ENDIAN Firewall – Connected client can access EFW but no other hosts: enable promiscuous mode on VMware ESXi
Posted by jpluimers on 2010/10/12
While solving a problem where Windows 7 machines could not ping the machines on the GREEN LAN of an Endian when connecting through OpenVPN, while XP machines could, I did a few upgrades first, then went on to solve the problem.
- Upgraded from ESX 3.5 to ESXi 4.1 (I needed this anyway because of Pass Through USB support)
- Upgraded the community edition appliance from Endian 2.2 to Endian 2.4 (which has more configuration options, and better ways for reporting and logging)
Then I went on solving the issue, which I suspected was a kind of routing problem. The steps below are specifically for the Endian FireWall Community Edition version 2.4 (I’ll call this Endian 2.4 from now on) running on VMware ESXi 4.1.
Endian 2.2 on ESX 3.5 behaved differently: for XP, I didn’t need to add a VPN traffic firewall rule, nor a default route. For Windows 7, I couldn’t get it to work, and since I needed to upgrade both anyway, I did the upgrades first.
After an extensive search, the two posts below (follow the links to read more than just the quotes) pointed me in the right direction.
- mrkroket (from somewhere down under) posted an OpenVPN checklist as an answer on the efwsupport.com forum.
- bucho posted on Connected client can access EFW but no other hosts telling about the VMware promiscuous mode at the same forum.
Thanks guys, you are great forum members!
These were the steps I had to perform on Endian 2.4 to get PING to hosts on the GREEN LAN working through OpenVPN:
Endian 2.4 configuration changes
Add a VPN traffic firewall rule that allows ANY traffic.
Steps:
- Logon to the web interface of your Endian 2.4 box
- Click on the “Firewall” link in the dark grey main menu bar
- Click on the “VPN traffic” link in the left submenu bar
- If the state button shows the VPN firewall as disabled, click on it until it shows as enabled
- Click on the link “Add a new VPN firewall route”
- For logging purposes, you can check “Log all accepted packets” (make sure you turn that off once your routing works!)
- In my case (I wanted all OpenVPN users to be able to reach the green zone), I chose this configuration:
#  Source           Destination                                       Service  Policy  Remark
1  GREEN + OPENVPN  RED, GREEN + OPENVPN, ORANGE, IPSEC, Uplink main  <ANY>    Allow   Allow ANY for GREEN + OpenVPN to ANY
- In the big green area that appeared on top, press the “Apply” button
Examining the firewall logs is easy:
- Logon to the web interface of your Endian 2.4 box
- Click on the “Logs” link in the dark grey main menu bar
- Click on the “Firewall” link in the left submenu bar
Watch the ping requests coming in :-)
Some people also need the Endian OpenVPN server to push the GREEN LAN as a route.
I didn’t need to do that, but in case you do, these are the steps to follow:
- Logon to the web interface of your Endian 2.4 box
- Click on the “VPN” link in the dark grey main menu bar
- Click on the “Advanced” link in the light grey sub menu bar
- In the “Global push options” section, make sure that next to “Push these networks”
– the “Enable” checkbox is checked
– the textbox contains a valid GREEN network and netmask in CIDR notation (in my case it was “172.16.41.0/24”)
- Press the “Save and restart” button in the “Global push options” section
ESXi 4.1 configuration change
Enable “Promiscuous Mode” for the vSwitch Port Group that the GREEN NIC of the Endian resides on.
- In the ESXi configuration (vSphere Client):
– Select your ESXi server in the tree view on the left
– Select the “Configuration” tab
– Find the “Virtual Switch” that the GREEN NIC of your Endian connects to
– Click on the “Properties” link for that Virtual Switch
– Select the “Virtual Machine Port Group”
– Click “Edit”
– Go to the “Security” tab
– Tick the checkbox for “Promiscuous Mode”, then set the combobox next to it from “Reject” (the default) to “Accept”
– Press the “OK” button in the “Virtual Machine Port Group” dialog
– Press the “Close” button in the “Virtual Switch” dialog
Why enable Promiscuous Mode?
A normal NIC only needs the frames that are addressed to it, and the ESXi vSwitch takes that literally: it hands a virtual NIC only the unicast frames whose destination MAC is the MAC ESXi assigned to that NIC, plus broadcasts and multicasts, and drops everything else before the guest ever sees it (the vSwitch does not learn MAC addresses from the traffic the way a physical switch does).
A router or bridge does more with traffic than a normal NIC: it has to see frames for hosts that are not itself. Endian by default bridges the OpenVPN clients onto GREEN (that is what the “GREEN + OPENVPN” zone in the firewall rule above is), so a reply from a GREEN host to a VPN client is addressed to the client’s MAC, not to the Endian’s, and the vSwitch never delivers it. That is why the client could reach the Endian itself but nothing behind it. Setting Promiscuous Mode to “Accept” on the port group makes the vSwitch deliver every frame on that port group to the guest.
Two things to check while you are in that dialog:
- Promiscuous mode is a property of the port group (or of the whole vSwitch, when the port group inherits it), not of one VM: every VM connected to that port group can then capture all of its traffic. Put the Endian’s GREEN NIC in a port group of its own, or at least share it only with VMs you would let sniff GREEN.
- Leave “Forged Transmits” at “Accept” (the vSwitch default). A bridge also sends frames with source MACs that are not its own, and with that setting on “Reject” the vSwitch drops those in the other direction.
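As an added example (mine, not part of the original post, and not Endian or VMware code), here is a small POSIX shell check you can run inside the Endian guest after the ESXi change above to see whether the vSwitch is really delivering frames addressed to other hosts’ MAC addresses. Looking at `ip link` is not enough: the Linux bridge puts its ports into PROMISC by itself, so that flag is set in the guest no matter what the hypervisor does. The interface name `br0`, the MAC `00:0c:29:aa:bb:cc` and the presence of `tcpdump` on the Endian box are assumptions, and the embedded capture lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not part of the original post or of Endian/VMware.
# Run inside the Endian guest to tell whether the ESXi vSwitch actually hands
# the GREEN NIC frames that are addressed to OTHER hosts' MAC addresses, i.e.
# whether promiscuous mode on the port group took effect.
#
# Live usage (interface name and MAC are assumptions; tcpdump is assumed to be
# installed on the Endian box):
#   tcpdump -e -n -i br0 -c 200 2>/dev/null | classify_frames 00:0c:29:aa:bb:cc

# Read `tcpdump -e` lines on stdin, bucket them by destination MAC and print
# one summary line: sent=<n> own=<n> broadcast=<n> multicast=<n> foreign=<n>
#   sent                 frames we transmitted ourselves (src MAC is ours), ignored
#   own                  unicast to our own MAC (delivered with or without promisc)
#   broadcast/multicast  delivered to every port, so no evidence either way
#   foreign              unicast to another host's MAC: only arrives in promisc mode
classify_frames() {
    awk -v own="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
    {
        src = ""; dst = ""
        # tcpdump -e prints "<time> <src> > <dst>, ethertype ..."; use the first ">"
        for (i = 2; i < NF; i++) {
            if ($i == ">") {
                src = tolower($(i - 1)); dst = tolower($(i + 1))
                sub(/,$/, "", dst)
                break
            }
        }
        if (dst == "") next                    # not a tcpdump -e line
        if (src == own) { sent++; next }       # our own transmissions
        if (dst == own) own_n++
        else if (dst == "ff:ff:ff:ff:ff:ff") bcast++
        else if (substr(dst, 2, 1) ~ /[13579bdf]/) mcast++   # I/G bit of first octet set
        else foreign++
    }
    END {
        printf "sent=%d own=%d broadcast=%d multicast=%d foreign=%d\n",
               sent, own_n, bcast, mcast, foreign
    }'
}

# Exit 0 when the summary shows at least one foreign unicast frame
# (promiscuous mode is effective), 1 otherwise.
promisc_effective() {
    case "$1" in
        *foreign=0) return 1 ;;
        *)          return 0 ;;
    esac
}

# Constructed sample capture (not real traffic) for a dry run without tcpdump:
# our MAC is 00:0c:29:aa:bb:cc; 00:50:56:11:22:33 and 00:50:56:44:55:66 are two
# hosts on GREEN talking to each other.
SAMPLE_CAPTURE='12:00:00.000001 00:0c:29:aa:bb:cc > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 98: 172.16.41.1 > 172.16.41.10: ICMP echo request, id 1, seq 1, length 64
12:00:00.000002 00:50:56:11:22:33 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 172.16.41.10 > 172.16.41.1: ICMP echo reply, id 1, seq 1, length 64
12:00:00.000003 00:50:56:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.41.20 tell 172.16.41.10, length 46
12:00:00.000004 00:50:56:11:22:33 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 100: 172.16.41.10.5353 > 224.0.0.251.5353: UDP, length 58
12:00:00.000005 00:50:56:11:22:33 > 00:50:56:44:55:66, ethertype IPv4 (0x0800), length 98: 172.16.41.10 > 172.16.41.20: ICMP echo request, id 2, seq 1, length 64
12:00:00.000006 00:50:56:44:55:66 > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 98: 172.16.41.20 > 172.16.41.10: ICMP echo reply, id 2, seq 1, length 64'

if [ "${1:-}" = "--demo" ]; then
    summary="$(printf '%s\n' "$SAMPLE_CAPTURE" | classify_frames 00:0c:29:aa:bb:cc)"
    echo "$summary"
    promisc_effective "$summary" && echo "promiscuous mode effective" \
                                 || echo "no foreign frames seen: check the port group"
fi
```

With the port group still on “Reject” the foreign count stays at zero however busy GREEN is, because the vSwitch drops those frames before the guest sees them; after switching to “Accept”, traffic between two other GREEN hosts shows up as foreign frames within seconds. Keep the capture short (`-c`) and run it from the Endian console rather than over the VPN, so the capture itself does not add traffic you are trying to interpret.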
Once I knew all this, it was easy to find someone else who had done similar things:
User sheastr installed Untangle on ESXi, blogged about it, and posted a link to it in the Untangle forum.
Note that some people seem to have had difficulties getting promiscuous mode to work on ESXi 4.0; see the above “easy to find” link for some examples.
Here it works fine in ESXi 4.1.
VMware background information
- VMware KB: How promiscuous mode works at the virtual switch and portgroup levels.
- VMware KB: Configuring promiscuous mode on a virtual switch or portgroup.
–jeroen
via: ENDIAN Firewall – Connected client can access EFW but no other hosts.
denvercoder9 said
Thank you, you just saved my a$$!
Also works on ESXi 5.1+
jpluimers said
You’re most welcome. And thanks for the version update.
More ESXi5 installation steps « The Wiert Corner – irregular stream of stuff said
[…] Enable Promiscuous mode on the vSwitch that is going to run the Windows MSM LSI management software. I had to do this once before when installing ENDIAN Firewall – Connected client can access EFW but no other hosts: enable promiscuous mode on V… 4.1: […]
alexie said
I found everything you’ve said, then found yours, which mentions all the relevant posts I found.
Totally awesome.
I do have one question though: did all this fix the packet loss issue as well?
jpluimers said
I didn’t have any packet loss issues, so I’m not sure if that fixes the packet loss problem.
–jeroen
Silnic said
GOD BLESS YOU !!!!! Many many many thanks! Thank you so much for the info about promiscuous mode on ESXi. It was so frustrating … I have tried many things but … this … I would have never expected it to be because of VMware. Thanks again !!!
dheep vijay balaraman said
Hi, thanks for the tip. It’s working for me on ESXi 3.5 and Endian 2.3.
Digital Network said
Great! It works fine also on ESXi 4.0.
Thanks for the tip