VMware Networking Community
RickBaran
Contributor

Outbound Rules (No NAT)

We are just starting with NSX and everything seems to be pretty straightforward, but we are having two issues that are not making sense and wanted to see if anyone else can shed some light on them.

Config:

Public GW -> Public WAN IP -> edge01 -> LAN Public IP -> VM public IP

We are using an edge device that is doing our public layer 3 routing (no NAT), and we had to do way more rules than I would expect and have to “Apply To” both the DFW and the Edge device.

All the rules that we created inbound are what would be expected (ports -> VM public IP -> from any), but the outbound was what seemed a little funky. We ended up doing an outbound VM Public IP -> ALL -> !not Edge01 IPs and then a block rule from VM Public IPs -> VM Public IPs. I have not been able to find a different way to get this to work, so if anyone has any other suggestions, or if this just would be what we need to do?

The downside to this is that if we have a rule above all this that allows traffic from any to a VM Public IP, and another VM guest needs this access as well, we can't seem to get it to access that ANY rule even if it is above the VM Public IPs -> VM Public IPs block rule.

The second issue:

The rules that we create for the VM Public IPs have to be applied to the DFW and the Edge device, otherwise the rule does not work. My understanding is that it processes the DFW first, so why does it not allow if it is applied to the DFW only?


Thanks!

6 Replies
DaleCoghlan
VMware Employee

For your first issue, it's a bit hard to understand from your description. Are you able to post some screenshots of your config, as that might make it a bit easier to understand?

For your second issue, it sounds like you still have the ESG Firewall enabled and the traffic is traversing that firewall. That's why you need to apply the rules to the ESG.

Is it your intention to also firewall all traffic traversing the ESG?

Dale

RickBaran
Contributor

1) I will try and re-document it, but it is live and I am trying to avoid posting accessible info. I think we might have the answer to this, but I will post on the findings.

2) Yes, the default block rule and firewall are enabled; if I didn't, you can reach the SSH service on the edge devices. This is the only reason that the firewall is enabled on the edge device.

Thanks

DaleCoghlan
VMware Employee

Just going to play devil's advocate here, but why do you need SSH access enabled on the ESG? The majority of troubleshooting commands on an ESG can be accomplished via the Central CLI, and for the couple that aren't available, you can grab those via the console.

It would make your life a lot easier.

hansroeder
Enthusiast

Regarding the second issue, this is because the ESG is simply just another/different firewall. You have the Distributed Firewall, which handles East/West traffic, and then you go out of the datacenter and you hit a new roadblock (the ESG). If you don't also permit the traffic on the ESG, the traffic will be blocked. If you compare this to two physical firewalls, it makes sense. That's why you should apply the rules to both the DFW and the ESG. The same would probably happen if you applied the rules to the ESG but not to the DFW: then the DFW would block the traffic instead of the ESG.

RickBaran
Contributor

Thanks Hans this added to the understanding.

RickBaran
Contributor

Dale,

1) Have not been able to get to redoing the docs, but the short of it is that we are using the ESG to route all the public networks through while doing DFW. I ended up creating the inbound port access that the hosts needed with a direction of IN only, and then did an allow from the IP host blocks if the destination was not the router or the host IP block, with a direction of OUT only. This simplified the rule sets that we originally had; we were able to remove the block rule that we had to set up. Not sure this is the best way, but definitely simpler than what we had.

2) We have a tech portal that has tools that the techs can run on the routers/firewall when working on connectivity issues, and they use SSH to connect and run the commands. Looking at it deeper, I assume that we could change the default block rule on the ESG to allow and create a rule to block SSH unless it is coming from our management IP addresses?

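As an added illustration (not from the thread and not NSX code), here is a small Python model of the two enforcement points discussed above: the DFW, evaluated at each VM vNIC with direction relative to that vNIC, and the ESG firewall, evaluated where traffic crosses the edge. The addresses, rule names, management range and default-block behaviour are assumptions. The rule set follows the shape in the final post (IN-only inbound allows, one OUT-only allow to anything except the edge and the VM block) plus an explicit SSH allow to the edge from an assumed management range, applied to the ESG only. `trace()` returns whether a packet passes every point it crosses and the decision at each one.

```python
"""Toy model of the two enforcement points discussed in the thread: the NSX
Distributed Firewall (DFW), applied at every VM vNIC with direction relative
to that vNIC, and the Edge Services Gateway (ESG) firewall, applied where
traffic crosses the edge. Constructed example for illustration; it is not NSX
code. Addresses, rule names and the management range are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

VM_PUBLIC = ip_network("203.0.113.0/24")   # assumed "VM Public IP" block
EDGE_IPS = ip_network("198.51.100.0/30")   # assumed edge01 interface IPs
MGMT = ip_network("10.0.0.0/24")           # assumed management addresses


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple                  # CIDRs, or ("any",)
    dst: tuple                  # CIDRs, or ("any",)
    dport: Optional[int]        # None = any port
    action: str                 # "allow" | "block"
    direction: str = "inout"    # "in" | "out" | "inout"
    dst_negate: bool = False    # the "!not" destination from the thread
    applied_to: frozenset = frozenset({"dfw", "esg"})  # the "Apply To" field


def _in(addr, cidrs):
    return "any" in cidrs or any(ip_address(addr) in ip_network(c) for c in cidrs)


def rule_matches(rule, src, dst, dport, direction):
    if rule.direction not in ("inout", direction) or not _in(src, rule.src):
        return False
    dst_hit = _in(dst, rule.dst) != rule.dst_negate   # XOR applies the negation
    return dst_hit and (rule.dport is None or rule.dport == dport)


def evaluate(rules, point, src, dst, dport, direction, default="block"):
    """First match wins among rules applied to this point; else the default."""
    for r in rules:
        if point in r.applied_to and rule_matches(r, src, dst, dport, direction):
            return r.action, r.name
    return default, "default"


def trace(rules, src, dst, dport):
    """Walk one packet through every point it crosses and return
    (allowed_end_to_end, [(point, (action, rule_name)), ...]).
    Model assumptions: DFW at the source vNIC (OUT) and destination vNIC (IN)
    for each end that is a VM; the ESG only when the packet crosses the edge
    or is addressed to the edge itself, with IN meaning 'from outside'."""
    src_vm = ip_address(src) in VM_PUBLIC
    dst_vm = ip_address(dst) in VM_PUBLIC
    hops = []
    if src_vm:
        hops.append(("dfw@" + src, evaluate(rules, "dfw", src, dst, dport, "out")))
    if src_vm != dst_vm or ip_address(dst) in EDGE_IPS:
        hops.append(("esg", evaluate(rules, "esg", src, dst, dport,
                                     "out" if src_vm else "in")))
    if dst_vm:
        hops.append(("dfw@" + dst, evaluate(rules, "dfw", src, dst, dport, "in")))
    return all(a == "allow" for _, (a, _) in hops), hops


# Rule set in the shape of the final post: IN-only inbound allows, an OUT-only
# allow to anything that is not the edge or the VM block, plus an explicit
# SSH allow to the edge from management only (ESG default stays "block").
RULES = [
    Rule("web-in", ("any",), (str(VM_PUBLIC),), 443, "allow", direction="in"),
    Rule("vm-out", (str(VM_PUBLIC),), (str(EDGE_IPS), str(VM_PUBLIC)), None, "allow",
         direction="out", dst_negate=True),
    Rule("mgmt-ssh", (str(MGMT),), (str(EDGE_IPS),), 22, "allow",
         applied_to=frozenset({"esg"})),
]

# Same inbound rule, but applied to the DFW only (the second issue).
DFW_ONLY = [Rule("web-in", ("any",), (str(VM_PUBLIC),), 443, "allow",
                 direction="in", applied_to=frozenset({"dfw"}))] + RULES[1:]

if __name__ == "__main__":
    for rules, src, dst, port in [
        (RULES, "192.0.2.10", "203.0.113.10", 443),     # internet -> VM: passes both
        (DFW_ONLY, "192.0.2.10", "203.0.113.10", 443),  # DFW allows, ESG default blocks
        (RULES, "203.0.113.10", "192.0.2.10", 80),      # VM -> internet: passes
        (RULES, "203.0.113.10", "198.51.100.1", 22),    # VM -> edge SSH: blocked
        (RULES, "203.0.113.10", "203.0.113.20", 443),   # VM -> VM: OUT at source blocks
        (RULES, "10.0.0.5", "198.51.100.1", 22),        # mgmt -> edge SSH: allowed
    ]:
        print(src, "->", dst, port, trace(rules, src, dst, port))
```

Two of the traces are the situations in the thread. With the inbound rule applied to the DFW only, the destination vNIC allows the packet but the ESG falls through to its default block, so the packet never arrives. For VM-to-VM traffic, the model evaluates the source vNIC in the OUT direction, where an IN-only "any -> VM" rule never matches and the OUT rule excludes the VM block, so the packet is blocked at the source vNIC regardless of where the inbound rule sits in the list. The management SSH rule shows the allow-list form of the edge access question: the ESG default stays at block and only the assumed management range is permitted to port 22 on the edge.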