VMWare - How do I configure Host Only Network with a custom Gateway? - vmware

I'll make this quick.
I have created a virtual network by setting several VMs to use HostOnly VMnet1 as their network adapter.
I then added a pfsense virtual machine firewall into that same network and configured it to allow traffic to the internet but block to/from my real home network.
That way - my virtual network can connect to the internet even though it is in host only mode.
The thing is, I need to manually set the DNS and Gateway of each machine in VMNet1 to the VM firewall to allow them to communicate since all communications must flow through it.
I was trying to figure out if I can do this automatically. When I go into Virtual Network settings in VMWare Workstation 16, the only options I can set are the subnet and available IP Scope. There is no option for default gateway or DNS here. Can this be done?

Do you have the ability to run a DHCP server on the PFSense firewall which is connected to the VMNetwork? If so, both Windows and Linux VMs that have their NICs set to DHCP would get the IP, DNS and GW from the DHCP.

Related

expose virtualbox vm to network

I have set up several ubuntu VMs using virtualbox. Right now I'm using network type as NAT and have access to it from the host machine, but what are the network changes that are needed to access these VMs through putty from other machines that are connected to the same network (wifi)?
Figured it out myself. First, turn off the VM.
- enable two network adapters
- 1) host only - to connect between host and guest machines
- 2) Bridged network - to expose the vm to the network and assign ip address for each vm through dhcp
Note: In my case I used the vagrant tool to spin up my VMs, hence assigned a fixed private IP to each VM by enabling host-only. I could do a headless start and then log in to the VMs through putty (using the fixed private IP) and get the dynamic bridged network IP.

Google cloud virtual instance cannot ping my Mac (checked firewalls)

I have a virtual machine instance running on Google Cloud Compute Engine — a preemptible free-tier CPU running Ubuntu 17.04. The end goal is to connect it to a MongoDB running on my local machine, a 2015 Macbook Pro (OS 10.12.6). But first, I've been trying to ensure the VM can reach my Mac via ping.
Running ping <VM's external IP> from my Mac works.
pinging my Mac from another Mac on the same wifi network works.
Running ping <Mac's IP> from the VM via the browser terminal does not work.
I've disabled my Mac's firewall. I've also configured my VM's firewall rules to allow all inbound and outbound traffic, to no avail:
(screenshots: ingress firewall rules, egress firewall rules)
How might I get this instance to ping my Mac successfully?
Does your Mac's IP address begin with 10., 192.168., or between 172.16. and 172.32.? These are private addresses only reachable within your Mac's local network, which is (part of) why GCE cannot reach your VM.
This is part of a very common configuration. An ISP only allocates one (or a small number) of IP addresses to your home or business. A router on the network performs NAT to share that IP address between computers on the local network, which instead use private IP addresses for themselves. As the router doesn't know what to do with the inbound MongoDB traffic, it blocks it.
There are two common ways around this that are usually found in your router settings:
"port forwarding" where you tell the traffic to forward all traffic on port 1234 to your Mac. This can get MongoDB working, but not ping.
If you have whole extra IP addresses, "DMZ" where your router directly forwards an entire extra IP to your instance. If you have only one IP address this is not an option as that IP is needed to be shared for other devices on the Wifi.
You likely also have a firewall on the router. If you use a DMZ or port-forwarding you must make sure that firewall allows traffic through too.
That said, I'm not sure that this is a sensible thing to do. Opening up your local network to the internet can create major security issues, plus it is likely unreliable and more expensive (free tier only provides 1GB egress/month, your db traffic could exceed this).
Actually running MongoDB on instances within GCE is almost certainly a better option in every regard for you.

Second management interface/NIC/IP for ESXi 6.5

We have 3 ESXi servers that each have their public IP for manageability, however for the backups we need the servers to have an internal IP on a different NIC.
However, when we've added a new VMKernel network, the original (public IP) network won't connect anymore, resulting in the server being only reachable via the newly added LAN network.
Is there a solution we can use so the servers are reachable on both NICs/IPs ?
The 3 servers have this network configuration:
Interface 1: Dell iDRAC
Interface 2: VMWare public management network (public)
Interface 3: VMWare private management network (10.0.0.1/24)
Interface 4-5: Double redundant uplink
Interface 6-7: LAN network trunked
You may use the same switch (with 2 uplinks and explicit LBFO settings for different port groups) or two different switches each using its own uplink - one for external and another for internal management network.
I think you can keep external management network setup as it is now (same vSwitch, same management port group, the same vmk0 adapter in default TCP/IP stack). This vmk0 adapter may have IP configuration like this:
IP: 192.168.5.5/24
GW: 192.168.5.1 - it may be defined for default TCP/IP stack or on vmk0 itself
For internal management network, just create another vSwitch, new management port group and new vmk1 adapter. Imagine you want to use internal management network like this:
IP: 10.5.5.5/24
GW: 10.5.5.1
Because we cannot have 2 gateways in default TCP/IP stack, you can define gateway directly on vmk1 (this is supported in ESXi 6.5):
esxcli network ip interface ipv4 set -g 10.5.5.1 -i vmk1 -t static -I 10.5.5.5 -N 255.255.255.0
Once you do this, I think both internal and external management networks should work for you. There may be some edge cases with routing where this scheme may not work, but I think for your use-case it should be fine.
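The full esxcli sequence the answer describes, as an added example that is not part of the answer: new vSwitch, port group and vmk1 with the gateway set on the adapter itself rather than on the default TCP/IP stack. The vSwitch, uplink and port group names, and the DRY_RUN switch, are assumptions; the addresses are the answer's.

```shell
#!/bin/sh
# Added example, not part of the answer above: the whole esxcli sequence the
# answer describes, from the new vSwitch to the gateway set on vmk1 itself.
# Assumptions: vSwitch1, uplink vmnic2, port group name and the DRY_RUN switch;
# the addresses are the answer's.
set -eu

INT_VSWITCH="vSwitch1"     # assumed: second vSwitch for internal management
INT_UPLINK="vmnic2"        # assumed: physical NIC on the 10.5.5.0/24 LAN
INT_PG="Mgmt-Internal"     # assumed: port group name
INT_VMK="vmk1"
INT_IP="10.5.5.5"
INT_MASK="255.255.255.0"
INT_GW="10.5.5.1"

# run: print the command when DRY_RUN=1, otherwise execute it on the host.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Build the second management path. The gateway goes on vmk1 (-g) rather
# than on the default TCP/IP stack, so traffic on vmk1 uses 10.5.5.1 while
# vmk0 keeps 192.168.5.1 as the host's single default gateway.
add_internal_mgmt() {
    run esxcli network vswitch standard add -v "$INT_VSWITCH"
    run esxcli network vswitch standard uplink add -v "$INT_VSWITCH" -u "$INT_UPLINK"
    run esxcli network vswitch standard portgroup add -v "$INT_VSWITCH" -p "$INT_PG"
    run esxcli network ip interface add -i "$INT_VMK" -p "$INT_PG"
    run esxcli network ip interface ipv4 set -i "$INT_VMK" -t static \
        -I "$INT_IP" -N "$INT_MASK" -g "$INT_GW"
    # Tag vmk1 for management so the host's management agents answer on it.
    run esxcli network ip interface tag add -i "$INT_VMK" -t Management
}

# Read back the result: vmk1 should list its own gateway, vmk0 its old one.
show_state() {
    run esxcli network ip interface ipv4 get
    run esxcli network ip route ipv4 list
}

# Run only when invoked as "sh script.sh apply", so the functions can be
# checked with DRY_RUN=1 first and the host is not touched by accident.
if [ "${1:-}" = "apply" ]; then
    add_internal_mgmt
    show_state
fi
```

Run it once with DRY_RUN=1 to review the commands before applying them on a host.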
In general there is not a problem with having two or more management interfaces. You should give us some more information about the network configuration. Did you change the default gateway in the host configuration? Remember that you may have only one default gateway, and if you have changed it to the correct one for the LAN, then packets arriving on the public interface do not know how to return.
If this is the problem you should set default gateway properly for public interface. But you also need to connect from LAN. If machines in LAN are in the same network segment - it should just work. If machines are in other LAN - add entry to routing table, like described here: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2001426

pfsense: Can't access web console when using virtualbox

I've installed pfsense 2.3 x64 in virtualbox with 2 adapters; one is bridged to my wifi adapter (adsl modem) (WAN) and the other one is set as 'Internal network' ('intnet') (LAN).
The problem is that although pfsense can automatically detect DHCP over the first adapter and get an IP, my system (the host) cannot ping the pfsense server (pfsense can ping both the adsl modem gateway and the host).
Note1: Disabling the antivirus and firewall (kaspersky internet security 2016) has no effect.
Note2: I know that this setup works because I use the exact same network configurations for a Kerio Control server (v9.0.2, installed in virtualbox)
Note3: If I constantly ping pfsense server in my host (ping 192.168.1.102 -t) and at the same time restart pfsense server, during the booting phase of pfsense I can get two pings!
After contacting the pfsense official forum, it turned out that the WAN interface blocks everything by default. Therefore, either a rule should be defined to allow WAN to accept traffic or access server from LAN side.
I figured this out without having to go through the WAN interface, answer is on the pfsense forum
Configure host-only network "vboxnet1" (or any of the other host-only networks if you're already using vboxnet1 for other VMs) with the following:
192.168.1.77 (or whatever IP you want your host to appear as on the network)
255.255.255.0
DHCP Disabled
Then make sure that the LAN adapter on your pfSense VM is a "Host-only Adapter" and that it's using "vboxnet1" (or whatever network you configured above)
Reboot/re-install and http://192.168.1.1 should work now
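The same steps as VBoxManage commands, as an added example that is not part of the answer, with a check that the host-only subnet does not collide with the WAN side. The VM name "pfSense", adapter slot 2 for LAN and the DRY_RUN switch are assumptions; vboxnet1 and 192.168.1.77/24 are the answer's values, and 192.168.1.102 is the WAN address the question pings.

```shell
#!/bin/sh
# Added example, not part of the answer above: VBoxManage equivalent of the
# GUI steps plus an overlap check. Assumptions: VM name "pfSense", adapter
# slot 2 for LAN, the DRY_RUN switch; vboxnet1 and 192.168.1.77/24 are the
# answer's values, 192.168.1.102 is the WAN address from the question.
set -eu

VM_NAME="pfSense"           # assumed VM name
HOSTONLY_IF="vboxnet1"      # host-only network for the pfSense LAN side
HOST_IP="192.168.1.77"      # address the host gets on that network
HOST_MASK="255.255.255.0"
WAN_IP="192.168.1.102"      # pfSense's WAN address from the question's ping

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

ip2int() {  # dotted quad -> integer, for subnet arithmetic in plain sh
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 MASK: true when both addresses share the masked prefix.
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & $m )) -eq $(( $(ip2int "$2") & $m )) ]
}

# Host-only interface: static host address and no VirtualBox DHCP, because
# pfSense's own LAN DHCP server hands out the 192.168.1.0/24 addresses.
# (If vboxnet1 does not exist yet, "VBoxManage hostonlyif create" adds one.)
configure_hostonly() {
    run VBoxManage hostonlyif ipconfig "$HOSTONLY_IF" --ip "$HOST_IP" --netmask "$HOST_MASK"
    run VBoxManage dhcpserver modify --ifname "$HOSTONLY_IF" --disable
}

# Attach the pfSense LAN adapter (slot 2; slot 1 stays bridged as WAN).
attach_lan() {
    run VBoxManage modifyvm "$VM_NAME" --nic2 hostonly --hostonlyadapter2 "$HOSTONLY_IF"
}

if [ "${1:-}" = "apply" ]; then
    # Two host interfaces in one /24 make the host's routing ambiguous, so the
    # answer's 192.168.1.x host-only network only works if the WAN side differs.
    if same_subnet "$HOST_IP" "$WAN_IP" "$HOST_MASK"; then
        echo "host-only $HOST_IP/24 overlaps the WAN subnet of $WAN_IP; pick another" >&2
        exit 1
    fi
    configure_hostonly
    attach_lan
fi
```

With the question's WAN address the check fails on purpose: the host-only network and pfSense's LAN address must then be moved to a subnet the adsl modem does not use, and the webGUI URL changes accordingly.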

ftp access from AWS VPC private subnet behind a NAT instance

I have created a VPC with public and private subnets on AWS. All app servers are in private subnets and all outbound requests have to be through an internet-facing NAT instance.
At the moment, our project requires the app servers to access a ftp server provided by a service provider.
I have tried several ways to manage that, but with no luck. What I have done was to open a port range, let's say (40000 - 60000) on both NAT and APP security groups, also standard ftp ports 20 - 21 as well.
The user authentication can be passed, but I could not list contents from app servers.
I am able to access the ftp server from NAT, no problem at all.
So what should I do to make it work?
#JohnRotenstein is absolutely correct that you should use Passive FTP if you can. If, like me, you're stuck with a client who insists that you use Active FTP because their FTP site that they want you to connect to has been running since 1990 and changing it now is completely unreasonable, then read on.
AWS's NAT servers don't support a machine in a private subnet connecting using Active FTP. Full stop. If you ask me, it's a bug, but if you ask AWS support they say it's an unsupported feature.
The solution we finally came up with (and it works) is to:
Add an Elastic Network Interface (ENI) in a public subnet on to your EC2 instance in the private subnet
So now your EC2 instance has 2 network adapters, 2 internal IPs, etc.
Let's call this new ENI your "public ENI"
Attach a dedicated elastic IP to your new public ENI
Let's assume you get 54.54.54.54 and the new public ENI's internal IP address is 10.1.1.10
Add a route in your operating system's networking configuration to only use the new public ENI
In windows, the command will look like this, assuming the evil active ftp server you're trying to connect to is at 8.1.1.1:
route add 8.1.1.1 mask 255.255.255.255 10.1.1.1 metric 2
This adds a route for all traffic to the FTP server at 8.1.1.1 using subnet mask 255.255.255.255 (i.e. this IP and only this IP) should go to the internet gateway 10.1.1.1 using ethernet adapter 2 (your second NIC)
Fed up yet? Yeah, me too, but now comes the hard part. The OS doesn't know its public IP address for the public ENI. So you need to teach your FTP client to send the PORT command with the public IP. For example if using CURL, use the --ftp-port command like so:
curl -v --ftp-port 54.54.54.54 ftp://8.1.1.1 --user myusername:mypass
And voila! You can now connect to a nightmare active FTP site from an EC2 machine that is (almost entirely) in a private subnet.
Try using Passive (PASV) mode on FTP.
From Slacksite: Active FTP vs. Passive FTP, a Definitive Explanation:
In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.
Thus, the traffic is trying to communicate on an additional port that is not passed through the NAT. Passive mode, instead, creates an outbound connection, which will then be permitted through the NAT
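The two data-channel handshakes described in the Slacksite quote, and the PORT argument that curl --ftp-port builds from the elastic IP in the answer above, as an added example that is not part of either answer. The addresses are the AWS answer's; the port numbers and the 227 reply are constructed.

```shell
#!/bin/sh
# Added example, not part of either answer above: the two FTP data-channel
# handshakes the Slacksite quote describes, in plain sh. port_cmd builds the
# PORT argument a client sends in active mode (what curl --ftp-port does with
# the public EIP); pasv_target decodes the server's 227 reply in passive mode.
# The addresses are the AWS answer's; the port numbers are constructed.
set -eu

# port_cmd IP PORT -> "PORT h1,h2,h3,h4,p1,p2" (RFC 959 host-port encoding).
port_cmd() {
    printf 'PORT %s,%d,%d\n' "$(printf '%s' "$1" | tr '.' ',')" \
        $(( $2 / 256 )) $(( $2 % 256 ))
}

# pasv_target "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -> "ip port"
pasv_target() {
    set -- $(printf '%s' "$1" | sed 's/.*(\([0-9,]*\)).*/\1/' | tr ',' ' ')
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# data_conn MODE CLIENT_IP SERVER_IP -> who opens the data connection. Behind
# the NAT only the client-initiated (passive) direction is passed through.
data_conn() {
    case "$1" in
        active)  echo "server $3 connects to client $2: inbound, not passed through the NAT" ;;
        passive) echo "client $2 connects to server $3: outbound, permitted through the NAT" ;;
        *) echo "unknown mode $1" >&2; return 1 ;;
    esac
}

# Constructed walk-through of the AWS case. The instance's own address is
# 10.1.1.10; announcing it in PORT is useless to a server at 8.1.1.1, which is
# why the answer passes the elastic IP 54.54.54.54 via --ftp-port.
demo() {
    echo "control port 21, client listens on N+1 = 50001"
    echo "wrong: $(port_cmd 10.1.1.10 50001)   (private address, unreachable)"
    echo "right: $(port_cmd 54.54.54.54 50001) (public EIP on the public ENI)"
    data_conn active 54.54.54.54 8.1.1.1
    echo "passive instead: $(pasv_target '227 Entering Passive Mode (8,1,1,1,195,81).')"
    data_conn passive 10.1.1.10 8.1.1.1
}

if [ "${1:-}" = "demo" ]; then demo; fi
```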