I have a virtual machine instance running on Google Cloud Compute Engine — a preemptible free-tier CPU running Ubuntu 17.04. The end goal is to connect it to a MongoDB running on my local machine, a 2015 Macbook Pro (OS 10.12.6). But first, I've been trying to ensure the VM can reach my Mac via ping.
Running ping <VM's external IP> from my Mac works.
pinging my Mac from another Mac on the same wifi network works.
Running ping <Mac's IP> from the VM via the browser terminal does not work.
I've disabled my Mac's firewall. I've also configured my VM's firewall rules to allow all inbound and outbound traffic, to no avail:
ingress firewall rules, egress firewall rules
How might I get this instance to ping my Mac successfully?
Does your Mac's IP address begin with 10., 192.168., or between 172.16. and 172.32.? These are private addresses only reachable within your Mac's local network, which is (part of) why GCE cannot reach your VM.
This is part of a very common configuration. An ISP only allocates one (or a small number) of IP addresses to your home or business. A router on the network performs NAT to share that IP addess between computers on the local network, which instead use private IP addresses for themselves. As the router doesn't know what to do with the inbound MongoDB traffic, it blocks it.
There are two common ways around this that are usually found in your router settings:
"port forwarding" where you tell the traffic to forward all traffic on port 1234 to your Mac. This can get MongoDB working, but not ping.
If you have whole extra IP addresses, "DMZ" where your router directly forwards an entire extra IP to your instance. If you have only one IP address this is not an option as that IP is needed to be shared for other devices on the Wifi.
You likely also have a firewall on the router. If you use a DMZ or port-forwarding you must make sure that firewall allows traffic through too.
That said, I'm not sure that this is a sensible thing to do. Opening up your local network to the internet can create major security issues, plus it is likely unreliable more expensive (free tier only provides 1GB egress/month, your db traffic could exceed this).
Actually running MongoDB on instances within GCE is almost certainly a better option in every regard for you.
Related
I'll make this quick.
I have created a virtual network by setting several VMs to use HostOnly VMnet1 as their network adapter.
I then added a pfsense virtual machine firewall into that same network and configured it to allow traffic to the internet but block to/from my real home network.
That way - my virtual network can connect to the internet even though it is in host only mode.
The thing is, I need to manually set the DNS and Gateway of each machine in VMNet1 to the VM firewall to allow them to communicate since all communications must flow through it.
I was trying to figure out if I can do this automatically. When I go into Virtual Network settings in VMWare Workstation 16, the only options I can set are the subnet and available IP Scope. There is no option for default gateway or DNS here. Can this be done?
Do you have the ability to run a DHCP server on the PFSense firewall which is connected to the VMNetwork? If so, either Windows and Linux VMs that have their NICs set to DHCP, would get the IP, DNS and GW from the DHCP.
In last few days my Google VM is continuously being compromised, I have received warning and faced suspension of VM by Google saying "cryptocurrency mining activities was found on VM". I suspect someone has hacked my VM and doing this activity. So, now I want to create a new VM with secure SSH firewall such that only limited computers can access the VM.
I have tried setting the IP of my office routers on firewall ssh allow rule, but after setting this rule also SSH connection to VM do get established from other IP addresses. I just want to specify two IPs in firewall rule but it expects IP ranges in CIDR format (with which I am not clear).
I have also found some suggestions that I should change the ssh port of the VM.
Can anybody please explain how can I restrict the access to my Google VM to only a specific set of computers when this computers are connected to a router and external IP is same for all i.e. of router?
Thanks
I understand you want to create a new VM with secure firewall SSH and want to restrict and allow access from particular IP addresses of your office router.
To do that you can create firewall rules as explained here 1. To manage the access for a specific instance, I recommend you to use Network Tags for firewall rules 2.
Going back to your concern, that SSH connection to VM do get established from other IP addresses even when you create the firewall rule for the specific IP address. The reason for that might be due to this:
Every project you create in GCP comes with the default firewall rules.
So there might be one default-allow-ssh rule which you need to block, I guess that might be causing the issue. Note that the default network includes some additional rules that override this one, allowing certain types of incoming traffic. See the attached link[3][4] for more details.
[3]https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules
[4]https://cloud.google.com/vpc/docs/firewalls#more_rules_default_vpc
You can also add guest-level firewall rule using for example "iptables" to add another security level to your VM instance. However, GCP project-level firewall rule takes care of inspecting network traffic before it goes to your VM instances. Operating system Firewall blocks all internet traffic to any port 22.
In order to allow a specific address to be able to connect on your VM instance, you may add a CIDR of /32 on the "IP ranges" value of your "default-allow-ssh" GCP firewall rule. For example, 45.56.122.7/32 and 208.43.25.31/32.
I have set up several ubuntu VMs using virtualbox. Right now I'm using network type as NAT and have access to it from the host machine, but what are the network changes that are needed to access these VMs through putty from other machines that are connected to the same network(wifi) ?
figured it out myself, first turn off the VM.
- enable two network adapters
- 1) host only - to connect between host and guest machines
- 2) Bridged network - to expose the vm to the network and assign ip address for each vm through dhcp
note: In my case I used vagrant tool to spin up my VMs, hence assigned fixed private ip to each vm,by enabling host only..I could do a headless start and then log in to VMs through putty(using fixed private ip) and get the dynamic bridge network ip.
I just created a VM instance with a static IP address to install cpanel.
It turns out that cPanel has some problems with NAT. Also cPanel does not provide technical support for systems with NAT.
Now I want to disable/remove NAT in my VM instance. Otherwise I will never be able to use cPanel on it.
Is it possible?
Well, if by saying NAT you mean Network Address Translation, you can't remove it from your VM instance due to NAT is allocated in your router. You need instead to forward a port in your router to your VM's local port. If you're using cPanel, the standard port should be 2082. The reason to forward a port is to enable all incoming packages to be redirected from you router's external (global static or dynamic)IP to your VM's local IP, from router's port to local port. Try to check out your router settings and find port forwarding option there. Also try to google for web-server behind NAT.
First off, the base question: how to reliably achieve IP/DNS resolution on a mixed network (Linux, Windows, Mac OS), on a common private physical network using IPV4/6, to hosted VM'S that may or may not have VPN's active and DHCP - without an internal DNS.
My Setup:
I run a Windows 10 Host machine with a static IPV4 address, which powers multiple Windows 10, and Linux VM's. Some of the VM's access VPN's, which run IPV4/6 VPN networks. Presently I use a Mac OS computer to RDP to the host system, and I use the Virtual Box GUI to access the systems from there.
I have tried using RDP (Microsoft), to access the VMs independently from my Mac OS system, however this only works through the Local IPV4 address when the VPN is not active - or the IPV6 address with the limitations noted below.
I have also tried using the IPV6 address; and while this works some of the time, I have have mixed to unpredictable results with this on reboots/IP refreshes. The IPV6 Address changes periodically, and I have to log into the router to determine the new address and update RDP entries accordingly.
What I am trying to achieve:
Mac OS system Source system, and RDP to multiple Physical/Virtual machines on the network, while maintaining connectivity through VPN connections on the VMs - Without having to manually type in/keep up with IPV6 addresses.
My hardware is all consumer grade, with a Netgear router (R6400).
While currently I use a single NIC in the VM host, I do have multiple NIC's if that will correct the connectivity issues.
MS-Windows implements RFC-4941 and RFC-7721, for security considerations, that lead to IPv6 address changes (this should not be a problem if you had DNS updates, but this is not your situation).
To avoid IPv6 changes, just use the following 4 lines on your Windows hosts:
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
You should now get predictable results.