Hi all,
I've managed to successfully deploy NSX-T on my home lab. I am able to ping out to anywhere such as 8.8.8.8 or google.com and I get responses. However, I am attempting to communicate from my computer through to a VM sitting on a segment. Currently, the server on the segment can ping out to my PC's IP (via NAT), however, my device cannot ping to its IP. Here is the traceroute:
I have set up a static route on the pfSense router to route all requests to 192.168.20.0/24 via 192.168.2.221 (L0 Gateway interface IP).
Tracing route to 192.168.20.30 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.1.1 - Pfsense Router Gateway
2 <1 ms <1 ms <1 ms 192.168.2.221 - L0 Gateway
3 <1 ms <1 ms <1 ms 100.64.240.1 - L1 Gateway
4 * * * Request timed out.
5 * * * Request timed out.
6 * * ^C
As far as I know, I do not have any firewall rules blocking this.
Any help would be greatly appreciated.
Thanks!
How many interfaces does your VM have? Are you sure the gateway/default route is set correctly in the machine?
Hi Sreec,
Thanks for helping.
The VM only has one interface that is connected to the segment. It can communicate out to the internet via another interface on the T0 gateway, in addition to being able to ping my desktop computer.
Thanks,
James
Not sure why you're calling them "L0" and "L1". They're "T0" and "T1" objects. In any case, your trace shows it going all the way to the downlink of the T1, so it's possible the destination isn't accepting ICMP traffic. Check the local firewall. Put another VM on the same logical segment and do a ping east-west and see if you get a response.
Hi daphnissov,
My mistake, thanks for correcting that. I've just tried pinging from a device in the same segment, in addition to a separate segment, and both are working.
Thanks,
James
Check your T1 for non-default configurations you may have applied. There shouldn't be any SNAT rules, for example. I'd then look at tcpdump output on the destination VM checking for those ICMP packets to see what's in the ethernet header. Maybe the source address is getting replaced and return traffic is black holed.
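The tcpdump check suggested above can be scripted. The following is an added example, not part of the original thread: it triages `tcpdump -e -n icmp` text output captured on the destination VM to tell whether echo requests arrive at all, arrive with a rewritten source, or are answered. The client address 192.168.1.50, the translated address 198.51.100.10, the MAC addresses and the `triage` helper are constructed assumptions; only 192.168.20.30 comes from the post.

```python
import re

# IP/ICMP portion of `tcpdump -e -n icmp` text output.
ICMP_RE = re.compile(
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample capture (not from the thread). 192.168.20.30 is the VM
# from the post; 198.51.100.10 stands in for a translated source address.
ETH_IN = "00:50:56:00:00:01 > 00:50:56:00:00:02, ethertype IPv4 (0x0800), length 98: "
ETH_OUT = "00:50:56:00:00:02 > 00:50:56:00:00:01, ethertype IPv4 (0x0800), length 98: "
SAMPLE = [
    "12:00:01.000001 " + ETH_IN + "198.51.100.10 > 192.168.20.30: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.000120 " + ETH_OUT + "192.168.20.30 > 198.51.100.10: ICMP echo reply, id 7, seq 1, length 64",
]

def triage(capture_lines, client_ip, vm_ip):
    """Classify a capture taken on the destination VM.

    Returns (verdict, details), verdict being one of:
      'no-requests'      nothing reached the VM, so the drop is upstream of it
      'source-rewritten' requests arrived from an address other than the client
      'no-replies'       requests arrived intact but the VM did not answer
      'replies-sent'     the VM answered the real client; inspect the return path
    """
    requests, replies = {}, set()
    for line in capture_lines:
        m = ICMP_RE.search(line)
        if not m:
            continue
        key = (m["id"], m["seq"])
        if m["kind"] == "request" and m["dst"] == vm_ip:
            requests[key] = m["src"]
        elif m["kind"] == "reply" and m["src"] == vm_ip:
            replies.add(key)
    if not requests:
        return "no-requests", []
    rewritten = sorted({src for src in requests.values() if src != client_ip})
    if rewritten:
        return "source-rewritten", rewritten
    unanswered = sorted(k for k in requests if k not in replies)
    if unanswered:
        return "no-replies", unanswered
    return "replies-sent", sorted(replies)

if __name__ == "__main__":
    print(triage(SAMPLE, "192.168.1.50", "192.168.20.30"))
```

A 'replies-sent' verdict while the client still sees timeouts means the next capture belongs on the client or on the gateway uplink, where a reply arriving from an address other than the VM's would point at translation on the return path.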
Hi daphnissov,
You hit the nail on the head. I just had a look at the NAT rules on the T1 and there was a SNAT rule.
Thanks,
James