• subnet subset blocked

    From Adam Weremczuk@21:1/5 to All on Tue Sep 24 22:40:01 2024
    Hi all,

    I've just launched a Debian 12 VM in VMware (ESXi 7.0.2) and installed
    apache2 / php / postgres stack on it + ssh access.

    Generally we have 3 subnets (IPv4 only):

    - 192.168.4.0/22 (Ethernet LAN) - which starts with 192.168.4.1 and ends
    with 192.168.7.254

    - 10.10.10.0/24 (VPN1)

    - 10.10.20.0/24 (VPN2)

    The new VM runs at 192.168.4.12

    I'm having a weird issue with accessing it:

    DNS resolves fine.
    I can ping and arp it from all addresses.
    There is nothing in the switches' config to restrict traffic.

    I can access TCP services (22, 443) from 192.168.4.x, 10.10.10.x and
    10.10.20.x but not from 192.168.5.x (a subset of Ethernet LAN).
    I have no active 192.168.6.x or 192.168.7.x hosts to test from.

    I've done nothing special during OS installation and config.
    There is no local iptables running on the VM.

    I've run tcpdump on the VM and connections from all 192.168.5.x hosts
    are rejected with R (reset) flag.
    It looks like some OS default or some kind of silent auto-ban is causing it. The rejection only affects TCP services; ICMP pings go through fine.

    I've deployed probably a hundred various machines in this environment
    but never had this kind of access issue before.

    Any ideas?

    Regards,
    Adam

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Dan Ritter@21:1/5 to Adam Weremczuk on Tue Sep 24 23:50:01 2024
    Adam Weremczuk wrote:
    Hi all,

    I've just launched a Debian 12 VM in VMware (ESXi 7.0.2) and installed apache2 / php / postgres stack on it + ssh access.

    Generally we have 3 subnets (IPv4 only):

    - 192.168.4.0/22 (Ethernet LAN) - which starts with 192.168.4.1 and ends
    with 192.168.7.254

    - 10.10.10.0/24 (VPN1)

    - 10.10.20.0/24 (VPN2)

    The new VM runs at 192.168.4.12

    I'm having a weird issue with accessing it:

    DNS resolves fine.
    I can ping and arp it from all addresses.
    There is nothing in the switches' config to restrict traffic.

    I can access TCP services (22, 443) from 192.168.4.x, 10.10.10.x and 10.10.20.x but not from 192.168.5.x (a subset of Ethernet LAN).
    I have no active 192.168.6.x or 192.168.7.x hosts to test from.

    I've done nothing special during OS installation and config.
    There is no local iptables running on the VM.

    I've run tcpdump on the VM and connections from all 192.168.5.x hosts are rejected with R (reset) flag.
    It looks like some OS default or some kind of silent auto-ban is causing it. The rejection only affects TCP services; ICMP pings go through fine.

    I've deployed probably a hundred various machines in this environment but never had this kind of access issue before.

    What does

    ip route show

    give you on the VM in question?

    Are there other VMs on the same host that work properly for the
    same tests?

    -dsr-

  • From George at Clug@21:1/5 to All on Wed Sep 25 00:40:01 2024
    Adam,

    I doubt this is your issue, but there have been times when my VM's [virtual] MAC address was the same as another's in the network.

    You have not mentioned firewalls. Have you installed and configured any?

    From your VM can you ping and/or connect to a computer in the 192.168.5.x network?

    From at least two computers in the 192.168.5.x network can you ping or connect to your VM ? (I presume not, from what you said).

    George.

    On Wednesday, 25-09-2024 at 06:31 Adam Weremczuk wrote:
    Hi all,

    I've just launched a Debian 12 VM in VMware (ESXi 7.0.2) and installed apache2 / php / postgres stack on it + ssh access.

    Generally we have 3 subnets (IPv4 only):

    - 192.168.4.0/22 (Ethernet LAN) - which starts with 192.168.4.1 and ends with 192.168.7.254

    - 10.10.10.0/24 (VPN1)

    - 10.10.20.0/24 (VPN2)

    The new VM runs at 192.168.4.12

    I'm having a weird issue with accessing it:

    DNS resolves fine.
    I can ping and arp it from all addresses.
    There is nothing in the switches' config to restrict traffic.

    I can access TCP services (22, 443) from 192.168.4.x, 10.10.10.x and 10.10.20.x but not from 192.168.5.x (a subset of Ethernet LAN).
    I have no active 192.168.6.x or 192.168.7.x hosts to test from.

    I've done nothing special during OS installation and config.
    There is no local iptables running on the VM.

    I've run tcpdump on the VM and connections from all 192.168.5.x hosts
    are rejected with R (reset) flag.
    It looks like some OS default or some kind of silent auto-ban is causing it. The rejection only affects TCP services; ICMP pings go through fine.

    I've deployed probably a hundred various machines in this environment
    but never had this kind of access issue before.

    Any ideas?

    Regards,
    Adam

  • From Michael Kjörling@21:1/5 to All on Wed Sep 25 08:50:01 2024
    On 24 Sep 2024 21:31 +0100, from [email protected] (Adam Weremczuk):
    I've just launched a Debian 12 VM in VMware (ESXi 7.0.2) and installed apache2 / php / postgres stack on it + ssh access.

    Generally we have 3 subnets (IPv4 only):

    - 192.168.4.0/22 (Ethernet LAN) - which starts with 192.168.4.1 and ends
    with 192.168.7.254

    - 10.10.10.0/24 (VPN1)

    - 10.10.20.0/24 (VPN2)

    The new VM runs at 192.168.4.12

    I can access TCP services (22, 443) from 192.168.4.x, 10.10.10.x and 10.10.20.x but not from 192.168.5.x (a subset of Ethernet LAN).

    To me this smells like a subnet mask length issue.

    Triple-check that `ip a sh` shows the IP address and subnet mask that
    you expect.

    --
    Michael Kjörling 🔗 https://michael.kjorling.se “Remember when, on the Internet, nobody cared that you were a dog?”

  • From Adam Weremczuk@21:1/5 to Dan Ritter on Wed Sep 25 12:40:01 2024
    On 24/09/2024 22:29, Dan Ritter wrote:

    What does

    ip route show

    give you on the VM in question?

    ip route show
    default via 192.168.4.1 dev ens192 onlink
    192.168.4.0/24 dev ens192 proto kernel scope link src 192.168.4.12

    BINGO!

    192.168.4.0/24 is wrong, should say 192.168.4.0/22

    Do you know why?

    /etc/network/interfaces looks correct:

    allow-hotplug ens192
    iface ens192 inet static
    address 192.168.4.12
    mask 255.255.252.0
    gateway 192.168.4.1
    dns-nameservers 192.168.4.3
    dns-search mydomain.co.uk

  • From Erwan David@21:1/5 to All on Wed Sep 25 14:40:01 2024
    Le 25/09/2024 à 12:30, Adam Weremczuk a écrit :
    On 24/09/2024 22:29, Dan Ritter wrote:

    What does

    ip route show

    give you on the VM in question?

    ip route show
    default via 192.168.4.1 dev ens192 onlink
    192.168.4.0/24 dev ens192 proto kernel scope link src 192.168.4.12

    BINGO!

    192.168.4.0/24 is wrong, should say 192.168.4.0/22

    Do you know why?

    /etc/network/interfaces looks correct:

    allow-hotplug ens192
    iface ens192 inet static
    address 192.168.4.12
    mask 255.255.252.0
    gateway 192.168.4.1
    dns-nameservers 192.168.4.3
    dns-search mydomain.co.uk

    It should be "netmask 255.255.252.0" or (I prefer) just set
    "address 192.168.4.12/22"
    without netmask (man says it is deprecated)

    --
    Erwan

  • From Dan Ritter@21:1/5 to Adam Weremczuk on Wed Sep 25 14:20:02 2024
    Adam Weremczuk wrote:
    On 24/09/2024 22:29, Dan Ritter wrote:

    What does

    ip route show

    give you on the VM in question?

    ip route show
    default via 192.168.4.1 dev ens192 onlink
    192.168.4.0/24 dev ens192 proto kernel scope link src 192.168.4.12

    BINGO!

    192.168.4.0/24 is wrong, should say 192.168.4.0/22

    Do you know why?

    /etc/network/interfaces looks correct:

    allow-hotplug ens192
    iface ens192 inet static
    address 192.168.4.12
    mask 255.255.252.0
    ^^^^
    Spell this netmask instead.

    -dsr-

  • From Adam Weremczuk@21:1/5 to Erwan David on Wed Sep 25 15:40:01 2024
    That was it, thanks everyone.

    On 25/09/2024 13:39, Erwan David wrote:

    It should be "netmask 255.255.252.0" or (I prefer) just set
    "address 192.168.4.12/22"
    without netmask (man says it is deprecated)

  • From Andy Smith@21:1/5 to Dan Ritter on Thu Sep 26 04:00:01 2024
    Hi,

    On Wed, Sep 25, 2024 at 08:01:45AM -0400, Dan Ritter wrote:
    Adam Weremczuk wrote:
    allow-hotplug ens192
    iface ens192 inet static
    address 192.168.4.12
    mask 255.255.252.0
    ^^^^
    Spell this netmask instead.

    Spell it

    address 192.168.4.12/22

    (with no "netmask" line at all)

    instead. 😀

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

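The root cause in this thread is a one-word typo (`mask` instead of `netmask`) that silently left the VM with a /24 instead of the intended /22, so every 192.168.5.x host was treated as off-link. The following is an added example, not code from the thread or from ifupdown: a small checker that parses an `inet static` stanza, flags the unrecognised `mask` option, works out the prefix the interface will actually get, and reports which peers the VM would ARP for directly versus send via the gateway. The stanza text is the one Adam posted; the peer addresses are constructed from the subnets he listed, and the fallback to /24 when no usable mask is present is an assumption taken from the `ip route show` output in the thread (192.168.4.0/24), not a documented ifupdown rule. It also checks the two corrections proposed (`netmask 255.255.252.0`, or `address 192.168.4.12/22` with no netmask line).

```python
"""Added example (not from the thread): sanity-check an ifupdown
'inet static' stanza for the 'mask' vs 'netmask' mistake and show
which peers end up on-link for the resulting prefix."""
import ipaddress

# Stanza as posted in the thread, with the "mask" typo (indentation added).
STANZA_BROKEN = """\
allow-hotplug ens192
iface ens192 inet static
    address 192.168.4.12
    mask 255.255.252.0
    gateway 192.168.4.1
    dns-nameservers 192.168.4.3
    dns-search mydomain.co.uk
"""

# The two corrections proposed in the thread.
STANZA_NETMASK = STANZA_BROKEN.replace("mask 255.255.252.0", "netmask 255.255.252.0")
STANZA_CIDR = (STANZA_BROKEN
               .replace("address 192.168.4.12", "address 192.168.4.12/22")
               .replace("    mask 255.255.252.0\n", ""))

# Keywords that begin a new section in /etc/network/interfaces.
SECTION_KEYS = ("auto", "allow-hotplug", "allow-auto", "mapping",
                "source", "source-directory")


def parse_static_stanza(text):
    """Return the option dict of the first 'iface <name> inet static' stanza."""
    opts = {}
    in_stanza = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "iface":
            if in_stanza:
                break  # a second stanza starts; we only want the first
            in_stanza = value.endswith("inet static")
            continue
        if key in SECTION_KEYS:
            if in_stanza:
                break
            continue
        if in_stanza:
            opts[key] = value
    return opts


def effective_interface(opts):
    """Return (IPv4Interface, warnings): the address/prefix the interface
    will end up with, given the stanza options."""
    warnings = []
    addr = opts.get("address")
    if addr is None:
        raise ValueError("stanza has no 'address' option")
    if "mask" in opts and "netmask" not in opts:
        warnings.append("'mask' is not an ifupdown option; did you mean 'netmask'?")
    if "/" in addr:
        if "netmask" in opts:
            warnings.append("address carries a prefix length and 'netmask' is also given")
        iface = ipaddress.ip_interface(addr)
    elif "netmask" in opts:
        iface = ipaddress.ip_interface(f"{addr}/{opts['netmask']}")
    else:
        # Assumption: with no usable mask the interface came up as /24,
        # which is what `ip route show` reported in the thread.
        warnings.append("no netmask given; assuming /24 (as observed in the thread)")
        iface = ipaddress.ip_interface(f"{addr}/24")
    gw = opts.get("gateway")
    if gw and ipaddress.ip_address(gw) not in iface.network:
        warnings.append(f"gateway {gw} is not inside {iface.network}")
    return iface, warnings


def is_on_link(iface, peer):
    """True if the host would ARP for `peer` directly; False means the
    traffic to `peer` is sent to the default gateway instead."""
    return ipaddress.ip_address(peer) in iface.network


# Constructed peers, one per subnet mentioned in the thread.
PEERS = ["192.168.4.20", "192.168.5.7", "192.168.7.254", "10.10.10.5"]


def diagnose(stanza_text, peers=PEERS):
    """Parse a stanza and report its effective network, warnings and the
    on-link status of each peer."""
    iface, warnings = effective_interface(parse_static_stanza(stanza_text))
    return {
        "network": str(iface.network),
        "warnings": warnings,
        "on_link": {p: is_on_link(iface, p) for p in peers},
    }


if __name__ == "__main__":
    for label, stanza in (("broken", STANZA_BROKEN),
                          ("netmask", STANZA_NETMASK),
                          ("cidr", STANZA_CIDR)):
        r = diagnose(stanza)
        print(f"{label}: {r['network']} warnings={r['warnings']}")
        for peer, on_link in r["on_link"].items():
            print(f"  {peer}: {'on-link' if on_link else 'via gateway'}")
```

Running it shows the broken stanza classifying 192.168.5.7 and 192.168.7.254 as "via gateway" under 192.168.4.0/24, while both corrected forms put the whole 192.168.4.0/22 range on-link; the VPN address is correctly off-link in every case.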