Ubuntu – VirtualBox client OS (using NAT) is able to access host’s LAN – How come


My network is somewhat simple: all PCs in my LAN (Ubuntu desktop, Win7 desktop, XP netbook) connected to a dlink home router, which is connected to ISP's cable modem. LAN has IP subnet, gateway (the dlink router) is, the PCs are, via DHCP. The PCs share folders among themselves (basic right-click -> share, this is samba, right?). So far, so good.

Now the Ubuntu desktop has VirtualBox. I was planning on installing sandboxed VMs to test malware (and monitor the way they "call home"). So I installed an Ubuntu VM, network set to NAT mode (the default mode, subnet I guess).

So I open up Nautilus in the VM, go to "network", and to my surprise… the VM is able to see all the shared folder in the host's LAN!!!

How? Isn't "Shared Folders" something that works on the LAN only? How come a VM that lives in another subnet can access, say, a shared folder in the Win7 machine? They are not in the same LAN! (that would be Virtualbox's "Bridged" mode, correct?). And no, I do not mean VirtualBox's "Share Folder" feature (that maps a host drive as a network share to the guest), I'm not using it.

So, I clearly lack some fundamental knowledge of how shared folders and NAT works.I assumed NAT would isolate the VM from my LAN while still being able to browse the internet. I am very surprised it was able to see my LAN's workgroups even being in a different subnet.

So, question is: How is that possible? How this relation between VirtualBox, Shared Folders and NAT works? And how to setup the VM so it can't see the guest's LAN but is still able to browse the internet?

Best Answer

Chapter 6. Virtual networking:

To an application on the host, or to another computer on the same network as the host, it looks like the data was sent by the VirtualBox application on the host, using an IP address belonging to the host. VirtualBox listens for replies to the packages sent, and repacks and resends them to the guest machine on its private network.

Networking in VirtualBox (Oracle Blogs):

Each vm thinks they are on their own isolated network. When they send their traffic via the gateway ( VirtualBox rewrites the packets to make them appear as though they originated from the Host, rather than the Guest (running inside the Host).

Like on a physical host, NAT impedes remote connections, but allows outgoing connections. I don't think there's a networking mode that can distinguish your LAN from the rest of Internet.

Related Question