Allow RDP between my server and Vyos


#1

Hello to all the community,

I have a Hyper-V server for my lab.
On this server, I have only one network card for the Hyper-V virtual switch, and for Internet access.
On my Hyper-V server, I installed a VYOS virtual machine with 4 network cards:

  • eth0: No vlan
  • eth1: vlan10
  • eth2: vlan20
  • eth3: vlan30

Below is the diagram of my network:

I have a VM in each of the three VLANs.
eth0 is the source network of my Hyper-V server and the Vyos “eth0” network card.

I installed the system and ran the following commands:


set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN


set service ssh port 22


set interfaces ethernet eth1 address '172.16.1.254/24'
set interfaces ethernet eth1 description 'VLAN10'


set interfaces ethernet eth2 address '172.16.2.254/24'
set interfaces ethernet eth2 description 'VLAN20'


set interfaces ethernet eth3 address '172.16.3.254/24'
set interfaces ethernet eth3 description 'VLAN30'


set nat source rule 101 outbound-interface 'eth0'
set nat source rule 101 source address '172.16.1.0/24'
set nat source rule 101 translation address masquerade


set nat source rule 201 outbound-interface 'eth0'
set nat source rule 201 source address '172.16.2.0/24'
set nat source rule 201 translation address masquerade


set nat source rule 301 outbound-interface 'eth0'
set nat source rule 301 source address '172.16.3.0/24'
set nat source rule 301 translation address masquerade


set service dns forwarding cache-size 0
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding listen-on eth3
set service dns forwarding name-server 172.16.15.254
set service dns forwarding name-server 80.10.246.2 (ISP DNS1)
set service dns forwarding name-server 80.10.246.129 (ISP DNS2)


The ping works from Vyos, but does not work from my server, even though it’s the same network. Why…?
I would like to RDP from my Hyper-V server to my VMs that are on the different VLANs. Can you help me do that?

Regards.
Nico


#2

Have you set up the firewall on the interfaces, or just the rules? Have you enabled ICMP ingress?
You can check that via ‘show firewall’ in op mode.


#3

I have not configured anything more than the commands listed above.
I made a snapshot just after these commands; I run tests and roll back if it does not work.

I tested this, but it does not work:

set nat destination rule 100 description 'RDP to 172.16.1.1:3389'
set nat destination rule 100 destination port 3389
set nat destination rule 100 inbound-interface eth0
set nat destination rule 100 protocol tcp
set nat destination rule 100 translation address 172.16.1.1
set nat destination rule 100 translation port 3389

If I capture the traffic (with the command “monitor interfaces ethernet eth0 traffic”) at the moment I start RDP from my server, there is nothing on eth0 or eth1.

And to answer your question:

vyos@vyos# show firewall
Configuration under specified path is empty

From my VM at 172.16.1.1, I can RDP to my server at 172.16.15.250, but not the opposite. It is the “nat source rule 101” that allows it, I think?

Thanks a lot for your help.
Regards,


#4

Did you try RDP to 172.16.15.202 (the router’s outside address) using the NAT destination config?
You are using NAT, so I assume you don’t have any routing into 172.16.1.0/24, 172.16.2.0/24 and 172.16.3.0/24.


#5

It works by using the eth0 interface of Vyos! You rock ArneO! Thank you so much!

But since I have to bounce through several VMs, it is not very simple… Is there a solution to RDP to the target address? Can I configure routing for it to work?

I’m not very good at networking; can you explain to me why the ping and the RDP do not work towards the target address?


#6

Your firewall will only do something if you apply it to a device.
https://vyos.readthedocs.io/en/latest/firewall.html


#7

If I add a rule on the Vyos firewall, could I RDP via the real IP address of my virtual machine?
Can you give me an example of a rule for a VM please?


#8

Depends pretty much on your rules, but you need to set up the rules on an interface, otherwise they aren’t being used by the system.
https://vyos.readthedocs.io/en/latest/firewall.html
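An added example (not from the thread or the VyOS documentation) of what #8 describes: a rule set bound to eth0 in the “in” direction so that only the Hyper-V host (172.16.15.250, from #3) can reach the forwarded RDP port, and everything else forwarded in from eth0 is dropped. It assumes the VyOS 1.2/1.3 syntax used by the NAT commands in this thread.

```vyos
# Assumes VyOS 1.2/1.3 configure-mode syntax; run inside 'configure'.
# The Hyper-V host 172.16.15.250 and the VM 172.16.1.1 come from post #3.
set firewall name WAN-IN default-action 'drop'
set firewall name WAN-IN description 'Traffic entering eth0 and forwarded to the VLANs'

# Return traffic for sessions the VLAN VMs opened outbound through the masquerade rules.
set firewall name WAN-IN rule 10 action 'accept'
set firewall name WAN-IN rule 10 state established 'enable'
set firewall name WAN-IN rule 10 state related 'enable'

# RDP from the Hyper-V host only. Destination NAT (nat destination rule 100) runs
# before this filter, so match the translated destination 172.16.1.1, not eth0's
# own address. Add one such rule per VM you want reachable.
set firewall name WAN-IN rule 20 action 'accept'
set firewall name WAN-IN rule 20 protocol 'tcp'
set firewall name WAN-IN rule 20 source address '172.16.15.250'
set firewall name WAN-IN rule 20 destination address '172.16.1.1'
set firewall name WAN-IN rule 20 destination port '3389'

# Log what the default action drops, so refused RDP attempts are visible in
# op mode with 'show log firewall name WAN-IN'.
set firewall name WAN-IN enable-default-log

# Nothing is filtered until the rule set is bound to an interface and a direction.
set interfaces ethernet eth0 firewall in name 'WAN-IN'
commit
save
```

The “in” direction only covers traffic forwarded through the router; SSH to the router itself on eth0 is governed by a separate “local” rule set and is unaffected here.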


#9

I have no rules on the Vyos firewall.
I will try, but it’s a complicated subject for me …
Thank you for your answer.


#10

You need to “port-forward” your RDP port to the WinServer (port) behind your VyOS router / FW:

something like this:

set nat destination rule 100 description 'RDP forward'
set nat destination rule 100 destination port '3389'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '1.2.3.4'
set nat destination rule 100 translation port '3389'

where 1.2.3.4 is your WinServer IP


#11

Yes, it works, but I have to RDP to the eth0 address (172.16.15.202).
I would like to RDP to the target IP address (1.2.3.4 in your example) of my virtual machine.


#12

Can you ping your target address? Maybe you forgot to route?


#13

Hello VoIP-Ninja,

Sorry for the delay, I was not present this weekend.

From Vyos, I can ping my target address, but not from the server I want to bounce from.


#14

On the Hyper-V server, try this from a command prompt with administrative privileges.

route add 172.16.1.0 mask 255.255.255.0 172.16.15.202 -p
route add 172.16.2.0 mask 255.255.255.0 172.16.15.202 -p
route add 172.16.3.0 mask 255.255.255.0 172.16.15.202 -p

You would have to update this if the VYOS lost its IP, so see if you can set a reservation.

You can also use a bypass for your PAT rules. This will allow translation to internet sources, but use correct internal IPs on your LAN.

set nat source rule 100 exclude
set nat source rule 100 destination address 172.16.0.0/20
set nat source rule 100 outbound-interface
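The VyOS side of the routed setup from #14, as an added example that is not from the thread: the source-NAT bypass completed with an outbound interface (eth0 is an assumption; the post leaves the value off), numbered below the masquerade rules so it is evaluated first, followed by op-mode checks. It assumes VyOS 1.2/1.3 syntax and the addresses used earlier in the thread.

```vyos
# Assumes VyOS 1.2/1.3. 'eth0' on the exclude rule is an assumption; post #14
# leaves the value blank, and eth0 is the only interface the masquerade rules use.
# Source NAT stops at the first matching rule, and rule 100 sorts before
# 101/201/301, so LAN-to-LAN traffic keeps its real 172.16.x.x source address.
configure
set nat source rule 100 description 'No NAT between the VLANs and the 172.16.15.0/24 lab LAN'
set nat source rule 100 exclude
set nat source rule 100 destination address '172.16.0.0/20'
set nat source rule 100 outbound-interface 'eth0'

# Once the Hyper-V host has the persistent routes, RDP reaches 172.16.1.1
# directly, so the port-forward from posts #3/#10 is no longer needed and can go.
delete nat destination rule 100
commit
save
exit

# Op-mode checks: rule order, and that host-to-VM sessions appear untranslated.
show nat source rules
show nat source translations
show ip route 172.16.15.0/24
```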


#15

Hello chief_dan,

It works perfectly by adding persistent routes!
Thanks a lot for your help!

Have a good weekend.

