VirtualBox - Configuring port forwarding with NAT

Filed under: — By Aviran Mordo @ 11:41 am

As the virtual machine is connected to a private network internal to VirtualBox and invisible to the host, network services on the guest are not accessible to the host ma-chine or to other computers on the same network. However, VirtualBox can make given services available outside of the guest by using port forwarding. This means that VirtualBox listens to certain ports on the host and resends all packages which arrive on them to the guest on the ports used by the services being forwarded. To an application on the host or other physical (or virtual) machines on the network, it looks as though the service being proxied is actually running on the host (note that this also means that you cannot run the same service on the same ports on the host). However, you still gain the advantages of running the service in a virtual machine – for example, services on the host machine or on other virtual machines cannot be compromised or crashed by a vulnerability or a bug in the service, and the service can run in a different operating system to the host system.

You can set up a guest service which you wish to proxy using the command line tool VBoxManage. You will need to know which ports on the guest the service uses and to decide which ports to use on the host (often but not always you will want to use the same ports on the guest and on the host). You can use any ports on the host which are not already in use by a service. An example of how to set up incoming NAT connections to a ssh server on the guest requires the following three commands:

VBoxManage setextradata "GuestName” “VBoxInternal/Devices/pcnet/0/LUN#0/Config/Apache/Protocol” TCP

VBoxManage setextradata “GuestName” “VBoxInternal/Devices/pcnet/0/LUN#0/Config/Apache/GuestPort” 80

VBoxManage setextradata “GuestName” “VBoxInternal/Devices/pcnet/0/LUN#0/Config/Apache/HostPort” 8880

The name Apache is an arbitrary one chosen for this particular forwarding configuration.
The name GuestName is the name you gave your virtual machine.
With that configuration in place, all TCP connections to port 8880 on the host will be forwarded to port 80 on the guest. Protocol can be either of TCP or UDP (these are case insensitive). To remove a mapping again, use the same commands, but leaving out the values (in this case TCP, 80 and 8880).

It is not possible to configure incoming NAT connections while the VM is running. However you can change the settings for a VM which is currently saved (or powered off at a snapshot).

NAT limitations

There are four limitations of NAT mode which users should be aware of:

  • ICMP protocol is very limited: Some frequently used network debugging tools (e.g. ping) rely on sending/receiving messages based on the ICMP protocol. The ICMP protocol cannot be used directly by normal applications such as VirtualBox, as it would, at least on Linux hosts, require root permissions (more precisely CAP_NET_RAW). Since this is not desirable, no attempt has been made to support ICMP to addresses other than and If you try to ping any other IP address you will not get any response.
  • Receiving of UDP broadcasts is not reliable: The guest does not reliably receive broadcasts, since, in order to save resources, it only listens for a certain amount of time after the guest has sent UDP data on a particular port. As a consequence, NetBios name resolution based on broadcasts is not always working (but WINS always works). As a workaround, you can use the numeric IP of the desired server in the \\server\share notation.
  • Protocols other than TCP and UDP are not supported: This means some VPN products (e.g. PPTP from Microsoft) can not be used. There are other VPN products which use simply TCP and UDP.
  • Forwarding host ports < 1024 impossible: On Unix-based hosts (e.g. Linux, Solaris, MacOS X) it is not possible to bind to ports below 1024 from applications that are not run by root. Therefore if you try to configure such a port forwarding, then the VM will refuse to start.

These limitations normally don’t affect standard network use. But the presence of NAT has also subtle effects that may interfere with protocols that are normally working. One example is NFS, where the server is often configured to refuse connections from non-provileged ports (i.e. ports not below 1024).


7 Responses to “VirtualBox - Configuring port forwarding with NAT”

  1. Ben Says:

    It seems you can only port forward one port from host to guest. Is there anyway around that?

  2. Aviran Mordo Says:

    You can forward any number of ports as long as you don’t use the same port twice

  3. Ben Says:

    Wrong. I’ve tried it, and I’m fairly sure it’s a limitation in VirtualBox as long as I remember. If you can explain how, I would be willing to accept defeat… The only work around right now is to port forward 22 and then tunnel everything thru it.

    If I did the following I would end up with ONLY port 80 on guest forwarded to port 8080 on host. The port forward of port 22 was overwritten.

    VBoxManage setextradata “myvm” “VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/Protocol” TCP
    VBoxManage setextradata “myvm” “VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/GuestPort” 22
    VBoxManage setextradata “myvm” “VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/HostPort” 2222

    VBoxManage setextradata “myvm” “VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/Protocol” TCP
    VBoxManage setextradata “myvm” “VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/GuestPort” 80
    VBoxManage setextradata “myvm” “VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/HostPort” 8080

  4. Ben Says:

    Ok, I’m an idiot, you just have to use a different name in that path, instead of “guestssh” you could have “guesthttp”, etc. Sorry for doubting you…

  5. Aviran Mordo Says:

    You need to give the second port mapping a different name, i.e change “guestssh” to something else like “gusthttp”

  6. georgey Says:

    Is there anyway to have BOTH TCP and UDP forwarded? Some programs require both protocols to function. If I set one (ie, UDP) it automatically unsets the other (ie, TCP). If I just put “Both” in the command will this be understood?

  7. olivier Says:


    I’ve just tried many times those commands and even modified directly the xml file. Here is what is in my xml file:

    If I understood everything, normally, there, if I put on my hosts’s web browser http://localhost:8800 it will display my apache homepage from my guest web server which runs on port 8080.
    My host is XP and netstat gives me no 8800, my guest is opensuse and from it, http://localhost:8080 gives me the page.

    Is there something to do with the firewalls or other things like this ?

    (VBox 2.1.4)

    Best Regards

Leave a Reply

You must have Javascript enabled in order to submit comments.

All fields are optional (except comment).
Some comments may be held for moderation (depends on spam filter) and not show up immediately.
Links will automatically get rel="nofollow" attribute to deter spammers.

Powered by WordPress