Netgate Discussion Forum

Port forwarding to other virtual machines on same host.

Virtualization
  • J
    johnpoz LAYER 8 Global Moderator
    last edited by Aug 23, 2010, 1:28 AM

    I don't see how I could make it any clearer with the pictures drawn?

    Yes I am quite sure it is the only thing connected to the vmnet. I don't believe it's possible to give a vm direct access to the nic.. You have to assign it to a specific network.

    As to putting it in its own subnet?  Why would I want to do that – then what's going to route between the segments on the lan side?

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

    • T
      tommyboy180
      last edited by Aug 23, 2010, 3:53 AM Aug 23, 2010, 1:49 AM

      I too am a Xen fan and all my VMs are run on XenServer.

      Take a look at http://benrobb.com/2007/01/20/howto-port-forward-to-your-virtual-machine/

      Is this in the direction that you were looking for?

      -Tom Schaefer
      SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

      Please support pfBlocker | File Browser | Strikeback

      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Aug 23, 2010, 2:55 AM

        Thanks for the reply but that has nothing to do with port forwarding to host or other vms when running the router as a vm.

        Really is it that hard to understand?  I thought I was VERY VERY CLEAR to what the problem was, even drawing pictures, etc.

        So on your XEN, do you run pfsense as a VM as well?  And do you forward traffic through your vm router to other vms on the same host?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • T
          tommyboy180
          last edited by Aug 23, 2010, 3:58 AM

          I do run pfsense in Xen, I have several pfsense VMs but I don't do any forwarding like what you are doing, but if I did I would have to create an internal interface on pfsense and the other VMs 'behind' pfsense. The internal network between the pfsense VM and any clients 'behind' pfsense would have to be exclusive. I'm sure there is a way to do it in VMware, I guess since you're not getting the answer you are looking for it might be time to just experiment and mess around until you get it.

          If you do figure it out please post back with your findings.

          -Tom Schaefer
          SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

          Please support pfBlocker | File Browser | Strikeback

          • C
            cougarmaster
            last edited by Aug 23, 2010, 2:49 PM

            I am sorry for not being any help but I did run into a similar situation with vmware before and I just gave up. I then turned to XEN. Not trying to put vmware down in any way, just I had a hard time understanding it. One of those things that just didn't work with me like my first wife :p.

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Aug 23, 2010, 4:07 PM

              "but if I did I would have to create an internal interface on pfsense and the other VMs 'behind' pfsense."

              Yeah that is a GIVEN… How would I forward to them, if they were not behind the pfsense??

              Again I thought I had made it crystal clear with a drawing -- but guess not?  But I am at a loss to how to draw it any clearer than already shown..

              pfsense vm, to vmnet2 bridged with physical nic connected to cable modem, this is the public interface in pfsense, then its lan side interface is tied to vmnet3, which is bridged with another physical interface on the host machine - this is tied to my local 192.168.1.0/24 network.. So pfsense has a publicIP on its WAN, and then its lan is 192.168.1.250.

              Then another vmnet0 is also tied to my local lan with a different physical nic in the host.  The host has a 192.168.1.4 address on this nic, the ubuntu vm also tied to vmnet0 has a IP address of 192.168.1.6

              So there are 3 physical nics in the host.. ONE is used for the wan interface of pfsense - this is the only thing connected to this virtual switch vmnet2 - connected to cable modem, pfsense gets a public IP (24.14.xxx.xxx).. Its lan interface is then tied to another physical nic which is bridged with vmnet3 -- pfsense is the only thing tied to this vmnet3, and has an IP address of 192.168.1.250

              Now the host is tied to 3rd nic, vmnet0 bridged as well, host has IP of 192.168.1.4, and virtual ubuntu has a 192.168.1.6 IP.

              From the console of pfsense, I can ping and ssh to ubuntu at 192.168.1.6, I can do dns queries to the host IP at 192.168.1.4

              Problem is I can not port forward to either of these IPs..  But I can port forward if it is to a different physical machine on my 192.168.1.0/24 network.

              This host is not 64bit, latest xen is only for 64bit hardware is it not? - so that's kind of not possible sort of switch.

              So cougarmaster - you were seeing the same issue with vmware server, so it's not just me ;)  Thanks for that info..

              What I find frustrating is why would they put up a tutorial of running pfsense virtual -- if you can not access any other vms or the host from the internet???  It's utterly pointless sort of setup if you ask me ;)

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              • C
                cougarmaster
                last edited by Aug 24, 2010, 4:19 AM Aug 24, 2010, 4:12 AM

                Not sure if this is any help but trying to give a different subnet to each nic may help as I think you are putting all nics on the same subnet which might confuse others and pfsense as to where to route. As each nic to pfsense is a different subnet. Also double check your firewall rules, usually it's those places that make life difficult. If not switch to XEN but be prepared for some late night studying :p

                • S
                  Supermule Banned
                  last edited by Aug 24, 2010, 5:13 AM

                  I am running all of my machines in a virtualized environment… I use VMware ESXi. The difference between ESX and i, is the lack of console.

                  On 2008 you need to enable routing and remote access as a service to forward the traffic from the physical nic to the VM. Otherwise 2008 doesn't know where to send the traffic coming in from the interface.... have you done that?

                  • T
                    tommyboy180
                    last edited by Aug 26, 2010, 9:55 AM

                    It's always nice when people reply back to the topic and tell you the fix action for searching purposes.

                    -Tom Schaefer
                    SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                    Please support pfBlocker | File Browser | Strikeback

                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by Aug 26, 2010, 8:47 PM

                      "On 2008 you need to enable routing and remote access as a service to forward the traffic from the physical nic to the VM"

                      How is that since 2k8 is not doing any routing nor would I want it to.  It's currently working for traffic going OUTBOUND from all the vms to the internet, and the host to the internet without it.

                      Same goes for changing the subnets.. of the nics..  If I did that – then something would have to route!!

                      I appreciate the attempted help - but unless you're specifically running vmware server on a windows host, with pfsense as a VM, and you're forwarding to other VMs on the same host as pfsense is running you might as well just not respond.. Or have run this setup in the past?

                      It has to be something with the vmware bridging into the physical nic.

                      Before I moved back to virtual -- I did this test.

                      So on the host running windump I watched for traffic to ubuntu on port 22 on the motherboard nic that is bridged to vmnet0.
                      At the same time I'm watching for traffic on the vm's nic inside ubuntu with tcpdump - tied to same physical nic through vmnet0

                      So I generate an ssh connection from the outside (my webhost shell account) to my public IP.. The packet travels through pfsense - can see on the firewall log that it passed the traffic.. And changed to go to 192.168.1.6

                      Now watching windump which is listening on the vmnet0 nic -- the HOST sees the packet.  But tcpdump running inside ubuntu does NOT.

                      So something in the bridge protocol is not passing that packet to ubuntu.

                      Now I can hook it back up virtual pretty quickly -- but until someone has some actual advice that makes any sense at all.. It's pointless for me to do so.

                      As to 2k8 routing -- What should it route??  Why should I have to put another router behind pfsense to route traffic to another subnet for?  Like I said port forwarding is working through the VM pfsense - as long as it is to a different physical box.. Not the HOST or guests.

                      To be honest I find it unlikely it has anything to do with pfsense - cuz I can see that it sent the traffic through.. It seems to be an issue with the vmware server bridging protocol.  Now I have the same question with same details on the vmware boards -- and have not heard squat from that post either.

                      Is no one running vmware server with pfsense as virtual on it per the tutorial of how to run pfsense virtual on the pfsense site??

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11
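
Added example, not part of the thread: the capture comparison described in the post above (windump on the host NIC bridged to vmnet0, tcpdump inside the ubuntu guest) can be scripted to name the first point where the forwarded SYN disappears. The capture lines, the 203.0.113.7 source address and the extra pfSense LAN vantage point are constructed for illustration.

```python
import re

# tcpdump/windump -n text line:
#   "<time> IP <src>.<sport> > <dst>.<dport>: Flags [S], seq N, ..."
LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)"
)

def syns(capture_text, dst, dport):
    """Return {(src, sport, seq)} for bare SYNs sent to dst:dport.
    Retransmits share the same key, so they collapse into one flow."""
    found = set()
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if m and m["flags"] == "S" and m["dst"] == dst and int(m["dport"]) == dport:
            found.add((m["src"], int(m["sport"]), int(m["seq"])))
    return found

def first_missing_hop(captures, dst, dport):
    """captures: ordered list of (vantage_name, capture_text), nearest the
    firewall first. For each SYN seen at the first vantage point, return the
    first later point that never saw it, or None if every point saw it."""
    seen = [(name, syns(text, dst, dport)) for name, text in captures]
    return {
        flow: next((name for name, s in seen[1:] if flow not in s), None)
        for flow in sorted(seen[0][1])
    }

# Constructed sample captures (not taken from the thread).
SYN = ("IP 203.0.113.7.51514 > 192.168.1.6.22: "
       "Flags [S], seq 3735928559, win 65535, length 0")
PFSENSE_LAN = f"16:01:02.100001 {SYN}\n16:01:05.100420 {SYN}"  # SYN + retransmit
HOST_NIC = f"16:01:02.100350 {SYN}\n16:01:05.100790 {SYN}"
GUEST = (  # the guest only sees the ssh session opened from pfsense itself
    "16:00:40.000100 IP 192.168.1.250.40022 > 192.168.1.6.22: "
    "Flags [S], seq 42, win 65535, length 0\n"
    "16:00:40.000210 IP 192.168.1.6.22 > 192.168.1.250.40022: "
    "Flags [S.], seq 77, ack 43, win 65535, length 0"
)
CAPTURES = [("pfsense LAN", PFSENSE_LAN),
            ("host NIC bridged to vmnet0", HOST_NIC),
            ("ubuntu guest eth0", GUEST)]

if __name__ == "__main__":
    for flow, hop in first_missing_hop(CAPTURES, "192.168.1.6", 22).items():
        print(flow, "-> first missing at:", hop)
```

With the constructed input the forwarded SYN is present on the host NIC and absent in the guest, which is the pattern the post reports.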

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.