can't ping my centos machine from outside my LAN

Issues related to configuring your network
melinameline
Posts: 3
Joined: 2019/07/21 16:41:15

can't ping my centos machine from outside my LAN

Post by melinameline » 2019/07/21 22:56:18

Hi everyone,
I installed CentOS 7 on a VMware virtual machine (VMware ESXi 6.7) with two virtual Ethernet cards, one with a private IP address and the second with a public IP address. This machine has to contain a web server.
I disabled the firewall service.
On the CentOS machine all installations went well; I can ping LAN private addresses as well as internet IP addresses and names.
Inside the LAN I can ping both the local and the public IP address of the CentOS machine, BUT from outside the LAN the ping to the CentOS public IP address doesn't pass.

my LAN config is like this:
one router,
DNS server working as gateway and NAT server
there is any firewall in the LAN,
all other servers installed on physical hosts are normally reachable from outside, only centos virtual machine isn't
this is my ens1 ethernet card configuration file:

Code: Select all

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
IPADDR=X.X.X.X
NETMASK=255.255.255.X
BROADCAST=X.X.X.255
GATEWAY=X.X.X.X
DNS1=X.X.X.X
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens1
UUID=59781434-17f4-4cad-8327-7388530dcff9
DEVICE=ens1
ONBOOT=yes
ZONE=

and ens2 config file:

Code: Select all

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
IPADDR=X.X.X.X
NETMASK=255.255.X.X
BROADCAST=X.X.255.255
GATEWAY=X.X.X.X
DNS1=X.X.X.X
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens2
UUID=527d1434-27f4-4cfd-8327-7382530dfffdea
DEVICE=ens2
ONBOOT=yes
ZONE=

How can I fix this issue?
Thank you for your help.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: can't ping my centos machine from outside my LAN

Post by jlehtone » 2019/07/22 08:15:03

Think about the meaning of "default". Default option is what you default to unless you have more specific instructions. Therefore, there can be only one default.

Your config shows that the default route to outside is via ens1 and via ens2. However, you will not send packets via both interfaces. Just one. What is your default route?


Let's say that a packet arrives via ens1 and the reply depends on the default route. The default happens to be via ens2. Someone did send a packet to address X. Machine Y attempts to send a reply to that someone. The someone does not know Y nor accept replies to questions the someone did not send. The someone waits for a reply from X until timeout.

melinameline
Posts: 3
Joined: 2019/07/21 16:41:15

Re: can't ping my centos machine from outside my LAN

Post by melinameline » 2019/07/22 22:10:32

Thank you jlehtone for the reply, you helped me a lot. Thanks to you I can now ping the public IP address of my server, but a second problem appears:
when I try to access my web server via a web browser, it takes a lot of time, indicating "waiting for" the CentOS private IP address at the bottom left corner of the web browser, and finally it redirects me to the private IP address of my server rather than displaying my web page.

How can I fix this problem?
Thank you.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: can't ping my centos machine from outside my LAN

Post by jlehtone » 2019/07/23 16:15:02

Let me see ... probably because YYY=X.X.X.X ...

Some obfuscation is understandable in order to avoid leaking public data, but you have masked almost everything. It is impossible to say anything when X.X.X.X is not the same as X.X.X.X. I don't even know what you changed based on my previous comment (who is LAN and who is WAN interface).

melinameline
Posts: 3
Joined: 2019/07/21 16:41:15

Re: can't ping my centos machine from outside my LAN

Post by melinameline » 2019/07/23 21:08:21

Sorry for the obfuscation,

ens1=X.X.X.X ===> public ip address
ens2=172.16.0.14 ===> private ip address

this is ens2 config file

Code: Select all

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
IPADDR=172.16.0.14
NETMASK=255.255.0.0
BROADCAST=0.0.255.255
GATEWAY=172.16.0.1 
DNS1=172.16.0.1 
DEFROUTE=no
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens2
UUID=527d1434-27f4-4cfd-8327-7382530dfffdea
DEVICE=ens2
ONBOOT=yes
ZONE=

The only thing I changed is the DEFROUTE value, from yes to no, as you advised me, in the ens1 and ens2 config files.
NB: my CentOS 7 server is on a VMware (ESXi 6.7) virtual machine.
I also checked the net.ipv4.ip_forward value; it is set to 0.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: can't ping my centos machine from outside my LAN

Post by aks » 2019/07/24 18:27:58

Okay your routes should be as follows (pseudo code):

172.16.0.0/16 via ens1
0.0.0.0/0 via ens2

Roughly, all things to 172.16.0.0/16 go via public. Everything else goes via public.

If there's something else you need to access (say 192.168.0.0/16) that's on (say) private - you would need a route for that too.

More info on routable and non-routable addresses can be found in rfc3330 (and yes it's changed since the original definition - albeit 2002).
Also don't use ICMP ping to test - it's pretty meaningless. Use TCP socket connectivity (or if you're really clever UDP).

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: can't ping my centos machine from outside my LAN

Post by jlehtone » 2019/07/29 11:44:44

How have those configuration files been created?

CentOS 7 has two systems to manage network configuration: NetworkManager.service (NM) and network.service (initscripts). The NM is the default.
One does not edit files directly with the NM: NM has tools (nmcli, nmtui, nm-connection-editor) to modify configuration.

NM does not add all the shown entries to the config file. Initscripts does not use all those entries either; some of them are redundant and thus unnecessary. A further issue with redundant values is that they are far too easy to set inconsistently.

For example:

Code: Select all

IPADDR=172.16.0.14
NETMASK=255.255.0.0
BROADCAST=0.0.255.255

That is not the correct broadcast address. This is simpler (and what NM has written for me):

Code: Select all

IPADDR=172.16.0.14
PREFIX=16

The netmask and broadcast can and will be calculated from the prefix.

Code: Select all

GATEWAY=172.16.0.1 
DEFROUTE=no

Why define a gateway, if you also say: "do not use"?

The default route has to use one of the interfaces. Therefore, they should not all use DEFROUTE=no.


A simple command to display current routes:

Code: Select all

ip ro

melinameline wrote:
2019/07/22 22:10:32
when I try to access my web server via a web browser, it takes a lot of time, indicating "waiting for" the CentOS private IP address at the bottom left corner of the web browser, and finally it redirects me to the private IP address of my server rather than displaying my web page.

You run browser on machine X that has IP address Y and try to access machine Z that has IP address W. The Z has httpd listening on Z.
Somehow, the request is redirected to url V that is not the page you are looking for.

The X could be the Z, or in 172.16.0.0/16, or in some public subnet. You could tell.
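
Added example, not part of any post in this thread: a small Python checker for the inconsistencies discussed above (a BROADCAST that does not match the address and mask, a GATEWAY defined alongside DEFROUTE=no, and zero or several default routes). The function names are hypothetical, the ens2 values are the ones posted in the thread, the ens1 address is a documentation-range placeholder because the public IP is masked, and treating an unset DEFROUTE as "yes" is an assumption.

```python
import ipaddress

def parse_ifcfg(text):
    """Parse the KEY=VALUE lines of an ifcfg file into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def check_interfaces(configs):
    """configs maps interface name -> ifcfg text; returns (name, problem) tuples."""
    findings, default_via = [], []
    for name, text in configs.items():
        cfg = parse_ifcfg(text)
        mask = cfg.get("PREFIX") or cfg.get("NETMASK")
        if not (cfg.get("IPADDR") and mask):
            continue
        net = ipaddress.ip_interface(f"{cfg['IPADDR']}/{mask}").network
        bcast, gw = cfg.get("BROADCAST"), cfg.get("GATEWAY")
        if bcast and ipaddress.ip_address(bcast) != net.broadcast_address:
            findings.append((name, f"BROADCAST={bcast}, expected {net.broadcast_address}"))
        if gw and ipaddress.ip_address(gw) not in net:
            findings.append((name, f"GATEWAY={gw} is outside {net}"))
        # Assumption: an unset DEFROUTE is treated as "yes".
        if cfg.get("DEFROUTE", "yes").lower() == "no":
            if gw:
                findings.append((name, f"GATEWAY={gw} set but DEFROUTE=no"))
        elif gw:
            default_via.append(name)
    # Exactly one interface should end up carrying the default route.
    if len(default_via) != 1:
        findings.append(("*", f"{len(default_via)} default routes: {default_via}"))
    return findings

# Constructed sample: ens2 values are from the thread; the ens1 address is a
# documentation-range placeholder because the thread masks the public IP.
ENS1 = "DEVICE=ens1\nIPADDR=203.0.113.10\nPREFIX=24\nGATEWAY=203.0.113.1\nDEFROUTE=no\n"
ENS2 = ("DEVICE=ens2\nIPADDR=172.16.0.14\nNETMASK=255.255.0.0\n"
        "BROADCAST=0.0.255.255\nGATEWAY=172.16.0.1 \nDEFROUTE=no\n")

if __name__ == "__main__":
    for name, problem in check_interfaces({"ens1": ENS1, "ens2": ENS2}):
        print(f"{name}: {problem}")
```

Run against the real files by reading each /etc/sysconfig/network-scripts/ifcfg-* file into the mapping; the result should be compared with the live table shown by `ip ro`.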
