ICMP not reaching ALL nodes

Evening clever people - need some input for a problem that I don’t understand…

Scenario:
I have a Hyper-V lab (several, in fact) that is segregated by the great Vyos router/firewall.

I normally don’t need to go from the physical to the virtual world, but in this instance I do. So I have set up firewall rules that allow specific services from the outside interface to the ‘lab1’ interface out.

Lab1 has a network address of 192.168.100.0/24, and I set a rule that allows ICMP through from the outside to the Lab1 network. I have only 5 nodes in this lab; of those I can get a PING response from 2, a DC and an IIS server, but not from the other 3.

Within the Lab I can get PING responses from all of the devices, all devices can reach the internet through Vyos. I have double checked the IP settings and have gone as far as turning off the firewalls on the virtual nodes - no difference.

The rule that allows ICMP is this:

rule 2 {
    action accept
    icmp {
        type-name echo-request
    }
    protocol icmp
    state {
        new enable
    }
}
and it is applied to the lab1 interface outbound.

The fact that I can ping the DC and one of the IIS servers would indicate that the firewall is configured right.

Any help would be appreciated. Thank you

EDIT - I have done a show arp and all the devices are showing up:

vyos@vyos:~$ show arp
Address           HWtype  HWaddress          Flags Mask  Iface
192.168.100.201   ether   00:15:5d:00:4c:1e  C           eth1
192.168.100.210   ether   00:15:5d:00:4c:25  C           eth1
192.168.100.10    ether   00:15:5d:00:4c:02  C           eth1
192.168.100.203   ether   00:15:5d:00:4c:20  C           eth1
192.168.100.212   ether   00:15:5d:00:4c:25  C           eth1
192.168.100.202   ether   00:15:5d:00:4c:1f  C           eth1
192.168.137.1     ether   60:a4:4c:3f:6b:4d  C           eth0
192.168.100.6     ether   00:15:5d:00:4c:25  C           eth1
192.168.100.253   ether   00:15:5d:00:4c:1d  C           eth1

Any chance you could provide version and a sanitized config?

I certainly can - it’s just a lab.
In Lab1 I have a DC, 3 IIS servers and an Ubuntu server running HAProxy for load balancing. Everything works in the Lab environment; web pages, load balancing etc. What I am trying to do is allow HTTP requests through Vyos from the real world to the virtual load balancer so I can do some performance testing. So I need for HTTP and ICMP requests to be able to pass from eth0 through Vyos out on the Lab1 / eth1 interface. Like I said, I can ping the DC and one of the IIS servers but nothing else. Thank you for looking - and yes, I am new to Vyos, sorry!

vyos@192.168.137.102’s password:
Linux vyos 3.13.11-1-amd64-vyos #1 SMP Sat Nov 11 12:10:30 CET 2017 x86_64
Welcome to VyOS.
This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the individual
files in /usr/share/doc/*/copyright.
Last login: Wed Feb 13 18:32:45 2019 from xps.mshome.net
vyos@vyos:~$ sho config
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name OUTSIDE-IN {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 3 {
            action accept
            description RDP
            protocol tcp
        }
    }
    name OUTSIDE-LAB1 {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 4 {
            action accept
            description http
            state {
                new enable
            }
        }
    }
    name OUTSIDE-LOCAL {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 3 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            source {
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Outside
        duplex auto
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
        hw-id 00:15:5d:00:4c:09
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.100.254/24
        description LAB1
        duplex auto
        firewall {
            out {
                name OUTSIDE-LAB1
            }
        }
        hw-id 00:15:5d:00:4c:0a
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        hw-id 00:15:5d:00:4c:0b
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    source {
        rule 1 {
            outbound-interface eth0
            source {
                address 192.168.100.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vyos
    login {
        user {
            authentication {
                encrypted-password
                plaintext-password
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ****************
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vyos@vyos:~$
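
An added example, not part of the thread: in the config above, OUTSIDE-IN rule 3 ("RDP") has no destination port and OUTSIDE-LAB1 rule 4 ("http") has no protocol or port, so both accept more than their descriptions suggest. The Python sketch below parses brace-style config text and reports such accept rules; `flatten`, `audit` and the trimmed `SAMPLE` are names and data constructed for this illustration.

```python
# Constructed excerpt of the posted config (rule bodies copied, rest trimmed).
SAMPLE = """\
name OUTSIDE-IN {
    rule 3 {
        action accept
        description RDP
        protocol tcp
    }
}
name OUTSIDE-LAB1 {
    rule 4 {
        action accept
        description http
        state {
            new enable
        }
    }
}
"""

def flatten(text):
    """Turn brace-style config into {(node, ..., key): value} leaves."""
    path, leaves = [], {}
    for line in text.splitlines():
        words = line.split()
        if words and words[-1] == "{":
            path.append(" ".join(words[:-1]))      # open a node
        elif words == ["}"]:
            path.pop()                             # close the current node
        elif words:
            leaves[tuple(path) + (words[0],)] = " ".join(words[1:])
    return leaves

def audit(text):
    """Return (ruleset, rule, problem) for accept rules with missing matches."""
    leaves, out = flatten(text), []
    for path, value in leaves.items():
        if path[-1] != "action" or value != "accept":
            continue
        rule = path[:-1]
        get = lambda *k: leaves.get(rule + k)
        if get("state", "established") and not get("state", "new"):
            continue  # return-traffic rule: expected to have no other match
        proto = get("protocol")
        if proto is None:
            out.append((*rule, "no protocol: matches every protocol"))
        elif proto in ("tcp", "udp") and not get("destination", "port"):
            out.append((*rule, f"no destination port: matches all {proto}"))
    return out
```

Calling `audit()` on the full `show config` output works the same way, since only firewall rules carry an `action` leaf.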

OK, I set up firewall logging on the outside interface and the lab1 interface - it’s not Vyos but my setup.
My workstation is connected to the wireless for internet stuff and the NIC connected to the Hyper-V server with ICS enabled.
I have put in a static route in the Windows 10 table which seems to be rather hit or miss - so I can ping 2 nodes in the lab and even RDP to them. However, the logs show that when I ping the other nodes the ICMP requests aren’t registering. So I’m guessing the requests aren’t being forwarded properly. If I do a tracert to the ones I can ping, the route is correct; if I do a tracert for the ones I can’t, it doesn’t fly - so sorry for wasting your time, I should have looked a little closer. Time to change the setup!