
I don't fully understand the differences between NAT and a bridged connection on a virtual machine. As far as I've found, machines which are on the same network as our host machine can access our virtual machine if we make a bridged connection.

Well, on the internet, people write that both NAT and bridged virtual machines can have IP address like a host machine but if it is NAT, machines which are on the same network can NOT access our vm but if it is bridged, then they can.

If both NAT and bridged connections can have different IP addresses, then why can't I access a NAT'd address while I can access a bridged address?

Note: stating that NAT connections are protected is insufficient; I want to know how that is.

Jeff Ferland
oguzhan

Comments:

Bridging operates on layer 2, while NAT operates on layer 3, thereby requiring some sort of routing. http://en.m.wikipedia.org/wiki/Network_layer – EEAA Mar 21 '13 at 13:50

@EEAA ... but that doesn't explain why the routing doesn't work for an outside host. – Jeff Ferland Mar 21 '13 at 13:52

NAT will change your VM's ip address from something like **172.x.x.x** to **192.x.x.x**. However, Bridged will give your VM its own public ip address (like 172.x.x.x). – IgorGanapolsky Jun 23 '17 at 19:19

4 Answers

How NAT works in a nutshell

An external address, usually routable, is the "outside" of the NAT. The machines behind the NAT have an "inside" address that is usually non-routable. When a connection is made between an inside address and an outside address, the NAT system in the middle creates a forwarding table entry consisting of (outside_ip, outside_port, nat_host_ip, nat_host_port, inside_ip, inside_port). Any packet matching the first four parts gets its destination re-written to the last two parts.

If a packet is received that doesn't match an entry in the NAT table, then there is no way for the NAT box to know where to forward it unless a forwarding rule was manually defined. That's why, by default, a machine behind a NAT device is "protected".

Bridged

Bridged mode acts just like the interface you're bridging with is now a switch and the VM is plugged into a port on it. Everything acts the same as if it were another regular machine attached to that network.

Jeff Ferland

With NAT the IPs of the virtual machines and the network your host is connecting to are separated, meaning your VMs are on a different subnet. You can access the network because your host is doing Network Address Translation (if you don't know what that is, see: What is strict, moderate and open NAT?). The IP is assigned by a DHCP server running on the host.

With a bridged interface your virtual machines are directly connected to the network the network interface they are using is connected to. This means in your case that they will be directly connected to the network your host connects to, getting IP addresses from the DHCP server running on the network (which probably also gives your host its IP).

Now, why can't you access these machines?

Because you would need to enable port forwarding on the NAT segment. The NAT translates your virtual machines' IPs to a single IP. Incoming connections have to be routed with port forwarding, as the host cannot know which virtual machine the connection is meant for.

While NAT can provide some protection, it's not a firewall, for the same reason as above (when using NAT, inbound hosts can't connect unless port forwarding is enabled). However, NAT is NOT SECURITY (http://blog.ioshints.info/2011/12/is-nat-security-feature.html).

NAT has some side effects that resemble security mechanisms commonly used at the network edge. That does NOT make it a security feature, more so as there are so many variants of NAT.

Lucas Kauffman
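A small simulation of the NAT forwarding table that Jeff Ferland's answer describes, extended with the port-forwarding rule that Lucas Kauffman's answer says is needed before an outside host can reach the VM. This is an added example, not code from either answer or from any hypervisor: the addresses, port numbers and the `Packet`/`Nat` names are constructed for the walk-through, and real NAT implementations (protocol handling, entry timeouts, hairpinning) do more than this. It shows the three cases the answers talk about: a reply to a connection the VM opened is translated back to the VM, an unsolicited inbound connection is dropped because no table entry matches, and a manually defined forwarding rule makes the VM reachable again.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed addresses for the walk-through (private / documentation ranges, not real hosts).
VM_IP = "10.0.2.15"      # "inside" address: the guest's non-routable address behind the NAT
NAT_IP = "192.0.2.10"    # "outside" address: what the host presents to the LAN on the VM's behalf
PEER_IP = "192.0.2.50"   # another machine on the same LAN as the host


@dataclass(frozen=True)
class Packet:
    """Only the 4-tuple the NAT looks at; payload and protocol are omitted."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    outside_ip: str
    next_port: int = 40000
    # Dynamic entries, keyed as in the answer:
    # (outside_ip, outside_port, nat_host_ip, nat_host_port) -> (inside_ip, inside_port)
    table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)
    # Manually defined forwarding rules: nat_host_port -> (inside_ip, inside_port)
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside. Allocate a port on the outside address, remember which
        inside socket it stands for, then rewrite the packet's source."""
        nat_port = self.next_port
        self.next_port += 1
        key = (pkt.dst_ip, pkt.dst_port, self.outside_ip, nat_port)
        self.table[key] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Match the first four fields of a table entry and rewrite
        the destination to the last two; fall back to a static forward; otherwise drop."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        target = self.table.get(key)
        if target is None and pkt.dst_ip == self.outside_ip:
            target = self.forwards.get(pkt.dst_port)
        if target is None:
            return None  # no entry: the NAT cannot know which inside host this is for
        inside_ip, inside_port = target
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def reply_to_vm_connection() -> Optional[Packet]:
    """The VM connects out to PEER_IP:80; the peer's reply addressed to the NAT
    address is translated back to the VM because the outbound packet created an entry."""
    nat = Nat(NAT_IP)
    out = nat.outbound(Packet(VM_IP, 51000, PEER_IP, 80))
    reply = Packet(PEER_IP, 80, out.src_ip, out.src_port)
    return nat.inbound(reply)


def unsolicited_connection_to_vm() -> Optional[Packet]:
    """PEER_IP tries to open SSH to the NAT address with no prior outbound traffic."""
    nat = Nat(NAT_IP)
    return nat.inbound(Packet(PEER_IP, 50000, NAT_IP, 22))


def forwarded_connection_to_vm() -> Optional[Packet]:
    """Same attempt, but the host has a port-forwarding rule 2222 -> VM_IP:22."""
    nat = Nat(NAT_IP)
    nat.forwards[2222] = (VM_IP, 22)
    return nat.inbound(Packet(PEER_IP, 50000, NAT_IP, 2222))


if __name__ == "__main__":
    print("reply to the VM's own connection:", reply_to_vm_connection())
    print("unsolicited inbound, no rule    :", unsolicited_connection_to_vm())
    print("inbound via port forward        :", forwarded_connection_to_vm())
```

In bridged mode there is no such table at all: the VM has its own address on the LAN and a frame addressed to it is switched straight through, which is why the bridged VM is reachable and the NAT'd one is not. Note that the "drop" in the second case is a side effect of the missing table entry, not a policy decision, which is the point of the "NAT is not a firewall" remark above.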

Bridged connections are just that: essentially, a virtual switch is connected between the VM and your physical network connection.

NAT'd connections are also just that: instead of a switch, a NAT router is between the VM and your physical network connection.

Chris S

With a NAT connection, the host computer (your primary, physical machine) is acting like a router/firewall. The VM piggybacks off the network interface of the host and all packets to/from the VM are routed through it. Since the host computer actually sees IP packets and TCP datagrams, it can filter or otherwise affect the traffic.

When the VM is using bridged mode, it's connecting to the network via the host at a lower level (Layer 2 of the OSI model). The host machine still sees the traffic, but only at the Ethernet frame level. So it's unable to see where traffic is coming from/going to or what kind of data is contained in that traffic.

jamieb