Hyper-V 2016: help with configuration
Hello. And I'd like to apologize in advance in case anything here sounds too basic or stupid.
I have a physical server with 2 NICs.
- NIC1: Internet connection.
- NIC2: LAN.
In my testing configuration, I was able to make everything work and clients were able to access the Internet. This is how it worked:
- Configured 2 virtual switches in Hyper-V:
  - vWAN: virtual WAN, connected to NIC1, with "Allow management OS to share this network adapter" disabled.
  - vLAN: virtual LAN, connected to NIC2, with "Allow management OS to share this network adapter" enabled.
- NIC1 had IP address 192.168.1.253 (Internet-enabled, but everything also worked with Internet access disabled)
- NIC2 had IP address 192.168.2.1
- vWAN (hh0) had IP address 192.168.1.254 (Internet-enabled)
- vLAN (hh1) had IP address 192.168.2.2
- pfSense had DHCP enabled, so clients automatically had "192.168.2.2" configured as a host.
As you can see, here NIC1 and vWAN had different IP addresses.
Now, after testing this in another environment I've realized there are some differences that somehow need to be reflected in configuration.
Specifically, I can only have one Internet-enabled IP address, and its configuration must be like this:
Naturally, I just thought I'd configure these addresses on the hh0 (vWAN) interface and leave NIC1 with something else, since I don't really need the physical server to have access to the Internet for now. So I did that.
But it didn't work quite right from what I saw. In the process I also enabled "Allow management OS to share this network adapter" in vWAN options but didn't see any improvement.
The problems are:
- In pfSense web interface, it checks for updates without issues (says that no updates were found).
- In Ping menu it can only ping Internet addresses (18.104.22.168, google.com etc.) if I specify vWAN interface as a source. If I try to ping from command line or with "Automatic" source, all packets will be lost.
- LAN clients can't access the Internet.
- Should I let hh0 (vWAN) interface in virtualized pfSense have the same IP address as the physical server with some other means perhaps?
- Am I missing anything important in my configuration?
I've spent hours on this and it seems I've solved my problem.
- In pfSense web interface, it checks for updates without issues for real (previously it said it was running the latest version but now it says that update is available).
- In Ping menu it can ping all addresses without issues, e.g. 22.214.171.124, 192.168.2.1, google.com etc.
- LAN clients can access the Internet.
What exactly fixed my problems (from what I understand):
1. In [System - Routing - Gateways] there were 3 gateways configured (the first 2 remained from my testing environment). I had no idea that (a) pfSense would save them all even after I changed the main gateway IP on the vWAN interface, and that (b) it would also still use the very first gateway by default.
I've removed the first 2 gateways, leaving only the current one. I think this fixed the issues in the Ping menu and restored the ability of pfSense to actually access and share Internet access.
2. In the Hyper-V virtual switch settings, I've reverted back to vWAN with "Allow management" disabled and vLAN with "Allow management" enabled.
3. The Network Connections section in Windows now looks like this:
   - NIC1, set to something different from 1*.2*.3*.250, e.g. 1*.2*.3*.251 (also had to change the mask to allow that).
   - NIC2, with all protocols/components except "Hyper-V Extensible Virtual Switch" disabled.
   - vEthernet (LAN), set to use IP address 192.168.2.1, gateway is 192.168.2.2.
4. Did not change addresses in pfSense, but just in case here they are:
   - vWAN: 1*.2*.3*.250 (including all other parameters from our ISP)
   - vLAN: 192.168.2.2.
An important thing to note about (3) and (4) is probably that the physical server should not use the same IP addresses as pfSense uses on any interface. Otherwise, from my observation, LAN clients could ping all Internet addresses (e.g. 126.96.36.199 and google.com) but were unable to load any website for browsing.
5. Also, I'm not sure about DNS for now, but I've switched from DNS Resolver to DNS Forwarder. I was unable to fully understand how they work and why in most cases I'm unable to test DNS functionality right after I enable either service. Perhaps the DNS services need some time to cache something, or I need to "Reset States" (have not tried this after changing DNS services yet). I'm testing DNS functionality like this from the command line in Windows:
   nslookup google.com 192.168.2.2
I'm disappointed that pfSense made me believe it could connect to the Internet at first. I might have been able to solve the problem much faster if it displayed an error message on Dashboard about being unable to check for updates.
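For anyone reproducing the working layout from items (2) to (4) above, here is the Hyper-V host side as a PowerShell script; this is an added example, not the poster's own commands. It assumes the physical adapters are literally named NIC1 and NIC2, that the switches are named vWAN and vLAN (so the management adapter Hyper-V creates is "vEthernet (vLAN)"), and it uses a placeholder for the ISP-assigned pfSense WAN address.

```powershell
# Added example (not from the original post): rebuild the Hyper-V side of the
# final working layout and run the two checks that would have caught the
# problems described above. Run in an elevated PowerShell on the Hyper-V host.
$ErrorActionPreference = 'Stop'

# 1. External switch for the pfSense WAN on NIC1. The management OS must NOT
#    share it, so the host never holds an address in the ISP range that
#    pfSense also uses (the duplicate-address problem noted for items 3 and 4).
New-VMSwitch -Name 'vWAN' -NetAdapterName 'NIC1' -AllowManagementOS $false

# 2. External switch for the LAN on NIC2, shared with the management OS so the
#    host gets a "vEthernet (vLAN)" adapter sitting behind pfSense.
New-VMSwitch -Name 'vLAN' -NetAdapterName 'NIC2' -AllowManagementOS $true

# 3. Host LAN-side address 192.168.2.1, default gateway = pfSense LAN
#    192.168.2.2, DNS = pfSense (DNS Forwarder/Resolver), as in the post.
$lan = 'vEthernet (vLAN)'   # assumption: default name for a switch called vLAN
Remove-NetIPAddress -InterfaceAlias $lan -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceAlias $lan -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $lan -IPAddress '192.168.2.1' -PrefixLength 24 -DefaultGateway '192.168.2.2'
Set-DnsClientServerAddress -InterfaceAlias $lan -ServerAddresses '192.168.2.2'

# 4. Check: NIC2 should now have only the "Hyper-V Extensible Virtual Switch"
#    binding (vms_pp) enabled, which is the state item (3) describes.
Get-NetAdapterBinding -Name 'NIC2' | Where-Object Enabled |
    Format-Table Name, DisplayName, ComponentID

# 5. Check: no host interface may carry an address pfSense uses on any of its
#    interfaces. The post's symptom for this mistake: LAN clients can ping
#    Internet hosts but cannot load any web page.
$pfSenseAddrs = @('192.168.2.2', '<PFSENSE-WAN-IP>')   # placeholder for the ISP-assigned address
$dupes = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $pfSenseAddrs -contains $_.IPAddress }
foreach ($d in $dupes) {
    Write-Warning "Host adapter '$($d.InterfaceAlias)' duplicates pfSense address $($d.IPAddress)"
}
```

The stale-gateway issue from item (1) lives inside pfSense, so it still has to be checked in [System - Routing - Gateways] after the host side is in place.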