Hi all,
I have installed an ESXi 6.5 Update1 Build 6765664 host to do some tests with isolated environments. To accomplish this, I have set up the following vswitches:
[root@scotland:~] esxcfg-vswitch -l
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         2432        6           128               1500    vmnic0

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Prod_Network          0        2           vmnic0
  Management Network    0        1           vmnic0

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
pub01_vs         2432        4           1024              1500    vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Pub01_Network         0        1           vmnic1

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
pub02_vs         2432        2           1024              1500

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Pub02_Network         0        1

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
dmzpub_vs        2432        3           1024              1500

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  DMZ_Network           0        2

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
mgmt_vs          2432        2           1024              1500

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Mgmt_Network          0        1

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
enc_vs           2432        2           1024              1500

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Enc_Network           0        1

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vpn_vs           2432        2           1024              1500

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  VPN_Network           0        1

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
fwsync_vs        2432        2           1024              1500

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  FwSync_Network        0        1
As you can see, only two switches have physical NICs attached. I have set up three virtual machines:
- A DNS server connected to the Prod_Network virtual switch
- A virtual firewall (without rules, all traffic is allowed during all tests) connected to all virtual switches.
- A test machine connected only to the DMZ_Network virtual switch.
Ok, now the problem. The DMZ test machine can't ping the DNS virtual machine connected to the internal Prod_Network virtual switch. The internal DNS server can't ping the DMZ test machine. The firewall (without rules, all traffic is allowed) can't ping the DMZ test machine. The firewall can ping the internal DNS machine, and the internal DNS machine can ping the firewall.
On the other side, the firewall machine can't see any traffic on the Pub01_Network virtual switch (which has a physical NIC attached, and this NIC is connected to an ADSL line). But, surprisingly, the firewall can see traffic from the ADSL network on Pub02_Network ... Why?? Pub02_Network doesn't have any physical NIC attached.
I don't understand anything.
Any light please?
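An added helper (not from this thread or from VMware) that turns an `esxcfg-vswitch -l` listing like the one above into a machine-readable map of which vSwitches have a physical uplink and which are meant to be isolated, so the expected isolation can be checked before trusting what a VM observes on a switch. The sample listing is constructed from the values in the post (two of the switches), and the column layout is assumed to match what esxcfg-vswitch prints.

```python
import re

# Constructed sample in the layout that `esxcfg-vswitch -l` prints; the values
# mirror the thread (vSwitch0 has an uplink, pub02_vs has none).
SAMPLE = """\
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         2432        6           128               1500    vmnic0

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Prod_Network          0        2           vmnic0
  Management Network    0        1           vmnic0

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
pub02_vs         2432        2           1024              1500

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Pub02_Network         0        1
"""

# Names may contain spaces ("Management Network"), so anchor on the numeric
# columns and let the name absorb whatever precedes them. Uplinks are optional.
SWITCH_RE = re.compile(r"^(?P<name>\S.*?)\s+\d+\s+\d+\s+\d+\s+\d+(?:\s+(?P<uplinks>vmnic\S*))?\s*$")
PG_RE = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<vlan>\d+)\s+(?P<used>\d+)(?:\s+(?P<uplinks>vmnic\S*))?\s*$")


def parse_vswitch_listing(text):
    """Parse esxcfg-vswitch -l output into {switch: {"uplinks": [...], "portgroups": {...}}}."""
    switches, current, section = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Switch Name"):
            section = "switch"
        elif line.lstrip().startswith("PortGroup Name"):
            section = "pg"
        elif section == "switch" and (m := SWITCH_RE.match(line)):
            current = m["name"]
            switches[current] = {"uplinks": m["uplinks"].split(",") if m["uplinks"] else [],
                                 "portgroups": {}}
        elif section == "pg" and current and (m := PG_RE.match(line)):
            switches[current]["portgroups"][m["name"]] = {
                "vlan": int(m["vlan"]), "used_ports": int(m["used"]),
                "uplinks": m["uplinks"].split(",") if m["uplinks"] else []}
    return switches


def isolation_map(switches):
    """Classify each switch: 'external' if it has a physical uplink, otherwise 'isolated'."""
    return {name: ("external" if sw["uplinks"] else "isolated") for name, sw in switches.items()}


if __name__ == "__main__":
    parsed = parse_vswitch_listing(SAMPLE)
    for name, state in isolation_map(parsed).items():
        pgs = ", ".join(parsed[name]["portgroups"])
        print(f"{name:12} {state:9} uplinks={parsed[name]['uplinks'] or '-'} portgroups={pgs}")
```

A switch reported as "isolated" should never carry frames from the physical network; external traffic seen on one is the anomaly worth chasing (VM NIC assignment, promiscuous-mode policy, or the guest driver).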
Hi!
Some additional info is needed.
1. What is the IP configuration on all 3 VMs? (IP address, netmask and default GW)
2. Security policy settings on all switches? (Especially promiscuous mode.)
3. Where do you see that the firewall VM sees the traffic? Do you use Wireshark or what?
Thanks Finikiez for your help, but the problem is now solved.
I don't know why, but after changing vmxnet3 to e1000 as the virtual network interface for the firewall VM, all works OK. At this point, it seems to be a bug with vmxnet3 under OpenBSD.
