Latest Discussions
OPNSense nested in a Proxmox VM, trying to spoof VM NIC to transparently relay to host NIC
I am trying to set up an OPNSense VM inside Proxmox, which is running in an Azure VM with nesting enabled. I have my reasons to do it, so please spare me the "why not go native" questions. Since Azure VMs don't support vIOMMU (note the "v" in vIOMMU stands for virtualized IOMMU, for L2 instances), I cannot pass the interface further from Proxmox to OPNSense, so I need to get by using bridges.

The host configuration is:
– eth0
– vmbr0 with eth0 assigned to it

The configuration is:

    iface eth0 inet manual

    auto vmbr0
    iface vmbr0 inet manual
        bridge-ports eth0
        bridge-stp off
        bridge-fd 0

The guest configuration is:
– VirtIO NIC attached to vmbr0, with MAC overridden using same address as the eth0
– Firewall: NO
– MAC Filter: NO

Running dhclient on eth0 or vmbr0 correctly discovers and assigns an IP address. Now, I am trying to get the OPNSense in a VM to get that IP address instead and to relay its traffic via the vmbr0 transparently outside of the host. I have done something very similar previously between OpenWRT running in a VM and another VM, using OpenWRT's "trivial relay" (kmod-trelay, see https://forum.openwrt.org/t/howto-kmod-trelay/49610/2, also https://github.com/openwrt/openwrt/commit/c3bba7f8c61ee98265bcffef8ee86e22aa89bbe9), and despite that this particular case is much simpler, I can't get the VM to communicate with the ISP properly.

I tried simply by spoofing the eth0's MAC address by setting the OPNSense VM's interface to it, but that's not enough. I also checked the traffic on both ends using tcpdump, and, interestingly, vmbr0 does see the DHCP requests coming from the VM, and the ISP does respond, but that response never reaches the VM, nor the tap interface corresponding to the VM that Proxmox assigned to the bridge. What am I missing here?

wrobelda | Oct 31, 2025 | Copper Contributor | 1.7K Views | 1 like | 1 Comment

Asav on azure
I need help creating a VPN from my Azure ASAv. As it stands right now, the trace capture on my ASAv from my Azure VM to the remote site ASA private network says my Azure VMs aren't pushing traffic to the ASAv. My question: when each Azure VM has a public IP, how can one then route the traffic through the ASAv? Anyone that has deployed ASAv on Azure should please assist.

wristein | Oct 31, 2025 | Copper Contributor | 1.4K Views | 0 likes | 1 Comment

Access to the delegated container subnet from the rest of the network
Hi All, We have an on-premise network: ONPREM-VLAN which is connected to an Azure VLAN: AZUREVLAN1 using Site to Site VPN connection. This AZUREVLAN1 is in subscription-1. We have another subscription: subscription-2 which has two more VLANs: AZUREVLAN2 and AZUREVLAN3. AZUREVLAN2 is in one Azure region (same as AZUREVLAN1 i.e. Australia Southeast) and AZUREVLAN3 is in another Azure region (i.e. in Australia East). We have enabled VNet peering between all the three VLANs. We have also established routing from our on-premise network: ONPREM-VLAN to all the three Azure VLANs. However, when we created a delegated container subnet in AZUREVLAN3, it is only accessible from other subnets within AZUREVLAN3. It is not accessible from any other VLANs (AZUREVLAN2, AZUREVLAN1 and ONPREM-VLAN) in the network. Here is the screenshot of that delegated container subnet: Is there a way I can enable routing from the rest of the network to this delegated subnet?

ShehzadUIT | Oct 30, 2025 | Brass Contributor | 743 Views | 0 likes | 1 Comment

Azure Firewall query
Hi Community, Our customer has a security layer subscription which they want to route and control all other subscription traffic via. Basically, they want to remove direct VPeers between subscriptions and to configure Azure Firewalls to allow them to control and route all other subscriptions' traffic. All internet traffic would then be routed down our S2S VPN to our Palo Altos in Greenwich for internet access (both ways). However, there may be some machines they would assign Azure Public IPs to for inbound web server connectivity, but all other access from external clients would be routed via the Palos inbound.

