Pawel_Kowalski

asked on

ESXi Firewall Blocks Remote Connections

Hello,

I am trying to setup a backup ESXi 5.1/5.5 server at a DR location. I'm finding that ESXi brought back the firewall in version 5 and I am having trouble connecting to the server as a result from any network on a different subnet.

Is it possible to completely disable the firewall? If not how can I configure it to work with remote hosts? On the configuration tab if I go to the security profile option under software and click properties it says "allowed IP addresses: All" for all options.

So I have no clue why it doesn't work. How can I simply disable the firewall or if I can't disable the firewall how can I allow remote management?
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

The firewall is present, but it's limited as to what it can do, and is mostly open!

What are you trying to do?

Access to the Management Interface is available by default on

443 TCP
902 TCP
80 TCP
22 TCP (if enabled)

Can you access these ports from your remote location, because by default they are not denied!

see here

http://buildvirtual.net/working-with-the-esxi-firewall/

What version are you 5.0, 5.1 or 5.5 ?
themightydude

Are you sure it's not a routing issue on your side?

I can't recall ever having to disable or modify the ESXi firewall in order to access the server from a different network.
Pawel_Kowalski (ASKER)

Thanks. This makes no sense then, and I have a hard time believing that this is my router as all other ports work fine on it but I can try a different router once I get back to the DR site.

When I try to connect to the ESXi server at the DR site I can do so using the vSphere client and SSH without any issues. However, if I try to do the same remotely (over WAN using port forwarding) it does not work. I know the port forwarding is setup correctly and like I said I'm pretty sure the router is okay, so I'm thinking ESXi is to blame here.

The version at the DR site is ESXi 5.1 using the custom image Dell provides for their server.
If you're able to connect to the server when you are at the DR site then, as you are aware, that means those ports are open.

I would be looking into networking issues and not necessarily a firewall issue.

Have you tried connecting from some other location other than the one you have currently been trying?

Have you checked firewall logs to verify traffic is making it to the firewall and getting forwarded?

Also, VPN might be a better choice here if you can, rather than opening up an ESXi server to the world with port forwards.
The above message was for Andrew. @themightydude, I won't rule out the router having issues and will test that later when I have access to the DR site. But what's odd is every other port (including ports 443 and 22) works perfectly fine for other machines; it's only when I switch the rule to go to the ESXi host that it completely stops working. That's why I'm thinking the firewall on the ESXi server could be causing this.

Is there a log somewhere if I login through SSH to see what connections the firewall has dropped?
You could try disabling the firewall and that will let us know for sure if it's a vmware firewall issue.

Should be able to do that from SSH with the following command:
esxcli network firewall set --enabled false
I ran the command, it doesn't give me any confirmation that it executed without issues. I rebooted the server after I ran it, went to the security profile settings and nothing on there has changed either.

Obviously I am still having the same issues. Any way to tell that the firewall is actually disabled?

This is the command I ran:

~ # esxcli network firewall set --enabled false
~ #

Rebooting the server may have re-enabled it. I can't remember 100%, but I think that service will come back up after a restart.

This command will show you the status of the firewall:
esxcli network firewall get

Enabled will either be true or false.
do not mess with the firewall, and drop the use of vSphere Client...

simple test

can you use

test1: confirm locally

test2: confirm from DR site (remote)

telnet <ip address of ESXi server > 443

telnet <ip address of ESXi server > 80

telnet <ip address of ESXi server > 902

you should get connections....

if not, your firewall, router config or port forward is wrong!

is this NAT?

just open ports.....do not use NATTed rules!
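The telnet tests above can be scripted so the same check is run from the local LAN and from the remote site and the results compared. This is an added example, not code from the thread or from VMware; the ports are the ones listed above as open by default on ESXi 5.x, and the 10.10.10.50 default target is the asker's local address. It separates a connection timeout (no SYN/ACK ever comes back, the signature of a router, NAT or upstream filter) from a refusal (the host answered but nothing listens) and from an open port, and grabs the first banner line so vmware-authd on 902 can be recognised by its 220 greeting.

```python
"""Probe the ESXi 5.x management ports and classify the result."""
import socket

# Ports the thread lists as open by default on an ESXi 5.x host.
ESXI_MGMT_PORTS = {
    443: "https / vSphere Client",
    902: "vmware-authd",
    80: "http redirect",
    22: "ssh (if enabled)",
}


def probe_tcp(host, port, timeout=5.0, banner_wait=1.0):
    """Return (state, banner); state is 'open', 'refused', 'timeout' or 'error'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except socket.timeout:          # SYN unanswered: filtered somewhere on the path
        sock.close()
        return "timeout", ""
    except ConnectionRefusedError:  # host reachable, no listener (RST received)
        sock.close()
        return "refused", ""
    except OSError:                 # no route, DNS failure, etc.
        sock.close()
        return "error", ""
    banner = ""
    try:
        # Some services (vmware-authd on 902) greet first; HTTP ports stay silent.
        sock.settimeout(banner_wait)
        data = sock.recv(256)
        lines = data.decode("ascii", "replace").strip().splitlines()
        banner = lines[0] if lines else ""
    except (socket.timeout, OSError):
        pass
    finally:
        sock.close()
    return "open", banner


def probe_esxi(host, ports=ESXI_MGMT_PORTS, timeout=5.0):
    """Probe every management port; returns {port: (state, banner)}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.50"  # asker's LAN address
    for port, (state, banner) in probe_esxi(target).items():
        label = ESXI_MGMT_PORTS.get(port, "")
        print(f"{target}:{port:<4} {label:<22} {state:<8} {banner}")
```

Run it once from the LAN with the 10.10.10.50 address and once from outside with the public address; an "open" result inside and "timeout" outside for the same port points at the router or NAT rule, not at the ESXi firewall.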
@thedude, here is the firewall setting:

~ # esxcli network firewall get
   Default Action: PASS
   Enabled: false
   Loaded: true

Just so both of you know the default action was to Drop, not Pass. I changed it to Pass (didn't fix my issue).

Does the fact that it's loaded mean that it's still on?

Andrew, here are the results from the tests:

Locally:

I can connect to SSH locally without issues using 10.10.10.50 (local IP)
Telnet to port 80, 443, and 902 works (80/443 take a fairly long time, especially port 443 but it eventually opens. 902 loads instantly)

When I say "works" I'm using the telnet client built in to Windows; ports 80 and 443 give me back a message saying "press any key to continue..." while port 902 gives me a 220 message about authentication. A port that's not working at all would simply return an error message, so I assume it is connecting on 80/443.

From the remote site all of the above tests fail (using the remote IP, aka 52.68.2.2). I have tried port forwarding, adding the host to a DMZ, etc. The DR site has a very basic SOHO router from Netgear. I am using port forwarding rules, not sure how that translates in how the router sets things up but like I said these ports work fine when pointed to other servers, just not the ESXi host.
So all ports are open and listening....at ESXi.

Network, Firewall, NAT or router issue.

a standard https://<IP Address> should give you a web page...on the ESXi server.

the block is not happening on ESXi.

Are they open on the ESXi site, not the server, but inbound on the router...

is this a public IP Address ?

or is it NATTED?

e.g. public IP > NATTED internal IP ?
It is a public IP from my ISP (the 52.x.x.x example). The local IP for the ESXi server once it is on the local side of the gateway is 10.10.10.50. Nothing works when I am trying to connect remotely; if I VPN in or remote desktop in, it works fine.

I just tested another office to make sure I wasn't crazy. It's virtually an identical setup to the DR site right now; the only difference is instead of a cheap $50 Netgear router we use the built-in router that came with Comcast's modem (the other site didn't have a router built in, just a gateway). I set up port forwarding for port 902 to that site's ESXi server, tried to go in remotely on port 902 (using telnet) and it worked like a charm. I can't try the other ports as unfortunately this is a production environment.

So instead of spinning the wheels and not getting anywhere I can try to bypass the router I have at the DR site completely and see if that will work. I can literally hook up the ESXi server to my Comcast gateway and use my mobile network to see if the default vSphere page loads. If it does it's clearly a router issue, if it doesn't it's clearly an ESXi issue.

Is that fair as far as troubleshooting goes?
Why not just set up a site to site VPN?
I honestly think the issue is you're trying to NAT/port forward these services across a home Netgear router. In my personal opinion, and granted this is just mine, someone else may have a different idea.

Get a router meant more for small businesses and set up a Site to Site VPN between your protected site and your DR site.
Port forward

OUTBOUND 52.x.x.x TCP 22 >> INBOUND IP 10.10.10.50 Address TCP 22
The router could be the case and Andrew that is how it's setup (although I don't get the option of setting inbound/outbound on my router, just the port and local IP).

So port 22 is forwarded to 10.10.10.50. For some reason that doesn't work, even though all other port forward options I have set up work fine, including ports 80 and 443 to other servers using this exact router. So what I'll do tonight is the test I mentioned above: I'll disconnect my router, connect the ESXi host directly to the Comcast router, and allow it to get a WAN IP from the gateway by disabling DHCP (so its IP will be something like 52.x.x.x).

Once that is online I'll pull up my laptop, use my cellphone as a hotspot, and try to connect that way. If that doesn't work do I need to do any more tests with another gateway (I can drag the server with me to the office tomorrow)? However, I would think if it doesn't work at the gateway level it must be the server, not anything on Comcast's side.
SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
I had never once thought about doing this honestly until I saw this question, at which time I set it up.
My firewall on ESXi 5.1 is enabled, and it allows all IPs to talk to it under the 'Configuration-Security Profile-Firewall-Properties-Firewall Settings- <Firewall button>'. Under the Security Profile Remote Access section, I saw port 443 for vSphere client was enabled so used that port. Voila! Worked perfectly and will now be my #1 choice for accessing the Host instead of RDP'ing to my vCenter and running it there.

However, I did play around with it and noticed that port 22 failed and so did 80. I identified that I already had a forward for port 80 on my firewall, so I couldn't use that port - only one port forward rule allowed for each port - but when I pointed port 80 to my Host it still failed.

I am pretty sure you will need to use one of the specified ports in ESXi for vSphere, which are 902 and 443. Set a forward on your remote location's firewall to forward port 443 to your internal IP of your Host. I got mine to work first try without issue by using port 443 and specifying the (PublicIP):443 in vSphere under the 'IP Address/ Name' section.

My ESXi installation was a default one too.. I didn't need to change the firewall at all.
Machienet, that's exactly what I did. The problem is that for some reason ESXi will only accept requests from the local network, not ones coming from the internet (at least the assumption is it's ESXi). Not to get too sidetracked, but some advice: your router/firewall will often have the ability to redirect external ports to different internal ports. So in your case of port 80 being used up, you could use port 81 on the external side and attach it to port 80 on the internal server.

Andrew, the router isn't good enough to tell me what connections I have open. Or did you mean on the ESXi side? If on the ESXi side, should I simply do a tcpdump?

Edit: Andrew, please forgive me, I misunderstood the question. Yes, I have basic servers that use port 80 and 443, some of them run under the ESXi host that is having issues others are on physical hardware. And even the ones that are under the ESXi host worked fine. But I'll double check again tonight just to be sure. Port 902 not really, but I can maybe configure a Pi to listen on that port for telnet traffic?
ASKER CERTIFIED SOLUTION