linux routing between two networks - linux

I have 2 application servers connected directly to a SAN server via Ethernet cables; the SAN server has a dual-port network card.

       APP1                             APP2
   172.16.16.10                     192.168.10.10
         |                                |
         |                                |
   172.16.16.1 --[ SAN DUAL NIC ]-- 192.168.10.1
                      ON SAN

When I set each NIC with an IP on the same subnet (172.16.16.x), only the connection to a single application server (APP1) works.
However, if I set the other NIC on a different subnet (192.168.1.x), the network connection to both servers works fine.
My question is: how can I enable routing between APP2 and APP1?
Thank you

Since you didn't supply your subnet mask, I've written route statements that only route to those specific hosts you've put in your diagram. If you give me your subnet masks, then I can give you more general routing statements.
On APP1:
ip route add 192.168.10.10/32 via 172.16.16.1
On APP2:
ip route add 172.16.16.10/32 via 192.168.10.1
To make the routing persist across reboots, you'll have to add these static routes to configuration files, but since I don't know which distro you're using, I can't tell you the exact files to edit.

Azure: one VM with two services on two NICs with two public IPs

Setup
I am setting up an Azure VM (Standard E2as_v4 running Debian 10) to serve multiple services. I want to use a separate public IP address for each service. To test whether I can do this, I set up the following:
vm1
  - nic1
    - vnet1, subnet1
    - ipconfig1: 10.0.1.1 <-> p.0.0.1
    - nsg1
      - allow: ssh (22)
  - nic2
    - vnet1, subnet2
    - ipconfig2: 10.0.2.1 <-> p.0.0.2
    - nsg2
      - allow: http (80)
vnet1
  - subnet1: 10.0.1.0/24
  - subnet2: 10.0.2.0/24
  - address space: [10.0.1.0/24, 10.0.2.0/24]
Where 10.x.x.x IPs are private and p.x.x.x IPs are public.
nic1 (network interface) and its accompanying nsg1 (network security group) were created automatically when I created the VM; otherwise they are symmetrical to nic2, nsg2 (except for nsg2 allowing HTTP rather than SSH). Also, both NICs register fine on the VM.
Problem
I can connect to SSH via the public IP on nic1 (p.0.0.1). However, I fail to connect to HTTP via the public IP on nic2 (p.0.0.2).
Things I've tried
Listening on 0.0.0.0. To check whether it is a problem with my server, I had my HTTP server listen on 0.0.0.0. Then I allowed HTTP on nsg1, and added a secondary IP configuration on nic1 with another public IP (static 10.0.1.101 <-> p.0.0.3). I added the static private IP address manually in the VM's configuration (/run/network/interfaces.d/eth0; possibly not the right file to edit but the IP was registered correctly). I was now able to connect via both public IPs associated with nic1 (p.0.0.1 and p.0.0.3) but still not via nic2 (p.0.0.2). This means I successfully set up two public IPs for two different services on the VM, but they share the same NIC.
Configuring a load-balancer. I also tried to achieve the same setup using a load balancer. In this case I created a load balancer with two backend pools - backend-pool1 for nic1 and backend-pool2 for nic2. I diverted SSH traffic to backend-pool1 and HTTP traffic to backend-pool2. The results were similar to the above (SSH connected successfully, HTTP failed unless I use backend-pool1 rather than backend-pool2). I also tried direct inbound NAT rules - with the same effect.
Check that communication via subnet works. Finally, I created a VM on subnet2. I can communicate with the service using the private IP (10.0.2.1) regardless of the NSG configuration (I tried a port which isn't allowed on the NSG and it passed). However, it doesn't work when I use the public IP (p.0.0.2).
Question
What am I missing? Is there a setting I am not considering? What is the reason for not being able to connect to my VM via a public IP address configured on an additional NIC?
Related questions
Configuring a secondary NIC in Azure with an Internet Gateway - the answer refers to creating a secondary public IP
Multiple public IPs to Azure VM - the answer refers to creating a load balancer
Notes: I can try to provide command lines to recreate the setup, if this is not enough information. The HTTP server I am running is:
sudo docker run -it --rm -p 10.0.2.1:80:80 nginx
And I replaced to listen on 0.0.0.0 for subsequent tests.
Here's the final topology I used for testing.
To allow the secondary interface (with a public IP) to reach, or be reached from, the Internet, we don't need to create a load balancer. Instead, we can use iproute to maintain multiple routing tables. Read http://www.rjsystems.nl/en/2100-adv-routing.php and this SO answer for more details.
After my validation, you can add the following configuration; it was working on a Linux (Ubuntu 18.04) VM for me.
To activate Linux advanced routing on a Debian GNU/Linux system, install the iproute package:
apt-get install iproute
Configure two default routes:
echo 2 cheapskate >> /etc/iproute2/rt_tables
Add the new default route to table cheapskate and then display it:
~# ip route add default via 10.0.2.1 dev eth1 table cheapskate
~# ip route show table cheapskate
default via 10.0.2.1 dev eth1
Add a rule for when a packet has a "from" pattern of 10.0.2.4, in which case the routing table cheapskate should be used, with a priority level of 1000:
ip rule add from 10.0.2.4 lookup cheapskate prio 1000
The kernel searches the list of ip rules starting with the lowest priority number, processing each routing table until the packet has been routed successfully.
After all of this, you can check it with the following command; you will see the public IP address attached to the secondary interface.
curl --interface eth1 api.ipify.org?format=json -w "\n"
Please note that you need enough permissions to do all of the above steps.
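Both the SAN question at the top of this page and the Azure answer above come down to the same two kernel mechanisms: longest-prefix-match lookup in a routing table, and `ip rule` choosing which table to consult by source address. The following Python model is an added example, not code from either post, and lets you trace both scenarios offline. It assumes /24 masks for the SAN setup (the asker gave none), interface names eth0/eth1 throughout, that the Azure VM's NICs hold 10.0.1.4 and 10.0.2.4 (Azure's gateway is the .1 of each subnet, which is why the answer uses 10.0.2.1 as next hop), and it uses the constructed addresses 203.0.113.7 and 10.0.2.9 as an Internet host and an on-link peer. The kernel's `local` table (priority 0) is left out of the model.

```python
"""Toy model of Linux destination routing (longest-prefix match) plus `ip rule`
policy routing, used to trace the two scenarios on this page offline.
Added example; the hosts, interface names and masks below are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None = directly connected (on-link)
    dev: str


class RoutingTable:
    """One routing table: lookup returns the most specific matching prefix."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, via: Optional[str] = None, dev: str = "") -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix),
                                 ipaddress.ip_address(via) if via else None, dev))

    def lookup(self, dst: str) -> Optional[Route]:
        d = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if d in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


@dataclass
class Rule:
    prio: int
    src: Optional[ipaddress.IPv4Network]  # None matches every source ("from all")
    table: str


class PolicyRouter:
    """Rules are tried in ascending priority, each naming a table; the first table
    that yields a route decides (what `ip rule` / `ip route ... table X` set up)."""

    def __init__(self) -> None:
        self.tables: Dict[str, RoutingTable] = {"main": RoutingTable()}
        self.rules = [Rule(32766, None, "main")]  # kernel default 'from all lookup main'

    def add_table(self, name: str) -> RoutingTable:
        self.tables[name] = RoutingTable()
        return self.tables[name]

    def add_rule(self, prio: int, table: str, src: Optional[str] = None) -> None:
        self.rules.append(Rule(prio, ipaddress.ip_network(src) if src else None, table))
        self.rules.sort(key=lambda r: r.prio)

    def route(self, src: str, dst: str) -> Optional[Route]:
        s = ipaddress.ip_address(src)
        for rule in self.rules:
            if rule.src is not None and s not in rule.src:
                continue
            hit = self.tables[rule.table].lookup(dst)
            if hit is not None:
                return hit
        return None  # what the kernel reports as 'Network is unreachable'


def san_path(with_static_route: bool) -> List[Tuple[Optional[str], str]]:
    """First Q&A: APP1 (172.16.16.10) -> APP2 (192.168.10.10) through the SAN.
    Returns (next hop, device) per hop, or [] when APP1 has no route. Masks assumed /24."""
    app1 = PolicyRouter()
    app1.tables["main"].add("172.16.16.0/24", dev="eth0")
    if with_static_route:  # the answer's: ip route add 192.168.10.10/32 via 172.16.16.1
        app1.tables["main"].add("192.168.10.10/32", via="172.16.16.1", dev="eth0")
    san = PolicyRouter()  # both subnets on-link; forwards only with net.ipv4.ip_forward=1
    san.tables["main"].add("172.16.16.0/24", dev="eth0")
    san.tables["main"].add("192.168.10.0/24", dev="eth1")
    hops: List[Tuple[Optional[str], str]] = []
    for host in (app1, san):
        r = host.route("172.16.16.10", "192.168.10.10")
        if r is None:
            return []
        hops.append((str(r.via) if r.via is not None else None, r.dev))
    return hops


def azure_egress() -> Dict[str, object]:
    """Azure answer: table 'cheapskate' chosen by source address. Assumes eth0 is
    10.0.1.4 (gateway 10.0.1.1) and eth1 is 10.0.2.4 (gateway 10.0.2.1)."""
    vm = PolicyRouter()
    main = vm.tables["main"]
    main.add("10.0.1.0/24", dev="eth0")
    main.add("10.0.2.0/24", dev="eth1")
    main.add("0.0.0.0/0", via="10.0.1.1", dev="eth0")  # ordinary default route
    cheap = vm.add_table("cheapskate")
    cheap.add("0.0.0.0/0", via="10.0.2.1", dev="eth1")  # ip route add default via 10.0.2.1 dev eth1 table cheapskate
    vm.add_rule(1000, "cheapskate", src="10.0.2.4")      # ip rule add from 10.0.2.4 lookup cheapskate prio 1000
    internet, neighbour = "203.0.113.7", "10.0.2.9"      # constructed addresses
    result: Dict[str, object] = {
        "eth0_to_internet": vm.route("10.0.1.4", internet).dev,
        "eth1_to_internet": vm.route("10.0.2.4", internet).dev,
        # the custom table holds only a default route, so even an on-link peer goes via the gateway
        "neighbour_before": str(vm.route("10.0.2.4", neighbour).via),
    }
    cheap.add("10.0.2.0/24", dev="eth1")  # copying the connected route into the table fixes that
    result["neighbour_after"] = vm.route("10.0.2.4", neighbour).via
    return result
```

`san_path(False)` returns an empty list because APP1 has no prefix covering 192.168.10.10, which is the "only APP1 works" symptom; with the /32 route it returns the two hops, and the second hop only happens on a real SAN if IP forwarding is enabled there (the answer's routes alone do not turn the SAN into a router). `azure_egress()` shows replies sourced from 10.0.2.4 leaving via eth1 while everything else keeps the main default route; it also shows the usual gotcha with a custom table that contains only a default route: traffic to an on-link peer is sent to the gateway instead of directly, which is why the connected route is normally copied into the table as well.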

pfSense - Firewall between subnets

On my LAN, I have 2 networks. Let's say 192.168.10.0/24 and 192.168.20.0/24. I would like to use pfSense to allow or deny access from LAN1 to LAN2, depending on the IP.
On my test server, I have 2 NICs. On NIC1, I configured the IP 192.168.10.1/24 and on NIC2 192.168.20.1/24.
NIC1 is connected to the switch, where I can access pfSense using my notebook, configured with IP 192.168.10.2. On NIC2, there is another switch and another notebook with IP 192.168.20.2.
I went to the Firewall rules and granted access from all sources and protocols from LAN1 to LAN2. But even then, I can't ping LAN2. What do I need to do to be able to access LAN2 from LAN1?
Current scenario: https://prnt.sc/vqua7f
Intended scenario: https://prnt.sc/vquc4z
System/Routing/Static Routes/
Add a route on each gateway to the other subnet.

DHCP server providing two IP addresses to the same Host

I have two subnets (A and B) in the same local area network, where all IP addresses are static. I just created a DHCP server to solve the problem of IP address conflicts.
The problem is that there are hosts that must belong to both subnets and therefore have two IP addresses.
The router solution is not accepted, because if a subnet A station wants to access a station in subnet B it must go through the router, and the traffic is very large (SQL queries for statistics), which could flood the router.
In short: can I configure my DHCP server to provide two IP addresses to the same host?
Server operating system: Linux SUSE (DHCPD)
This is not a DHCP problem, it's a routing problem.
AFAICT DHCP only lets you specify one IP address per client, but it also lets you push static routes.
You do not need your client to have an IP on both networks; you just need it to know which route to use to reach peers on networks A and B (i.e. a direct route in both cases).
See https://gauvain.pocentek.net/docs/dhcpd-push-routes/ to specify static routes for DHCP.
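The mechanism the answer above relies on is the DHCP Classless Static Route option (option 121, RFC 3442), whose wire format is compact but easy to get wrong because each destination is truncated to its significant octets. The encoder/decoder below is an added example, not from the page or the linked document; the subnets (192.168.10.0/24 for A, 192.168.20.0/24 for B) and the gateways 192.168.10.254 and 192.168.10.1 are constructed, and the `rfc3442-classless-static-routes` option name is the conventional one used with ISC dhcpd (any name works as long as the code is 121).

```python
"""Encoder/decoder for the DHCP Classless Static Route option (option 121, RFC 3442),
the mechanism a DHCP server uses to push the per-subnet routes the answer above suggests.
Added example, not from the page; the subnets and gateways below are constructed."""
import ipaddress
from typing import List, Tuple

StaticRoute = Tuple[str, str]  # ("192.168.20.0/24", "192.168.10.254") = destination, router


def encode_classless_routes(routes: List[StaticRoute]) -> bytes:
    """RFC 3442 wire format per route: 1 byte prefix length, then only the
    significant octets of the destination (ceil(prefixlen / 8)), then the 4-byte router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits set in the prefix
        n = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:n]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data: bytes) -> List[StaticRoute]:
    """Inverse of the encoder, with the bounds checks a client must apply to an
    option value it did not produce itself."""
    routes: List[StaticRoute] = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"prefix length {plen} out of range")
        n = (plen + 7) // 8
        if i + n + 4 > len(data):
            raise ValueError("truncated classless route option")
        dest = bytes(data[i:i + n]) + b"\x00" * (4 - n)  # pad back to four octets
        i += n
        router = bytes(data[i:i + 4])
        i += 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(router))))
    return routes


def dhcpd_option_line(routes: List[StaticRoute]) -> str:
    """Render the value as the byte list dhcpd.conf expects once the option is declared as
    `option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;`."""
    body = ", ".join(str(b) for b in encode_classless_routes(routes))
    return f"option rfc3442-classless-static-routes {body};"


# Constructed scenario for the question above: clients sit on subnet A (192.168.10.0/24)
# and reach subnet B (192.168.20.0/24) through an internal router at 192.168.10.254.
# RFC 3442 requires a client that receives option 121 to ignore option 3 (Router),
# so the default route must be repeated here or the clients lose their default gateway.
EXAMPLE_ROUTES: List[StaticRoute] = [
    ("192.168.20.0/24", "192.168.10.254"),
    ("0.0.0.0/0", "192.168.10.1"),
]

if __name__ == "__main__":
    wire = encode_classless_routes(EXAMPLE_ROUTES)
    print(wire.hex(), decode_classless_routes(wire))
    print(dhcpd_option_line(EXAMPLE_ROUTES))
```

The decoder deliberately refuses prefix lengths above 32 and truncated values rather than padding them, since a DHCP client parses this option from whatever server answered on the segment. The repeated default route is the detail that most often bites in practice: a server that pushes option 121 without it leaves clients that honour RFC 3442 with no default gateway.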

VM Networking Dilemma

Some background:
I'm attempting to set up a pentesting network with a handful of virtual machines for the SANS 560 (Network Penetration Testing and Ethical Hacking) course, but I'm having an issue with the network configuration.
To paint a picture of the network (at least how it's intended to be):
My home router (connected to the internet, also the gateway for all other machines on the network) IP is 192.168.0.1/24, with all other machines on the network in the 255.255.255.0 subnet
As per the course notes, I should be setting up all my virtual machines with bridged adapters on the 10.10.X.X/16 subnet - with Linux machines on 10.10.75.X/16, Windows guest machines on 10.10.76.X/16, and my "host" (also a VM running Windows) machine on 10.10.78.1/16
My question:
How (assuming it's possible) do I configure my host machine (with the new IP 10.10.78.1/16) to be able to talk to the other guest machines (virtual machines) while also being able to connect to the internet?
I've tried setting up a static route to use the new IP as the gateway (seeing as the router is on a different subnet):
route ADD 192.168.0.0 MASK 255.255.255.0 10.10.78.1 (192.168.0.0 is the destination, obviously the mask is 255.255.255.0, and the gateway is 10.10.78.1) - it didn't work (all I get is Destination Host Unreachable)
Do I need to have two interfaces on this Windows machine (i.e. one configured as 10.10.78.1/16 to talk to the other VMs, and another configured as 192.168.0.X/24 to access the internet) to make this configuration possible?
I understand it's not how a network would be set up typically, so please let me know if you need me to clarify or provide more information.
I found a solution that seems to work.
Again, for context, below is a list of the machines on the network:
Name         | Adapter type | IP              | Static routes?
-------------|--------------|-----------------|----------------
Windows VM1  | Bridged      | 192.168.0.11/24 | Nil
             | Bridged      | 10.10.78.1/16   | Yes, see below
Windows VM2  | Bridged      | 10.10.76.1/16   | Yes, see below
Linux VM3    | Bridged      | 10.10.75.1/16   | Nil
Static routes:
Static routes for VM1:
Note: In the adapter settings for 192.168.0.11/24, I set the default gateway as the IP for my internet router (192.168.0.1), and the netmask as 255.255.255.0
Note: In the adapter settings for 10.10.78.1/16, I left the default gateway blank (as it gets set when adding the static route), and the netmask as 255.255.0.0
route -P ADD 10.10.0.0 MASK 255.255.0.0 192.168.0.11 (must use -P so that the route persists between reboots)
Static routes for VM2:
route -P ADD 10.10.0.0 MASK 255.255.0.0 10.10.76.1 (must use -P so that the route persists between reboots)
Note: you must run netsh advfirewall set allprofiles state off to allow the other VMs (including other Windows machines) on the 10.10.0.0/16 subnet to talk to this machine.
This configuration allows the following behaviour:
VM1 can initiate a connection with VM2 and VM3
Neither VM2 nor VM3 can initiate a connection with VM1
VM2 and VM3 can inter-communicate (i.e. can initiate connections with each other, in either direction)
Furthermore, this configuration should allow all of the VMs to communicate to the VPN that is setup for labs later on in the course, since they all have an adapter configured on the 10.10.x.x/16 network.
There are two solutions:
Add 10.10.0.0/16 to your router as a secondary IP subnet - if possible - or change the 192.168.0.0/24 range to 10.10.0.0/16.
Use another router to create the 10.10.0.0/16 subnet and connect it to 192.168.0.0/24 through one of its interfaces. On your Internet router, add a static route to 10.10.0.0/16. The router can be anything: a hardware router, a layer-3 switch, or a Windows/Linux machine with routing enabled.
A third approach - running both subnets in the same layer-2 segment connected by a router-on-a-stick - doesn't really cut it for the purpose.
Edit: The route in your question is the wrong way - assuming your inter-subnet router uses 192.168.0.99 and 10.10.78.1, on your Internet router, add route 10.10.0.0/16 -> 192.168.0.99 and on the new subnet use 10.10.78.1 as the default gateway.

Could I use avahi to publish service across subnetworks?

Avahi is usually used for service discovery. I want to make a service discoverable from a different subnetwork, could I use avahi to achieve this?
For example, the service host ip is "192.168.1.100" with mask "255.255.255.0", so it's in 192.168.1.X subnetwork. Another host ip is "192.168.2.100" with mask "255.255.255.0". Could I use avahi to let this host discover the previous service host?
Unfortunately, no, it's going to require reconfiguration of whatever device is routing between those two subnets. mDNS uses the multicast addresses 224.0.0.251 for IPv4 and ff02::fb for IPv6. Those are link-local addresses and the data sent to them is typically not routed outside of the current subnet.
There are various options, some may be easier than others depending on what your routing device is.
Multicast Proxying. mdns-repeater is a simple solution that will repeat mDNS requests across interfaces.
Wide Area DNS. Wide-Area DNS-SD could be enabled on the DNS resolver that is serving the hosts in those subnets. Avahi could then be configured to publish not to the .local domain but to the domain for those subnets.
Multicast Routing. The device routing between those subnets could be configured to route the multicast groups between those two subnets.
mDNS Gateway. There is a draft RFC for implementing a mDNS gateway that sits at the edge of a network segment (typically a router). This is not a simple repeater/reflector, but a gateway that caches service entries and responds to queries from other connected network segments.
Sure you can. It's called a reflector and it's part of the Linux avahi daemon.
Look at "SECTION [REFLECTOR]" of man avahi-daemon.conf on your distribution.