Questions: Which one (Azure Firewall or Azure WAN) would be the best option? What are the pros and cons? Any reference would be of great help.

SB V | Oct 28, 2025 | Brass Contributor | 870 Views | 0 likes | 3 Comments

Azure load balancer - n-tier application
Hi, I have an n-tier application, so the usual roles: web, processing, data. They would all go into a single vnet, but each tier will be deployed as active/passive, in this case using availability zones.

Subnet 1
- Web-1 (active in AZ 1)
- Web-2 (passive in AZ2)

Subnet 2
- Processing-1 (active in AZ1)
- Processing-2 (passive in AZ2)

Subnet 3
- Data-1 (active in AZ1)
- Data-2 (passive AZ2)

I am planning to use a single Azure Standard LB, which would be in subnet 4 and have 3 front-ends (FE) and 3 backends (BE). There would be a LB rule using HA to map each FE to a BE. Additionally, each subnet would be controlled with NSG. The question I have is whether to use a single Azure LB vs using one for each tier, as well as the consideration for availability zones. To explain, each app tier has a VM instance in zone 1 (active) and zone 2 (passive), however the LB also has zone redundancy options and I want to establish what may be the best option to meet the best HA?

miksingh | Oct 26, 2025 | Copper Contributor | 486 Views | 0 likes | 1 Comment

Azure IP Geolocation
Hi, While we are using more and more Azure AVD, lately we have been dealing with a few problems regarding geolocation. Some of the sites in specific countries will accept connections only from IP addresses registered for that country. So for example, we have AVD resources in the Netherlands and we can't access some of the Danish sites. Is it possible for Microsoft to publish a different location for its public IP addresses through RIR or geolocation data file? For instance, change the geolocation from the Netherlands to Denmark for the public IP addresses we are using for AVD? Or is there any other solution, as this is going to be a bigger problem when more people use AVD and there is no Azure Data Center in their country.

egr-88 | Oct 26, 2025 | Copper Contributor | 917 Views | 1 like | 1 Comment

IKEv2 and Windows 10/11 drops connectivity but stays connected in Windows
I’ve seen this with 2 different customers using IKEv2 User VPNs (virtual WAN) and Point to Site gateways in hub and spoke, whereby using the VPN in an Always On configuration (device and user tunnel), after a specific amount of time (56 minutes) the IKEv2 connection will drop the tunnel but stay connected in Windows. To restore the connection, you just reconnect. Has anyone else had a similar experience? I’ve seen the issue with ExpressRoute and with/without Azure firewalls in the topology too.

JosephGooderham | Oct 25, 2025 | Copper Contributor | 1.2K Views | 0 likes | 1 Comment

Azure vWAN (hybrid connectivity enabled with OnPrem DC) data packet flow - inbound and outbound
Could anyone explain to me the end-to-end Inbound and Outbound data packet flow in Azure vWAN Hub connectivity through EC between OnPrem and Azure Cloud? Consider we've Azure FW enabled. Multiple Branches and VNETs connected to the Secured Hub. I want to understand what would be the best practice to integrate with when a vWAN is in place, i.e.

Ingress Traffic - On-Prem data packets through GW > EC GW > Hub Router > Azure FW > NSG > VMs
Egress Traffic - VMs > NSG > Azure FW > Hub Router > EC GW > OnPrem GW

Vibin_Balagopal1988 | Oct 25, 2025 | Copper Contributor | 496 Views | 0 likes | 1 Comment

Can only remote into azure vm from DC
Hi all, I have set up a site to site connection from on prem to Azure and I can remote in via the main DC on prem but not any other server or ping from any other server to the Azure. Why can I only remote into the Azure VM from the server that has Routing and Remote Access? Any ideas on how I can fix this?

AB21805 | Oct 22, 2025 | Bronze Contributor | 746 Views | 0 likes | 2 Comments