Understanding VM Networking

Understanding Anka VM networking

Prerequisites

  1. You’ve installed the Anka Virtualization package
  2. You’ve created your first VM Template
  3. You grasp how to modify VM settings (like network)

The Basics

By default Anka VMs use a shared networking configuration with the host. This uses a combination of NAT with a local DHCP server provided by macOS, but adds a custom layer that we have more control over.

Checking network configuration for VMs

Stopped VM

❯ anka show 12.6 network
+------------+------------+
| mode       | shared     |
+------------+------------+
| controller | virtio-net |
+------------+------------+

Running VM

Every time you start/resume a VM it will be assigned an IP (may take a few seconds for the VM to boot and assign):

❯ anka show 12.6
+---------+--------------------------------------+
| uuid    | 1948dd37-e8ea-43b3-972f-b91860329eab |
+---------+--------------------------------------+
| name    | 12.6                                 |
+---------+--------------------------------------+
| created | Oct 12 17:14:31 2022                 |
+---------+--------------------------------------+
| vcpu    | 5                                    |
+---------+--------------------------------------+
| ram     | 6G                                   |
+---------+--------------------------------------+
| display | 1024x768 vnc://192.168.64.6:5900     |
+---------+--------------------------------------+
| disk    | 200GiB (17.20GiB on disk)            |
+---------+--------------------------------------+
| addons  | 3.1.0.148.6247878                    |
+---------+--------------------------------------+
| network | shared 192.168.64.6                  |
+---------+--------------------------------------+
| status  | running since Oct 14 10:28:54 2022   |
+---------+--------------------------------------+

❯ anka show 12.6 network
+------------+-------------------+
| mode       | shared            |
+------------+-------------------+
| controller | virtio-net        |
+------------+-------------------+
| ip         | 192.168.64.6      |
+------------+-------------------+
| mac        | ae:86:1c:97:a5:8a |
+------------+-------------------+
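The `anka show <vm> network` table above is what a CI wrapper usually scrapes before an ssh or file-transfer step. The script below is an added example, not part of the Anka documentation: it parses one field out of that ASCII table and polls until a shared-mode VM has been given its DHCP lease. The two sample tables are constructed copies of the stopped and running output shown above; `wait_for_vm_ip`, the 2-second poll interval and the 60-second default timeout are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Anka documentation): read one field out of the
# ASCII table that `anka show <vm> network` prints, and poll until a
# shared-mode VM has been handed its DHCP lease.

# Constructed copies of the two table shapes shown in the docs, so the
# helpers can be exercised without a running VM.
SAMPLE_STOPPED='+------------+------------+
| mode       | shared     |
+------------+------------+
| controller | virtio-net |
+------------+------------+'

SAMPLE_RUNNING='+------------+-------------------+
| mode       | shared            |
+------------+-------------------+
| controller | virtio-net        |
+------------+-------------------+
| ip         | 192.168.64.6      |
+------------+-------------------+
| mac        | ae:86:1c:97:a5:8a |
+------------+-------------------+'

# anka_field TABLE_TEXT FIELD
# Prints the value column for FIELD (mode, controller, ip, mac); prints
# nothing when the row is absent, e.g. "ip" for a stopped VM.
anka_field() {
  printf '%s\n' "$1" | awk -F'|' -v key="$2" '
    NF >= 3 {
      k = $2; v = $3
      gsub(/^[ \t]+|[ \t]+$/, "", k)   # trim cell padding
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }'
}

# wait_for_vm_ip VM [TIMEOUT_SECONDS]
# Polls `anka show VM network` every 2 s and prints the IP once the
# internal DHCP server has assigned one; returns 1 on timeout, which the
# docs attribute to networking still starting or a host firewall/policy.
wait_for_vm_ip() {
  vm=$1; timeout=${2:-60}; elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    ip=$(anka_field "$(anka show "$vm" network 2>/dev/null)" ip)
    if [ -n "$ip" ]; then
      printf '%s\n' "$ip"
      return 0
    fi
    sleep 2
    elapsed=$((elapsed + 2))
  done
  echo "no IP for $vm after ${timeout}s: networking is still starting or blocked by a host firewall/policy" >&2
  return 1
}

# Usage on a host with Anka installed, e.g. before an ssh step in CI:
#   VM_IP=$(wait_for_vm_ip 12.6 90) && ssh "user@$VM_IP" true
```

`anka_field` keys on the label column rather than on row position, so it keeps working whether or not the `ip` and `mac` rows are present.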

Types of networking available

These are set using anka modify. Please review the previous section to understand how modifying a VM works.
Type and description:

shared: The default network type, operating as NAT + DHCP. After each start/resume, every VM gets an IP address assigned by the internal DHCP server from the range 192.168.64.2 - 192.168.64.254. Programs inside a VM can access external networks (outside the host) and the internet directly, and other VMs on the host are reachable as well. This mode typically works with multiple interfaces on the host.

host: Very similar to shared, but the VM gets its IP address from the range 192.168.128.2 - 192.168.128.254 and can't access external networks outside of the host.

bridge: The bridged type causes the VM to appear on the network as an individual device and receive a unique IP separate from the host.

  An ENV is available to set the interface name: `ANKA_BRIDGE_NAME=en0`

  When using bridge mode, port-forwarding is not necessary, as the VM receives a unique IP that is directly reachable by all other devices on the network.

  By default, DHCP will not see your VM's MAC address. You'll need to enable `--mac` for the network card: `anka modify VmName --type bridge --mac {MAC HERE}`

disconnected: The VM will have a disconnected network cable.

nat: Experimental network mode for Apple Silicon/ARM, allowing at a minimum 2x the speed compared to the shared mode. Does not support VM to Host isolation or ARP Spoofing prevention.

If anka show does not display an IP, either:

  1. Networking has not fully started (give it a few more seconds), or
  2. Networking cannot start because of a host firewall or policy.

Within the VM, you can find the IP assigned to the host, which can be used to ssh or transfer files out. To determine which IP is assigned to the host, run ipconfig getoption en0 server_identifier inside the VM (typically 192.168.64.1 for shared network mode and 192.168.128.1 for host network mode).

MAC Addresses

Anka will dynamically assign MAC addresses to your VM. You can assign custom MAC Addresses with the anka modify network --mac option.

Be aware that if you clone your VM Template with a specific MAC, both VMs cannot run at the same time.
You must use a static MAC for each VM running on the machine; you cannot mix dynamically assigned and statically assigned MACs.
When using bridged networking mode, dynamic MAC addresses are not guaranteed to be unique, though reuse or collision is extremely unlikely; our randomization logic does its best to prevent it.
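Because a host must use static MACs for every running VM once any VM has one, and a cloned template must not reuse its source's MAC, it helps to script the choice. The following is an added example, not part of the Anka documentation: it generates a candidate MAC, validates it, and checks it against a constructed list of addresses already assigned to other templates before the value is passed to `anka modify <vm> network --mac`. Requiring the locally-administered bit is this example's own choice (an assumption, not an Anka requirement), so a hand-picked address cannot clash with a vendor-assigned hardware address on a bridged LAN.

```shell
#!/bin/sh
# Added example (not from the Anka documentation): pick a static MAC for a
# VM template that is well-formed, locally administered and not already
# used by another template on the host, before handing it to
#   anka modify <vm> network --mac <mac>
# The locally-administered requirement is this example's own choice.

# Constructed list of MACs already assigned to other templates on this host.
ASSIGNED_MACS='ae:86:1c:97:a5:8a
02:1a:2b:3c:4d:5e'

# mac_is_valid MAC
# Returns 0 when MAC is six colon-separated hex pairs, unicast (bit 0 of the
# first octet clear) and locally administered (bit 1 of the first octet set).
mac_is_valid() {
  mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
  first=$((0x${mac%%:*}))
  [ $((first & 1)) -eq 0 ] && [ $((first & 2)) -ne 0 ]
}

# mac_in_use MAC LIST
# Returns 0 when MAC appears (case-insensitively) in the newline-separated LIST.
mac_in_use() {
  printf '%s\n' "$2" | tr 'A-F' 'a-f' | grep -qx "$(printf '%s' "$1" | tr 'A-F' 'a-f')"
}

# random_local_mac
# Prints a random MAC with the locally-administered bit set and the
# multicast bit cleared (first octet masked with 0xfc, then ORed with 0x02).
random_local_mac() {
  set -- $(od -An -N6 -tu1 /dev/urandom)
  printf '%02x:%02x:%02x:%02x:%02x:%02x\n' $(( ($1 & 252) | 2 )) "$2" "$3" "$4" "$5" "$6"
}

# pick_unique_mac LIST
# Prints a random locally-administered MAC not present in LIST; gives up
# after ten collisions in a row, which in practice never happens.
pick_unique_mac() {
  tries=0
  while [ "$tries" -lt 10 ]; do
    candidate=$(random_local_mac)
    if ! mac_in_use "$candidate" "$1"; then
      printf '%s\n' "$candidate"
      return 0
    fi
    tries=$((tries + 1))
  done
  echo "could not find an unused MAC" >&2
  return 1
}

# Usage on a host with Anka installed (template name is a placeholder):
#   NEW_MAC=$(pick_unique_mac "$ASSIGNED_MACS") && anka modify 12.6 network --mac "$NEW_MAC"
```

In a real deployment the list fed to `pick_unique_mac` would be collected from the `mac` row of `anka show <vm> network` for every template on the host, so the check covers both cloned templates and hand-assigned addresses.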

Default NAT Subnet

VMs are created using the default NAT subnet which can be found with sudo defaults read /Library/Preferences/SystemConfiguration/com.apple.vmnet.plist Shared_Net_Address.

To change this, you can use sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.vmnet.plist Shared_Net_Address -string 192.168.80.1. Changing the Shared_Net_Mask is also available with the same modification to the plist.

DHCP Lease Time

macOS sets the DHCP lease time to 86,400 seconds (one day) by default. Anka reuses these leases, so you will not run out of addresses after ~253 VMs in a day. From our testing, Anka's VM networking is much more stable because of this, and is not subject to the sudden network reconnections and failed tests that occur when leases expire. You can check which leases are currently held with cat /var/db/dhcpd_leases.


Security

We find that many users are interested in VM to VM isolation, VM to Host isolation, and ARP Spoofing prevention. Most macOS virtualization tools on the market do not support network security outside of the defaults Apple provides. We’ve included features to protect from all three in Anka for both Intel and ARM/Silicon.

IP Filtering

Starting in Anka 3.3, users can apply VM/Template-specific network traffic filtering which mimics the behavior of ipf.conf.

This is only available for shared networking.

Filter rules are evaluated in order from top to bottom, and the first matching rule determines how the packet is treated. For example, with the following rules, block any matches first, so all traffic is blocked and the pass rule is never reached:

block any
pass out from all

Examples of rules you can set on a VM:

block out to 1.1.1.1 from any
block out to 1.1.1.1 port 53
block in to port 22
block out from port 68 to port 67
block in from any port 67 to any port 68
block any from port 67 to port 68
block any
block local

You can apply rules in several ways:

  1. Globally for all VMs that run on the host by setting the path to the rules file: anka config net_filter /Users/myUser/vm-filter-rules. This will be ignored if the VM Template has filter rules applied already.

  2. With a dynamic file from the host, set in the specific VM template, which is then applied at VM start time. This allows you to create rules specific to a VM + Host.

    ❯ cd ~; cat << EOF > ./rules
    pass in from 10.20.30.40
    pass out to 10.20.30.40
    block any
    EOF
    
    ❯ anka modify 13.3.1 network --filter rules
    
    ❯ anka show 13.3.1 network -f
    pass in from 10.20.30.40
    pass out to 10.20.30.40
    block any
    
    ❯ cat ~/Library/Application\ Support/Veertu/Anka/vm_lib/c12ccfa5-8757-411e-9505-128190e9854e/config.yaml | grep net
    network_cards:
      controller: virtio-net
      net_filter: /Users/nathanpierce/rules
    
  3. Embedding the rules inside of the VM's config, without requiring a file on the host. This is useful to avoid having to ensure the rules file exists on each host.

    ❯ cd ~; cat << EOF > ./rules
    block in from any port 22
    block local
    EOF
    
    ❯ anka modify 13.3.1 network -f- < rules
    
    ❯ anka show 13.3.1 network -f
    block in from any port 22
    block local
    
    ❯ cat ~/Library/Application\ Support/Veertu/Anka/vm_lib/c12ccfa5-8757-411e-9505-128190e9854e/net_filter
    block in from any port 22
    block local%
    
  4. You can also apply a single rule using echo "block any" | anka modify 13.3.1 network -f-.

Applying new rules replaces all previously set rules.
You can disable the rules with anka modify 13.3.1 network --filter off.

VM to VM isolation

This requires using IP Filtering features available for shared networking mode. To prevent VM to VM communication, you will use block local.

VM to Host isolation

This requires using IP Filtering features available for shared networking mode. To prevent VM to Host communication, you will use block local.
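Since the first matching rule wins, a rules file that puts block any before its pass rules silently turns into "block everything", and block local only isolates the VM when it is reachable before the catch-all. The script below is an added example, not part of the Anka documentation, covering both the IP Filtering section and the VM to VM / VM to Host isolation sections: it builds a rules file that allows only one CI controller (10.20.30.40, the address used in the docs' own example, serving as a placeholder), isolates the VM from the host and from other VMs with block local, lints the file for rules left unreachable behind a block any, and only then pipes it into `anka modify <vm> network -f-`. The helper names and the lint itself are this example's own.

```shell
#!/bin/sh
# Added example (not from the Anka documentation): write a per-VM filter
# rules file that admits one CI controller and otherwise isolates the VM,
# lint it for first-match pitfalls, and apply it with
#   anka modify <vm> network -f- < file

# Rules in the intended order (constructed for this example).
# 10.20.30.40 stands in for the CI controller that must reach the VM.
RULES_OK='pass in from 10.20.30.40
pass out to 10.20.30.40
block local
block any'

# Same intent but misordered: the catch-all comes first, so under
# first-match evaluation the pass rules and block local never apply.
RULES_BAD='block any
pass in from 10.20.30.40
pass out to 10.20.30.40
block local'

# lint_rules RULES_TEXT
# Prints every non-blank rule that appears after a bare "block any"
# (unreachable, because block any matches every packet) and returns 1 if
# any were found, 0 otherwise.
lint_rules() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*$/ { next }                                        # skip blank lines
    dead { printf "unreachable rule %d: %s\n", NR, $0; bad = 1; next }
    $1 == "block" && $2 == "any" && NF == 2 { dead = 1 }     # bare catch-all
    END { exit bad ? 1 : 0 }'
}

# apply_rules VM RULES_TEXT
# Refuses to push a rule set with unreachable entries; otherwise embeds it
# in the template via stdin (option 3 in the docs), so no file is needed on
# the host at VM start time.
apply_rules() {
  vm=$1; rules=$2
  if ! lint_rules "$rules" >&2; then
    echo "refusing to apply rules with unreachable entries to $vm" >&2
    return 1
  fi
  printf '%s\n' "$rules" | anka modify "$vm" network -f-
}

# Usage on a host with Anka installed (template name is a placeholder):
#   apply_rules 13.3.1 "$RULES_OK"
```

Run `anka show <vm> network -f` afterwards to confirm the embedded rules match what was sent; remember that each apply replaces the whole previous rule set.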

ARP Spoofing Prevention

ARP Spoofing is prevented by default for all networking modes except for nat.

ARP isolation is not enforced, however: you can run sudo arp -a, for example, and see the other VMs running on the host together with their MAC and IP. You can prevent this with network --no-local, but keep in mind that this also disables VM to Host and VM to VM communication.

FAQs

  • Should your Firewall software be blocking VM networking, you need to whitelist the /Library/Application\ Support/Veertu/Anka/bin/headless.app (3.x), /Library/Application\ Support/Veertu/Anka/bin/ankahv.app, and /Applications/Anka.app.

What’s next?