on any machine that you wanted to connect from the physical LAN to the virtual one. Simply comment out the other $iptables calls (except the flush ones) and duplicate the last line with the device references reversed, which reduces the script to -

#!/bin/bash
# a very simple set of iptables commands
# to allow forwarding between ethernet
# devices


# which device is the one that connects to The World (or at least your
# non virtual LAN - this would be a Bridged or NAT (not NAT Network) type
# in VirtualBox
WAN_DEVICE="enp0s3"

# which device is the one that connects to Internal Only network?
LAN_DEVICE="enp0s8"


# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# where is iptables located?
iptables=$(command -v iptables)

# flush all existing rules; clear the nat table too, so a MASQUERADE
# rule left behind by the NAT script above is actually removed
$iptables -F
$iptables -t nat -F

# whatever traffic comes from the lan to go to
# the world allow thru
$iptables -A FORWARD -i $LAN_DEVICE -o $WAN_DEVICE -j ACCEPT

# whatever traffic comes from the world to go to
# the lan allow thru
$iptables -A FORWARD -i $WAN_DEVICE -o $LAN_DEVICE -j ACCEPT

After you use this one, your iptables should look like

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
  • Ran the script as it is, and then tried pinging my WAN interface IP via the internal interface IP, but no luck :(
    – Abdul Rahman
    Commented Feb 18, 2018 at 17:19
  • Can bridging help here? Can we somehow bridge the two interfaces on U1? I went that route yesterday and spent quite a bit of time but didn't get much luck. Perhaps I missed something. What do you think?
    – Abdul Rahman
    Commented Feb 18, 2018 at 17:31
  • @AbdulRahman Your enp0s3 adapter should be Bridged or NAT (but not NAT Network) in virtualbox. Be sure it has an ip, etc. What is output of sudo iptables -L ?
    – ivanivan
    Commented Feb 18, 2018 at 18:57
  • @ivanivan my enp0s3 is bridged and has an IP address. Also edited my question with the sudo iptables -L output
    – Abdul Rahman
    Commented Feb 18, 2018 at 19:37
  • @AbdulRahman i added example iptables -L output from a working setup. It looks like on yours you want traffic to flow both ways, but you left some of the other commands active. Try running JUST the second script - should fix things up. Don't forget to add appropriate routes.
    – ivanivan
    Commented Feb 18, 2018 at 20:57
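An added example (not part of ivanivan's answer or the original page) that puts the two pieces of this answer in a form you can check before touching the VMs. The first helper emits U1's rules as a single iptables-restore document for either mode ("nat" or "route"), which replaces the filter and nat tables together on every apply (a plain `iptables -F` leaves nat/POSTROUTING alone), uses a FORWARD policy of DROP so only the listed flows are forwarded, and only forwards internal traffic that really carries a 10.0.1.0/24 source address. The second helper is the other half of "don't forget to add appropriate routes": it reads a copy of `ip route` output from U2 and reports whether U2 has any route towards the bridged 192.168.0.0/24 network, either an explicit one or a default route via U1's internal address. A host whose only route is the connected 10.0.1.0/24 cannot send a packet to 192.168.0.x at all, whatever U1's forwarding rules say. Assumptions not stated on the page: U1's enp0s8 address is 10.0.1.1, U2's is 10.0.1.50, the `ip route` samples are constructed, and the DHCP server on U1 is isc-dhcp-server (whose `option routers` statement hands out that default route).

```shell
#!/bin/bash
# Added example, not from the original answer. Assumed values (not on the
# page): U1 enp0s8 = 10.0.1.1, U2 enp0s3 = 10.0.1.50. Interface names and
# networks (enp0s3 = 192.168.0.0/24 bridged, enp0s8 = 10.0.1.0/24 internal)
# are the question's own.

# gen_router_rules WAN_IF LAN_IF LAN_NET MODE    (MODE = nat | route)
# Prints an iptables-restore document; apply with:  ... | sudo iptables-restore
gen_router_rules() {
    wan=$1 lan=$2 lan_net=$3 mode=$4
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'          # forward nothing unless a rule below allows it
    echo ':OUTPUT ACCEPT [0:0]'
    # replies to flows that the internal network started
    echo "-A FORWARD -i $wan -o $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # outbound from the internal network, but only with an internal source address
    echo "-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT"
    if [ "$mode" = route ]; then
        # plain router: hosts on the bridged LAN may open connections inwards
        echo "-A FORWARD -i $wan -o $lan -d $lan_net -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo 'COMMIT'
    # the nat table is always emitted: in route mode that leaves it empty,
    # which removes a MASQUERADE rule left behind by an earlier nat-mode apply
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    if [ "$mode" = nat ]; then
        echo "-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE"
    fi
    echo 'COMMIT'
}

# lan_host_can_reach NET GW   (reads `ip route` output on stdin)
# Exit 0 when the table has a route for NET itself or a default route via GW.
lan_host_can_reach() {
    awk -v net="$1" -v gw="$2" '
        $1 == net                                  { ok = 1 }
        $1 == "default" && $2 == "via" && $3 == gw { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Constructed `ip route` output for U2 (assumed addresses): first as left by a
# DHCP lease that carries no router option, then after a gateway is present,
# e.g. `ip route add default via 10.0.1.1 dev enp0s3` on U2, or
# `option routers 10.0.1.1;` in the 10.0.1.0/24 subnet of dhcpd.conf on U1.
U2_ROUTES_NO_GW='10.0.1.0/24 dev enp0s3 proto kernel scope link src 10.0.1.50'
U2_ROUTES_WITH_GW='default via 10.0.1.1 dev enp0s3
10.0.1.0/24 dev enp0s3 proto kernel scope link src 10.0.1.50'

check_u2() {
    if printf '%s\n' "$2" | lan_host_can_reach 192.168.0.0/24 10.0.1.1; then
        echo "$1: U2 has a route towards 192.168.0.0/24"
    else
        echo "$1: U2 has no route towards 192.168.0.0/24 (add a default via 10.0.1.1)"
    fi
}

# Stand-alone run: show U1's nat-mode ruleset and check both U2 route tables.
# On U1 itself: sysctl -w net.ipv4.ip_forward=1, then
#   gen_router_rules enp0s3 enp0s8 10.0.1.0/24 nat | sudo iptables-restore
# and review the result with: sudo iptables-save
gen_router_rules enp0s3 enp0s8 10.0.1.0/24 nat
check_u2 "U2 without gateway" "$U2_ROUTES_NO_GW"
check_u2 "U2 with gateway" "$U2_ROUTES_WITH_GW"
```

In nat mode U2's pings to 192.168.0.x leave U1 with U1's enp0s3 address as source, so nothing on the physical LAN needs a route back; in route mode every physical-LAN host you want to reach 10.0.1.0/24 needs `ip route add 10.0.1.0/24 via <U1 enp0s3 address>`, as the answer says. Either way U2 still needs its own default route via U1, which is what the second helper checks.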

Enable forwarding on U1. Most OSes by default don't do interface-to-interface routing unless you explicitly tell them.

Review the OS-level firewall rules on U1. Don't forget nat table too.
