Gcloud instance can't ping another one - networking

I have 2 instances running on Compute Engine. Although the documentation says that I'm able to ping and establish communication between these VMs, I can't. I've tried the ping with the VM name and the IPv4 address. I also tried to configure a new work-group for both VMs, and nothing.
Here's the link: https://cloud.google.com/compute/docs/vm-ip-addresses
If you are communicating between instances in the same network, you can send packets to an instance using the instance name, and the network automatically resolves the name to the internal IP address of the instance.
My VMs' configuration:
Both are in the same network
I even turned off the firewalls
But no connection between them at all.
Has anyone run into the same? Does someone know what is going on?
How do I solve this issue?

This is due to firewall rules. You need to add the allow-icmp network tag in the Network tags section of the instance's edit page.
You can create new Network tags to open up new ports/protocols in the VPC Network > Firewall rules section.
EDIT 1:
Please note that the 0.0.0.0/0 subnet used on the screenshot above opens up the ports to the entire internet and I only used it for demonstration purposes to avoid sharing my IPs. I would STRONGLY advise against using that subnet for firewall rules in a production environment. The internet is a dark and scary place.

This happens to us from time to time - suddenly our 2 instances cannot reach each other through API or even ping. Even though we haven't changed any firewall rules or anything. I guess it's some GCloud glitch.
Nothing we have tried works, except for restarting the instances, then everything works again. So, if anyone has the same, and nothing seems to help the issue, I suggest, as a last resort, to reboot the instances.

Each network in Google Compute Engine has its own firewall configuration which by default will block incoming traffic to your VM. See the firewall documentation to see how the default network is configured and how to apply similar rules to your custom network.

Be sure the firewall rules include the GCE subnet. In your case, it would mean that 10.10.0.0/24 has icmp allowed.
I'm not sure why the firewall rules apply within the network subnet, but apparently they do.

If you did not change the network and/or firewall rules and use the default network and firewall rules, then simply edit the hosts file (open hosts on all VMs, copy the hosts line for each VM and add it to all the other VMs) and then try ping. I have tried the same between three CentOS instances and it's working.

Make sure you restart the network on the VMs in order for it to work fine.
This helped me pretty well.

Related

Server works and I can connect locally, but friends cannot connect externally

I have followed the guide https://www.azerothcore.org/wiki/installation to the letter and everything is working great, but friends cannot connect through my external IP, and I'm out of ideas.
I have:
No firewall or AV in the way
Forwarded ports 8085 and 3724
Added my computer to the router's DMZ (Nuclear option when forwarding didn't seem to work)
Changed the address field in the DB realmlist table to my external IP
authserver and worldserver running and allowing local connections
An extra note: https://www.yougetsignal.com/tools/open-ports/ says the ports are not open while I have the servers running, as if they aren't listening on them.
I just learned that my modem from CenturyLink is also acting as ANOTHER router so fun stuff. Making it a transparent bridge is just a bag of cats I'm not gonna open so I guess I get to play WoW with myself for now.
I probably don't have the solution for you but thought I'd share some thoughts.
People can connect to my server, but that website you linked at the end does also say that the ports are closed for me as well, so I'm not sure how trustworthy it is.
When I first made my server the DB realmlist change was the fix that worked for me, but since you already seem to have done that I'm afraid I've no idea.
With that said, in HeidiSQL at least there were 2 places in realmlist you had to change the IP: in the Table:Realmlist and Data tabs.

VM on GCP Lost network after set static ip in ifcfg-eth0

CentOS 7 with WHM
The Compute Engine VM instance was working fine, and GCP had given it external static IP xx.135 and internal IP 10.xx.x.2.
Upon checking, I found that the network settings were DHCP, hence I modified /etc/sysconfig/network-scripts/ifcfg-eth0 with BOOTPROTO=static and the static IP given by GCP and restarted the network service. After that I lost control of the VM. What is wrong? How do I resolve the issue and get control back?
I do not think you needed to modify the DHCP configuration. You could follow the link here for Reserving a Static External IP Address. Also, this is the documentation if you would like to Reserve a Static Internal IP Address.
The way to fix a messed-up config like this is to use the console, where the user can revert that config. Just to note here that you might have to have set the password. This is, in fact, one way.
Another way, if the disk attached is a Persistent Disk, is to attach it somewhere else and replace the config. Here is the documentation for that. There is a caution: some types of VMs won't allow for this. It won't work if it's a local SSD.
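The second recovery route in the answer above, attaching the persistent disk to a rescue VM and replacing the config, comes down to undoing the hand edit of ifcfg-eth0. The following is an added example, not code from the thread or from Google: it strips the static-addressing keys and puts the file back on DHCP, which is how GCE expects its VMs to obtain their addresses. The mount path in the usage comment and the sample file contents are assumptions.

```python
# Added example, not code from the thread or from Google: put an ifcfg-eth0
# that was hand-edited to BOOTPROTO=static back to DHCP. Meant to be run
# against the copy of the file on the broken VM's persistent disk after
# attaching that disk to a rescue VM; the mount path below is an assumption.
from pathlib import Path

# Keys that only make sense for static addressing (the ones the asker added).
STATIC_KEYS = ("BOOTPROTO", "IPADDR", "NETMASK", "PREFIX", "GATEWAY")


def parse_ifcfg(text: str) -> dict:
    """Parse KEY=VALUE lines of an ifcfg file; comments and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def revert_to_dhcp(text: str) -> str:
    """Drop the static-addressing keys and set BOOTPROTO=dhcp, keeping the rest."""
    kept = [line for line in text.splitlines()
            if line.split("=", 1)[0].strip() not in STATIC_KEYS]
    kept.append("BOOTPROTO=dhcp")
    return "\n".join(kept) + "\n"


def fix_file(path: Path) -> Path:
    """Rewrite the file in place, leaving a .bak copy of the broken version."""
    original = path.read_text()
    backup = path.with_name(path.name + ".bak")
    backup.write_text(original)
    path.write_text(revert_to_dhcp(original))
    return backup


# Constructed sample of the broken file; the addresses are placeholders.
BROKEN = """DEVICE=eth0
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=static
IPADDR=10.0.0.2
NETMASK=255.255.255.255
GATEWAY=10.0.0.1
"""

if __name__ == "__main__":
    print(revert_to_dhcp(BROKEN))
    # Real use on a rescue VM (path assumed):
    # fix_file(Path("/mnt/rescue/etc/sysconfig/network-scripts/ifcfg-eth0"))
```

After writing the file back, detach the disk, reattach it to the original VM as its boot disk and start it; the .bak copy keeps the broken version for comparison.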

Cisco ASA public IP range

We are attempting to use a Cisco ASA as a VPN as well as forward traffic to two servers.
Our ISP has given us a range of IP addresses that are sequential.
154.223.252.146-149
default GW of 154.223.252.145, we're using netmask 255.255.255.240
We have the first of these, 154.223.252.146, assigned to the external interface on our ASA and it’s successfully hosting our VPN service. It works great.
The next and final goal is to have 154.223.252.147 forward https traffic to 10.1.90.40 and 154.223.252.148 forward https traffic to 10.1.94.40.
Our current blocker is our inability to get the outside interface of the ASA to respond to these IP addresses.
We’ve been able to use 154.223.252.146 to forward https traffic correctly. So we know that works.
I’ve plugged my laptop into the switch from our ISP and have successfully manually assigned 154.223.252.147 and 154.223.252.148 with the default GW of 154.223.252.145 and was happily connected. So we know the IPs are there and available; we just need to convince the ASA to respond to them and use them to forward https.
We’ve tried plugging cables from the switch into other interfaces on the firewall. This failed because the netmask overlaps with our first outside interface 154.223.252.146 255.255.255.240, Cisco hates this and doesn’t allow it.
We’ve read documentation and have heard that it’s possible to assign a range of IPs to the outside interface by defining a VLAN. We do not know how to successfully make this work and our attempts have failed.
What's the best way to accomplish this configuration with a Cisco ASA?
You don't need to assign multiple IPs from the same range to more than one interface. That doesn't work with Cisco. Instead try a static one to one NAT for your Web server and terminate your VPN traffic on the IP address assigned to the interface.
Watch this video for one to one NAT:
https://www.youtube.com/watch?v=cNaEsZSsxcg
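What the static one-to-one NAT from the answer above looks like in configuration, as an added example that is not from the thread or the linked video, using the addresses the question gives (ASA 8.3 or later syntax). The object names and the interface names "inside" and "outside" are assumptions. The translation is limited to TCP/443 rather than a full 1:1 mapping, so the public addresses expose nothing else on the inside hosts:

```cisco
! Added example (not the asker's config): HTTPS-only static NAT for the
! two public addresses, keeping the VPN on the interface address .146.
object network WEB_10_1_90_40
 host 10.1.90.40
 nat (inside,outside) static 154.223.252.147 service tcp https https
!
object network WEB_10_1_94_40
 host 10.1.94.40
 nat (inside,outside) static 154.223.252.148 service tcp https https
!
! Since 8.3 the outside ACL is written against the real (inside) address.
access-list OUTSIDE_IN extended permit tcp any host 10.1.90.40 eq https
access-list OUTSIDE_IN extended permit tcp any host 10.1.94.40 eq https
access-group OUTSIDE_IN in interface outside
```

The mapped addresses .147 and .148 are answered by proxy ARP on the outside interface, so they need no extra interface or VLAN, which is why the overlapping-subnet error went away with this approach. To check the path before exposing it, `packet-tracer input outside tcp 198.51.100.10 12345 154.223.252.147 443` (source address is an RFC 5737 documentation value) shows the NAT and ACL phases the packet would hit, and `show nat` shows the translation counters.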
Cisco has an active scanning technology that was enabled on this ASA. We were able to diagnose it by intermittent bad behavior. After troubleshooting long enough we realized that some of the behavior couldn't be consistent with the changes we were making. So we started looking for things that the firewall would be trying to do by itself. That ended up helping us narrow it down. Disabling active scanning allowed our external vlan configurations to work. Now moving on to tightening up the configs.

EC2 instances not responding to internal ping

I wrote a script that launches several Amazon instances with the same security group, which is the default one, with ICMP and all TCP/UDP connections allowed... so no firewall problem.
I am running an Ubuntu 11.4 64-bit AMI, working fine.
Usually, in the bunch of machines I launch, some do not respond to any ping or telnet connection. They can ping other machines but cannot be pinged. The other machines can ping each other in both directions without any problem, but usually one or two just don't respond to any ping. There is no difference in the way I launch them, so I don't understand where this bug comes from...
How do I avoid this problem and recover from it without restarting the EC2 instance?
Thanks a lot, tender developers :D.
Try this:
Log into AWS account.
Click on Security Groups. Choose the required security group.
Click on the Inbound tab.
Create a new rule:
Custom ICMP rule
Type: Echo request
Source: 0.0.0.0/0
0.0.0.0 will allow everyone to ping your server. You can specify your own addresses if you want.
Assuming all the instances you launch have the same security group and the same AMI, you need to contact Amazon about this.
https://forums.aws.amazon.com/thread.jspa?threadID=22640
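Both the GCE answer at the top (allow-icmp with the 0.0.0.0/0 source its EDIT 1 warns about, and the later note that the rule must include the 10.10.0.0/24 subnet) and the EC2 steps just above ("Source: 0.0.0.0/0 will allow everyone to ping your server") come down to the same two checks on an ICMP ingress rule: does it cover the subnet the instances share, and is it wider than that. The following is an added example, not code from either thread or from Google or Amazon; the `IngressRule` layout is a simplified, hypothetical representation rather than either provider's API schema, and the sample rule set is constructed.

```python
# Added example, not code from the threads or the cloud providers: audit
# ingress rules for (1) whether any ICMP rule covers the VPC subnet at all,
# so instances can ping each other, and (2) whether it is open to 0.0.0.0/0
# when the subnet would do. IngressRule is a hypothetical simplified layout.
import ipaddress
from dataclasses import dataclass, replace

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class IngressRule:
    name: str
    protocol: str   # "icmp", "tcp", "udp" or "all"
    source: str     # CIDR the rule accepts traffic from


def classify_icmp_rule(rule: IngressRule, vpc_subnet: str) -> str:
    """Classify one ingress rule against the subnet the instances share.

    "not-icmp"        the rule does not affect ping at all
    "open-to-world"   ICMP allowed from 0.0.0.0/0: works, but from everyone
    "does-not-cover"  the source range misses the subnet, so instance-to-
                      instance ping is still blocked as far as this rule goes
    "scoped"          ICMP allowed from a range that contains the subnet
    """
    if rule.protocol.lower() not in ("icmp", "all"):
        return "not-icmp"
    src = ipaddress.ip_network(rule.source, strict=False)
    subnet = ipaddress.ip_network(vpc_subnet, strict=False)
    if src == ANY_V4:
        return "open-to-world"
    if src.version != subnet.version or not subnet.subnet_of(src):
        return "does-not-cover"
    return "scoped"


def tighten(rule: IngressRule, vpc_subnet: str) -> IngressRule:
    """Rewrite a world-open ICMP rule so its source is just the VPC subnet."""
    if classify_icmp_rule(rule, vpc_subnet) == "open-to-world":
        return replace(rule, source=vpc_subnet)
    return rule


def instances_can_ping(rules, vpc_subnet: str) -> bool:
    """True if at least one rule lets ICMP in from the whole subnet."""
    return any(classify_icmp_rule(r, vpc_subnet) in ("open-to-world", "scoped")
               for r in rules)


# Constructed sample rule set: 10.10.0.0/24 is the subnet named in the GCE
# thread; 203.0.113.0/24 is an RFC 5737 documentation range standing in for
# an office network that is not the VPC.
SAMPLE_RULES = [
    IngressRule("allow-icmp-demo", "icmp", "0.0.0.0/0"),
    IngressRule("allow-internal-icmp", "icmp", "10.10.0.0/24"),
    IngressRule("icmp-from-office", "icmp", "203.0.113.0/24"),
    IngressRule("allow-ssh", "tcp", "0.0.0.0/0"),
]

if __name__ == "__main__":
    subnet = "10.10.0.0/24"
    for rule in SAMPLE_RULES:
        verdict = classify_icmp_rule(rule, subnet)
        fixed = tighten(rule, subnet)
        print(f"{rule.name:22s} {rule.source:16s} {verdict:14s} -> {fixed.source}")
    print("instances can ping each other:", instances_can_ping(SAMPLE_RULES, subnet))
```

The "does-not-cover" verdict is the case the second GCE answer describes: a rule that allows ICMP from somewhere else entirely leaves the instances unable to ping each other, even though "ICMP is allowed" in the console. On both providers, feeding the rule's source range into the check rather than eyeballing it is what catches a 0.0.0.0/0 that was left in from a screenshot-style demo.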

Special IP addresses

In particular I'm looking for an IP address that I can put in my hosts file that will black-hole a given DNS name. Right now I'm using 127.0.0.1 but that would start acting odd if I installed any services.
How can I prevent a 3rd party program from contacting a given server?
RFC 3330 seems to be the goldmine.
The best option seems to be:
192.0.2.0/24 - This block is assigned as "TEST-NET" for use in documentation and example code. It is often used in conjunction with domain names example.com or example.net in vendor and protocol documentation. Addresses within this block should not appear on the public Internet.
Actually the loopback IP 127.0.0.1 is ideal for ad blocking. If you run Apache anyway, you set up a virtual server that returns 404 for requests on 127.0.0.1. That way your browser is not constantly waiting for the connect to an unknown host to time out. All those ad requests return instantly, freeing up resources in your browser to get the actual page content.
I've used 0.0.0.0 in my hosts file to block ad web sites. Not sure if there are any side effects?!?!
I see that you've correctly found that 192.0.2.0/24 is reserved for testing, and won't appear on the Internet.
However if your local area network relies on a default route to get to the rest of the Internet then you'll still be sending this traffic out of your network towards your ISP.
Best case is that your ISP will send back ICMP_NET_UNREACHABLE errors and your applications will notice those and act accordingly. Worst case is that the traffic is completely blackholed, at which point your applications will sit around until the connections time out.
The correct strategy for avoiding this depends on your OS and local network configuration. On a Linux system I'd just add a route for that /24 with "reject" as a target.
Addresses 127.0.0.0 to 127.255.255.255 can be used for loopback connections.
So have your httpd listening on 127.0.0.1 and use any of the others for the blacklist.
If you use any of the private IP address ranges (10.whatever, 192.168.whatever) that you aren't connected to, that should work.
One advantage of using 127.0.0.1 is that an attempt to contact the server will return immediately with failure (as long as you're not running a local server, of course). If you use any other address that does not refer to a specific machine, such as 192.0.2.x, then attempts to connect to a server at that address will take some time to time out (at least a minute or more).
I use denyhosts for ssh. http://denyhosts.sourceforge.net/ It attempts to block known malicious sources. Is this what you're talking about?
0.0.0.0 (as another poster put) shouldn't be used - it has a distinct meaning that isn't "nothing" and it isn't reserved for what in most cases is a dead-end. As for BCS's comment to dulaneyb about DHCP and private ranges - a private range is a private range. If you're kicking to your private range, then you're routing to an empty slot. If you're kicking to one of the other private ranges, then an upstream device should drop it.
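The answers above disagree on which sink address to put in the hosts file mainly because each choice fails differently: loopback is refused by the local kernel at once, TEST-NET is not routable but still leaves the host and waits for a timeout, 0.0.0.0 has its own meaning, and a private range only fails fast if nothing reachable uses it. The following is an added example, not code from any of the answers: it classifies a candidate sink against the RFC 3330 special-purpose blocks the thread cites (the same blocks in its successors RFC 5735 and RFC 6890) and predicts what a client's connect() will do. The verdict strings, the `local_listeners` parameter and the sample block list are my own.

```python
# Added example, not from the thread: classify a hosts-file "sink" address
# by RFC 3330 special-purpose block and predict how a connect() to it fails.
import ipaddress

THIS_HOST = ipaddress.ip_network("0.0.0.0/8")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
TEST_NET = ipaddress.ip_network("192.0.2.0/24")
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sink_behaviour(addr: str, local_listeners=()) -> tuple:
    """Return (verdict, reason) for using addr as the hosts-file sink.

    local_listeners: addresses a service on this machine is bound to,
    e.g. ("127.0.0.1",) when a local httpd listens there.
    """
    ip = ipaddress.ip_address(addr)
    if ip in THIS_HOST:
        return ("avoid", "0.0.0.0/8 means 'this host'; what connect() does "
                         "with it is OS-specific, it is not a defined sink")
    if ip in LOOPBACK:
        if addr in local_listeners:
            return ("collides", "a local service is bound here, so blocked "
                                "names would reach it")
        return ("fast-fail", "the kernel answers with RST (ECONNREFUSED) at "
                             "once and nothing leaves the host; Linux serves "
                             "all of 127/8 on lo, some OSes only 127.0.0.1")
    if ip in TEST_NET:
        return ("slow-fail", "never on the public Internet, but packets follow "
                             "the default route until an upstream drops them "
                             "or returns unreachable; add a local reject or "
                             "blackhole route for it to fail fast")
    if any(ip in n for n in PRIVATE):
        return ("depends", "fails fast only if no such network is reachable "
                           "from your LAN; otherwise an upstream device should "
                           "drop it")
    return ("unsafe", "a public address: blocked traffic would be sent to "
                      "somebody else's host")


def hosts_entries(names, sink: str) -> list:
    """Build hosts-file lines mapping each blocked name to the sink."""
    return [f"{sink} {name}" for name in names]


if __name__ == "__main__":
    # Constructed block list; the names are placeholders.
    blocked = ["ads.example", "tracker.example"]
    for candidate in ("127.0.0.1", "127.0.0.2", "0.0.0.0", "192.0.2.1", "10.99.0.1"):
        verdict, reason = sink_behaviour(candidate, local_listeners=("127.0.0.1",))
        print(f"{candidate:10s} {verdict:9s} {reason}")
    print("\n".join(hosts_entries(blocked, "127.0.0.2")))
    # On Linux, one way to make the TEST-NET choice fail fast, as the
    # "reject" route answer suggests (run as root):
    #   ip route add unreachable 192.0.2.0/24
```

The "collides" case is the one the loopback answer trips over: if a local web server is bound to 127.0.0.1, blocked names resolve to it and get served a page (404 or otherwise) rather than refused, which is fine for ad blocking but not for isolating a third-party program from its server; another loopback address such as 127.0.0.2 keeps the instant refusal on Linux, where the whole 127/8 is on lo.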
