Discussion:
subnet subset blocked
Adam Weremczuk
2024-09-24 20:40:01 UTC
Hi all,

I've just launched a Debian 12 VM in VMware (ESXi 7.0.2) and installed
apache2 / php / postgres stack on it + ssh access.

Generally we have 3 subnets (IPv4 only):

- 192.168.4.0/22 (Ethernet LAN) - which starts with 192.168.4.1 and ends
with 192.168.7.254

- 10.10.10.0/24 (VPN1)

- 10.10.20.0/24 (VPN2)

The new VM runs at 192.168.4.12

I'm having a weird issue with accessing it:

DNS resolves fine.
I can ping and arp it from all addresses.
There is nothing in the switches' config to restrict traffic.

I can access TCP services (22, 443) from 192.168.4.x, 10.10.10.x and
10.10.20.x but not from 192.168.5.x (a subset of Ethernet LAN).
I have no active 192.168.6.x or 192.168.7.x hosts to test from.

I've done nothing special during OS installation and config.
There is no local iptables running on the VM.

I've run tcpdump on the VM and connections from all 192.168.5.x hosts
are rejected with the R (reset) flag.
It looks like some OS default or some kind of silent auto-ban is causing it.
Access rejection only affects TCP services; ICMP (ping) goes through fine.

I've deployed probably a hundred various machines in this environment
but never had this kind of access issue before.

Any ideas?

Regards,
Adam
Dan Ritter
2024-09-24 21:50:01 UTC
Post by Adam Weremczuk
Hi all,
I've just launched a Debian 12 VM in VMware (ESXi 7.0.2) and installed
apache2 / php / postgres stack on it + ssh access.
- 192.168.4.0/22 (Ethernet LAN) - which starts with 192.168.4.1 and ends
with 192.168.7.254
- 10.10.10.0/24 (VPN1)
- 10.10.20.0/24 (VPN2)
The new VM runs at 192.168.4.12
DNS resolves fine.
I can ping and arp it from all addresses.
There is nothing in the switches' config to restrict traffic.
I can access TCP services (22, 443) from 192.168.4.x, 10.10.10.x and
10.10.20.x but not from 192.168.5.x (a subset of Ethernet LAN).
I have no active 192.168.6.x or 192.168.7.x hosts to test from.
I've done nothing special during OS installation and config.
There is no local iptables running on the VM.
I've run tcpdump on the VM and connections from all 192.168.5.x hosts are
rejected with the R (reset) flag.
It looks like some OS default or some kind of silent auto-ban is causing it.
Access rejection only affects TCP services; ICMP (ping) goes through fine.
I've deployed probably a hundred various machines in this environment but
never had this kind of access issue before.
What does

ip route show

give you on the VM in question?

Are there other VMs on the same host that work properly for the
same tests?

-dsr-
Adam Weremczuk
2024-09-25 10:40:01 UTC
Post by Dan Ritter
What does
ip route show
give you on the VM in question?
ip route show
default via 192.168.4.1 dev ens192 onlink
192.168.4.0/24 dev ens192 proto kernel scope link src 192.168.4.12

BINGO!

192.168.4.0/24 is wrong, should say 192.168.4.0/22

Do you know why?

/etc/network/interfaces looks correct:

allow-hotplug ens192
iface ens192 inet static
address 192.168.4.12
mask 255.255.252.0
gateway 192.168.4.1
dns-nameservers 192.168.4.3
dns-search mydomain.co.uk
Dan Ritter
2024-09-25 12:20:02 UTC
Post by Dan Ritter
Post by Dan Ritter
What does
ip route show
give you on the VM in question?
ip route show
default via 192.168.4.1 dev ens192 onlink
192.168.4.0/24 dev ens192 proto kernel scope link src 192.168.4.12
BINGO!
192.168.4.0/24 is wrong, should say 192.168.4.0/22
Do you know why?
allow-hotplug ens192
iface ens192 inet static
address 192.168.4.12
mask 255.255.252.0
^^^^
Spell this netmask instead.

-dsr-
Andy Smith
2024-09-26 02:00:01 UTC
Hi,
Post by Dan Ritter
Post by Adam Weremczuk
allow-hotplug ens192
iface ens192 inet static
address 192.168.4.12
mask 255.255.252.0
^^^^
Spell this netmask instead.
Spell it

address 192.168.4.12/22

(with no "netmask" line at all)

instead. 😀

Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Erwan David
2024-09-25 12:40:01 UTC
Post by Dan Ritter
Post by Dan Ritter
What does
ip route show
give you on the VM in question?
ip route show
default via 192.168.4.1 dev ens192 onlink
192.168.4.0/24 dev ens192 proto kernel scope link src 192.168.4.12
BINGO!
192.168.4.0/24 is wrong, should say 192.168.4.0/22
Do you know why?
allow-hotplug ens192
iface ens192 inet static
address 192.168.4.12
mask 255.255.252.0
gateway 192.168.4.1
dns-nameservers 192.168.4.3
dns-search mydomain.co.uk
It should be "netmask 255.255.252.0" or (I prefer) just set
"address 192.168.4.12/22"
without netmask (the man page says it is deprecated)
--
Erwan
Adam Weremczuk
2024-09-25 13:40:01 UTC
That was it, thanks everyone.
Post by Erwan David
It should be "netmask 255.255.252.0" or (I prefer) just set
"address 192.168.4.12/22"
without netmask (the man page says it is deprecated)
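The root cause in this thread is a single mis-typed option: ifupdown has no `mask` keyword, so the stanza was applied as a bare `address 192.168.4.12`, and the VM ended up with a 192.168.4.0/24 connected route instead of /22, which put every 192.168.5.x host off-link from the VM's point of view. The following script is an added example (it is not from the thread and not part of ifupdown); it parses an `iface ... inet static` stanza, reports option names ifupdown does not know, works out the prefix length from a CIDR address or a `netmask` line, compares it with the prefix you expect and with the `proto kernel scope link` route from `ip route show`, and tells you which peer addresses are off-link. The classful /24 fallback for an address with neither CIDR suffix nor netmask is an assumption made here because it matches the /24 the thread observed; the stanzas, the route output and the peer addresses are constructed from the values in the thread.

```python
"""Sanity-check an ifupdown 'inet static' stanza against the expected subnet
and against the kernel's connected route.  Added example, not ifupdown code."""
import ipaddress
import re

# Option names this checker treats as valid for 'iface ... inet static'.
# dns-nameservers / dns-search are resolvconf hook options, listed so they
# are not reported as typos.
KNOWN_KEYS = {"address", "netmask", "broadcast", "gateway", "metric",
              "pointopoint", "mtu", "hwaddress", "scope",
              "dns-nameservers", "dns-search"}

# Constructed from the thread: the broken stanza and the two accepted fixes.
BROKEN_STANZA = """\
allow-hotplug ens192
iface ens192 inet static
address 192.168.4.12
mask 255.255.252.0
gateway 192.168.4.1
"""
FIXED_NETMASK_STANZA = BROKEN_STANZA.replace("\nmask ", "\nnetmask ")
FIXED_CIDR_STANZA = """\
allow-hotplug ens192
iface ens192 inet static
address 192.168.4.12/22
gateway 192.168.4.1
"""
# Constructed 'ip route show' output, as posted in the thread.
IP_ROUTE_OUTPUT = """\
default via 192.168.4.1 dev ens192 onlink
192.168.4.0/24 dev ens192 proto kernel scope link src 192.168.4.12
"""


def classful_prefix(addr):
    """Assumed fallback when no prefix is configured: classful A=/8, B=/16, C=/24."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def parse_static_stanza(text):
    """Parse the first 'iface <name> inet static' stanza in text.

    Returns a dict with the interface name, an IPv4Interface, the list of
    unrecognised option names, and where the prefix length came from.
    """
    iface, opts, unknown, in_stanza = None, {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"iface\s+(\S+)\s+inet\s+static$", line)
        if m:
            iface, in_stanza = m.group(1), True
            continue
        if not in_stanza:
            continue
        if re.match(r"(iface|auto|allow-|mapping|source)\b", line):
            break  # next stanza begins
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in KNOWN_KEYS:
            opts[key] = value
        else:
            unknown.append(key)  # ifupdown would not apply this line
    if iface is None or "address" not in opts:
        raise ValueError("no complete 'inet static' stanza found")
    address = opts["address"]
    if "/" in address:
        interface, source = ipaddress.IPv4Interface(address), "address"
    elif "netmask" in opts:
        interface = ipaddress.IPv4Interface(f"{address}/{opts['netmask']}")
        source = "netmask"
    else:
        prefix = classful_prefix(ipaddress.IPv4Address(address))
        interface = ipaddress.IPv4Interface(f"{address}/{prefix}")
        source = "classful-default (assumed)"
    return {"iface": iface, "interface": interface,
            "unknown": unknown, "prefix_source": source}


def connected_route(ip_route_output, iface):
    """Return the 'scope link' IPv4 network for iface from 'ip route show', or None."""
    for line in ip_route_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[1] == "dev" and f[2] == iface and "link" in f:
            try:
                return ipaddress.IPv4Network(f[0])
            except ValueError:
                continue
    return None


def check(stanza, expected_prefix, peers, ip_route_output=None):
    """Return a list of findings; an empty list means the stanza looks right."""
    info = parse_static_stanza(stanza)
    net = info["interface"].network
    findings = [f"unknown option '{k}' (ifupdown ignores it)" for k in info["unknown"]]
    if net.prefixlen != expected_prefix:
        findings.append(f"prefix is /{net.prefixlen} (from {info['prefix_source']}), "
                        f"expected /{expected_prefix}")
    if ip_route_output is not None:
        route = connected_route(ip_route_output, info["iface"])
        if route is not None and route.prefixlen != expected_prefix:
            findings.append(f"kernel connected route is {route}, expected /{expected_prefix}")
    for p in peers:
        if ipaddress.IPv4Address(p) not in net:
            findings.append(f"{p} is off-link for {net}; replies would go via the gateway")
    return findings


if __name__ == "__main__":
    for name, stanza in [("broken", BROKEN_STANZA), ("netmask", FIXED_NETMASK_STANZA),
                         ("cidr", FIXED_CIDR_STANZA)]:
        print(name, check(stanza, 22, ["192.168.5.20"], IP_ROUTE_OUTPUT) or "OK")
```

Run it as-is to see the broken stanza flagged on three counts (unknown `mask`, /24 instead of /22, 192.168.5.20 off-link) and both fixes pass the stanza checks; to use it on a real host, paste your own stanza and the output of `ip route show` into the two constants.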
George at Clug
2024-09-24 22:40:01 UTC
Adam,

I doubt this is your issue, but there have been times when my VM's [virtual] MAC address was the same as another's on the network.

You have not mentioned firewalls. Have you installed and configured any firewalls?
From your VM, can you ping and/or connect to a computer in the 192.168.5.x network?
From at least two computers in the 192.168.5.x network, can you ping or connect to your VM? (I presume not, from what you said.)
George.
Hi all,
I've just launched a Debian 12 VM in VMware (ESXi 7.0.2) and installed
apache2 / php / postgres stack on it + ssh access.
- 192.168.4.0/22 (Ethernet LAN) - which starts with 192.168.4.1 and ends
with 192.168.7.254
- 10.10.10.0/24 (VPN1)
- 10.10.20.0/24 (VPN2)
The new VM runs at 192.168.4.12
DNS resolves fine.
I can ping and arp it from all addresses.
There is nothing in the switches' config to restrict traffic.
I can access TCP services (22, 443) from 192.168.4.x, 10.10.10.x and
10.10.20.x but not from 192.168.5.x (a subset of Ethernet LAN).
I have no active 192.168.6.x or 192.168.7.x hosts to test from.
I've done nothing special during OS installation and config.
There is no local iptables running on the VM.
I've run tcpdump on the VM and connections from all 192.168.5.x hosts
are rejected with the R (reset) flag.
It looks like some OS default or some kind of silent auto-ban is causing it.
Access rejection only affects TCP services; ICMP (ping) goes through fine.
I've deployed probably a hundred various machines in this environment
but never had this kind of access issue before.
Any ideas?
Regards,
Adam
Michael Kjörling
2024-09-25 06:50:01 UTC
Post by Adam Weremczuk
I've just launched a Debian 12 VM in VMware (ESXi 7.0.2) and installed
apache2 / php / postgres stack on it + ssh access.
- 192.168.4.0/22 (Ethernet LAN) - which starts with 192.168.4.1 and ends
with 192.168.7.254
- 10.10.10.0/24 (VPN1)
- 10.10.20.0/24 (VPN2)
The new VM runs at 192.168.4.12
I can access TCP services (22, 443) from 192.168.4.x, 10.10.10.x and
10.10.20.x but not from 192.168.5.x (a subset of Ethernet LAN).
To me this smells like a subnet mask length issue.

Triple-check that `ip a sh` shows the IP address and subnet mask that
you expect.
--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”