Set up port forwarding on Windows 10 NAT Virtual Switch - powershell

I found this excellent blog post which shows the steps to set up a NAT Virtual Switch, which I followed.
https://4sysops.com/archives/native-nat-in-windows-10-hyper-v-using-a-nat-virtual-switch/
First, the cmdlet New-NetNat does not even take an external IP as a parameter. How does NetNat know which external IP to use if there is more than one (which is my case)?
Say my host machine has an external IP "192.168.1.112" and the guest machine behind the NAT has an internal IP "10.0.75.2". I am trying to set up a port forwarding. The obvious syntax to try is:
Add-NetNatStaticMapping -NatName "NAT" -ExternalIpAddress "192.168.1.112" -ExternalPort 4000 -InternalIPAddress "10.0.75.2" -InternalPort 3389 -Protocol TCP
and I am getting the following error:
Add-NetNatStaticMapping : The external IP address 192.168.1.112 and
port number 4000 for the static mapping does not match an existing
ExternalAddress' IP address or port range. Use
Add-NetNatExternalAddress to add an ExternalAddress.
I don't understand what it means, but I follow the suggestion and type:
Add-NetNatExternalAddress -NatName "NAT" -IPAddress "192.168.1.112" -PortStart 4000 -PortEnd 4000
and I get the following error:
Add-NetNatExternalAddress : Element not found.
At this stage I have reached the limits of my competence. I can't find any relevant documentation on this NAT feature, apart from PowerShell's unhelpful tautology ("Add-NetNatExternalAddress: Adds an external address to a NAT instance.").
What does adding an External Address to a NetNat do? What happens if I don't specify the ports? Will it have any impact on the ability of the host to connect? What is the correct syntax to add an External Address in a way that will allow me to set up a Static Mapping?

The link above is to my blog, Cloudpuzzles. The scenario there is when using NVGRE and NAT gateways, and not the new NAT virtual switch. I don't currently have a write up about it, but Thomas here did a bit on it: http://www.thomasmaurer.ch/2015/11/hyper-v-virtual-switch-using-nat-configuration/
Basically, before adding addresses etc, you have to add a new NetNat (which is the NatName you're referring to in Add-NetNatExternalAddress).
PortStart and PortEnd, when it comes to NVGRE at least, is used as a boundary for which ports tenants can use.

I had the same problem and though I am not sure why the Add-NetNatExternalAddress command is failing I was able to get the NetNatStaticMapping to work by doing the below steps:
Run the following command:
Get-NetNatExternalAddress
From the list of External Addresses you get, choose any External IP and External port and use it as the parameter for the Add-NetNatStaticMapping command.

try something like:
Add-NetNatStaticMapping -NatName "NAT" -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 10.0.75.2 -InternalPort 3389 -ExternalPort 4000
This will work for sure... and I recommend you to reconsider your IP scopes...because the IP 192.168.1.11 should be in a private network, and vice versa.

First you need to create a Virtual Switch with NAT:
New-VMSwitch -Name "HTTPS-NAT" -SwitchType NAT -NATSubnetAddress 192.168.100.0/24
Then you need to connect the necessary VM to the specified vswitch and enable the address translation rule for all virtual machines connected through this Hyper-V virtual switch:
New-NetNat -Name HTTPS-NAT -InternalIPInterfaceAddressPrefix 192.168.100.0/24
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 443 -Protocol TCP -InternalIPAddress "192.168.100.77" -InternalPort 443 -NatName HTTPS-NAT
After executing these PowerShell commands, all HTTPS traffic that comes to port 443 of the Hyper-V host will be forwarded to the private IP address of the virtual machine.

Related

How to enable inbound port in Hyper-V inside Azure VM?

