Hyper-V server 2019 – Internet not working for Guest VM - networking

I’m new to Hyper-V, and I’m trying something apparently very simple:
Setup a Hyper-V 2019 server
On that server, install a Gen2 VM with Windows Server 2016
I have identical hardware successfully running Hyper-V (and 2 VMs) as a role in Windows Server 2016 Standard. Therefore, that hardware is most likely fit for virtualization, and has been ordered for that purpose only.
But I just can't get the guest VM to connect to the network! I reviewed former posts about the subject, and did not find any solutions I had not already explored.
Setting up a Hyper-V server and joining it to a domain was pretty straightforward. Even installing the VM was pretty simple.
Here is the current state, after I restarted from scratch (meaning I reinstalled the computer from zero) and left the defaults as generated by Microsoft:
The host does have access to internet (and is linked to AD) on ethernet NIC#1
Assigned Static IP: 192.168.0.96
Subnet: 255.255.255.0
gateway: 192.168.0.1
DNS: 192.168.0.1
From the remote Hyper-V manager, I did create a new Virtual Switch (only one)
Name: vSwitchExternXyz
Type: external
Linked to the external network using the same NIC#1
Allowed management operating system to share this network adapter (this is by default)
When executing "ipconfig" in the command line on the host, I see a new "Ethernet adapter vEthernet (vSwitchExternXyz)" created, having:
Autoconfiguration IP4 Address: 169.254.197.61 (hey, this is an APIPA address!)
Subnet: 255.255.0.0
gateway: none!
From the remote Hyper-V manager, I did assign this vSwitchExternXyz Virtual Switch (the only one I created in the Host)
I left unchecked both options “Enable virtual LAN identification” and “Enable bandwidth management” (those are unchecked by default)
When I start and connect to that only VM, and look at its network config, I get:
Autoconfiguration IP4 Address: 169.254.224.167 (again, another APIPA address!)
Subnet: 255.255.0.0
gateway: none!
From that picture, I'm not really surprised I cannot even ping any IP outside the APIPA address range, because the default gateway seems to be missing. I did try to assign it an IP and a valid gateway (same as the host's), but it made no difference. But I don't know yet what a successful configuration should look like.
Questions
I have no running environment to compare to in order to see if those defaults are correct. Should the virtual switch and the VM's vNIC adapter both be given IP addresses?
Shouldn't both the virtual switch and the VM's vNIC adapter be in the same subnet as the host (meaning 192.168.0.x), and point to the same gateway?
What's wrong with my VM that it cannot access the internet?

I resorted to Microsoft support to address this issue (it took 2 tech specialists 2.5 hours total to figure it out).
The problem was with the virtual switch, which was corrupted for obscure reasons. It should have picked up the IP of the physical NIC.
It was not enough to just remove the vSwitch and re-create it.
I had to:
leave the faulty vSwitch there,
create a new vSwitch
Assign the new switch to the Guest VM's adapter
only then, delete the faulty vSwitch
Problem fixed, thanks to Raj at the Microsoft technical support team.

Related

Proxmox IP is already in use (by pve itself)

I've run into a problem adding IPs to an SME server VM.
Determining if ip address xxx.xxx.xxx.xx is already in use for device eth3...
Error, some other host(mac address) aleady uses address xxx.xxx.xxx.xx.
Now, of course, I started looking at other servers hosted in Proxmox and outside of it as well, finding no other device using the IP addresses in question.
You could ping one of the addresses, but not the other.
More precisely, I could ping the local address, but not the public one.
I realised that the device using the IPs is actually Proxmox itself. When I disabled the interfaces in the host (ifdown vmbr6), I could assign the address to the server in question.
The IPs are configured like this in the Proxmox network tab.
vmbr6 Linux Bridge enp5s0f0 xxx.xxx.xxx.xx 255.255.255.0
Now I might add that the SME server is being migrated using this guide:
https://www.caretech.io/2017/10/17/migrating-virtualbox-vdi-to-proxmox-ve-5/
Though I don't think it's related to the networking issue.
So the steps that I've taken to try and fix the issue are:
Rebooted the SME server
Restarted the networking service on the SME server
Rebooted Proxmox
Removed network interfaces from the SME server
Changed the interface model from VirtIO to IntelE1000
Tried changing the MAC addresses
I've been battling this issue for 2 days and any and all help would be appreciated. Kind of in a hurry to migrate our services from VirtualBox to Proxmox.
Thank you.

Proxmox with OPNsense as pci-passthrough setup used as Firewall/Router/IPsec/PrivateLAN/MultipleExtIPs

This setup should be based on Proxmox sitting behind an OPNsense VM hosted on the Proxmox itself, which will protect Proxmox, offer a firewall, a private LAN and DHCP/DNS to the VMs, and offer an IPsec connection into the LAN to access all VMs/Proxmox which are not NATed.
The server is the typical Hetzner server, so only one NIC but multiple IPs and/or subnets on this NIC.
Proxmox Server with 1 NIC(eth0)
3 Public IPs; IP2/3 are routed by MAC in the datacenter (to eth0)
eth0 is PCI-passthroughed to the OPNsense KVM
A private network on vmbr30, 10.1.7.0/24
An IPsec mobile client connection (172.16.0.0/24) to the LAN
To better outline the setup, I created this [drawing][1] (not sure it's perfect, tell me what to improve):
Questions:
How to set up such a scenario using PCI passthrough instead of bridged mode.
Follow ups
I) Why can I not access PROXMOX.2 but can access VMEXT.11 (ARP?)
II) Why do I need a from * to * IPsec chain rule to get IPsec running? That is most probably a very OPNsense-related question.
III) I tried to handle the 2 additional external IPs by adding virtual IPs in OPNsense, adding a 1:1 NAT to the internal LAN IP and opening the firewall for the ports needed (for each private LAN IP), but I could not get it running yet. The question is, should each private IP have a separate MAC or not? What is specifically needed to get a multi-IP setup on WAN?
General high level perspective
Adding the pci-passthrough
A bit out of scope, but what you will need is:
a serial console/LARA to the Proxmox host.
a working LAN connection from OPNsense (in my case vmbr30) to Proxmox private (10.1.7.2) and vice versa. You will need this when you only have the tty console and need to reconfigure the OPNsense interfaces to add em0 as the new WAN device.
You might have a working IPsec connection beforehand, or have opened WAN ssh/gui, for further configuration of OPNsense after the passthrough.
In general it's this guide, in short:
vi /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on"
update-grub
vi /etc/modules
vfio
vfio_iommu_type1
vfio_pci
vfio_virqfd
Then reboot and ensure you have an IOMMU table:
find /sys/kernel/iommu_groups/ -type l
/sys/kernel/iommu_groups/0/devices/0000:00:00.0
/sys/kernel/iommu_groups/1/devices/0000:00:01.0
Now find your network card:
lspci -nn
in my case:
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection (2) I219-LM [8086:15b7] (rev 31)
After this command, you detach eth0 from Proxmox and lose the network connection. Ensure you have a tty! Please replace "8086 15b7" and 00:1f.6 with your PCI slot (see above):
echo "8086 15b7" > /sys/bus/pci/drivers/pci-stub/new_id && echo 0000:00:1f.6 > /sys/bus/pci/devices/0000:00:1f.6/driver/unbind && echo 0000:00:1f.6 > /sys/bus/pci/drivers/pci-stub/bind
Now edit your VM and add the PCI network card:
vim /etc/pve/qemu-server/100.conf
and add (replace 00:1f.6):
machine: q35
hostpci0: 00:1f.6
Boot OPNsense, connect using ssh root@10.1.7.1 from your tty on the Proxmox host, edit the interfaces, add em0 as your WAN interface and set it to DHCP. Reboot your OPNsense instance and it should be up again.
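As an added example (not part of the original post), here is a Python dry run of the detach step above: it parses the `lspci -nn` line, looks up the NIC's IOMMU group under a sysfs root, and returns the pci-stub commands and the hostpci line instead of executing them, together with any other device that sits in the same group and would be detached along with the NIC. The lspci sample and the fake sysfs tree are constructed; the extra devices, the group layout and the `plan_passthrough`/`demo_sysfs` names are my assumptions.

```python
import os, re, tempfile

# Constructed sample of `lspci -nn` output; the I219-LM line is the one quoted in the guide.
LSPCI_SAMPLE = """\
00:00.0 Host bridge [0600]: Intel Corporation Device [8086:5918] (rev 05)
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection (2) I219-LM [8086:15b7] (rev 31)
01:00.0 VGA compatible controller [0300]: NVIDIA Corporation Device [10de:1c82] (rev a1)
"""
LSPCI_RE = re.compile(r"^(\S+) (.+?) \[([0-9a-f]{4})\]: (.+?) \[([0-9a-f]{4}):([0-9a-f]{4})\]")

def parse_lspci(text):
    """Map short BDF (e.g. 00:1f.6) -> (vendor id, device id, description)."""
    devices = {}
    for line in text.splitlines():
        m = LSPCI_RE.match(line)
        if m:
            devices[m.group(1)] = (m.group(5), m.group(6), m.group(2) + ": " + m.group(4))
    return devices

def iommu_group_of(sysfs_root, full_bdf):
    """Return (group id, members) from <root>/kernel/iommu_groups, or (None, []) when no IOMMU table exists."""
    groups_dir = os.path.join(sysfs_root, "kernel", "iommu_groups")
    if not os.path.isdir(groups_dir):
        return None, []
    for gid in os.listdir(groups_dir):
        members = sorted(os.listdir(os.path.join(groups_dir, gid, "devices")))
        if full_bdf in members:
            return gid, members
    return None, []

def plan_passthrough(lspci_text, sysfs_root, short_bdf):
    """Dry run of the detach step: the exact commands, plus whatever else shares the NIC's IOMMU group."""
    devices = parse_lspci(lspci_text)
    if short_bdf not in devices:
        return {"ok": False, "reason": f"{short_bdf} not found in lspci output"}
    full_bdf = "0000:" + short_bdf
    gid, members = iommu_group_of(sysfs_root, full_bdf)
    if gid is None:
        return {"ok": False, "reason": "no IOMMU group: is intel_iommu=on set and the host rebooted?"}
    vendor, device_id, desc = devices[short_bdf]
    return {
        "ok": True, "desc": desc, "vendor": vendor, "device_id": device_id, "group": gid,
        # Every other device in the group is detached from the host together with the NIC.
        "shared_with": [m for m in members if m != full_bdf],
        "commands": [
            f'echo "{vendor} {device_id}" > /sys/bus/pci/drivers/pci-stub/new_id',
            f"echo {full_bdf} > /sys/bus/pci/devices/{full_bdf}/driver/unbind",
            f"echo {full_bdf} > /sys/bus/pci/drivers/pci-stub/bind",
        ],
        "hostpci": f"hostpci0: {short_bdf}",
    }

def demo_sysfs():
    """Constructed stand-in for /sys: group 1 holds only the NIC, group 2 a GPU with its audio function."""
    root = tempfile.mkdtemp()
    for gid, bdfs in {"0": ["0000:00:00.0"], "1": ["0000:00:1f.6"], "2": ["0000:01:00.0", "0000:01:00.1"]}.items():
        for bdf in bdfs:  # real sysfs uses symlinks here; directories are enough for os.listdir
            os.makedirs(os.path.join(root, "kernel", "iommu_groups", gid, "devices", bdf))
    return root

if __name__ == "__main__":
    plan = plan_passthrough(LSPCI_SAMPLE, demo_sysfs(), "00:1f.6")
    print("\n".join(plan["commands"]), plan["hostpci"], "shared with:", plan["shared_with"])
```

On a real host, point `sysfs_root` at `/sys` and feed it the actual `lspci -nn` output; a non-empty `shared_with` list means the NIC cannot be handed over on its own.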
Add a serial console to your OPNsense
In case you need fast disaster recovery or your OPNsense instance is borked, a CLI-based serial console is very handy, especially if you connect using LARA/iLO or whatever.
To get this done, edit
vim /etc/pve/qemu-server/100.conf
and add
serial0: socket
Now, in your OPNsense instance
vim /conf/config.xml
and add / change this:
<secondaryconsole>serial</secondaryconsole>
<serialspeed>9600</serialspeed>
Be sure you replace the current serialspeed with 9600. Now reboot your OPNsense VM and then
qm terminal 100
Press Enter again and you should see the login prompt.
Hint: you can also set your primaryconsole to serial; that helps you get into boot prompts and more, and debug that.
More on this under https://pve.proxmox.com/wiki/Serial_Terminal
Network interfaces on Proxmox
auto vmbr30
iface vmbr30 inet static
address 10.1.7.2
address 10.1.7.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
pre-up sleep 2
metric 1
OPNsense
WAN is External-IP1, attached to em0 (eth0 PCI passthrough), DHCP
LAN is 10.1.7.1, attached to vmbr30
Multi IP Setup
Yet, I only cover the Extra-IP part, not the extra subnet part. To be able to use the extra IPs, you have to disable separate MACs for each IP in the Robot, so all extra IPs have the same MAC (IP1, IP2, IP3).
Then, in OPN, for each external IP you add a Virtual IP in Firewall->Virtual IPs (for every extra IP, not the main IP you bound WAN to). Give each Virtual IP a good description, since it will be in the select box later.
Now you can go to Firewall->NAT->Forward and, for each port, set:
Destination: The ExtIP you want to forward from (IP2/IP3)
Dest port range: your ports to forward, like ssh
Redirect target IP: your LAN VM/IP to map on, like 10.1.7.52
Set the redirect port, like ssh
Now you have two options; the first one is considered the better, but could be more maintenance.
For every domain you access the IP2/IP3 services with, you should define local DNS "overrides" mapping to the actual private IP. This will ensure that you can communicate from the inside to your services and avoids the issues you would have since you used NATing before.
Otherwise you need to take care of NAT reflection; otherwise your LAN boxes will not be able to access the external IP2/IP3, which can lead to issues in web applications at least. Do this setup and activate outbound rules and NAT reflection:
What is working:
OPN can route/access the internet and has the right IP on WAN
OPN can access any client in the LAN (VMPRIV.151, VMEXT.11 and PROXMOX.2)
I can connect with an IPsec mobile client to OPNsense, offering access to the LAN (10.1.7.0/24) from a virtual IP range 172.16.0.0/24
I can access 10.1.7.1 (OPNsense) while connected with IPsec
I can access VMEXT using the IPsec client
I can forward ports or 1:1 NAT from the extra IP2/IP3 to specific private VMs
Bottom Line
This setup works out a lot better than the alternative with bridged mode I described. There is no more async routing, there is no need for a shorewall on Proxmox, no need for a complex bridge setup on Proxmox, and it performs a lot better since we can use checksum offloading again.
Downsides
Disaster recovery
For disaster recovery, you need some more skills and tools. You need a LARA/iLO serial console to the Proxmox HV (since you have no internet connection) and you will need to configure your OPNsense instance to allow serial consoles as mentioned here, so you can access OPNsense while you have no VNC connection at all and no SSH connection either (even from the local LAN, since the network could be broken). It works fairly well, but it needs to be trained once to be as fast as the alternatives.
Cluster
As far as I can see, this setup cannot be used in a Proxmox cluster environment. You can set up a cluster initially; I did so by using a tinc switch setup locally on the Proxmox HV with a separate cluster network. Setting up the first node is easy, no interruption. The second join needs to be done already in LARA/iLO mode, since you need to shut down and remove the VMs for the join (so the gateway will be down). You can do so by temporarily using the eth0 NIC for internet. But after you have joined and moved your VMs in again, you will not be able to start the VMs (and thus the gateway will not be started). You cannot start the VMs, since you have no quorum, and you have no quorum since you have no internet to join the cluster. So finally a chicken-and-egg issue I cannot see how to overcome. If that should be handled, only by a KVM not being part of the Proxmox VMs, but rather standalone qemu; not desired by me right now.

Azure RDP using public IP not DNS....?

I am unable to RDP to an Azure VM on my corporate network using "DNS:Port" (like vmname.cloudapp.net:3389). It works fine on my home network, which means the endpoints are set correctly.
However, it was possible to RDP to the VM using the Public IP, but not anymore. With the public IP, I was able to RDP to the VM on my corporate network, but I'm not sure whether this has been restricted recently?
Is there any way to access a VM using the Public IP rather than the DNS:Port format?
Thanks
It is common for enterprise IT to block outbound ports because some argue this provides better security. I don't think this necessarily makes sense, but here's what you can do to verify. As a best practice, always connect to Windows Azure VMs using DNS names rather than IP addresses because the addresses are subject to change, while DNS names will not.
1. Confirm the port you're trying to connect to. By default, Windows Azure assigns a port in the dynamic range (49152–65535) for Remote Desktop, which is mapped internally to the usual RDP port 3389. You can see which one this is by checking your VM endpoint public port in the Windows Azure portal (Select Virtual Machines > Your VM > Endpoints tab > RemoteDesktop entry). You need to connect using this port after the name (using the Connect button in the portal gives you an RDP shortcut file that does this for you). If my public port is 62472, I put this in the Remote Desktop Connection computer field:
percepten-VM1.cloudapp.net:62472
If you like, you can edit the public port here in the portal using the "Edit the endpoint" option on the RemoteDesktop entry. That way you can make it 3389 if your IT department asks you for a single port number to allow outbound.
2. Test your DNS resolution to your VM using nslookup or ping. If you get "non-existent domain", then your corporate DNS is blocking Windows Azure resolution. This is what you want to see:
>nslookup percepten-vm1.cloudapp.net
Non-authoritative answer:
Name: percepten-vm1.cloudapp.net
Address: 157.56.182.135
3. If you can resolve DNS, then try using an outbound port scan tool to verify port 3389 is allowed out. I found a nice one at portquiz.positon.org. To use, open the site with a port appended in the URL. In this case, open "http://portquiz.positon.org:3389". You should see this on the page:
Outgoing port tester
This server listens on all TCP ports, allowing you to test any
outbound TCP port. You have reached this page on port 3389.
...
4. If you receive "page not available", then the port is blocked. Try contacting IT to ask them to open port 3389 (or the entire dynamic range if you're feeling ambitious). If they want to open it only to specific places on the Internet, provide them this list of all Windows Azure IP address ranges:
Windows Azure Datacenter IP Address Ranges
Hope that helps!
Noah Stahl
Percepten

adding Virtual PC 2007 to host network

I am using Virtual PC 2007 with Windows xp Pro as the Guest.
Is it possible to add the Virtual PC to the network of the guest PC and to the domain of the Guest PC?
I enabled NAT shared networking but that only allows internet access on the guest.
Thanks
This shouldn't be a problem when you bind the guest to the host's physical adapter:
In the settings for your VM, go to Networking and instead of "Shared networking (NAT)", select the NIC that's connected to the network on your host (e.g. "Realtek RTL8116 Gigabit Ethernet", or whatever your NIC is; this is equivalent to VMWare's Bridged Mode). That way, the guest will appear as a real computer on your network, and will work like a physical box on the network.
IIRC, MS VPC bypasses the default Windows firewall on the host, so only the guest's firewall applies; for other FW products, you may need to enable something like "permit packets not destined for this host".
Just to add to the above answer:
1. Inside the Local Area Connection Properties, the VM Network Services Driver wasn't installed, without which the NIC option won't appear in the Virtual Machine Network Adapter Configuration. I reinstalled Virtual PC and that entry, Virtual Machine Network Driver, appeared.
2. Another helpful resource:
http://blogs.msdn.com/virtual_pc_guy/archive/2007/01/15/fixing-broken-virtual-networking.aspx
Shouldn't be a problem as long as you can connect to a domain controller from the virtual computer.
If you know the IP address of a domain controller, try to ping it. Then try to ping it using the computer name, to see if name resolution is working correctly. What happens when you join a domain using Control Panel | System. Do you receive an error message?
I have not used Virtual PC, only VMWare workstation on Linux, so I do not know how the networking setup is on Virtual PC. On VMWare, you can choose between bridged and NAT networking for a virtual machine. I have been able to set up Windows guest computers as members of a windows domain using both kinds of network setup.

Network: Virtual PC 2007 Can't Access Host Using NAT

I can't access my host machine from my guest machine using the computer name (i.e. WINS). I can access it using whatever IP address it happens to have at the time, but I need a consistent way of accessing it (even if I'm not online).
I have a Windows Server 2003 guest virtual machine and a Vista host. I'm using Shared Networking (NAT). I'm running Microsoft Virtual PC 2007 SP1. I've set my DNS server to 192.168.131.254 and everything else is DHCP. Any help is appreciated.
Make a domain name in the Windows hosts file on the Vista host system:
C:\WINDOWS\system32\drivers\etc\hosts
172.16.16.4 localserver
Here is the blog that explains it:
http://blog.flexuous.com/2007/02/04/virtual-pc-ip-routing-enabling-vpc-nat-loopback-connector-at-the-same-time/
You didn't mention the network setup. If you happen to control the router, such as a home network, you've got a couple of options.
Dynamic DNS updates. When a host gets its IP address via DHCP, it can automatically update its DNS records with its hostname. This is similar to services such as DynDNS, but also works on your local network without net access.
Static DHCP assignments: assign an IP address to MAC address relationship on the router, so that every time a DHCP request is sent out from that MAC, it will always get the same IP address. Then you can add this address to your hosts file for access via name.
Another option would be to set up a static loopback device on both the host and the guest and place them in their own private network. That way, the IP addresses will never change. Then you can add the corresponding IP addresses into the hosts files of each respective machine to reference them by name.