Differences between bridged and NAT networking

  • kycklysf

    I don't fully understand the differences between NAT and a bridged connection over an virtual machine. As far as I've found, machines which are on the same network with our host machine can access our virtual machine if we make a bridged connection.

    Well, on the internet, people write that both NAT and bridged virtual machines can have IP address like a host machine but if it is NAT, machines which are on the same network can NOT access our vm but if it is bridged, then they can.

    If both NAT and bridged connections can have different IP addresses, then why can't I access a NAT'd address while I can access a bridged address?

    Note: stating that NAT connections are protected is insufficient; I want to know how that is.

  • Answers
  • Jeff Ferland

    How NAT works in a nutshell

    An external address, usually routable, is the "outside" of the NAT. The machines behind the NAT have an "inside" address that is usually non-routable. When a connection is made between an inside address and an outside address, the NAT system in the middle creates a forwarding table entry consisting of (outside_ip, outside_port, nat_host_ip, nat_host_port, inside_ip, inside_port). Any packet matching the first four parts gets its destination re-written to the last two parts.

    If a packet is received that doesn't match an entry in the NAT table, then there is no way for the NAT box to know where to forward it unless a forwarding rule was manually defined. That's why, by default, a machine behind a NAT device is "protected".


    Bridged mode acts just like the interface you're bridging with is now a switch and the VM is plugged into a port on it. Everything acts the same as if it were another regular machine attached to that network.

  • Lucas Kauffman

    With NAT the IPs of the virtual machines and the network your host is connecting to are separated. Meaning your VMs are on a different subnet. You can access the network because your host is doing Network Address Translation (if you don't know what that is What is strict, moderate and open NAT? ). The IP is assigned by a DHCP running on the host

    With a bridged interface your virtual machines are directly connected to the network the network interface they are using is connected to. This means in your case that they will be directly connected to the network your host connects to, getting IP addresses from the DHCP server running on the network (which probably also gives your host its IP).

    Now why can't you access these machines:

    Because you would need to enable portforwarding on the NAT segment. The NAT translates your virtual machines IPs to a single IP. Incomming connections have to be routed with portforwarding as the host cannot know for what virtual machine the connection is meant.

    While NAT can provide some protection it's not a firewall, for the same reason as above( when using NAT, inbound hosts can't connect unless portforwarding is enabled). However NAT is NOT SECURITY (http://blog.ioshints.info/2011/12/is-nat-security-feature.html).

    NAT has some side effects that resemble security mechanisms commonly used at the network edge. That does NOT make it a security feature, more so as there are so many variants of NAT.

  • Chris S

    Bridged connections are just that, essentially a virtual switch is connected between the VM and your physical network connection.

    NAT'd connections are also just that, instead of a switch a NAT router is between the VM and your physical network connection.

  • jamieb

    With a NAT connection, the host computer (your primary, physical machine) is acting like a router/firewall. The VM piggybacks off the network interface of the host and all packets to/from the VM are routed through it. Since the host computer actually sees IP packets and TCP datagrams, it can filter or otherwise affect the traffic.

    When the VM is using bridged mode, it's connecting to the network via the host at a lower level (Layer 2 of the OSI model). The host machine still sees the traffic, but only at the Ethernet frame level. So it's unable see where traffic is coming from/going to or what kind of data is contained in that traffic.

  • Related Question

    VMWare networking mode (NAT or Bridged)?
  • webworm

    I am running Windows 7 within a virtual Machine from my Mac. I use Windows 7 for Visual Studio primarily and also to host a dev install of IIS. There are two things I need and I am not sure what networking mode is needed ...

    1. I need to be able to reach the IIS server (running on the VM) via HTTP from the Mac.
    2. The web browsers on the virtual machine need to be able to access the internet.

      Any suggestions? Thanks.

  • Related Answers
  • lynxman

    For your requirements the NAT mode should work for you, just as a reminder.

    • NAT Mode : Your host computer (the Mac) will act as a gateway to the network for your virtual machines, nobody on your network (apart from the Mac) will be able to see them since they're sitting in a separate network

    • Bridged Mode : Your host computer (the Mac) will share its network connection with the virtual machines, they'll be sitting as if they were another computer on your network, everyone on the network will see them and be able to interact with them.

    Both options will give you internet access if your host computer has Internet access.

  • Cody Harlow

    You want bridged. Bridged will give it an IP from your network. So it will give you are 192.168.1.whatever number.

  • Polecat

    Not VMWare, I use Virtualbox and I just setup the guest with two NICs. One for NAT, for accessing the internet. The other with Host-Only network, allowing me to access the IIS Server on the guest.