VMware Cloud Community
Phatsta
Enthusiast

Network issues

Recently I discovered that I cannot connect to any ftp site from any client in my network. I've tried with 5+ computers and several different ftp clients such as CoreFTP, FileZilla and WinSCP. They all time out, leaving an error message saying only "timeout error". To me this looks like a firewall issue, so I've made sure to turn off all software firewalls from the group policy. I also have a m0n0wall router with firewall running as a virtual machine on one of my ESXi 4.1 hosts, and I've even tried adding rules in this to allow all traffic in both directions. No matter what I do, ftp will not work. All other protocols seem to work though; we have no connectivity issues towards the internet, it's only ftp that fails. To ensure the problem is in fact in my network, I now have my WinXP client on an external IP directly connected to the internet, and ftp works perfectly. So I know there's something wrong with my network setup, but I can't figure out where, and I'm starting to suspect the ESXi network settings. This is my setup: WAN ---> vSwitch0 ---> m0n0wall VM ---> vSwitch1. vSwitch0 leads only to the m0n0wall VM (and its WAN interface of course). vSwitch1 is the main network where all the clients and servers are connected. I've looked at the settings for the switches and both vSwitch0 and 1 have the same settings under vSwitch properties:

Security
Promiscuous Mode: Reject
MAC Address Changes: Accept
Forged Transmits: Accept

Traffic Shaping
Status: Disabled

NIC Teaming
Load Balancing: Route based on the originating virtual port ID
Network Failover Detection: Link status only
Notify Switches: Yes
Failback: Yes

Under Active adapters I've only got 1 NIC on each vSwitch. Anyone got any ideas where I should start to look?

weinstein5
Immortal

vSwitch does not perform any firewall activity - the experiment you performed indicates the issue is in the m0n0wall firewall configuration -

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
Walfordr
Expert

I agree with David, it sounds like it's an issue with the FW.  I have seen various firewalls handle PASV ftp differently. While some take care of it automatically, you have to fine tune others.

Does anything show under diagnostics when the connection times out?

Robert -- BSIT, VCP3/VCP4, A+, MCP (Wow I haven't updated my profile since 4.1 days) -- Please consider awarding points for "helpful" and/or "correct" answers.
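The point Robert makes about PASV ftp is why a firewall can time out this one protocol while everything else works: the data connection goes to a host and port that are announced inside the control channel, so a rule set that only knows about port 21 never sees where the transfer actually happens. The following is an added example, not code from the thread or from m0n0wall; it walks a constructed control-channel transcript (the IP addresses are documentation-range placeholders I chose) and lists every data connection a firewall would have to allow, the way a stateful ftp helper derives them. It also flags a PASV reply whose announced address differs from the control-channel peer, which most firewall helpers refuse to honour.

```python
import re
from ipaddress import ip_address

# Constructed ftp control-channel transcript for illustration only.
# (speaker, line) pairs; the server and client addresses are placeholders.
SAMPLE_CONTROL_SESSION = [
    ("server", "220 ftp.example.invalid ready"),
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PASS guest@"),
    ("server", "230 Login successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,10,195,149)."),
    ("client", "LIST"),
    ("client", "PORT 192,168,1,50,4,1"),
    ("server", "200 PORT command successful."),
    ("client", "RETR file.txt"),
    # Announced address does not match the server the client is talking to.
    ("server", "227 Entering Passive Mode (198,51,100,7,7,208)."),
]

# Addresses of the two ends of the control connection (placeholders).
CONTROL_PEERS = {"client": "192.168.1.50", "server": "203.0.113.10"}

# 227 reply: "227 ... (h1,h2,h3,h4,p1,p2)"; PORT command: "PORT h1,h2,h3,h4,p1,p2"
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def decode_endpoint(groups):
    """Turn the six decimal fields h1..h4,p1,p2 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_data_connections(session, peers):
    """Walk the control channel and list every data connection it negotiates.

    PASV: the server announces an endpoint and the client connects out to it.
    PORT: the client announces an endpoint and the server connects back in.
    Each entry also records whether the announced address is the same host
    as the control-channel peer that announced it.
    """
    result = []
    for speaker, line in session:
        match = _PASV_RE.match(line) if speaker == "server" else _PORT_RE.match(line)
        if not match:
            continue
        ip, port = decode_endpoint(match.groups())
        result.append({
            "mode": "PASV" if speaker == "server" else "PORT",
            "initiator": "client" if speaker == "server" else "server",
            "dst_ip": ip,
            "dst_port": port,
            "address_matches_peer": ip_address(ip) == ip_address(peers[speaker]),
        })
    return result


def required_allow_rules(session, peers):
    """Render the per-transfer allow rules a firewall would need, one per
    negotiated data connection, to show why static port-21 rules are not enough."""
    rules = []
    for entry in expected_data_connections(session, peers):
        src = peers[entry["initiator"]]
        note = "" if entry["address_matches_peer"] else "  # REJECT: announced host != control peer"
        rules.append(f"allow tcp {src} -> {entry['dst_ip']}:{entry['dst_port']}{note}")
    return rules


if __name__ == "__main__":
    for rule in required_allow_rules(SAMPLE_CONTROL_SESSION, CONTROL_PEERS):
        print(rule)
```

Run as a script it prints three candidate rules: the first PASV transfer to port 50069, the PORT transfer in which the server connects back to the client on port 1025, and a third one marked for rejection because the announced host differs from the server the client is actually connected to. Each of these ports is chosen at transfer time, which is exactly what a firewall without ftp awareness cannot anticipate.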
Phatsta
Enthusiast

No, unfortunately there's nothing in the log about the connection at all as far as I can tell. Maybe that's actually a sign something is wrong. I'll look at the firewall again and see what I can do. Thanks for your replies!

On 2 Nov 2011 at 17:40, "Robert Walford" <communities-emailer@vmware.com> wrote:

weinstein5
Immortal

Can you post a screen shot of your virtual switches - to make sure the VMs are connected correctly -

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
Phatsta
Enthusiast

Sure, here it is.

Sorry for the confusion, I accidentally swapped the numbers of the vSwitches in my initial post.

By the way, I read something like "Promiscuous mode" is supposed to give VMs "deeper" insight into network traffic (for lack of a better description) and that firewalls should have this enabled. I don't believe it'll make any difference in this case, but is it best practice to have this enabled?

Walfordr
Expert

By the way, I read something like "Promiscuous mode" is supposed to give VMs "deeper" insight into network traffic (for lack of a better description) and that firewalls should have this enabled. I don't believe it'll make any difference in this case, but is it best practice to have this enabled?

It's best practice to turn Promiscuous mode off (default) and enable it only if needed at the vSwitch or Portgroup level.  What Promiscuous mode does is allow VMs to see all traffic (frames) flowing through the vSwitch or Portgroup.  You would enable it if you have an IDS/IPS or a network packet capture VM/appliance such as snort, suricata, wireshark or one that requires it, etc.

I have not gotten around to testing m0n0wall yet, but does it tell you to enable Promiscuous in the guide?

These posts recommend enabling it so maybe you can give it a try:

http://vvirtual.wordpress.com/2010/06/02/how-to-simulate-wan-in-vmware-2/

http://forum.m0n0.ch/index.php?topic=3296.0

Robert -- BSIT, VCP3/VCP4, A+, MCP (Wow I haven't updated my profile since 4.1 days) -- Please consider awarding points for "helpful" and/or "correct" answers.
Walfordr
Expert

I just got my hands on the m0n0wall handbook.  Below are the results of a quick search for Promiscuous.

17.7. Troubleshooting Bridging

In order to support bridging, the network cards you are using must support promiscuous mode. Not all do. Some people have reported problems with Realtek chipsets not supporting promiscuous mode. To determine if your NIC does, see its documentation.

Robert -- BSIT, VCP3/VCP4, A+, MCP (Wow I haven't updated my profile since 4.1 days) -- Please consider awarding points for "helpful" and/or "correct" answers.