Vyatta Firewall

August 6th, 2016

Dear All,
Hope someone around here can help me with the Vyatta firewall. My Vyatta 6.2 firewall worked fine for over the last year; however, after updating to the next version, 6.5 (and even 6.5), my Vyatta firewall became crazy:
I can't browse some sites; it blocks them, like www.microsoft.com and facebook.com, and I can't even ping them.
Thank you

Answer #1
When you try to ping them, what address is it resolving to?

C:\Users\XXXXXXXXXXXX>ping www.microsoft.com
Pinging lb1.www.ms.akadns.net [65.55.57.27] with 32 bytes of data:

Is this a cracked copy or a legit license?
Check that your hosts file hasn't been hijacked.
Also provide us with the output of:
nslookup www.microsoft.com
C:\Users\techsupport>nslookup www.microsoft.com
Server:  google-public-dns-b.google.com
Address:  8.8.4.4
Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    lb1.www.ms.akadns.net
Address:  65.55.57.27
Aliases:  www.microsoft.com
          toggle.www.ms.akadns.net
          g.www.ms.akadns.net

Answer #2
The Vyatta I am using is legit, on Hyper-V.
I can't ping Microsoft.com or browse to it.
C:\Users\>ping www.microsoft.com
Pinging lb1.www.ms.akadns.net [65.55.57.27] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 65.55.57.27:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\>nslookup
Default Server:  UnKnown
Address:  192.168.4.1
> www.microsoft.com
Server:  UnKnown
Address:  192.168.4.1
Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    lb1.www.ms.akadns.net
Address:  65.55.57.27
Aliases:  www.microsoft.com
          toggle.www.ms.akadns.net
          g.www.ms.akadns.net
>

Answer #3
Does the ping go through from the firewall?
Since you say this happened after upgrading to v6.5, pick up the release notes and see what changes were introduced that could break your internet access.
Answer #4

I tried it on Vyatta 6.5 and 6.6, and it's the same problem:
the ping doesn't go out from the Vyatta firewall.
vyatta@vyatta:~$ ping www.microsoft.com
PING lb1.www.ms.akadns.net (64.4.11.42) 56(84) bytes of data.

Answer #5
Is the website accessible without the firewall? If not, then it's likely a problem with your ISP.
I wouldn't be able to help you with the commands for this, but is your NAT properly configured?
Answer #6
Yes, the NAT and firewall are properly configured.
The website is accessible through the physical network; www.microsoft.com is always up and running. I have two networks, Private and Physical:
Physical is through my ISP gateway, 192.168.2.xx
Private is through Vyatta, 192.168.4.xx
All websites are accessible from my ISP gateway when I am connected to 192.168.2.xxx; however, when I am switched to the Vyatta network, some websites are not working, like microsoft.com, and facebook.com is not loading the pages completely, some images are unrecognised!
My ISP protocol is PPPoE, but Vyatta is not connected directly to the PPPoE protocol because there is the ISP gateway in between.
Answer #7
Hmmmm… is there some kind of filtering that is possible on the Vyatta firewall? The Microsoft site seems to be resolving properly, but the request isn't going through…
Also, is it possible for you to do a policy trace on the firewall for a website that is getting blocked?
Answer #8
There is no filtering or firewalling.
I just have one firewall rule to allow RDP and UDP; I haven't even restricted the web proxy yet.
How can I do the policy trace on the firewall?
I want to allow the traffic between eth0 and eth1, so all protocols will be accepted between both NICs.
Can you advise how to do this?
I want to RDP to the servers on eth1 from eth0 and the other way around, and also allow ping through eth0 and eth1.
Thank you for your help!
Answer #9
How can I do the policy trace on the firewall?

Not sure how exactly you'd go about doing this on a Vyatta firewall, but instead you could take a look at the logs on the firewall and see if you can find anything for why the website request isn't going through.

I want to allow the traffic between eth0 and eth1, so all protocols will be accepted between both NICs. Can you advise how to do this? I want to RDP to the servers on eth1 from eth0 and the other way around, and also allow ping through eth0 and eth1.

From source to destination, you'd probably need to open up port 3389 for RDP connections and allow ICMP traffic for ping.

Thank you for your help!

No problem!
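Answer #9 suggests reading the firewall's own logs to see why a request is not going through. On Vyatta 6.x, rules with logging enabled (and a rule set with default logging) write iptables-style lines to /var/log/messages, prefixed with the rule set name, rule number and action letter, e.g. "[WAN-IN-default-D]". The script below is an added example, not part of the thread: it filters such lines for drops toward a given destination port, for dropped ICMP echo requests, and summarises which rule produced each drop. The sample log lines, the rule set names WAN-IN/LAN-IN and the hosts in them are constructed for the example; on a real box, replace SAMPLE_LOG with the output of `sudo grep -F '-D]' /var/log/messages`.

```shell
#!/bin/sh
# Added example: sift Vyatta firewall log lines for dropped traffic.
# Log format assumed: "... kernel: [<ruleset>-<rule>-<A|D|R>]IN=... DST=... PROTO=... DPT=..."
# SAMPLE_LOG is constructed for this example; it is not from the thread.
SAMPLE_LOG='Aug  6 10:01:02 vyatta kernel: [LAN-IN-default-D]IN=eth1 OUT=eth0 SRC=192.168.4.20 DST=65.55.57.27 LEN=52 PROTO=TCP SPT=51234 DPT=80
Aug  6 10:01:05 vyatta kernel: [WAN-IN-20-A]IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=10.10.10.64 LEN=52 PROTO=TCP SPT=51235 DPT=3389
Aug  6 10:01:09 vyatta kernel: [WAN-IN-default-D]IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=10.10.10.64 LEN=52 PROTO=TCP SPT=51236 DPT=3389
Aug  6 10:01:12 vyatta kernel: [WAN-IN-default-D]IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=10.10.10.64 LEN=84 PROTO=ICMP TYPE=8 CODE=0'

# drops_to_port LOGTEXT PORT -> log lines whose action is D (drop) and whose DPT equals PORT
drops_to_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        # the bracketed prefix ends in the action letter; only keep drops
        match($0, /\[[^]]*-D\]/) && $0 ~ ("DPT=" port "( |$)")
    '
}

# count_drops LOGTEXT PORT -> number of such lines (0 when none)
count_drops() {
    drops_to_port "$1" "$2" | wc -l | tr -d ' '
}

# dropped_icmp_echo LOGTEXT -> dropped ICMP echo requests (type 8), i.e. pings that never left
dropped_icmp_echo() {
    printf '%s\n' "$1" | awk '
        match($0, /\[[^]]*-D\]/) && /PROTO=ICMP/ && /TYPE=8/
    '
}

# drop_rules LOGTEXT -> "<count> <ruleset>-<rule>-D" per rule that dropped something,
# useful for seeing whether the default action or a specific rule is the culprit
drop_rules() {
    printf '%s\n' "$1" | awk '
        match($0, /\[[^]]*-D\]/) { print substr($0, RSTART + 1, RLENGTH - 2) }
    ' | sort | uniq -c
}

echo "Dropped RDP (3389):"
drops_to_port "$SAMPLE_LOG" 3389
echo "Dropped pings:"
dropped_icmp_echo "$SAMPLE_LOG"
echo "Drops per rule:"
drop_rules "$SAMPLE_LOG"
```

In the sample, the second 3389 attempt and the ping both hit WAN-IN's default drop, which is exactly the "sometimes it works, sometimes it doesn't" signature worth checking for before touching the VMs: if the drops cluster under a "-default-D" prefix, a rule is missing or ordered after the default, not a VM problem.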
Answer #10
Thank you so much for your continued support.
Port 3389 and ICMP traffic are already allowed; however, when trying to RDP to the VMs, sometimes it works and sometimes it doesn't!
Answer #11
When RDP access is lost, does the VM still respond to ping? If it doesn't, then it would point to an issue with the VM itself.
Answer #12
When the RDP is down, the ping is also down.
Answer #13
Assuming your firewall configuration is staying constant, it points to something going on with the VM…
What about the firewall on the VM, have you tried turning it off?
Also, what changes from the time that it works to the time when it doesn’t? Is the IP address on the VM statically configured? Anything else you can think of?
Answer #14
Dear ,
The VM is fine; the internal network is working fine on the Vmexs3 10 Gbps network card.
The only issue now is that I can't ping the devices that are behind my ISP gateway, 192.168.2.xx. The strange thing is, I can ping my ISP router, 192.168.2.254!
Is this some block on Vyatta or on the ISP router?
Answer #15
Simple way to determine that: take the Vyatta firewall out of the picture. Do you now have access? If yes, then it is the firewall that's causing problems.
It's hard to say for certain without doing a more thorough investigation on the firewall…
Answer #16
If I take the Vyatta out of the picture, I will kill the subnet where they are.
Vyatta is the router for my private network.
Answer #17
Alright, let's do it this way: connect a PC directly to the ISP router and then try accessing the site. You should be able to determine if there's anything blocking traffic that way.
That won't give us any information about the VMs' behaviour though…
Also, when the problem occurs, does the server that you're trying to RDP into still have network access?
Would it be possible for you to quickly throw together a network diagram? Not sure I've got all the pieces correctly in my head…
Answer #18
Thank you for your support.
Here is my diagram:
http://virtuallymikebrown.files.wordpress.com/2013/01/networkdiagram.jpg
Vmnet0 is the ESXi network card.
From the VLANs I can ping my laptop, but from my laptop I can't reach the VLANs or the VMs that are behind the VLANs.
Answer #19
Since the ping is going through, and also since you have the necessary ports open, it doesn't look like there's a problem with the network connectivity.
My mind is drawn towards two possibilities:
– RDP access is disabled on the VMs in the VLANs which are not reachable
– The local firewall is blocking connections to RDP
Can't think of anything else, but will post back if I have a "Eureka" moment.
Answer #20
RDP is already enabled.
I can RDP between the VMs on the VLAN.
When I am connected to the network 192.168.1.8 and want to reach the VM behind 10.10.10.1/24, I want to RDP to the VM using its LAN IP, 10.10.10.64. When I do this, I don't get any response at all.
It works only if I use the eth0 Vyatta IP, 192.168.1.8, which has already been configured on the NAT and firewall.
What I want is for all subnets to be reachable from all subnets.
So in the meanwhile, VLANs 10, 20 and 40 are pingable with each other, and this is exactly what I want!
The only thing now is that I want the network 192.168.1.0/24 to be the same, i.e. able to ping 192.168.1.0/24.
I hope you understand me.
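Two points in the thread call for a concrete configuration: Answer #9 (open TCP 3389 and ICMP between eth0 and eth1) and Answer #20 (hosts on 192.168.1.0/24 can only reach the VM through the Vyatta's eth0 address, not through the VM's own 10.10.10.64). The commands below are an added example written for this page, not the original poster's configuration, in the Vyatta 6.x configuration-mode syntax. Assumptions: eth0 is 192.168.1.8 on the ISP-gateway side, eth1 faces the private 10.10.10.0/24 network, and the rule set name WAN-IN is invented here; only rules that drop traffic are logged, so the firewall log shows the misses and not the normal traffic.

```vyatta
configure

# Rule set for packets arriving on eth0 (from the 192.168.1.0/24 side).
# Default is drop, and every default-drop is logged for diagnosis.
set firewall name WAN-IN default-action drop
set firewall name WAN-IN enable-default-log

# Return traffic for connections the private side opened (web browsing, etc.)
set firewall name WAN-IN rule 10 action accept
set firewall name WAN-IN rule 10 state established enable
set firewall name WAN-IN rule 10 state related enable

# RDP from the 192.168.1.0/24 side to anything behind eth1; restrict the source
# rather than accepting 3389 from everywhere the ISP gateway might forward.
set firewall name WAN-IN rule 20 action accept
set firewall name WAN-IN rule 20 protocol tcp
set firewall name WAN-IN rule 20 destination port 3389
set firewall name WAN-IN rule 20 source address 192.168.1.0/24

# Ping: accept echo-request only; echo-reply is covered by the established rule.
set firewall name WAN-IN rule 30 action accept
set firewall name WAN-IN rule 30 protocol icmp
set firewall name WAN-IN rule 30 icmp type 8

set interfaces ethernet eth0 firewall in name WAN-IN

# Source NAT for the private side going out through eth0 (6.5+ "nat source"
# syntax). Rule 5 excludes the neighbouring 192.168.1.0/24 so that VM-initiated
# traffic to that network keeps its real 10.10.10.x source address.
set nat source rule 5 outbound-interface eth0
set nat source rule 5 destination address 192.168.1.0/24
set nat source rule 5 exclude
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.10.10.0/24
set nat source rule 10 translation address masquerade

commit
save
exit
```

The firewall rules alone do not produce the behaviour asked for in Answer #20. A laptop on 192.168.1.0/24 that sends a packet to 10.10.10.64 hands it to its default gateway, the ISP router, which knows nothing about 10.10.10.0/24; the packet never reaches the Vyatta, so no rule set can let it in. Either the ISP router needs a static route for 10.10.10.0/24 (and the other VLAN subnets) via 192.168.1.8, or each host needs one (on Windows, `route -p add 10.10.10.0 mask 255.255.255.0 192.168.1.8`). Reaching the VM via the eth0 address works only because that path uses destination NAT on the Vyatta and needs no route. Two further checks a practitioner would make on this box: `show firewall name WAN-IN statistics` to confirm the accept rules are actually being hit, and, since the site symptom was pages that load only partially behind a PPPoE link, `ping -M do -s 1464 www.microsoft.com` from the Vyatta to see whether 1500-byte frames are being silently dropped; if so, `set firewall options interface eth0 adjust-mss 1452` clamps the TCP MSS for the PPPoE path.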
