ESXi 6.5 Refusing Connections on 2nd Management Interface - vsphere

I need to remotely migrate the management interface on an ESXi 6.5 host. Ideally, I would create the new interface, confirm it works and then delete the old.
I have successfully created the new interface using these commands:
esxcli network ip netstack add -N VMManagement
esxcli network ip interface add -i vmk0 -M 00:50:56:67:89:10 -N VMManagement -p mgmt-vm
esxcli network ip interface ipv4 set -i vmk0 -P 1 -t dhcp
esxcli network ip interface tag add -i vmk0 -t Management
Here are the outputs of esxcli network ip interface ipv4 address list -i vmk0 -N VMManagement:
Name  IPv4 Address  IPv4 Netmask   IPv4 Broadcast  Address Type  Gateway   DHCP DNS
----  ------------  -------------  --------------  ------------  --------  --------
vmk0  10.0.4.27     255.255.255.0  10.0.4.255      DHCP          10.0.4.1  true
I can ping vmk0 but it refuses ports 22 and 443. I am able to access ssh/https on the default management interface. I am testing from a host in 10.0.4.0/24 to eliminate routing/firewall variables.
I have tried completely disabling the ESXi firewall as well as running services.sh restart.
Any ideas?

I was able to make this work by putting both management interfaces in the default netstack. Initially, I didn't think a single netstack could handle multiple gateways, but this turned out not to be the case.
That said, if anyone does know how to get multiple management interfaces running on separate netstacks, please chime in, as that will be a better answer to this question.


Wireguard can not connect to Qnap NAS

Port 51820 is already mapped in my router; it points to my Qnap NAS IP.
My Linux client configuration, set in /etc/wireguard/wg0.conf:
[Interface]
Address = 198.18.7.2/32
SaveConfig = true
ListenPort = 37636
FwMark = 0xca6c
PrivateKey = <client key>
[Peer]
PublicKey = <qnap key>
AllowedIPs = 0.0.0.0/0
Endpoint = <mydyndns>:51820
PersistentKeepalive = 10
When I try to connect
╭─ender@ender-PC ~
╰─$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 198.18.7.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
╭─ender@ender-PC ~
╰─$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
^C
--- 1.1.1.1 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7168ms
Qnap "server" configuration
The public key of the client has been added.
I've also tried to connect from the Android app and it does not work.
I've been able to check the logs on the Linux client: "wg0: Handshake for peer 3 (<nasIP>:51820) did not complete after 5 seconds, retrying (try 2)", which are the same logs as in the Android app. The issue seems to be pointing to the NAS side.
PS: I already have another VPN working (QBelt, which is proprietary to Qnap) and it is reachable from outside.
QTS version 5.0.0.1837
Hope I come with good, if partial, news: I managed to fix OpenVPN through a TeamViewer session on a Pi4 linked to the NAS's LAN. I also set up L2TP/IPsec as a second connection solution.
Diagnosis of what went wrong during the QTS4->5 update (1828 20211020): NAT was still properly set on the router, but somehow the OpenVPN server was assigned to the secondary LAN. So yes, NAT was pointing to the wrong IP address… There is no telling whether the glitch came from QVPN or from the network & virtual switch.
Please note the list of issues and changes is impressive. Not surprising for a major release, but still… Next step: I'll set up a WireGuard connection. More later…
I may have missed the QTS version in your configuration. Do you mind giving us a few details? WireGuard means a fairly recent version, but which one is important.
I recently updated a new NAS to QTS 5, and a perfectly working OpenVPN server stopped working altogether. It worked like a charm in version 4; being overzealous in updating the server was (sadly predictably) a mistake. The concrete result is that I now get an infinite timeout on port 1194, which ends up with "TLS handshake failed".
Same situation after dropping the OpenVPN configuration on the NAS and recreating it from scratch. So the answer to your problem may be as simple as having to wait for QNAP to fix either QVPN or LAN management in QTS 5.
Unfortunately I cannot access the NAS remotely anymore, so I can't corroborate your feedback that QBelt is not affected. I will have TeamViewer set up on the LAN tomorrow to get access to the NAS again, and I'll give it a try.
This looks like an error on the keys.
Can you please try to recreate the public and private server and client keys, ensure the public server key and private client key are in the client configuration file, and the public client key is in the server configuration table?
On a side note, you shouldn't use RFC 2544 IPs, even if the QNAP tutorial is using them.
The IP of the NAS was not correctly set in the port forwarding mapping...
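The thread raises three things to check in a wg-quick config before blaming the NAS: that the keys are well-formed, that every peer has an Endpoint, and that the tunnel addresses are not taken from the RFC 2544 benchmarking range (198.18.0.0/15) that the QNAP tutorial uses. The following C lint is an added example, not code from the post or from QNAP or WireGuard; the wire-format rules it checks are WireGuard's (a key is 32 bytes, i.e. 44 base64 characters), but the config parser, the struct fields and the sample config are mine. The sample private key is the base64 of 32 bytes of 0x41, constructed for the example and not a real key, and the peer key is the post's own placeholder so that the check fires.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 198.18.0.0/15 is the RFC 2544 benchmarking range: 1 if ipv4 is inside it, 0 if not, -1 if unparsable. */
int in_rfc2544(const char *ipv4) {
    struct in_addr a;
    if (inet_pton(AF_INET, ipv4, &a) != 1) return -1;
    return (ntohl(a.s_addr) & 0xFFFE0000u) == 0xC6120000u;
}

/* A WireGuard key is 32 bytes, so its base64 form is 44 chars, ends in a single '=',
 * and the 43rd char must leave the final two bits clear. Anything else is not a key. */
int is_wg_key(const char *s) {
    if (strlen(s) != 44 || s[43] != '=' || !strchr("AEIMQUYcgkosw048", s[42])) return 0;
    for (int i = 0; i < 43; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '+' && s[i] != '/') return 0;
    return 1;
}

struct wg_lint {
    int address_rfc2544;        /* [Interface] Address inside 198.18.0.0/15 */
    int bad_private_key;        /* [Interface] PrivateKey is not a well-formed key */
    int bad_peer_key;           /* some [Peer] PublicKey is not a well-formed key */
    int peers;                  /* number of [Peer] sections seen */
    int peers_without_endpoint; /* peers that can never initiate a handshake */
};

/* Walk an INI-style wg-quick config and fill *out. Returns 0, or -1 on an overlong line. */
int lint_wg_config(const char *text, struct wg_lint *out) {
    char line[256];
    int section = 0, has_endpoint = 0;          /* section: 0 none, 1 Interface, 2 Peer */
    memset(out, 0, sizeof *out);
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) return -1;
        memcpy(line, p, len); line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        char *s = line;
        while (isspace((unsigned char)*s)) s++;
        if (*s == '\0' || *s == '#') continue;
        if (*s == '[') {                            /* section header */
            if (section == 2 && !has_endpoint) out->peers_without_endpoint++;
            section = !strncmp(s, "[Interface]", 11) ? 1 : !strncmp(s, "[Peer]", 6) ? 2 : 0;
            if (section == 2) { out->peers++; has_endpoint = 0; }
            continue;
        }
        char *eq = strchr(s, '=');                  /* first '=' splits key from value; keys end in '=' too */
        if (!eq) continue;
        char *v = eq + 1, *e = eq;
        while (e > s && isspace((unsigned char)e[-1])) e--;
        *e = '\0';
        while (isspace((unsigned char)*v)) v++;
        e = v + strlen(v);
        while (e > v && isspace((unsigned char)e[-1])) e--;
        *e = '\0';
        if (section == 1 && !strcmp(s, "Address")) {
            char ip[64];
            snprintf(ip, sizeof ip, "%.*s", (int)strcspn(v, "/"), v);   /* drop the prefix length */
            if (in_rfc2544(ip) == 1) out->address_rfc2544 = 1;
        } else if (section == 1 && !strcmp(s, "PrivateKey")) {
            if (!is_wg_key(v)) out->bad_private_key = 1;
        } else if (section == 2 && !strcmp(s, "PublicKey")) {
            if (!is_wg_key(v)) out->bad_peer_key = 1;
        } else if (section == 2 && !strcmp(s, "Endpoint")) {
            has_endpoint = 1;
        }
    }
    if (section == 2 && !has_endpoint) out->peers_without_endpoint++;
    return 0;
}

/* Constructed sample in the layout of the posted wg0.conf. The private key is the
 * base64 of 32 bytes of 0x41 (NOT a real key); the peer key is the post's placeholder. */
const char SAMPLE_CONF[] =
    "[Interface]\n"
    "Address = 198.18.7.2/32\n"
    "ListenPort = 37636\n"
    "PrivateKey = QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=\n"
    "[Peer]\n"
    "PublicKey = <qnap key>\n"
    "AllowedIPs = 0.0.0.0/0\n"
    "Endpoint = vpn.example.org:51820\n";

int main(void) {
    struct wg_lint r;
    if (lint_wg_config(SAMPLE_CONF, &r) < 0) return 1;
    printf("peers=%d rfc2544_address=%d bad_private_key=%d bad_peer_key=%d no_endpoint=%d\n",
           r.peers, r.address_rfc2544, r.bad_private_key, r.bad_peer_key, r.peers_without_endpoint);
    return 0;
}
```

On the posted config this reports the RFC 2544 address and the placeholder peer key; it cannot tell whether a well-formed key is the *right* key (that needs the server's public key derived from its private key, which only the NAS has), nor whether the router forwards 51820 to the right internal IP, which was the actual fault here.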

How to test postgres database connection on host?

I used pg_isready -h localhost which gives output as localhost:5432 - accepting connections
But when I used my host IP instead of localhost, it gives the output
pg_isready -h 18.191.7.185
output is 18.191.7.185:5432 - no response
Isn't my localhost my IP address?
No, it isn't. Verify with
ping localhost
which will show you the IP address that localhost resolves to.
The “loopback interface” is a special network interface that only contains your computer.
The cause of the problem is probably that the PostgreSQL parameter listen_addresses, which specifies the network interfaces on which PostgreSQL is listening, is set to the default value localhost.
Change the value to * and restart PostgreSQL, and it should work.
A second possibility is that you have restrictive firewall settings on your machine. Actually, reading your question again, that is probably your problem, since you are receiving no response rather than an error saying that nothing is listening on that port.

C Find Computer on LAN With Open Server

I'm trying to figure out a way for one user to open a server, on a port of their choice, and for a user on the same LAN to be able to see that server without manually putting in the IP and port. Think of when you open a Minecraft LAN server and people on the LAN can see the server, even though they never put in the IP, and the port is different every time. Is there a way to do this in C on Linux with the Berkeley Sockets API, with TCP sockets?
There are plenty of articles out there on how to use Unix built-ins to scan your Local Area Network for other hosts.
You can find your own IP address and Network using ifconfig, like in this article.
It's then a simple task to get a list of IP's/hostnames on your LAN using a command like nmap, and then sort through the output.
Here's an example:
sudo nmap -sn 10.84.32.54/24 | grep -Po "(\d{1,3}\.){3}\d{1,3}"
Which will return you a list of ip-addresses on your network like:
10.84.32.1
10.84.32.11
10.84.32.12
10.84.32.14
10.84.32.17
You could then go about scanning each of the ports on these by running:
nmap -p- 10.84.32.1
To get an output like:
PORT STATE SERVICE
22/tcp open ssh
2581/tcp open unknown
2443/tcp open unknown
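The nmap approach above finds hosts but not which one is running the game, and a full port sweep of the LAN is slow and noisy. What the Minecraft behaviour in the question actually relies on is the server announcing itself over UDP and clients listening for that announcement. The following C program is an added example, not code from the question, the answer or Minecraft: the beacon text format ("LANSERV name=<name> port=<port>"), the choice of UDP for the beacon, and the loopback round trip in demo_roundtrip() are my assumptions for the example. The game itself would still be served over TCP on the advertised port; on a real LAN the sender would target 255.255.255.255 and the listener would bind 0.0.0.0 on an agreed discovery port.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Assumed wire format (not from the post): "LANSERV name=<name> port=<port>", name has no spaces. */
#define BEACON_PREFIX "LANSERV"
#define NAME_MAX_LEN 63

/* Build the announcement; returns its length, or -1 if the port or name is unusable. */
int make_beacon(char *buf, size_t len, const char *name, int port) {
    if (port < 1 || port > 65535 || strlen(name) > NAME_MAX_LEN || strchr(name, ' ')) return -1;
    int n = snprintf(buf, len, BEACON_PREFIX " name=%s port=%d", name, port);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Parse an announcement; returns the advertised port, or -1 if it is not a beacon.
 * LAN datagrams are untrusted input: the port is range-checked and the name is bounded. */
int parse_beacon(const char *msg, char *name, size_t namelen) {
    char tmp[NAME_MAX_LEN + 1];
    int port;
    if (sscanf(msg, BEACON_PREFIX " name=%63s port=%d", tmp, &port) != 2) return -1;
    if (port < 1 || port > 65535) return -1;
    snprintf(name, namelen, "%s", tmp);
    return port;
}

/* UDP listener for beacons; port 0 lets the kernel pick. Returns the fd or -1. */
int open_listener(const char *ip, int port) {
    struct sockaddr_in a;
    struct timeval tv = { 2, 0 };                   /* bound recvfrom() so callers never hang */
    int one = 1, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, ip, &a.sin_addr) != 1 || bind(fd, (struct sockaddr *)&a, sizeof a) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int listener_port(int fd) {
    struct sockaddr_in a;
    socklen_t al = sizeof a;
    return getsockname(fd, (struct sockaddr *)&a, &al) < 0 ? -1 : ntohs(a.sin_port);
}

/* Send one beacon to dst_ip:dst_port; on a real LAN use 255.255.255.255 as dst_ip. */
int send_beacon(const char *dst_ip, int dst_port, const char *name, int game_port) {
    char msg[128];
    struct sockaddr_in a;
    int one = 1, n = make_beacon(msg, sizeof msg, name, game_port);
    if (n < 0) return -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof one);
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons((uint16_t)dst_port);
    if (inet_pton(AF_INET, dst_ip, &a.sin_addr) != 1) { close(fd); return -1; }
    ssize_t sent = sendto(fd, msg, (size_t)n, 0, (struct sockaddr *)&a, sizeof a);
    close(fd);
    return sent == n ? n : -1;
}

/* Wait (up to SO_RCVTIMEO) for one beacon; fills the sender IP and server name and
 * returns the advertised port or -1. The IP is taken from the datagram's source, not
 * from the payload, so a beacon cannot point clients at some third host. */
int wait_beacon(int fd, char *src_ip, size_t iplen, char *name, size_t namelen) {
    char buf[256];
    struct sockaddr_in from;
    socklen_t fl = sizeof from;
    ssize_t n = recvfrom(fd, buf, sizeof buf - 1, 0, (struct sockaddr *)&from, &fl);
    if (n < 0) return -1;
    buf[n] = '\0';
    inet_ntop(AF_INET, &from.sin_addr, src_ip, (socklen_t)iplen);
    return parse_beacon(buf, name, namelen);
}

/* Loopback round trip: announce a game server on 25565 and read it back. */
int demo_roundtrip(void) {
    char ip[INET_ADDRSTRLEN], name[NAME_MAX_LEN + 1];
    int fd = open_listener("127.0.0.1", 0), game_port = -1;
    if (fd < 0) return -1;
    if (send_beacon("127.0.0.1", listener_port(fd), "my-world", 25565) > 0)
        game_port = wait_beacon(fd, ip, sizeof ip, name, sizeof name);
    close(fd);
    return game_port;
}

int main(void) {
    printf("discovered game port: %d\n", demo_roundtrip());
    return 0;
}
```

The server would call send_beacon() every second or two for as long as it is open; clients keep a listener on the discovery port and connect their TCP game socket to the source IP and advertised port. Because any host on the LAN can send a beacon, a client should treat the name as display text only and never let the payload choose the destination address.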

Why is 'localhost' the default host used when trying to connect to MariaDB?

I have recently installed MariaDB on Fedora 19 in VirtualBox on Windows 7.
When I run:
MariaDB [(none)]> SELECT user, host, password FROM mysql.user;
I get:
+------+----------------------+-------------------------------------------+
| user | host | password |
+------+----------------------+-------------------------------------------+
| root | localhost | ***************************************** |
| root | my.hostname | ***************************************** |
| root | 127.0.0.1 | ***************************************** |
| nusr | my.hostname | ***************************************** |
+------+----------------------+-------------------------------------------+
my.hostname is the hostname I changed the default hostname to in Fedora.
I created the user 'nusr' with:
CREATE USER 'nusr'@'my.hostname' IDENTIFIED BY 'my_password';
When I try and connect to MariaDB with:
[me@my ~]$ mysql -u nusr -p
Enter password:
I get:
ERROR 1045 (28000): Access denied for user 'nusr'@'localhost' (using password: YES)
I am guessing this is because it is referring to 'nusr'@'localhost' instead of 'nusr'@'my.hostname'.
Why is 'localhost' the default host used when trying to connect to MariaDB?
Do the host's 'localhost' and '127.0.0.1' need to be kept?
As a context to this question, I am not really sure what the terms 'host' and 'hostname' mean, I just wanted to 'customise' my experience of learning MariaDB commands, so perhaps I have gone awry by completing the steps above.
Very old question but..
ERROR 1045 (28000): Access denied for user 'nusr'@'localhost' (using password: YES)
I am guessing this is because it is referring to 'nusr'@'localhost' instead of 'nusr'@'my.hostname'.
YES.
Why is 'localhost' the default host used when trying to connect to MariaDB?
Because the assumption is that you will connect to the database from the same machine the database is in (localhost).
If you define the user as being @my.hostname it means the connection to the database will be made from another machine, called my.hostname.
Do the host's 'localhost' and '127.0.0.1' need to be kept?
Only if you want to be able to access the database from there..
In that setup, if you delete the root users @localhost and @127.0.0.1 then you will not be able to log into the database from inside the VirtualBox where the database resides, and you will only be able to access it if you connect from a machine called my.hostname. But for that to work you must make sure that the database environment knows my.hostname.
The MariaDB server (like MySQL) treats localhost in a special way. Where other software treats it as an alias of the loopback address 127.0.0.1, MariaDB interprets it as a UNIX domain socket connection to the server. By default this socket file is located at /var/lib/mysql/mysql.sock.
To connect via the network to the local server, use the -h 127.0.0.1 parameter. This tells the mysql client to connect via the loopback network interface instead of the socket.
Regardless of other grants, MariaDB will always translate localhost to a local socket connection. If you want to prevent this and only allow access via the network, drop the users that have localhost as their host.
You can view all users in the database by executing the following query:
SELECT * FROM mysql.user
You must create the user properly on the Fedora 19 system:
[root@localhost ~]# useradd nusr
[root@localhost ~]# passwd nusr
Changing password for user fedora.
New UNIX password: # set password
Retype new UNIX password: # confirm
passwd: all authentication tokens updated successfully.
[root@localhost ~]# exit # logout
So the database didn't find user nusr and will not handle user nusr because it isn't created system-wide.
A hostname is an IP address named as "mydomain.com", but a "host" can be an IP address or a name-lookup host such as "mydomain.com".

Client-server in C and ethernet connection

I'm trying to develop a little client-server application in C. For that, I took some source code: http://www.iprelax.fr/outils/c_prog5.php
It works locally without changing the IP address or the port. I tried with 2 computers (Mac OS and Ubuntu). They are connected with an Ethernet cable and we defined static IP addresses 10.0.0.10 and 10.0.0.20 on this interface (eth0). In the client, we changed the line:
char *msg, *htoname = "127.0.0.1";
to the server IP address, but it doesn't work; there is no error.
We tried to change the port number but still have the same problem.
We didn't see anything with the netstat and netcat commands.
How to run the application between 2 computers ?
Thank you for your help
When going between two machines, generally a firewall blocks incoming connections, i.e. your server machine should allow the client to connect to it.
If your server is on Ubuntu, you are using Linux iptables. Either add a rule to allow the server port for incoming connections or disable iptables entirely.
vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5800 -j ACCEPT
The answer to this question lists it in detail:
using iptables on Stack Overflow
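Both the PostgreSQL thread above ("no response" from pg_isready versus a refused connection) and this one (a client that hangs with no error) come down to telling three outcomes apart: the port accepts, the host answers with a reset because nothing is bound there (listen_addresses=localhost, server bound to 127.0.0.1 only, wrong port), or the SYN is silently dropped (iptables, wrong IP, NAT to a dead host). The C probe below is an added example, not code from either thread or from the linked tutorial: it does a non-blocking connect() bounded by poll() and reads SO_ERROR to classify the result, and open_test_listener() and demo_listen_then_close() are my own loopback fixture so the block runs without a network. The "timed out" path cannot be demonstrated on loopback and is only exercised against a real filtered host.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum probe_result { PROBE_ERROR = -1, PROBE_ACCEPTING = 0, PROBE_REFUSED = 1, PROBE_TIMED_OUT = 2 };

const char *probe_name(int r) {
    switch (r) {
    case PROBE_ACCEPTING: return "accepting connections (something is listening on that address)";
    case PROBE_REFUSED:   return "connection refused (host reachable, nothing bound to that port/address)";
    case PROBE_TIMED_OUT: return "no response (SYN dropped: firewall, wrong IP, or NAT to a dead host)";
    default:              return "probe error (bad address or socket failure)";
    }
}

/* Non-blocking connect() bounded by poll(): a dropped SYN surfaces as a timeout instead
 * of a hang, and a RST surfaces as ECONNREFUSED either immediately or via SO_ERROR. */
int probe_tcp(const char *ip, int port, int timeout_ms) {
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, ip, &a.sin_addr) != 1) return PROBE_ERROR;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return PROBE_ERROR;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    int result = PROBE_ERROR;
    if (connect(fd, (struct sockaddr *)&a, sizeof a) == 0) {
        result = PROBE_ACCEPTING;
    } else if (errno == ECONNREFUSED) {
        result = PROBE_REFUSED;
    } else if (errno == EINPROGRESS) {
        struct pollfd pfd = { fd, POLLOUT, 0 };
        int ready = poll(&pfd, 1, timeout_ms);
        if (ready == 0) {
            result = PROBE_TIMED_OUT;                 /* no SYN-ACK and no RST within the budget */
        } else if (ready > 0) {
            int err = 0;
            socklen_t el = sizeof err;
            getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &el);
            result = err == 0 ? PROBE_ACCEPTING
                   : err == ECONNREFUSED ? PROBE_REFUSED
                   : err == ETIMEDOUT ? PROBE_TIMED_OUT : PROBE_ERROR;
        }
    }
    close(fd);
    return result;
}

/* Fixture: listen on 127.0.0.1 with a kernel-chosen port; returns the fd and stores the port. */
int open_test_listener(int *port) {
    struct sockaddr_in a;
    socklen_t al = sizeof a;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* loopback only, like listen_addresses = 'localhost' */
    if (bind(fd, (struct sockaddr *)&a, al) < 0 || listen(fd, 4) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &al) < 0) { close(fd); return -1; }
    *port = ntohs(a.sin_port);
    return fd;
}

/* Probe the same port while the listener is up and again after it is closed.
 * Returns 1 when the results are ACCEPTING then REFUSED, 0 otherwise. */
int demo_listen_then_close(void) {
    int port, fd = open_test_listener(&port);
    if (fd < 0) return 0;
    int while_open = probe_tcp("127.0.0.1", port, 1000);
    close(fd);
    int after_close = probe_tcp("127.0.0.1", port, 1000);
    return while_open == PROBE_ACCEPTING && after_close == PROBE_REFUSED;
}

int main(void) {
    int port, fd = open_test_listener(&port);
    if (fd < 0) return 1;
    printf("127.0.0.1:%d while listening -> %s\n", port, probe_name(probe_tcp("127.0.0.1", port, 1000)));
    close(fd);
    printf("127.0.0.1:%d after close     -> %s\n", port, probe_name(probe_tcp("127.0.0.1", port, 1000)));
    return 0;
}
```

Run from the client machine against the server's address: a REFUSED result means the packets arrive and the fix is on the server side (bind to 0.0.0.0 or the eth0 address, or listen_addresses = '*' for PostgreSQL), while a TIMED_OUT result means the packets never get an answer and the iptables rule above, the route, or the address is the place to look.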
