Diagnostics of network connections on the EDGE virtual router

In some cases there are problems when setting up a virtual router. For example, port forwarding (NAT) does not work, or the Firewall rules themselves are misconfigured. Or you simply need to get the router logs, check that the channel is working, and run network diagnostics. Cloud provider Cloud4Y explains how this is done.

Working with a virtual router

First of all, we need to configure access to the virtual router, the EDGE. To do this, open its Services and go to the corresponding tab, EDGE Settings. There we turn on SSH Status, set a password, and be sure to save the changes.


If we use strict Firewall rules, where everything is denied by default, we add rules that allow connections to the router itself on the SSH port:


Then we connect with any SSH client, for example PuTTY, and get into the console.


In the console, a set of commands becomes available to us; the full list can be seen with:
list


What commands can we use? Here is a list of the most useful:

  • show interface - displays the available interfaces and the IP addresses set on them
  • show log - shows the router logs
  • show log follow - lets you watch the log in real time with constant updates. Each rule, be it NAT or Firewall, has the Enable logging option; when it is enabled, events are recorded in the log, which makes diagnostics possible.
  • show flowtable - shows the entire table of established connections and their parameters
    Example 1: tcp 6 21599 ESTABLISHED src=9X.107.69.XXX dst=178.170.172.XXX sport=59365 dport=22 pkts=293 bytes=22496 src=178.170.172.XXX dst=91.107.69.173 sport=22 dport=59365 pkts=206 bytes=83569 [ASSURED] mark=0 rid=133427 use=1
  • show flowtable topN 10 - displays the required number of lines, in this example 10
  • show flowtable topN 10 sort-by pkts - sorts connections by the number of packets, from smallest to largest
  • show flowtable topN 10 sort-by bytes - sorts connections by the number of bytes transferred, from smallest to largest
  • show flowtable rule-id ID topN 10 - displays the connections matched by the given rule ID
  • show flowtable flowspec SPEC - for more flexible selection of connections, where SPEC sets the required filtering conditions, for example proto=tcp:srcip=9X.107.69.XXX:sport=59365 to select TCP connections from source IP address 9X.107.69.XXX and source port 59365
    Example> show flowtable flowspec proto=tcp:srcip=90.107.69.171:sport=59365
    1: tcp 6 21599 ESTABLISHED src=9X.107.69.XX dst=178.170.172.xxx sport=59365 dport=22 pkts=1659 bytes=135488 src=178.170.172.xxx dst=xx.107.69.xxx sport=22 dport=59365 pkts=1193 bytes=210361 [ASSURED] mark=0 rid=133427 use=1
    Total flows: 1
  • show packet drops - lets you view packet drop statistics
  • show firewall flows - shows firewall packet counters along with packet flows.

We can also use basic network diagnostic tools directly from the EDGE router:

  • ping ip WORD
  • ping ip WORD size SIZE count COUNT nofrag - ping with the given payload size and number of probes, with fragmentation of packets of that size prohibited.
  • traceroute ip WORD

Sequence for diagnosing Firewall operation on Edge

  1. Run show firewall and look at the custom filtering rules configured in the usr_rules table
  2. Look at the POSTROUTING chain and watch the number of dropped packets in the DROP field. If there is an asymmetric routing problem, we will see the values grow.
    Additional signs to check for:

    • ping works in one direction but not in the opposite direction
    • ping works, but TCP sessions are not established.
  3. Look at the IP address information - show ipset
  4. Enable logging on the firewall rule in the Edge services
  5. Watch the events in the log - show log follow
  6. Check the connections for the desired rule-id - show flowtable rule-id ID
  7. Using show flowstats, compare the currently established connections (Current Flow Entries) with the maximum allowed (Total Flow Capacity) in the current configuration. The available configurations and limits can be viewed in VMware NSX Edge. If you are interested, I can talk about this in the next article.
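As an added example, not part of the original article, the Python below parses lines in the layout of the show flowtable output shown in the command list, applies the flowspec and topN sort-by selections from that list offline, and implements the one-way-traffic check from step 2 of the procedure. The sample lines and rule ids are constructed, and the flowspec filter is assumed to support only the proto, srcip, sport and dport keys.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of NSX Edge `show flowtable` output;
# addresses are documentation ranges and the rule ids are made up.
SAMPLE_FLOWTABLE = """\
1: tcp 6 21599 ESTABLISHED src=198.51.100.10 dst=203.0.113.5 sport=59365 dport=22 pkts=1659 bytes=135488 src=203.0.113.5 dst=198.51.100.10 sport=22 dport=59365 pkts=1193 bytes=210361 [ASSURED] mark=0 rid=133427 use=1
2: tcp 6 118 SYN_SENT src=198.51.100.20 dst=203.0.113.7 sport=40112 dport=443 pkts=6 bytes=360 [UNREPLIED] src=203.0.113.7 dst=198.51.100.20 sport=443 dport=40112 pkts=0 bytes=0 mark=0 rid=133430 use=1
3: udp 17 29 src=198.51.100.30 dst=203.0.113.9 sport=5353 dport=53 pkts=2 bytes=140 src=203.0.113.9 dst=198.51.100.30 sport=53 dport=5353 pkts=2 bytes=420 mark=0 rid=133431 use=1
"""
# Each flow line carries two 5-tuples with counters: original direction, then reply direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+) pkts=(\d+) bytes=(\d+)")

@dataclass
class Flow:
    proto: str
    rid: int            # firewall rule id (rid=...) that matched the flow
    srcip: str
    sport: int
    dport: int
    pkts: int           # packets seen in the original direction
    bytes: int          # bytes seen in the original direction
    reply_pkts: int     # packets seen in the reply direction

def parse_flowtable(text):
    """Turn `show flowtable` lines into Flow records, skipping non-flow lines."""
    flows = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue  # header, 'Total flows:' or blank line
        (src, _dst, sport, dport, pkts, nbytes), (*_, rpkts, _rbytes) = tuples
        rid = int(re.search(r"rid=(\d+)", line).group(1))
        flows.append(Flow(line.split()[1], rid, src, int(sport), int(dport),
                          int(pkts), int(nbytes), int(rpkts)))
    return flows

def select(flows, flowspec):
    """Filter like `flowspec proto=tcp:srcip=A:sport=N` (keys: proto, srcip, sport, dport)."""
    wanted = dict(part.split("=", 1) for part in flowspec.split(":"))
    return [f for f in flows if all(str(getattr(f, k)) == v for k, v in wanted.items())]

def top_n(flows, n, sort_by="pkts"):
    """Mirror `topN N sort-by pkts|bytes`: smallest to largest, first N."""
    return sorted(flows, key=lambda f: getattr(f, sort_by))[:n]

def unreplied(flows):
    """Flows whose reply direction never carried a packet: the one-way pattern
    that step 2 of the procedure attributes to asymmetric routing."""
    return [f for f in flows if f.pkts > 0 and f.reply_pkts == 0]
```

Paste the real show flowtable output into SAMPLE_FLOWTABLE, and unreplied() points at the rule ids whose return traffic never reaches the Edge.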


Source: habr.com
