VMware Networking Community
brewskit
Contributor

Distributed firewall and non-VXLAN VMs

Hello,

If I place a VM in an NSX-aware cluster with the NIC assigned to the regular VLAN (not VXLAN), I see that the traffic originating from the VM is dropped by the distributed firewall.

Adding rules for that VM doesn't have any effect -- it's still filtered. Is this expected? Firewalls on both NSX Edge and DLR are disabled.

Adding the VM into Exceptions works fine. Also no issues with the VMs using VXLANs.

And another one: how do you deal with the VMs that have multiple interfaces attached to different VXLANs (for example load balancers)? Do you set up FW rules using IPs for those VMs?

Thank you.

nreyesv79
VMware Employee

I recommend that you use the filter and make sure that your VM is not being filtered by any rule that includes a segment/cluster/network, or any other object where this VM can exist.

Regarding your second question, you can assign DFW rules to a vNIC, which allows you to be as granular as you want. If you are talking about the NSX Edge LB, you can't assign DFW rules to its control VMs.

HTH

Cheers

brewskit
Contributor

nreyesv79, thanks for your reply.

I do confirm that the affected VM is not filtered by any rule. Also, it seems that only outgoing traffic is affected.

Is there anything else I can look into?

nreyesv79
VMware Employee

If the filter for that IP doesn't show any DFW rule, then I don't know how you can see packets dropped by the DFW. Where can you see this? Log Insight or any syslog server?

Also, check if the vDS has any filter for that VM.

Cheers

brewskit
Contributor

nreyesv79

Thanks. I see it in Log Insight.

Anyway, the issue is resolved. Apparently we're running the version of NSX that has a bug affecting multi-homed VMs, although I observed this behavior with VMs with a single NIC too.

After looking at the logs on the ESXi host where the affected VM is placed, it was discovered that the added rule doesn't actually appear anywhere, hence the VM hit the default 'deny all' rule. The "fix" was to use an IP Set object as a source in the firewall rule instead of a VM object.

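As an added example (not code from this thread or from VMware), the following Python script performs the host-side check the last reply describes: it parses firewall packet-log lines, counts drops per rule ID, lists the sources whose outbound traffic hit the default rule, and reports rule IDs that were expected on the host but never appear. The log line shape, the default rule ID 1001, the rule IDs and all addresses are assumptions; the sample lines are constructed in the style of NSX-v dfwpktlogs output.

```python
import re
from collections import Counter, defaultdict

# Assumed line shape (constructed for this example, not taken from the thread):
# <timestamp> <filter-id> INET match <ACTION> <domain>/<rule-id> <DIR> <len> PROTO <n> <src>[/port]-><dst>[/port] [flags]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<filter>\S+) INET match (?P<action>PASS|DROP) "
    r"(?P<domain>[^/\s]+)/(?P<rule>\d+) (?P<dir>IN|OUT) (?P<len>\d+) PROTO (?P<proto>\d+) "
    r"(?P<src>[0-9.]+)(?:/(?P<sport>\d+))?->(?P<dst>[0-9.]+)(?:/(?P<dport>\d+))?"
)

DEFAULT_RULE_ID = "1001"  # assumed ID of the catch-all default rule in these sample lines

# Constructed sample log: one allowed flow, one VM (10.10.1.7) whose egress only ever
# matches the default rule, one inbound drop, and one unparseable line.
SAMPLE_LOG = [
    "2017-04-11T21:09:59.877Z 19423 INET match PASS domain-c7/1004 OUT 60 PROTO 6 10.10.1.5/49765->10.10.2.20/443 S",
    "2017-04-11T21:10:01.120Z 19423 INET match DROP domain-c7/1001 OUT 60 PROTO 6 10.10.1.7/51234->10.10.2.20/443 S",
    "2017-04-11T21:10:02.003Z 19423 INET match DROP domain-c7/1001 OUT 84 PROTO 1 10.10.1.7->10.10.2.1",
    "2017-04-11T21:10:03.500Z 19423 INET match DROP domain-c7/1001 IN 60 PROTO 6 192.0.2.9/40000->10.10.1.7/22 S",
    "this line is not a packet log entry and is skipped",
]

def parse_line(line):
    """Return the fields of one packet-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, expected_rule_ids):
    """Return (drops per rule ID, sources dropped outbound by the default rule, expected rule IDs never seen)."""
    drops_by_rule = Counter()
    default_drop_sources = defaultdict(int)
    seen_rules = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        seen_rules.add(rec["rule"])
        if rec["action"] == "DROP":
            drops_by_rule[rec["rule"]] += 1
            # Outbound traffic falling through to the default rule is the symptom described in the thread.
            if rec["rule"] == DEFAULT_RULE_ID and rec["dir"] == "OUT":
                default_drop_sources[rec["src"]] += 1
    missing = sorted(set(expected_rule_ids) - seen_rules)
    return drops_by_rule, dict(default_drop_sources), missing

def analyze_sample():
    """Run the check against the constructed log; rule 1007 stands for the newly added rule that never appears."""
    return summarize(SAMPLE_LOG, ["1004", "1007"])

if __name__ == "__main__":
    drops, sources, missing = analyze_sample()
    print("drops per rule:", dict(drops))
    print("sources hitting default rule outbound:", sources)
    print("expected rules never seen on host:", missing)
```

A source that shows up only under the default rule while its intended rule ID never appears in the host log points at a rule that was not pushed to that host, which is what the thread's author found.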