VMware Cloud Community
pawelkaroluk
Contributor

HowTo manage from VM Net without Physical Adapter

Hi, I have a problem getting access to vSphere from a virtual LAN, but let's start from the beginning.

My soft VPN server "router" gives me access to the 192.168.0.0/24 network (vSwitch2 - V.Net and V.Net Management).

When I try to open https://192.168.0.200 in a web browser I get an error, so what is the reason for that situation - the embedded firewall, or an incorrect config of the VMkernel port for V.Net Management?

0 Kudos
8 Replies
marcelo_soares
Champion

Can you ping this IP? Or perform "telnet 902"?

Marcelo Soares

VMWare Certified Professional 310/410

Virtualization Tech Master

Globant Argentina

Consider awarding points for "helpful" and/or "correct" answers.
0 Kudos
pawelkaroluk
Contributor

ping 192.168.0.1 - ok - router from V.NET

ping 192.168.0.98 - ok - Windows Machine

ping 192.168.0.200 - fail - ESXi Server

Same with telnet on 443. RDP to Windows is working and the ESXi portal from this machine is working, so it is probably not the router's firewall but rather the config of the VMkernel.

0 Kudos
marcelo_soares
Champion

Hmmm... OK, and did you configure a gateway for the management network of this box? Are you able to ping it from one of the machines inside the 192.168.0.* network?

0 Kudos
Rumple
Virtuoso

Is your ESXi management IP 192.168.0.200?

ESXi does not include an HTTP interface, which is probably your problem.

But, more importantly, you should NEVER expose the management interface to the internet in any shape or form...

0 Kudos
pawelkaroluk
Contributor

I will explain once again. I have a server with 2 LAN adapters; one of them is for the LAN (vSwitch0 192.168.1.0/24), where the Management Interface 192.168.1.70 is, and everything is working OK. But I want to manage ESXi from the WAN side, so I created an internal-only network area (vSwitch2 192.168.0.0/24) with VMkernel port 192.168.0.200, and it's working too: from RDP I can manage from vSphere Client and the https portal is working too, but ...

but from the VPN it is not working. I'm passing all TCP/UDP and ICMP traffic; the problem is in ESXi, because a packet from the VPN subnet is routed in the OpenVPN server to the LAN address and the firewall in ESXi blocks it - that is my opinion.

The funny thing is that I have done the same on another server and there everything works fine.

Rumple, you don't need to be afraid about the WAN side because I have a firewall on the border.

http://img534.imageshack.us/img534/9508/vmnet2.png

http://img691.imageshack.us/img691/6771/vmnet.png

0 Kudos
Rumple
Virtuoso

I see said the blind man...

Have you connected right to the ESX server with the Virtual Infrastructure Client (VIC) to look at the security settings, to see if there is any difference between the machines' firewall rules?

Although you've added a second vmkernel network, my suspicion is that traffic is coming in on the .200 network IP, but traveling out the default vmkernel interface IP of .70... and when the firewall sees that request it drops the packet. I've done the same thing as you, using different networks for the management interface and putting on a static route to make sure traffic went back out the right interface...

0 Kudos
pawelkaroluk
Contributor

OK, I have changed it and now it's working, but I need some advice.

I have 2 VMkernel ports for management: the first one, with a physical adapter, has IP 192.168.1.70/24, and the second one, without an adapter, has IP 192.168.0.200/24.

And I have only one gateway for my machine. If I choose 192.168.1.1 I can't manage from a remote host, BUT if I choose 192.168.0.1 everything is working.

In the first situation:

My host (ex 10.0.0.2/24) -> VPN -> VPN Server (10.0.0.1/24 / 192.168.0.1/24) -> ESXi (192.168.0.200) ... and the packet goes to the gateway (192.168.1.1)

In the second one:

My host (ex 10.0.0.2/24) -> VPN -> VPN Server (10.0.0.1/24 / 192.168.0.1/24) -> ESXi (192.168.0.200) ... and the packet goes back to the VPN Server (192.168.0.1)

Do I understand correctly?

0 Kudos
marcelo_soares
Champion

You must keep in mind that your problem is network related. Any time you need to access another network you need a route for that. What I would suggest to you is to enable NAT on your VPN server, or create static routes on the ESXi - but this will demand a little extra configuration because of the nature of the ESXi service console.

0 Kudos
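
The return-path question raised in the last posts, as an added example that is not part of any participant's post: a simplified longest-prefix-match model of the host's routing table, showing which hop a reply to the VPN client takes under each default gateway and with a static route. The interface names `vmk0`/`vmk1`, the function names and the 10.0.0.0/24 VPN subnet (taken from the "ex 10.0.0.2/24" address in the thread) are assumptions; this is not ESXi's own routing code.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: return (gateway, interface); gateway None = on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in ipaddress.ip_network(r[0])]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, gw, iface = max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return gw, iface

def reply_path(routes, ingress_iface, ingress_gw, client):
    """Compare the hop a request arrived through with the hop its reply leaves by."""
    gw, iface = next_hop(routes, client)
    symmetric = (gw, iface) == (ingress_gw, ingress_iface)
    return {"reply_via": gw, "reply_iface": iface, "symmetric": symmetric}

# Connected networks of the two VMkernel ports described in the thread.
CONNECTED = [
    ("192.168.1.0/24", None, "vmk0"),  # 192.168.1.70, vSwitch0 (physical adapter)
    ("192.168.0.0/24", None, "vmk1"),  # 192.168.0.200, vSwitch2 (internal only)
]

def table(default_gw, default_iface, static=()):
    """Build a routing table: connected nets + one default route + static routes."""
    return CONNECTED + [("0.0.0.0/0", default_gw, default_iface)] + list(static)

VPN_CLIENT = "10.0.0.2"     # example client address used in the thread
VPN_SERVER = "192.168.0.1"  # VPN server's leg on vSwitch2

SCENARIOS = {
    "default gw 192.168.1.1": table("192.168.1.1", "vmk0"),
    "default gw 192.168.0.1": table("192.168.0.1", "vmk1"),
    # Assumed static route for the VPN client subnet, LAN default gateway kept.
    "default gw 192.168.1.1 + static route": table(
        "192.168.1.1", "vmk0", [("10.0.0.0/24", VPN_SERVER, "vmk1")]),
}

def evaluate():
    """Requests arrive on vmk1 via the VPN server; report each reply path."""
    return {name: reply_path(rt, "vmk1", VPN_SERVER, VPN_CLIENT)
            for name, rt in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```

In this model, hosts inside 192.168.0.0/24 are always reached on-link through `vmk1`; only clients behind the VPN server depend on the gateway or static route chosen.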