VMware Communities
aazpf1
Contributor

NAT and Internet access through VMNET

Hi,

For testing and studying purposes I am trying to set up an Active Directory with a child domain, still to install.

So my first VM "DC1" (which is going to be the Forest root domain) has two Nics:

1st NIC is NAT with:

IP: 192.168.25.130

DNS: 192.168.25.2

DHCP: 192.168.25.254 (the NIC got all these TCP/IP settings automatically)

2nd NIC: I connected it to VMNet2 (Subnet 192.168.1.0) with IP 192.168.1.1

I can browse the internet successfully (not if bridged, though).

The second VM "dc2" has one NIC connected to VMNET2 with IP address 192.168.1.100.

My question is: why am I not able to browse the web from this 2nd VM?

I added routes for the 192.168.25.0 network and I can ping 192.168.25.130 successfully, but I cannot ping 192.168.25.2.

How can this be?

default route is: 0.0.0.0 mask 255.255.255.0 192.168.25.2

These settings allow me to set up my AD tree, but I now wonder why I cannot browse the web from my 2nd machine!!

Any possible help would be appreciated.

thanks

Aldo

11 Replies
AWo
Immortal

Your second VM is connected to VMnet2. Is VMnet2 bridged to a physical NIC? If not, you have no access to the outside. Your first guest can use the NAT connection (VMnet8), which allows outside access.


AWo

VCP 3 & 4

Author @ vmwire.net

\[:o]===\[o:]

=Would you like to have this posting as a ringtone on your cell phone?=

=Send "Posting" to 911 for only $999999,99!=

vExpert 2009/10/11 [:o]===[o:] [: ]o=o[ :] = Save forests! rent firewood! =
aazpf1
Contributor

Hi Awo,

thanks for the reply.

No, VMNET2 is not bridged to a physical NIC, but I thought I should be able to get out through the NAT interface, as I am able to ping it.

Why can I ping .25.130, which is the DC1 interface, but not .25.2 (the gateway), which is on the same subnet??

AWo
Immortal

No, VMNET2 is not bridged to a physical NIC, but I thought I should be able to get out through the NAT interface, as I am able to ping it.

Why can I ping .25.130, which is the DC1 interface, but not .25.2 (the gateway), which is on the same subnet??

You wrote in your first post:

1st NIC is NAT with:

IP: 192.168.25.130

DNS: 192.168.25.2

dhcp: 192.168.25.254

2nd NIC: I connected it to VMNet2 (Subnet 192.168.1.0) with IP 192.168.1.1

I can browse the internet succesfully (not if i bridged though)

The second VM "dc2" has one NIC connected to VMNET2 with IP address 192.168.1.100.

So, both NICs are not in the same subnet. VMnet2 is 192.168.1.0/24 and NAT is VMnet8 with 192.168.25.0/25. And that's absolutely correct, as two different networks can't share the same IP subnet address.

VMnet2 has no connection to VMnet8 as long as you don't install a router in between (on the DC, which has a connection to both networks, for example).


aazpf1
Contributor

OK,

I just installed RRAS LAN Routing on DC1 and added this route:

192.168.25.0 255.255.255.0 192.168.25.2

Still cannot access from DC2.

I understand what you mean, but it is still unclear why I cannot ping the gateway (192.168.25.2) if I can ping 192.168.25.130, which is on the same subnet as the GW.

AWo
Immortal

I just installed RRAS LAN Routing on DC1 and added this route:

192.168.25.0 255.255.255.0 192.168.25.2

Still cannot access from DC2.

I understand what you mean, but it is still unclear why I cannot ping the gateway (192.168.25.2) if I can ping 192.168.25.130, which is on the same subnet as the GW.

I can't explain it to you either. In a physical environment it should be possible to ping the gateway. But I'm not sure if that should work with this virtual implementation across a router. Never tried that myself. Why don't you use bridged for DC1, as I know routing works there, or add a second VMnet8 NIC to DC2?

But you may try/check this:

On DC2 the default gateway must be set to 192.168.1.1

On DC2 the DNS server must be 192.168.25.2

On DC1 the default gateway must be 192.168.25.2 (which is already the case).

If you enable RRAS on DC1 you don't need to add a route; just enable routing.

Try to ping the DC1 VMnet8 interface first (192.168.25.130): If that works, routing works.

But I'm really not sure if the NAT engine is able to send a packet back to a different subnet than its own. Why? Because, contrary to what many people think, the source IP address in a packet (192.168.1.100) is not automatically used as the destination address for returning packets. TCP/IP states that an ARP request has to be issued (if the address is not in the ARP cache) every time. The ARP request is useless here, as it won't be answered because the queried host is not on the same subnet. Usually the TCP/IP stack recognizes this because the destination IP subnet is different from its own. So it sends the packet to the default gateway and the gateway issues the ARP request. In your case the host sends all packets for networks it doesn't know or doesn't have a route to (and it doesn't know a route to 192.168.1.0) to the default gateway, which should be your Internet gateway. So the packets never reach 192.168.1.100.

But maybe that will work if you add a route on the host, telling it that it can reach 192.168.1.0 via 192.168.25.130, assuming routing works on DC1:

route add 192.168.1.0 mask 255.255.255.0 192.168.25.130 -p


aazpf1
Contributor

All TCP/IP settings are as you mentioned.

I added the route on DC1 as you suggested.

Anyway, I was thinking: DNS is not working, as, if I cannot ping 192.168.25.2 (DC1's main NS) from DC2, it is useless to add it as an NS on DC2.

In fact, nslookup fails.

I added another route on DC1 pointing back to 192.168.1.0 with GW 192.168.1.100.

Still nothing.

AWo
Immortal

I have somewhat less time at the moment.

So some things on DNS:

You created two DCs. That means they must point to themselves as DNS servers. But the DNS service on those servers must use 192.168.25.2 as the DNS forwarding address. This IP is the host's VMnet8 adapter IP address +1. The NAT service on the host will forward these packets accordingly.

But you're right, as long as routing doesn't work that is useless. You have to get the routing working. The first routing is on DC1 between VMnet2 and VMnet8. The second is on the host. Your host OS was XP, right? XP itself has no routing engine; only Windows Server OS can act as a router.

But the VMware NAT will forward packets. At least outgoing ones, and incoming ones which belong to an active communication from a host on VMnet8. That's what I meant: I'm not sure if the NAT engine can use the route entry on the host telling it how to reach 192.168.1.0.


aazpf1
Contributor

AWo, thanks,

I need to check things out.

So it could be that it is not possible at all, assuming DNS and routing are all set up correctly.

The DCs are not DCs yet; I just called them that in view of the dcpromo, but got stuck in this situation.

As you say, I may add a NAT device to DC2 (supposedly the child domain) and have it get out to the web independently (as in many real-world scenarios).

But I am stubborn and need to check if it is possible for this DC2 to go out through DC1, the forest root DC (as in many other real-world scenarios).

Thanks, man!!

I will revert later.

Thanks for the help.

aazpf1
Contributor

This is getting funny:

I tried a different approach:

1st VM (dc1) with 2 NICS:

NIC1 auto-bridging to the external network (working, as I can surf the web)

IP: 192.168.1.38

GW: 192.168.1.1 (same as my home network)

NIC2 connected to VMNET2 (192.168.10.1)

-


2nd VM (router)

NIC1 connected to VMNET2 (192.168.10.10)

NIC2 connected to VMNET4 (192.168.12.10)

-


3rd VM (dc2) with one Nic (192.168.12.1)

connected to VMNET4

The intention is again to simulate two LANs where I install AD with a child domain on the 3rd VM.

Well, from the router I can ping up to the interface 192.168.1.38, but I cannot ping the gateway (192.168.1.1), which is on the same subnet!!!!

Same story from the 3rd VM.

I can ping up to the router interface connected to VMNET2 (192.168.10.10) but not the DC1 NIC connected to the same VMNET2, which has an IP on the same subnet (192.168.10.1).

I'd like this to be clarified, if possible.

Thank you

AWo
Immortal

1st VM (dc1) with 2 NICS:

NIC1 auto-bridging to the external network (working, as I can surf the web)

IP: 192.168.1.38

GW: 192.168.1.1 (same as my home network)

NIC2 connected to VMNET2 (192.168.10.1)

That's OK. Routing enabled?

2nd VM (router)

NIC1 connected to VMNET2 (192.168.10.10)

NIC2 connected to VMNET4 (192.168.12.10)

That's OK. It should not have Internet access, as there's no connection to 192.168.1.0.

3rd VM (dc2) with one Nic (192.168.12.1)

connected to VMNET4

Also no Internet access, as there's no connection to 192.168.1.0.

Well, from the router I can ping up to the interface 192.168.1.38, but I cannot ping the gateway (192.168.1.1), which is on the same subnet!!!!

Router = 2nd VM? How can you reach 192.168.1.0 at all when this host has no NIC connected to that network? Is DC1 also a router?

Same story from the 3rd VM.

I can ping up to the router interface connected to VMNET2 (192.168.10.10) but not the DC1 NIC connected to the same VMNET2, which has an IP on the same subnet (192.168.10.1).

1. How to connect your guests the way you want (without Internet in mind):

DC1:

1 vNIC bridged (VMnet0) (If#0)

1 vNIC attached to VMnet2 (If#1)

Routing enabled (RRAS)

Default gateway --> Internet Gateway (192.168.1.1)

Route to add: to VMnet4 via If#2

DNS --> Internet DNS (Internet Gateway?)

DC2:

1 vNIC attached to VMnet2 (If#2)

1 vNIC attached to VMNet4 (If#3)

Routing enabled (RRAS)

Default gateway --> If#1

No route needs to be added.

DNS --> Internet DNS (Internet Gateway?)

DC3:

1 vNIC attached to VMnet4 (If#4)

Default gateway --> (If#3)

DNS --> Internet DNS (Internet Gateway?)

That connects all hosts and should make it possible to ping from DC3 up to the Internet Gateway.

I kept DNS out of the game. Internet access should now work via DC1 for all guests.

If you want to use local DNS servers on the virtual machines you need to configure the appropriate DNS forwarding addresses. But first try this. As long as this doesn't work, continuing with DNS is useless.

Disable all firewalls on the guests and the host while testing.


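Added example, not part of the original thread: a small longest-prefix-match forwarding simulation, written for this page, that replays the point made earlier about ARP and default routes (a host only ARPs for a destination that is on-link; anything else goes to the gateway of the best matching route, and that gateway repeats the lookup) against the three-VM layout just described. The addresses are the ones from the thread. Everything else is an assumption for the example: the home gateway at 192.168.1.1 carries only a default route towards an upstream hop (203.0.113.1, a documentation address chosen here) and has no route back into VMnet2 or VMnet4, and DC1 forwards without NAT. Under those assumptions the echo request from DC3 reaches 192.168.1.1, but the echo reply for 192.168.12.1 matches nothing but the gateway's default route and leaves the lab, which reproduces the "can ping 192.168.1.38 but not 192.168.1.1" symptom. The final lines add return routes on the gateway via 192.168.1.38, the counterpart of the `route add ... -p` suggested for the host in the first topology, and rerun the ping.

```python
"""Per-hop longest-prefix-match forwarding for the three-VM lab (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[IPv4]          # None = directly connected (on-link)


@dataclass
class Node:
    name: str
    addresses: set
    routes: list

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match; None when nothing (not even a default) fits."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def route(prefix: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), None if via is None else IPv4(via))


def build_lab() -> list:
    """Tables as described in the thread; the HOMEGW upstream hop is assumed."""
    dc3 = Node("DC3", {IPv4("192.168.12.1")}, [
        route("192.168.12.0/24"),
        route("0.0.0.0/0", "192.168.12.10")])
    rtr = Node("ROUTER", {IPv4("192.168.10.10"), IPv4("192.168.12.10")}, [
        route("192.168.10.0/24"),
        route("192.168.12.0/24"),
        route("0.0.0.0/0", "192.168.10.1")])
    dc1 = Node("DC1", {IPv4("192.168.1.38"), IPv4("192.168.10.1")}, [
        route("192.168.1.0/24"),
        route("192.168.10.0/24"),
        route("192.168.12.0/24", "192.168.10.10"),   # the "downwards" route to VMnet4
        route("0.0.0.0/0", "192.168.1.1")])
    homegw = Node("HOMEGW", {IPv4("192.168.1.1")}, [
        route("192.168.1.0/24"),
        route("0.0.0.0/0", "203.0.113.1")])          # assumed ISP hop, outside the lab
    return [dc3, rtr, dc1, homegw]


def owner(nodes: list, ip: IPv4) -> Optional[Node]:
    return next((n for n in nodes if ip in n.addresses), None)


def trace(nodes: list, src: Node, dst: IPv4, max_hops: int = 8):
    """Walk one packet hop by hop. Returns (list of node names, delivered?)."""
    path, node = [src.name], src
    for _ in range(max_hops):
        if dst in node.addresses:
            return path, True
        r = node.lookup(dst)
        if r is None:
            return path + ["<no route>"], False
        # On-link: this node ARPs for dst itself. Off-link: it ARPs for the
        # gateway instead and hands the packet over; the gateway re-looks-up dst.
        next_ip = dst if r.via is None else r.via
        nxt = owner(nodes, next_ip)
        if nxt is None:
            return path + [f"<{next_ip} not in lab>"], False
        path.append(nxt.name)
        node = nxt
    return path + ["<ttl exceeded>"], False


def ping(nodes: list, src_name: str, dst_ip: str):
    """Echo request out, echo reply back; succeeds only if both are delivered."""
    src = next(n for n in nodes if n.name == src_name)
    dst = IPv4(dst_ip)
    req, ok_req = trace(nodes, src, dst)
    if not ok_req:
        return req, [], False
    # Reply is addressed to the requester's (single) address.
    rep, ok_rep = trace(nodes, owner(nodes, dst), next(iter(src.addresses)))
    return req, rep, ok_rep


if __name__ == "__main__":
    lab = build_lab()
    for target in ("192.168.1.38", "192.168.1.1"):
        req, rep, ok = ping(lab, "DC3", target)
        print(f"ping {target}: {'ok' if ok else 'FAIL'} request={req} reply={rep}")
    # Teach the home gateway the way back into the VMnets via DC1's bridged NIC.
    gw = next(n for n in lab if n.name == "HOMEGW")
    gw.routes += [route("192.168.10.0/24", "192.168.1.38"),
                  route("192.168.12.0/24", "192.168.1.38")]
    req, rep, ok = ping(lab, "DC3", "192.168.1.1")
    print(f"with return routes on HOMEGW: {'ok' if ok else 'FAIL'} reply={rep}")
```

Run it with python3. The first ping succeeds because DC1 already holds the downward route to VMnet4; the second fails at the gateway until it learns a route back, exactly where the reply would otherwise be handed to the upstream hop. The same table-per-node reasoning transfers to the first topology with VMnet8, with one caveat the thread leaves open: there the device at 192.168.25.2 is the VMware NAT engine rather than a plain router, and whether it honours a host route such as the one suggested above is the unresolved question.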
aazpf1
Contributor

AWo wrote:

1. How to connect your guests the way you want (without Internet in mind):

DC1:

1 vNIC bridged (VMnet0) (If#0)

1 vNIC attached to VMnet2 (If#1)

Routing enabled (RRAS)

Default gateway --> Internet Gateway (192.168.1.1)

Route to add: to VMnet4 via If#2

DNS --> Internet DNS (Internet Gateway?)

DNS is the ISP DNS. Default gateway is vNIC1.

Routing enabled in RRAS.

DC2:

1 vNIC attached to VMnet2 (If#2)

1 vNIC attached to VMNet4 (If#3)

Routing enabled (RRAS)

Default gateway --> If#1

No route needs to be added.

DNS --> Internet DNS (Internet Gateway?)

No DNS settings - yes, this is what I called the router (sorry).

DC3:

1 vNIC attached to VMnet4 (If#4)

Default gateway --> (If#3)

DNS --> Internet DNS (Internet Gateway?)

That connects all hosts and should make it possible to ping from DC3 up to the Internet Gateway.

I kept DNS out of the game. Internet access should now work via DC1 for all guests.

If you want to use local DNS servers on the virtual machines you need to configure the appropriate DNS forwarding addresses. But first try this. As long as this doesn't work, continuing with DNS is useless.

Disable all firewalls on the guests and the host while testing.

I did all you suggested. VM Router and VM DC3 don't have a DNS setting yet... first I wanted to check the connectivity.

I was just missing the route (downwards) on DC1 to VMnet4, which I added.

Now, from DC3 I can ping all interfaces up to vNIC1 on DC1 (192.168.1.38), but I cannot ping the gateway 192.168.1.1.
