can't ping guest vm from vpn client

SoftyCraft

at work i have the following 02 physical machines:
(physerver1) (windows 2003 server) used as vpn server (windows built-in vpn)
(physerver1) is also used as vmware host (hosting the virtual machine virguest1 (windows 2003 server also))
(physerver2) (windows 2003 server)
at home i have the physical machine
phypc1 (windows xp)
i can connect to my vpn server with no problem
i can ping physerver1 and physerver2 with no problem
but i can’t ping virguest1
virguest1 is bridged

anyone can help me resolve that ?
 
on your VPN client do you get a regular internal IP address from the standard DHCP server on the network, or is the VPN server giving you an IP on a different subnet and then routing packets to the network?
 
the VPN server is giving me an IP on a different subnet :

phyServer1 LAN : 192.168.1.1
phyServer2 LAN : 192.168.1.2
virGuest1 LAN : 192.168.1.3

phyPC1 LAN : 10.0.0.1

phyServer1 VPN : 192.168.1.31
phyPC1 VPN : 192.168.1.32
 
that is why then

double check that you don't have any firewalls running on the host machine or the vm. if you don't it looks like there is some sort of filtering going on.

if it still doesn't work after you turn off any firewalls then i would say start looking in the settings for whatever software you are running the VM on. Sometimes there are rules that exclude non-local networks from accessing the VM's for security purposes.

What are you using to run the VM's anyways?

could also be a routing table issue.
 
wait a min, so your remote(VPN) systems are 192.168.1.0/24 and your local systems (on lan that you are initiating the vpn from) are 192.168.1.0/24 also? if so, there is your problem.

i guess i need a better description of your network layout both VPN server side and VPN client side. like this:

VPN server side:
Router is 10.10.25.1, router is also VPN server - vpn clients get 10.10.3.10-10.10.3.20 addresses
local machines are 10.10.25.100-10.10.25.254
Router does site-to-site VPN with 10.10.50.1 over 192.168.0.1 via 192.168.0.2 gateway
Router does site-to-site VPN with 10.10.75.1 over 192.168.5.1 via 192.168.5.2 gateway

client side network:
local address are 192.168.1.100-192.168.1.254
router is 192.168.1.1
local client machine for vpn is 192.168.1.101

i just need to get a sense if there are any overlapping IP address issues.
 
well i'll put details...

1 - at work :
__________

- adsl modem router is : 10.0.0.138

- physerver1 NIC1 : (used to connect to internet)
ip 10.0.0.1
mask 255.255.255.0
gw 10.0.0.138
dns 10.0.0.138

- physerver1 NIC2 : (used to connect to LAN)
ip 192.168.1.1
mask 255.255.255.0
gw N/A
dns N/A

- physerver1 VPN is configured to give static IP to clients
from 192.168.1.31 to 192.168.1.39
(configured in : Incoming connections)

- physerver2 NIC : (used to connect to LAN)
ip 192.168.1.2
mask 255.255.255.0
gw N/A
dns N/A

- virguest1 NIC : (bridged mode in VMWARE) (used to connect to LAN)
ip 192.168.1.3
mask 255.255.255.0
gw N/A
dns N/A

2 - at home :
__________

- adsl modem router is : 10.0.0.138

- phypc1 NIC : (used to connect to internet)
ip 10.0.0.1
mask 255.255.255.0
gw 10.0.0.138
dns 10.0.0.138

when i connect to work VPN, i get the IP 192.168.1.32
and i can see that server IP is 192.168.1.31

______________________________
so now from work :
everything pings fine .... from phy to vir ... from vir to phy .... etc.

from home and after i connect to VPN:
ping 192.168.1.31 ... OK
ping 192.168.1.1 ... OK
ping 192.168.1.2 ... OK
ping 192.168.1.3 ... PROBLEM

all firewalls disabled
no antivirus installed

everything is a clean installation
 
If it is a "fresh install" of server 2003, depending on the service pack, the windows firewall most likely is enabled. It never hurts to check the windows control panel to see, trust me, we have all made that mistake.

gateway needs to be configured on all your systems, especially your VM. VMWARE acts as a router, so if it doesn't have a default gateway, it won't know how to get to your VPN clients.

Also, if your VPN is in bridge mode, you wouldn't have to set what IP's the clients get because it would go to the DHCP server running on the network. Since it isn't in bridge mode, change it so your VPN clients get an address on a different subnet, like 192.168.2.31-192.168.2.40, that'll prevent/fix any routing issues.

Also, your modem IP's at home and at work are the same, change that.

That way 192.168.1.2 will use GW 192.168.1.1, 192.168.1.3 will use GW 192.168.1.1, and because 192.168.2.30 isn't on your local subnet, it will go to the gateway next.
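
Added example, not part of any post in the thread: a small Python model of the on-link versus default-gateway decision described in the post above, run against the addresses posted in the thread. The dictionary layout and function names are this example's own, and it models only each host's forwarding choice and the range overlaps, not VMware or the Windows VPN server.

```python
import ipaddress as ip

# Addresses copied from the thread; the layout and the names are this example's own.
HOSTS = {  # name: (interface address/mask, default gateway or None)
    "physerver2":   ("192.168.1.2/24", None),
    "virguest1":    ("192.168.1.3/24", None),
    "virguest1+gw": ("192.168.1.3/24", "192.168.1.1"),
}
SEGMENTS = {
    "work LAN":        "192.168.1.0/24",
    "work modem side": "10.0.0.0/24",
    "home LAN":        "10.0.0.0/24",
}
POOLS = {  # label: ((first, last) of the VPN range, one client address in it)
    "original":  (("192.168.1.31", "192.168.1.39"), "192.168.1.32"),
    "suggested": (("192.168.2.31", "192.168.2.40"), "192.168.2.31"),
}


def next_hop(host, dest):
    """Return how `host` forwards a packet (e.g. a ping reply) to `dest`."""
    cidr, gw = HOSTS[host]
    if ip.ip_address(dest) in ip.ip_interface(cidr).network:
        return "on-link"      # same subnet: host ARPs for dest, gateway not consulted
    if gw is None:
        return "no route"     # off-subnet destination and no default gateway
    return f"via {gw}"


def overlaps(pool):
    """Pairs of named address ranges that share addresses, VPN pool included."""
    first, last = (ip.ip_address(a) for a in pool)
    named = {k: [ip.ip_network(v)] for k, v in SEGMENTS.items()}
    named["VPN pool"] = list(ip.summarize_address_range(first, last))
    names = sorted(named)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if any(x.overlaps(y) for x in named[a] for y in named[b])]


if __name__ == "__main__":
    for label, (pool, client) in POOLS.items():
        print(f"{label} pool {pool[0]}-{pool[1]}: overlaps {overlaps(pool)}")
        for host in HOSTS:
            print(f"  {host:13} -> {client}: {next_hop(host, client)}")
```

With the original pool every LAN host treats the VPN client as on-link, so a missing gateway never comes into play; with a pool on its own subnet, a host without a default gateway has no route back to the client.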
 
> If it is a "fresh install" of server 2003, depending on the service pack, the windows firewall most likely is enabled. It never hurts to check the windows control panel to see, trust me, we have all made that mistake.

no, it's disabled. i always disable firewall after i install windows to prevent port blocking problems.

> gateway needs to be configured on all your systems, especially your VM. VMWARE acts as a router, so if it doesn't have a default gateway, it won't know how to get to your VPN clients.

physerver2 has no GW too and it gets pinged just fine.
Anyway, i just added the GW to virguest1 and same problem, can't get pinged from home (vpn client)

> Also, if your VPN is in bridge mode, you wouldn't have to set what IP's the clients get because it would go to the DHCP server running on the network. Since it isn't in bridge mode, change it so your VPN clients get an address on a different subnet, like 192.168.2.31-192.168.2.40, that'll prevent/fix any routing issues.

all ips in all my networks (work / home ) are static, there is no dhcp server anywhere.

> Also, your modem IP's at home and at work are the same, change that.
> That way 192.168.1.2 will use GW 192.168.1.1, 192.168.1.3 will use GW 192.168.1.1, and because 192.168.2.30 isn't on your local subnet, it will go to the gateway next.

if i configure vpn server to give ips range in a completely different sub-net, so i can't ping any of the machines in the work LAN, so that will be useless.
 
well, if you don't want to listen then there is no sense of helping you.

If you don't understand that your VPN server is acting as a router and you will still be able to ping the servers just fine (as long as it is acting as a router) then maybe you shouldn't be doing VPN in the first place. The fact that the VPN is acting as a router means that ALL the computers need a default GW.

THE REASON YOU CAN PING THE VM HOST MACHINE, AND NOT THE VM CLIENT IS BECAUSE VMWARE ACTS AS A ROUTER. WITHOUT A DEFAULT GATEWAY ON THE HOST AND THE CLIENT, IT WILL HAVE NO CLUE WHERE TO SEND THE PACKET.

There is a DHCP server running on your network, it is running on the client side VPN. THERE IS NO SUCH THING AS "- physerver1 VPN is configured to give static IP to clients". THAT IS CALLED A DHCP SERVER.

If you don't want to listen, then don't ask for help.

If you still don't understand how having a different IP assigned to the VPN will work, let me break it down for you:

Google.com's IP address is: 74.125.225.18

74.125.225.18 is not on your local network
Your computer sees that 74.125.225.18 is not on your network so it sends the request to your default gateway
your default gateway sees that 74.125.225.18 isn't on your network so it sends it to its default gateway (your isp)
Your isp sees that 74.125.225.18 isn't on its local network, so it sends it on to its default gateway
the next hop might be the backbone, and it realizes that it knows how to get to 74.125.225.18 so it sends it to another router
that router sees that the machine is on its network and delivers the packets.


Simple networking, you need to configure your network correctly for VPN to work, because A VPN SERVER ACTS AS A ROUTER
 
> well, if you don't want to listen then there is no sense of helping you.

if i didn't ; i think i won't be here... i just need to clearly understand what i'm doing.

> If you don't understand that your VPN server is acting as a router and you will still be able to ping the servers just fine (as long as it is acting as a router) then maybe you shouldn't be doing VPN in the first place. The fact that the VPN is acting as a router means that ALL the computers need a default GW.
>
> THE REASON YOU CAN PING THE VM HOST MACHINE, AND NOT THE VM CLIENT IS BECAUSE VMWARE ACTS AS A ROUTER. WITHOUT A DEFAULT GATEWAY ON THE HOST AND THE CLIENT, IT WILL HAVE NO CLUE WHERE TO SEND THE PACKET.

i didn't put default GW for servers cause they don't need to connect to internet, these servers are meant to be for internal local network use only.

thus, can u explain me please how i could ping phyServer2 from vpn client, even if there is no default GW set in its NIC ?? i could even connect and work with mssql server hosted on it.

phyServer2 HAS NO DEFAULT GW and it's working fine from vpn client,
why virGuest1 should have one ???

and i said that i put a default GW on virServer1, and nothing happened anyway.

> If you still don't understand how having a different IP assigned to the VPN will work, let me break it down for you:
>
> Google.com's IP address is: 74.125.225.18
>
> 74.125.225.18 is not on your local network
> Your computer sees that 74.125.225.18 is not on your network so it sends the request to your default gateway
> your default gateway sees that 74.125.225.18 isn't on your network so it sends it to its default gateway (your isp)
> Your isp sees that 74.125.225.18 isn't on its local network, so it sends it on to its default gateway
> the next hop might be the backbone, and it realizes that it knows how to get to 74.125.225.18 so it sends it to another router
> that router sees that the machine is on its network and delivers the packets.

obvious...

maybe i'm slow to understand... but the thing is that IT'S NOT WORKING
(just explain me the stuff in yellow plz)
and thank you for your patience. :)
 
think of it like this:

VPN is its own network, routed by the VPN server (which is why you can change to a different subnet for the addresses, it will prevent routing issues)
Local network is its own network
the VMWARE bridge is its own network, routed by VMWARE

to get from one network to another, you need a router. Because the VMWARE host and client don't have a default gateway, the VMWARE router doesn't know how to talk to the VPN, so it has no clue where to send the packets for the vpn so it just drops them. You can get to the non VMWARE machines because the VPN server routes the traffic to them, but the VMWARE router doesn't know where to send the packets.

Because you are using VPN, you really need to have everything except DNS entered in your network configs. It will save you a lot of trouble and prevent issues like this one. Because you won't have DNS configured, you can't resolve domain names so it's not like anyone could just go surfing.
 
ok..

- virguest1 NIC : (bridged mode in VMWARE) (used to connect to LAN)
ip 192.168.1.3
mask 255.255.255.0
gw 192.168.1.1 ( i added this compared to the last settings )
dns N/A

but still can't ping this machine from the VPN client...

i'm still having something wrong ?? :rolleyes:
 
did you change your VPN addresses to a different subnet and fix the issue that the ADSL modem was the same IP?
 
yes
vpn range is now 192.168.3.31 to 192.168.3.39
different from home and work subnets..

now i understand why i need gw set everywhere...

first i put vpn subnet in the same work subnet...
so there was no need to route from a subnet to other..

but now gw need to be set.
cause these are different subnets.

but i still have the same problem with VMs... they are all not pinged...
(they all have GW set like physical machines to 192.168.1.1 )
i feel that the problem is in VMWARE itself...

is there any option to make vmware understand to use the GW.... ?
 
Obvious question I didn't see (or overlooked, this is pre morning coffee response.) can you ping the VM from inside your network ?
If not a very common problem is that you bridged to the wrong physical interface on the server and thus it is impossible to reach it.

As for everyone saying that the vmware is acting as a router , this is wrong IF your server is setup correctly, within the same subnet and directly connected one would not need a route or default gateway , networking 101.
 
yes , my VMs work perfectly (with or without a GW) inside my LAN ...
as they are all in the same subnet as the physical ones.

i really tried every single thing i thought about, and the ... VMs can't get pinged from vpn clients...

what can i try more ?
 
alright, going into little known territory now, what version of VMWare are you using?
 
and what device/os are you using on your router, and your router is also your VPN server right?
 
no
I have ADSL modem router with VPN port forwarded to : Win2k3 Server Sp1 configured as VPN Server.
 