
I have two virtual machines on a VMWare ESXi server - a Sophos Firewall and a Windows Server. On the LAN side of my network, I have a bunch of devices and a Cisco ATA connected to a real switch. This switch is connected to nic0 on the server. I am trying to fully segregate VOIP traffic onto VLAN=4. This is the only VLAN in use.

vSwitch0 Topology: The following port groups are connected to physical adapter vmnic0...

  1. Sophos Port Group. VLAN = 4095 (trunked). VM = Sophos XG Firewall. IP = 192.168.2.1/24.
  2. Management Port Group. VLAN = 0. VMKernel port vmk0. IP = 192.168.2.2/24.
  3. Windows Server Port Group. VLAN = 0. VM = Windows Server 2016. IP = 192.168.2.3/24.

As I mentioned, nic0 is wired to a real switch. This port trunks VLANs = 1 (untagged) and 4 (tagged).

From a computer attached to another of the real switch ports (PVID=1, IP=192.168.2.40/24), I am able to access the Sophos Firewall and the VMWare Management Server, but NOT the Windows Server.

This seems strange because both VMWare and the Windows Server port groups have the same setup on the virtual switch (VLAN=0 off).

When I add the Windows Server VM into the Sophos Port Group (VLAN=4095 trunked), all works fine and all devices can communicate. However, I don't particularly like this because all my VLAN=4 traffic can be seen on Wireshark on the server, and I'd like to properly segregate VLAN=4 traffic such that the Windows machine cannot see any VOIP data. This should only be seen by the firewall, which forwards it to a WAN virtual switch and physical adapter and out to the internet.

Question...

  1. Why am I able to access VMWare Management (192.168.2.2), but not the Windows Server (192.168.2.3), from a computer (192.168.2.40) attached to the real LAN switch? Their setup on the vSwitch and port groups is identical.
    Since they are all on the same VLAN that does not seem to be the problem. Probably windows server has some firewall settings configured preventing correct access. – Overmind May 07 '19 at 05:44
  • Could be the windows firewall, could be the routing, we don't know without seeing the complete relevant configuration. Also remember that windows treats new networks as "public" networks and closes down the firewall. This usually happen if you move a windows server from one subnet into another one. – Gerald Schneider May 07 '19 at 05:58
  • Interesting thoughts. I turned off the Windows firewall with no change. I did find something interesting however. I am performing a ping for 192.168.2.3 from the computer 192.168.2.40. On the Windows Server, I can see the ARP requests coming in, and the Windows Server responding to those requests. However, when I do a tcpdump on the Sophos Firewall, I see the ARP requests from my computer but nothing coming back from the Windows Server. I have confirmed that there are no packets being dropped. Yet the Windows Server is able to use the Sophos Firewall to access the internet without drama. – oneslyfox May 07 '19 at 07:04
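The asker's concern above is that putting a server VM on a VLAN 4095 (all-VLANs trunk) port group lets that guest capture the VoIP VLAN. The following added example, which is not part of the original question or any answer, is a small audit that parses the output of `esxcli network vswitch standard portgroup list` (the sample text is constructed here in that command's column layout; the port group names and counts are assumed, not taken from a real host) and flags every port group that passes all VLANs to its guests unless it is on an explicit allow-list such as the firewall's port group.

```python
"""
Audit ESXi standard-vSwitch port groups for VLAN exposure.

Parses the text printed by `esxcli network vswitch standard portgroup list`
and flags port groups whose VLAN ID is 4095 (virtual guest tagging: the VM
sees every VLAN the uplink trunks). A plain server VM on such a port group
can sniff VLANs it should never see, e.g. a segregated VoIP VLAN.
"""
import re

# Constructed sample in the column layout that esxcli prints.
# Names, client counts and the mis-placed "Windows Server" group are assumed.
SAMPLE_ESXCLI_OUTPUT = """\
Name                   Virtual Switch  Active Clients  VLAN ID
---------------------  --------------  --------------  -------
Sophos Port Group      vSwitch0                     1     4095
Management Network     vSwitch0                     1        0
Windows Server         vSwitch0                     1     4095
VM Network             vSwitch0                     0        0
"""

TRUNK_ALL_VLANS = 4095   # ESXi value meaning "pass all VLAN tags to the guest"

# One data row: name (may contain single spaces), two+ spaces, vswitch,
# active-client count, VLAN id. Header and dashed separator do not match.
_ROW_RE = re.compile(r"^(\S.*?)\s{2,}(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_portgroups(text):
    """Return a list of {name, vswitch, clients, vlan} dicts, in listing order."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        name, vswitch, clients, vlan = m.groups()
        rows.append({
            "name": name.strip(),
            "vswitch": vswitch,
            "clients": int(clients),
            "vlan": int(vlan),
        })
    return rows


def vlan_mode(vlan):
    """Describe how a port group's VLAN ID is handled by the vSwitch."""
    if vlan == 0:
        return "EST"          # untagged; physical switch port's native VLAN
    if vlan == TRUNK_ALL_VLANS:
        return "VGT"          # virtual guest tagging; guest receives all tags
    return "VST"              # vSwitch tags/untags this single VLAN


def find_exposed_portgroups(rows, allowed=frozenset()):
    """
    Names of port groups that pass all VLANs to their guests and are not on
    the allow-list. Only the routing/filtering VM (the firewall here) should
    legitimately sit on such a group.
    """
    return [
        r["name"]
        for r in rows
        if r["vlan"] == TRUNK_ALL_VLANS and r["name"] not in allowed
    ]


if __name__ == "__main__":
    groups = parse_portgroups(SAMPLE_ESXCLI_OUTPUT)
    for g in groups:
        print(f'{g["name"]:<22} {g["vswitch"]:<10} VLAN {g["vlan"]:>4} ({vlan_mode(g["vlan"])})')
    exposed = find_exposed_portgroups(groups, allowed={"Sophos Port Group"})
    print("Port groups exposing all VLANs to a non-firewall guest:", exposed)
```

Run it against the real listing by replacing the constructed sample with the command's saved output; anything reported beyond the firewall's own port group is a VM that can observe the tagged VoIP traffic and should be moved to a VLAN 0 or single-VLAN (VST) port group.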

1 Answer


I ended up simplifying my setup by removing the VLANs and most VMs. The Windows Server port group still couldn't communicate with the physical NIC. Same deal when I created a new Linux VM.

I recreated all vSwitches and Port Groups, exactly the same setup otherwise, and it started working. There appeared to be a bug - I moved my firewall VM off one port group and onto another, then it said that the original port group never existed to begin with.

Basically my problem appeared to be a VMWare ESXi bug. My version is HPE 6.0U2 because I am running it on an older HP ProLiant DL380 Gen5.