Problem Description
We used to set up an Ubuntu Azure VM (consider Private IP as 109.11.23.11) for sending some simulated data. We need to set up multiple azure VM's for each one for every simulator.
For that simulator to send data outside we specify an inbound rule for the specific port as below
Here for data receiver we specify the connection details as below
:
Ex: 109.11.23.11:50000
Instead of doing that I want to try out having one Azure Windows Server VM which contains multiple Ubuntu Hyper-V machines
Then I set up that Windows server machine and then enabled Hyper-V. And then setup a virtual network to be used by Hyper V using the below Powershell script
New-VMSwitch -Name VmNAT -SwitchType Internal
New-NetNat -Name LocalNAT -InternalIPInterfaceAddressPrefix "192.168.49.0/24"
Get-NetAdapter "vEthernet (VmNat)" | New-NetIPAddress -IPAddress 192.168.49.1 -AddressFamily IPv4 -PrefixLength 24
Install-WindowsFeature -Name 'DHCP' –IncludeManagementTools
Add-DhcpServerV4Scope -Name "DHCP Scope" -StartRange 192.168.49.50 -EndRange 192.168.49.250 -SubnetMask 255.255.255.0
Set-DhcpServerV4OptionValue -DnsServer 168.63.129.16 -Router 192.168.49.1
Now I am a bit confused about how to open up port 50000 as in the earlier method for this Hyper-V.
What I tried
I created an inbound rule in the host VM as we have done in the Ubuntu VM earlier. And in the receiver tried giving the public IP of the host machine/Ubuntu Hyper V separately. Both of these things failed. The receiver is not getting connected to this simulator VM as earlier. I did not try with the host machine's private IP yet. Any suggestions?
• Since, you have created a ‘NAT’ subnet and attached an additional NIC (Network Interface Card) to the Azure VM in this subnet which communicates and manages the IP addresses for the nested VMs on the Azure VM, and a regular LAN (Local Area Network) subnet on which the host Azure VM is placed, please ensure that an inbound rule exists for Port 50000 in the NSG (Network Security Group) for the ‘NAT’ subnet NIC. Also, ensure that the network architecture of the nested VMs hosted on Azure VM is as below: -
• Then, also ensure that a virtual switch is created on the Azure VM to forward traffic from the nested VMs via host Azure VM to the internet and vice versa. Execute the below powershell command to add NAT static mapping with the external IP address used by the Azure VM: -
Add-NetNatStaticMapping -NatName "NestedSwitch" -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 10.4.2.2 -InternalPort 5000 -ExternalPort 5000
Also, create an inbound firewall rule on the Azure host VM by executing the below powershell command for internal switch created on Hyper-V: -
New-NetFirewallRule -RemoteAddress 192.168.217.0/24 -DisplayName "Allow217net" -Profile Any -Action Allow
Also, ensure that port forwarding is enabled for inbound access to happen from the RDP port to the nested VMs on the nested VMs subnet. So, execute the below command on the host Azure VM to forward the traffic to the concerned ports: -
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 50004 -Protocol TCP -InternalIPAddress "192.168.0.4" -InternalPort 3389 -NatName NATNetwork
Also, ensure that the below command is executed on the Azure VM to map the listening port to the required NIC on the nested VMs: -
netsh interface portproxy add v4tov4 listenaddress=<nat address> listenport=<random port> connectaddress=<nested vm address> connectport=<nested vm service port>
The above solutions should help you to resolve your issue for inbound rules on the nested VMs.

I am not able to send/receive messages with public IP in kafka

I am not able to send/receive messages with public IP in Kafka. I tried by changing IP with private and public. I also tried by changing advertised.host.name to 0.0.0.0.
What am I missing in Kafka ?
I suppose you are running Kafka on one machine and trying to access it from other machine.
It can be debugged as follows:
Try pinging the public IP from your machine. ping public_ip
If ping works, then try doing a telnet to that public IP along with the Kafka bootstrap server port.
For example, telnet 1.2.3.4 9092
If you are able to telnet means, that you are able to connect to the public IP (here, 1.2.3.4) and port from your machine.
If you are not able to connect, check your iptables rules on your Kafka server. You may want to allow the port to be accessible from outside.
Example to allow 9092 port.
iptables -A INPUT -p tcp --dport 9092 -j ACCEPT
You may also want to check if any firewall is blocking access like UFW or firewalld. Try disabling them or allow Kafka port there and check.
If you are using OpenStack or similar software, you may want to check Security group rules there and allow those ports. This can be applicable to AWS also.
Check that your advertised.listeners have the public IP which you are using to connect to. By default this property is found in etc/kafka/server.properties file.
Change it to something like (if you are using PLAINTEXT)
advertised.listeners=PLAINTEXT://<PUBLIC_IP>:<PORT>
For example,
advertised.listeners=PLAINTEXT://1.2.3.4:9092
advertised.host.name seems to be DEPRECATED now (see documentation)

