Second management interface/NIC/IP for ESXi 6.5 - vmware

We have 3 ESXi servers that each have their public IP for manageability; however, for the backups we need the servers to have an internal IP on a different NIC.
However, when we've added a new VMKernel network, the original (public IP) network won't connect anymore, resulting in the server being only reachable via the newly added LAN network.
Is there a solution we can use so the servers are reachable on both NICs/IPs?
The 3 servers have this network configuration:
Interface 1: Dell iDRAC
Interface 2: VMware public management network (public)
Interface 3: VMware private management network (10.0.0.1/24)
Interface 4-5: Double redundant uplink
Interface 6-7: LAN network trunked

You may use the same switch (with 2 uplinks and explicit LBFO settings for different port groups) or two different switches each using its own uplink - one for external and another for internal management network.
I think you can keep external management network setup as it is now (same vSwitch, same management port group, the same vmk0 adapter in default TCP/IP stack). This vmk0 adapter may have IP configuration like this:
IP: 192.168.5.5/24
GW: 192.168.5.1 - it may be defined for default TCP/IP stack or on vmk0 itself
For internal management network, just create another vSwitch, new management port group and new vmk1 adapter. Imagine you want to use internal management network like this:
IP: 10.5.5.5/24
GW: 10.5.5.1
Because we cannot have 2 gateways in default TCP/IP stack, you can define gateway directly on vmk1 (this is supported in ESXi 6.5):
esxcli network ip interface ipv4 set -g 10.5.5.1 -i vmk1 -t static -I 10.5.5.5 -N 255.255.255.0
Once you do this, I think both internal and external management networks should work for you. There may be some edge cases with routing where this scheme may not work, but I think for your use-case it should be fine.

In general there is no problem with having two or more management interfaces. You should give us some more information about the network configuration. Did you change the default gateway in the host configuration? Remember that you may have only one default gateway, and if you have changed it to be correct for the LAN, then packets that arrive via the public interface do not know how to return.
If this is the problem, you should set the default gateway properly for the public interface. But you also need to connect from the LAN. If the machines in the LAN are in the same network segment, it should just work. If the machines are in another LAN, add an entry to the routing table, as described here: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2001426
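As an added illustration of the routing problem both answers describe (this is not code from either answer or from VMware), the following Python model applies longest-prefix-match routing to a host with a public vmk0 and an internal vmk1, using the addresses from the first answer. The 10.0.0.0/8 route that represents "a gateway for the internal side" is an assumption of the model, standing in for the static route the second answer links to; the client addresses are constructed.

```python
"""Toy longest-prefix-match routing table for an ESXi host with two
management vmkernel interfaces. Constructed model; not esxcli output and
not a VMware API."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str]  # None = directly connected (on-link)


def lookup(table, dst):
    """Return the most specific route matching dst, or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def reply_path(table, client_ip, arrived_on):
    """Which interface the host answers a client on, and whether that is the
    interface the request arrived on. An asymmetric reply (request in on vmk1,
    answer out via vmk0's default gateway) is exactly what makes a management
    interface look 'unreachable' after a second vmk is added."""
    r = lookup(table, client_ip)
    if r is None:
        return {"egress": None, "gateway": None, "symmetric": False}
    return {"egress": r.interface, "gateway": r.gateway,
            "symmetric": r.interface == arrived_on}


def host_table(vmk1_gateway=None):
    """Routing table of the host from the first answer: one default gateway on
    vmk0. With vmk1_gateway set, the model adds a route sending the rest of
    the internal address space out via vmk1 (assumption: this stands in for
    the per-interface gateway / static route the answers talk about)."""
    table = [
        Route(ipaddress.IPv4Network("192.168.5.0/24"), "vmk0", None),       # public, on-link
        Route(ipaddress.IPv4Network("10.5.5.0/24"), "vmk1", None),          # internal, on-link
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "vmk0", "192.168.5.1"),   # the only default GW
    ]
    if vmk1_gateway:
        table.append(Route(ipaddress.IPv4Network("10.0.0.0/8"), "vmk1", vmk1_gateway))
    return table


if __name__ == "__main__":
    for gw in (None, "10.5.5.1"):
        t = host_table(gw)
        print("vmk1 gateway:", gw)
        print("  reply to 192.168.5.20 (public LAN):  ", reply_path(t, "192.168.5.20", "vmk0"))
        print("  reply to 10.5.6.7 (remote internal): ", reply_path(t, "10.5.6.7", "vmk1"))
```

Without the extra route, a backup client on a remote internal subnet (10.5.6.7, constructed) gets its reply sent out via vmk0 to the public gateway, which is the asymmetric path the second answer warns about; the on-link 10.5.5.0/24 clients were never affected because their route is more specific than the default.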

Related

VMware - How do I configure a Host Only Network with a custom Gateway?

I'll make this quick.
I have created a virtual network by setting several VMs to use HostOnly VMnet1 as their network adapter.
I then added a pfsense virtual machine firewall into that same network and configured it to allow traffic to the internet but block to/from my real home network.
That way - my virtual network can connect to the internet even though it is in host only mode.
The thing is, I need to manually set the DNS and Gateway of each machine in VMNet1 to the VM firewall to allow them to communicate since all communications must flow through it.
I was trying to figure out if I can do this automatically. When I go into Virtual Network settings in VMware Workstation 16, the only options I can set are the subnet and available IP scope. There is no option for default gateway or DNS here. Can this be done?
Do you have the ability to run a DHCP server on the pfSense firewall which is connected to the VMnet? If so, both Windows and Linux VMs that have their NICs set to DHCP would get the IP, DNS and GW from the DHCP server.

Google cloud virtual instance cannot ping my Mac (checked firewalls)

I have a virtual machine instance running on Google Cloud Compute Engine — a preemptible free-tier CPU running Ubuntu 17.04. The end goal is to connect it to a MongoDB running on my local machine, a 2015 Macbook Pro (OS 10.12.6). But first, I've been trying to ensure the VM can reach my Mac via ping.
Running ping <VM's external IP> from my Mac works.
pinging my Mac from another Mac on the same wifi network works.
Running ping <Mac's IP> from the VM via the browser terminal does not work.
I've disabled my Mac's firewall. I've also configured my VM's firewall rules to allow all inbound and outbound traffic, to no avail:
[screenshots: ingress firewall rules, egress firewall rules]
How might I get this instance to ping my Mac successfully?
Does your Mac's IP address begin with 10., 192.168., or between 172.16. and 172.32.? These are private addresses only reachable within your Mac's local network, which is (part of) why GCE cannot reach your VM.
This is part of a very common configuration. An ISP only allocates one (or a small number) of IP addresses to your home or business. A router on the network performs NAT to share that IP address between computers on the local network, which instead use private IP addresses for themselves. As the router doesn't know what to do with the inbound MongoDB traffic, it blocks it.
There are two common ways around this that are usually found in your router settings:
"port forwarding", where you tell the router to forward all traffic on port 1234 to your Mac. This can get MongoDB working, but not ping.
If you have whole extra IP addresses, "DMZ" where your router directly forwards an entire extra IP to your instance. If you have only one IP address this is not an option as that IP is needed to be shared for other devices on the Wifi.
You likely also have a firewall on the router. If you use a DMZ or port-forwarding you must make sure that firewall allows traffic through too.
That said, I'm not sure that this is a sensible thing to do. Opening up your local network to the internet can create major security issues, plus it is likely unreliable and more expensive (free tier only provides 1GB egress/month; your db traffic could exceed this).
Actually running MongoDB on instances within GCE is almost certainly a better option in every regard for you.
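To make the answer's NAT explanation concrete, here is an added Python model of a home router (constructed example, not GCE or macOS code, using RFC 5737 documentation addresses): outbound connections create translation state, unsolicited inbound packets are dropped, a port-forward rule rescues one TCP port but cannot help ping because ICMP echo has no port, and a DMZ host receives everything.

```python
"""Toy NAT router: why a cloud VM cannot reach a machine with a private
address, and what port forwarding and a DMZ change. Constructed example."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for icmp, which carries no ports
    dport: int = 0


@dataclass
class NatRouter:
    public_ip: str
    forwards: dict = field(default_factory=dict)      # (proto, public port) -> (private ip, port)
    dmz_host: Optional[str] = None
    _table: dict = field(default_factory=dict, init=False)   # translation state
    _next_port: int = field(default=40000, init=False)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: rewrite the source to the public IP and remember the mapping."""
        key = (pkt.proto, self._next_port)
        self._table[key] = (pkt.src, pkt.sport)
        self._next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst, key[1], pkt.dport)

    def inbound(self, pkt: Packet):
        """Internet -> LAN: deliver only if something tells the router where to."""
        key = (pkt.proto, pkt.dport)
        if key in self._table:                 # reply to a connection the LAN started
            ip, port = self._table[key]
            return "translated", Packet(pkt.proto, pkt.src, ip, pkt.sport, port)
        if key in self.forwards:               # explicit port-forward rule
            ip, port = self.forwards[key]
            return "forwarded", Packet(pkt.proto, pkt.src, ip, pkt.sport, port)
        if self.dmz_host:                      # DMZ: whole public IP handed to one host
            return "dmz", Packet(pkt.proto, pkt.src, self.dmz_host, pkt.sport, pkt.dport)
        return "dropped", None                 # the "router doesn't know what to do" case


MAC = "192.168.1.20"      # constructed private address of the laptop
VM = "198.51.100.7"       # constructed public address of the cloud instance


def scenario(forward_mongo: bool = False, dmz: bool = False) -> dict:
    """Run the three exchanges from the question against one router setup."""
    router = NatRouter("203.0.113.10",
                       forwards={("tcp", 27017): (MAC, 27017)} if forward_mongo else {},
                       dmz_host=MAC if dmz else None)
    results = {}
    # 1. The Mac connects out to the VM; the reply hits the mapped port and is delivered.
    out = router.outbound(Packet("tcp", MAC, VM, 51515, 22))
    results["reply_to_mac"] = router.inbound(Packet("tcp", VM, out.src, 22, out.sport))[0]
    # 2. The VM pings the Mac: no state, and ICMP has no port a forward rule could match.
    results["ping_from_vm"] = router.inbound(Packet("icmp", VM, router.public_ip))[0]
    # 3. The VM opens the MongoDB port.
    results["mongo_from_vm"] = router.inbound(Packet("tcp", VM, router.public_ip, 40123, 27017))[0]
    return results


if __name__ == "__main__":
    print("plain NAT:     ", scenario())
    print("port forward:  ", scenario(forward_mongo=True))
    print("DMZ:           ", scenario(dmz=True))
```

The port-forward and DMZ outcomes are also the exposure the answer warns about: once either is configured, every unsolicited packet to that port (or, for a DMZ, to any port) lands on the laptop, so the database listening there is reachable by the whole internet, not only by the one VM.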

TCP Chat not working in different networks

I coded a TCP/IP chat server/client in C/C++ that works perfectly in my local network and with several clients connected to it. It does not work when the server is in a different network from the client. I coded the same tool in Python some time ago and the same thing happened.
Is there any way of solving this? Without port forwarding, which is the most common solution.
I could only find this: Android server concept confusion. How to connect TCP chat app on different networks, but I could not understand it.
NOTE: I have just found a sample program (server) that works when it is on a different network: http://www.codeproject.com/Articles/1891/Beginning-Winsock-Programming-Simple-TCP-server
You have three choices:
1) NAT penetration. Both devices simultaneously attempt to exchange data with each other, tricking each person's router into thinking that it's replying. For this to work, you each need each other's public IP address and if you need any features from TCP, you need to implement them yourself.
2) Public rendezvous server. Both devices automatically connect to a server on an unNATed network. The server knows the public IP address of every client that connects to it, so it can route your data to the client with the correct public IP.
3) Some combination of 1 and 2. Here, a public server is used to facilitate NAT penetration and eliminate the need for manual coordination. Your friend registers with the public server and the public server tells him your public IP address and facilitates NAT penetration.
In a local network the addresses of devices don't change often. You can reach the computer by just specifying its local address. On the other hand, if you want to communicate with a device in a different network, you should know its public IP and should define a route to the port.
If you have a server with a static or known IP you can reach it. You can store the IP addresses of clients dynamically on this server. Write a program that reports the IP of the host computer to the server. In that way, you can store the IP addresses even if they change often.
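The "public rendezvous server" of choice 2 (and the address bookkeeping the second answer describes) fits in a few dozen lines. The following is an added Python example, not the chat code from the question: every client connects outbound to the server, the server records the address each connection arrives from (which, through a NAT, is the client's public address and translated port) and relays "SEND <peer> <text>" lines to the named peer. It runs over loopback, so the observed addresses are all 127.0.0.1; the names and the line protocol are constructed for the example.

```python
"""Minimal rendezvous/relay server and client over TCP. Constructed example."""
import socket
import threading
from typing import Dict, Tuple


class Rendezvous:
    """Server on an un-NATed address: clients connect *out* to it, so the
    server always knows a public address for each of them and can relay."""

    def __init__(self, host: str = "127.0.0.1"):
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.bind((host, 0))                     # port 0: let the OS pick a free port
        self.srv.listen()
        self.port = self.srv.getsockname()[1]
        self.clients: Dict[str, Tuple[socket.socket, Tuple[str, int]]] = {}
        self.lock = threading.Lock()
        threading.Thread(target=self._accept, daemon=True).start()

    def _accept(self):
        while True:
            try:
                conn, peer = self.srv.accept()
            except OSError:                          # listening socket closed
                return
            threading.Thread(target=self._serve, args=(conn, peer), daemon=True).start()

    def _serve(self, conn, peer):
        rd = conn.makefile("r", encoding="utf-8")
        hello = rd.readline().split(" ", 1)          # first line: "HELLO <name>"
        if len(hello) != 2 or hello[0] != "HELLO":
            conn.close()
            return
        name = hello[1].strip()
        with self.lock:
            self.clients[name] = (conn, peer)        # peer = address as seen by the server
        conn.sendall(f"WELCOME {peer[0]}:{peer[1]}\n".encode())  # tell the client its public view
        for line in rd:                              # "SEND <peer> <text>"
            parts = line.rstrip("\n").split(" ", 2)
            if len(parts) != 3 or parts[0] != "SEND":
                continue                             # ignore malformed lines instead of crashing
            with self.lock:
                dest = self.clients.get(parts[1])
            if dest is not None:
                dest[0].sendall(f"FROM {name}@{peer[0]}:{peer[1]} {parts[2]}\n".encode())
        with self.lock:
            self.clients.pop(name, None)
        conn.close()

    def close(self):
        self.srv.close()


class Client:
    def __init__(self, name: str, server_port: int):
        self.sock = socket.create_connection(("127.0.0.1", server_port))
        self.rd = self.sock.makefile("r", encoding="utf-8")
        self.sock.sendall(f"HELLO {name}\n".encode())
        self.observed = self.rd.readline().split()[1]   # "ip:port" as the server saw us

    def send(self, target: str, text: str):
        self.sock.sendall(f"SEND {target} {text}\n".encode())

    def recv(self) -> str:
        return self.rd.readline().rstrip("\n")

    def close(self):
        self.sock.close()


def demo() -> dict:
    """Two clients behind (simulated) NATs exchange a line via the server."""
    server = Rendezvous()
    alice, bob = Client("alice", server.port), Client("bob", server.port)
    alice.send("bob", "hello from behind NAT")
    got = bob.recv()
    for c in (alice, bob):
        c.close()
    server.close()
    return {"alice_seen_as": alice.observed, "bob_got": got}


if __name__ == "__main__":
    print(demo())
```

The WELCOME line is what choice 3 builds on: once each client knows the address the outside world sees for it, the server can hand those addresses to both peers, and a direct connection can be attempted without either user configuring port forwarding. Because the relay accepts any name and forwards to any registered name, a real deployment needs authentication of clients before the server relays on their behalf.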

Multiple server applications, one public IP on Amazon EC2

I have a single Windows Amazon EC2 instance and one public IP. The instance is running multiple web server EXEs which all sit on port 80. I want to have different domain names which I want to point to each server. On my old dedicated server I achieved this simply by having different public IPs, but with Amazon EC2 I want to keep to just one public IP.
I am not using IIS, Apache, etc. otherwise life would be a lot simpler (I would simply bind hostnames accordingly). The web server executables perform unusual "utility" tasks as part of a range of other websites, but still need to be hosted on port 80. There is no configuration other than address to bind to and port #.
I have setup several private IPs and bound each server application to those private IPs. Is it possible to leverage some of the Amazon networking products to direct the traffic to the correct private IP? e.g. I have tried setting up a private-DNS using Amazon Route53, and internally at least this seems to point to the correct servers - but not (perhaps logically) when I try to access the site externally.
In the absence of any other solutions I decided to solve this using the blunt-hammer approach and use a reverse proxy. The downside is my servers now only see the user IPs as 127.0.0.1, which was less than ideal, but better than nothing at all.
For my reverse proxy I used Redbird (uses node.js) but Nginx may also be an option. Both are free / open source.

ftp access from AWS VPC private subnet behind a NAT instance

I have created a VPC with public and private subnets on AWS. All app servers are in private subnets and all outbound requests have to be through an internet-facing NAT instance.
At the moment, our project requires the app servers to access an FTP server provided by a service provider.
I have tried several ways to manage that, but with no luck. What I have done was to open a port range, let's say (40000 - 60000), on both the NAT and APP security groups, and the standard FTP ports 20 - 21 as well.
The user authentication passes, but I could not list contents from the app servers.
I am able to access the FTP server from the NAT instance, no problem at all.
So what should I do to make it work?
@JohnRotenstein is absolutely correct that you should use Passive FTP if you can. If, like me, you're stuck with a client who insists that you use Active FTP because their FTP site that they want you to connect to has been running since 1990 and changing it now is completely unreasonable, then read on.
AWS's NAT servers don't support a machine in a private subnet connecting using Active FTP. Full stop. If you ask me, it's a bug, but if you ask AWS support they say it's an unsupported feature.
The solution we finally came up with (and it works) is to:
Add an Elastic Network Interface (ENI) in a public subnet on to your EC2 instance in the private subnet
So now your EC2 instance has 2 network adapters, 2 internal IPs, etc.
Let's call this new ENI your "public ENI"
Attach a dedicated elastic IP to your new public ENI
Let's assume you get 54.54.54.54 and the new public ENI's internal IP address is 10.1.1.10
Add a route in your operating system's networking configuration to only use the new public ENI
In windows, the command will look like this, assuming the evil active ftp server you're trying to connect to is at 8.1.1.1:
route add 8.1.1.1 mask 255.255.255.255 10.1.1.1 metric 2
This adds a route so that all traffic to the FTP server at 8.1.1.1, using subnet mask 255.255.255.255 (i.e. this IP and only this IP), goes to the internet gateway 10.1.1.1 via ethernet adapter 2 (your second NIC). (A host route needs the all-ones mask; with 255.255.255.254 the destination has a host bit set and Windows rejects the route.)
Fed up yet? Yeah, me too, but now comes the hard part. The OS doesn't know its public IP address for the public ENI. So you need to teach your FTP client to send the PORT command with the public IP. For example if using CURL, use the --ftp-port option like so:
curl -v --ftp-port 54.54.54.54 ftp://8.1.1.1 --user myusername:mypass
And voila! You can now connect to a nightmare active FTP site from an EC2 machine that is (almost entirely) in a private subnet.
Try using Passive (PASV) mode on FTP.
From Slacksite: Active FTP vs. Passive FTP, a Definitive Explanation:
In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.
Thus, the traffic is trying to communicate on an additional port that is not passed through the NAT. Passive mode, instead, creates an outbound connection, which will then be permitted through the NAT
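The quoted explanation comes down to one question per mode: who opens the data connection, and therefore what the NAT in front of the client must allow. The following added Python example (not curl's code and not any FTP library) builds the active-mode PORT command, which is what `--ftp-port 54.54.54.54` in the first answer changes, parses a passive-mode 227 reply, and reports the direction of the data connection; the 8.1.1.1 server, 54.54.54.54 public IP and 10.1.1.10 ENI address are taken from that answer, the data ports are constructed.

```python
"""Active vs. passive FTP at the command level (RFC 959 PORT / PASV)."""
import re


def port_command(ip: str, port: int) -> str:
    """Encode 'PORT h1,h2,h3,h4,p1,p2': the address the *server* will connect
    back to. Behind NAT this must be the public address, not the NIC's."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address")
    return "PORT {},{},{}".format(",".join(octets), port >> 8, port & 0xFF)


_PASV = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (ip, port)."""
    m = _PASV.match(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])


def data_connection(mode: str, client_public_ip: str, client_port: int = 0,
                    pasv_reply: str = "") -> dict:
    """Summarise the data channel for one mode: the command the client sends,
    which side initiates, where the connection goes, and what the client-side
    NAT therefore has to permit."""
    if mode == "active":
        return {"command": port_command(client_public_ip, client_port),
                "opened_by": "server",                     # from its port 20, per the quote
                "to": (client_public_ip, client_port),
                "nat_must_allow": "inbound connection to the client"}
    if mode == "passive":
        ip, port = parse_pasv(pasv_reply)
        return {"command": "PASV",
                "opened_by": "client",
                "to": (ip, port),
                "nat_must_allow": "outbound connection only"}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    # What the client would send using the ENI's own address versus the EIP (constructed port):
    print(port_command("10.1.1.10", 50000))     # server would try to reach a private address
    print(port_command("54.54.54.54", 50000))   # what --ftp-port 54.54.54.54 makes curl send
    print(data_connection("active", "54.54.54.54", 50000))
    print(data_connection("passive", "54.54.54.54",
                          pasv_reply="227 Entering Passive Mode (8,1,1,1,195,81)."))
```

The first PORT line is the failure the answer describes: with the private 10.1.1.10 inside the command, the server's connection to port 20 of "10.1.1.10" never leaves the provider's network. Even with the correct public address, active mode still requires the NAT or security group to accept an inbound connection to the advertised port, which is why the passive-mode answer is the one to prefer whenever the far end allows it.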