I've been stuck on a problem of setting up NAT for a network directly connected to the ESG.
It should be simple but I have no idea where the bug is...
The configuration is below:
0. the outside network (10.101.6.0/24) works just fine, and is also used by the hosts
1. one ESG with uplink-interface IP 10.101.6.25 (and secondary 10.101.6.26), connected to a vDS portgroup properly
2. the vNIC on the ESG has interface IP 192.168.1.1 and is connected to a logical switch
3. a test VM uses that logical switch as its network interface, with static IP 192.168.1.2/24
The configuration of the SNAT on the ESG is below:
applied on the (only) uplink-interface; original source IP/range set to 192.168.1.0/24; translated source IP/range set to 10.101.6.26
The configuration of the DNAT on the ESG is below:
applied on the same uplink-interface; original destination IP/range is 10.101.6.25; translated IP/range is 192.168.1.2
Additionally, I enabled the ESG firewall, and the rules are all accept.
The test VM just couldn't reach outside anyway; it cannot even ping the default gateway 192.168.1.1.
Did I misunderstand any knowledge or configurations?
Thanks for any reply~!
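As an added illustration (not part of this thread, and not the ESG's real implementation), here is a small Python model of the stateful SNAT/DNAT pair described in the post: SNAT 192.168.1.0/24 to the uplink secondary 10.101.6.26 on egress, a connection table that un-translates the replies, and an unrestricted DNAT from the uplink primary 10.101.6.25 to the VM. The external address 203.0.113.9, the ports, and the `EdgeUplinkNat` class are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class EdgeUplinkNat:
    """Toy stateful NAT on an edge uplink (assumption: ESG-like rule ordering,
    not the appliance's actual code)."""

    def __init__(self, snat: Dict[str, str], dnat: Optional[Dict[str, str]] = None):
        # SNAT: original source network -> translated source IP (the uplink secondary)
        self.snat = {ipaddress.ip_network(net): ip for net, ip in snat.items()}
        # DNAT: original destination IP -> translated internal IP, no port/protocol match
        self.dnat = dict(dnat or {})
        # connection table: (translated src, sport, dst, dport, proto) -> original src
        self.conntrack: Dict[Tuple[str, int, str, int, str], str] = {}

    def egress(self, pkt: Packet) -> Packet:
        """Packet leaving through the uplink: SNAT it and remember the mapping."""
        src = ipaddress.ip_address(pkt.src)
        for net, translated in self.snat.items():
            if src in net:
                self.conntrack[(translated, pkt.sport, pkt.dst, pkt.dport, pkt.proto)] = pkt.src
                return Packet(translated, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        return pkt

    def ingress(self, pkt: Packet) -> Tuple[Packet, str]:
        """Packet arriving on the uplink. A reply to a tracked connection is un-SNATed;
        anything else is DNATed if a rule matches, otherwise it is for the edge itself."""
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_key in self.conntrack:
            inside = self.conntrack[reply_key]
            return Packet(pkt.src, inside, pkt.sport, pkt.dport, pkt.proto), "reply:un-snat"
        if pkt.dst in self.dnat:
            return Packet(pkt.src, self.dnat[pkt.dst], pkt.sport, pkt.dport, pkt.proto), "dnat"
        return pkt, "to-edge"


def build_edge(with_dnat: bool = True) -> EdgeUplinkNat:
    """The post's rules: SNAT 192.168.1.0/24 -> 10.101.6.26, DNAT 10.101.6.25 -> 192.168.1.2."""
    return EdgeUplinkNat(
        snat={"192.168.1.0/24": "10.101.6.26"},
        dnat={"10.101.6.25": "192.168.1.2"} if with_dnat else None,
    )


def outbound_roundtrip(edge: EdgeUplinkNat) -> Tuple[Packet, Packet, str]:
    """VM 192.168.1.2 opens a TCP connection to 8.8.8.8:443 and the reply comes back."""
    out = edge.egress(Packet("192.168.1.2", "8.8.8.8", 40000, 443))
    # Constructed reply from the remote side, addressed to the SNAT address.
    back, how = edge.ingress(Packet("8.8.8.8", out.src, 443, out.sport))
    return out, back, how


def unsolicited_inbound(edge: EdgeUplinkNat, dport: int) -> Tuple[Packet, str]:
    """Constructed packet from an arbitrary external host to the uplink primary IP."""
    return edge.ingress(Packet("203.0.113.9", "10.101.6.25", 51000, dport))


if __name__ == "__main__":
    edge = build_edge()
    out, back, how = outbound_roundtrip(edge)
    print("egress :", out)               # src rewritten to 10.101.6.26
    print("reply  :", back, how)         # dst restored to 192.168.1.2 via the connection table
    for port in (22, 443, 3389):
        pkt, how = unsolicited_inbound(edge, port)
        print(f"inbound :{port} ->", pkt.dst, how)   # every port lands on the VM
    pkt, how = unsolicited_inbound(build_edge(with_dnat=False), 22)
    print("without DNAT :22 ->", pkt.dst, how)        # stays on the edge
```

The outbound path needs only the SNAT plus the connection table; the DNAT plays no part in it. What the DNAT does do, in this model, is hand every unsolicited inbound packet for 10.101.6.25, on any port and protocol, to the VM, and with all firewall rules set to accept nothing filters that. A DNAT that is not actually needed is therefore both unnecessary for the goal and an exposure of the VM; if one is needed, scope it to the destination port and protocol the service uses and pair it with a matching firewall rule.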
Keeping your NAT aside, your main problem is VM to gateway connectivity.
> Can you check the VM & ESG routing table? You should see 192.168.1.0/24 as a directly connected network.
> Firewall/iptables etc. @ guest level
> Is ESG to VM connectivity fine?
> Are they running on two different ESXi servers? If possible, migrate them to the same server and do a test to rule out possible uplink/policy issues etc.
Hi Sreec,
Your reply is very much appreciated!
But I just discovered that I confused myself;
the configurations were all OK...
because I just double-checked that the test VM can ping the gateway 192.168.1.1 and both 10.101.6.25 and 10.101.6.26 without a problem.
The pings all replied normally, which achieved my initial expectation.
The final problem is that the VM couldn't reach 8.8.8.8, unable to reach the internet.
(the 10.101.6.0/24 was designed as public IP space)
I believe the static route and next hop do not need to be configured, and neither does DHCP.
The "route redistribution table" didn't help either.
Any ideas?
Thanks for the reply again!
Good to hear that. Can the ESG reach the internet?
Yes, the ESG can reach the internet.
I logged in to the edge and pinged 8.8.4.4 and 208.67.222.222; they all replied.
The edge router can also ping 10.101.6.0/24 (designed as public IP space and used by the hosts), of course.
And now I turned off the edge firewall and the VM firewall; it didn't help at all.
This is weird...
VM-ESG and ESG-to-external connectivity is fine as per your findings. Looks like a NAT issue. What is the reason for using two IPs for the SNAT/DNAT rules? Can you write rules like below?
1. SNAT and DNAT with one external IP of the ESG
2. Run a traceroute from the VM to whatever external IP you want to check
Alright, I solved this question.
I double-checked the NAT settings on the ESG and deleted the DNAT, which I actually don't need.
There might be something wrong with the network, and I later found the VM could ping 8.8.8.8.
Weird, but it was supposed to be like this.
The last problem that disappointed me was that the test VM could ping the internet but couldn't browse websites!
After several rounds of troubleshooting, the reason the VM could ping the internet but not browse...
was that the VM and the ESG were located on different hosts.
I vMotioned the VM to the host where the ESG resides, and that solved the browsing problem on the VM.
Further debugging might still need to be done...
It's kind of like MTU and VXLAN problems. I forgot to check the MTU setting on the physical network.
My GOAL was connecting a test VM to a logical switch and ESG, then trying the networking from the VM to the internet.
Anyway, Sreec, I really appreciate your kind help. You are a patient expert!
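The "ping works but browsing doesn't, until the VM sits on the same host as the ESG" symptom is the classic signature of a VXLAN transport MTU that is too small. As an added example (not from the thread), the Python below models why: a small ICMP echo fits inside a 1500-byte physical MTU even after the 50 bytes of VXLAN encapsulation, a full-size TCP segment does not, and traffic between a VM and an ESG on the same host never crosses the physical transport at all. The 50-byte overhead breakdown and the flow sizes are assumptions stated in the code; the function names are constructed for the example.

```python
# Constructed model of the VXLAN transport between two ESXi hosts.
# Assumption: VXLAN wraps the whole inner Ethernet frame (14-byte header + IP packet)
# in VXLAN 8 + UDP 8 + outer IPv4 20 bytes; the outer Ethernet header is not counted
# against the physical MTU, which is how an interface MTU is defined.
INNER_ETH_HDR = 14
VXLAN_HDR, OUTER_UDP_HDR, OUTER_IP_HDR = 8, 8, 20

# Constructed sample flows: a default Linux ping (56-byte payload + 8 ICMP + 20 IP)
# and a full-size TCP segment that fills the VM's 1500-byte MTU.
FLOWS = {
    "icmp echo, default 56-byte payload": 84,
    "full-size TCP segment": 1500,
}


def encapsulated_ip_size(inner_ip_len: int) -> int:
    """Outer IP packet size the physical NIC must carry for one inner IP packet."""
    return inner_ip_len + INNER_ETH_HDR + VXLAN_HDR + OUTER_UDP_HDR + OUTER_IP_HDR


def min_transport_mtu(inner_mtu: int = 1500) -> int:
    """Smallest physical MTU that carries an unfragmented full-size inner packet."""
    return encapsulated_ip_size(inner_mtu)


def fits(inner_ip_len: int, physical_mtu: int, same_host: bool) -> bool:
    """Does this inner packet reach the far side without being dropped?"""
    if same_host:
        # VM and edge on one host: the vSwitch forwards locally, no encapsulation on the wire.
        return True
    return encapsulated_ip_size(inner_ip_len) <= physical_mtu


def simulate(physical_mtu: int, same_host: bool = False) -> dict:
    """Per-flow outcome for the sample flows over a transport with the given MTU."""
    return {name: fits(size, physical_mtu, same_host) for name, size in FLOWS.items()}


def df_ping_payload(inner_mtu: int = 1500) -> int:
    """ICMP payload that makes a don't-fragment ping exactly fill the inner MTU
    (subtract the 20-byte IP and 8-byte ICMP headers)."""
    return inner_mtu - OUTER_IP_HDR - 8


if __name__ == "__main__":
    print("minimum transport MTU for a 1500-byte inner MTU:", min_transport_mtu())
    for mtu, host in ((1500, False), (1600, False), (1500, True)):
        where = "same host" if host else "different hosts"
        print(f"physical MTU {mtu}, {where}: {simulate(mtu, host)}")
    print("DF ping payload to verify the inner path:", df_ping_payload())
```

With a 1500-byte physical MTU and the VM on a different host than the ESG, only the small ping survives, which matches what the thread observed; raising the transport MTU (NSX documentation asks for at least 1600 on the VXLAN transport network) or keeping both on one host makes the large segment fit too. A quick field check of the inner path is a don't-fragment ping of `df_ping_payload()` bytes from the VM (on Linux, `ping -M do -s 1472 <target>`): if it fails while a default ping succeeds, the transport MTU is the first thing to inspect.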
Good to hear that & happy to help anytime.