Server Connection with public IP

I have setup a simple HTTP java server running locally on port 8000. It simply prints a message "Hello world" when a request comes. When I try to ping it from the browser by running http://localhost:8000/test I get my message printed.
I want to get the same results from another computer that is not local. When I try to use my public IP lets say http:/43.xxx.xxx.xxx:8000/test (even from the same machine) I get an ERR_CONNECTION_REFUSED .
I probably suspect that has something to do with the firewall. Can anyone guide me a little more because I lack the experience?
Thanks in advance
You don't specify what host OS your server/firewall is running so I'll keep this generic...
Without knowing your application, it seems like the server is sending a reset (RST packet) when the first SYN packet shows up indicating that the port (on that interface [your external]) is closed. You can do a quick port scan from here (https://mxtoolbox.com/PortScan.aspx) if you don't have access to a remote machine to test with. Odds are, TCP/8000 will not be open.
If it is, in fact, closed, you'll have to look at the firewall that your host OS is running and find out how to allow TCP/8000 to your host. In a major firewall vendor, your rule would look similar to this:
Source: Any
Destination: Your Public IP Address
Service: TCP/8000
Action: Allow
Logging: Full
That being said, you mentioned this was a PC so look into "iptables" (if you're running *nix) or the Windows Firewall (if you're running Windows) on adding firewall rules (Unfortunately I just joined and can't ask questions/comments, yet).
If you really want to find out what packet is being sent, run a tcpdump on your external interface (let's say eth1) (assuming your remote IP is 1.2.3.4 and your home public IP is 4.5.6.7):
tcpdump -nn -vvv -e -s 0 -X -c 100 -i eth1 host 1.2.3.4 and host
4.5.6.7 and port 8000
Here you're looking for the SYN/SYN-ACK/ACK for a successful TCP negotiation or SYN/RST if there is a firewall rejecting (not dropping) the TCP stream to the port.
Once the port is open on the host OS firewall, take a look at the application to make sure it's configured properly. If this were a standard webserver, you could take a look at the configuration files for the "Allow from" directives to make sure that everyone can access the site. If this is a custom application that you've created, you'll have to check this yourself.
I finally solved my problem. I needed to open a forwarding port in my router that maps my local ip address to the public. My router is TP Link so this what I did:
http://www.tp-link.com/us/faq-72.html
Also in order for this to work every time and not to have to reconfigure this every time I reconected to the router (because I get a new local IP), I have created a static local ip for my server following this guide:
http://www.tp-link.com/us/faq-182.html
Thanks for all the replies.

Amazon EC2 Cannot access port 80 even though app is running

I have my free-tier EC2 containing my Scala application. The app is running on port 8080 but I have declared redirection from port 80 to port 8080. Security group of EC2 includes inbound rules of port 8080 and 80 to all IPs. Nonetheless, I couldn't access the service with browser.
Outputs from netstat and iptables
Security group
Browser returns ec2-35-157-211-142.eu-central-1.compute.amazonaws.com refused to connect.
I'd really appreciate if someone could help me.
Thanks.
Ensure that your EC2 instances are located in public subnets. If that's fine, then ensure that they have public IPs assigned, otherwise they won't be accesible from the internet.
If they have public IP, then you should check that the security group has outbound rule allowing those ports for all IPs (or at least the ones you want to allow to connect). If you have inbound rule but no outbound rule your instance won't be able to serve traffic, so please define the outbound rule the same way that the inbound rule.
If that's properly set, then ensure that the network ACL allows inbound/outbound rules for the same ports (and of course: it does not deny them).
I hope this helps :).
If you're able to connect locally but not remotely, chances are that you aren't binding your server to the external interface. To bind to all interfaces, just make host = "0.0.0.0" similar to the following:
For Spray:
IO(Http) ! Http.Bind(service, "0.0.0.0", port = 8080)
For Akka HTTP:
Http().bindAndHandle(route, "0.0.0.0", 8080)

How to drop the incoming packet from openVswitch integration bridge for specific IP?

I have installed the openvSwitch server on my two centos server (KVM). I have created two VM’s and bridged using openvSwitch. I am able to ping between the two VM’s. I am using VLAN for differentiating the private network.
Below is the VM IP
VM1 IP : 198.0.0.2 (resides in host1)
VM2 IP : 198.0.0.3 (resides in host2)
VLAN: 1000
I have followed the steps from the below link to configure the openvSwitch and it works fine.
http://openvswitch.org/support/config-cookbooks/vlan-configuration-cookbook/
Now I want to block few ports. I want to block the incoming traffic to the port 443, 80 for the VM1. One option is I can modify the iptables in my VM to drop the traffic to the ports. But I don’t want to modify the firewall rules in the VM. I want to drop the packets from the OVS integration Bridge itself.
Thanks,
Kalpeer