I have 2 EC2 instances (one window and one linux) in same subnet. I am trying to access one instance from another via private IP but I am not able to do so.
In security groups, both instances belong to same security groups and security group allows all traffic from the same security group.
I am not even able to ping one instance from another using private IP address.
Any pointers what could be wrong here.
By default the Windows firewall will deny all inbound requests (including ping), but the firewall also contains a list of Exceptions (otherwise it would block everything!). Those Exceptions are a set of rules that describe what connections should be allowed in out-of-the-box.
To allow any additional connections, you just add a new rule to the firewall. There is a Wizard in the Windows Firewall GUI for viewing and creating rules, but i find it easier to use a PowerShell one-liner like this to allow ping:
New-NetFirewallRule -DisplayName "Inbound LAN Ping" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 192.168.1.0/24 -Action Allow
Above will allow any IP's between 192.198.1.1 ... 192.168.1.255 to send ping requests to your Windows host (all other RemoteAddress will still be ignored). I'm assuming here your Linux machine's IP is for example 192.168.1.1 and your Windows machine's IP is 192.168.1.123.
As a rule of thumb, you should only open up the minimal number of ports, to as few IP/IP ranges as possible.
This will likely be the result of Windows firewall being enabled, with default settings it will block ping access (among other things).
Disabling it should enable inbound/outbound access to work for ping. This is a temporary measure and should not be considered a permanent workaround.
You should enable whitelisting in the Windows firewall to allow the ports you would like inbound or outbound to have network access to/from other resources within the network.
More information is available in this link.
Related
I have a dedicated windows 2012 server with 12 dedicated IPs.
I want to be able to make connections simultaneously from two different ips that I choose.
This will be used for two different browser applications.
I have tried the following:
ForceBindIP %IP_ADDRESS% %APP_EXE%
But the IP doesn't change, the browser always displays the lowest IP from my added range.
I have also experimented with a script that removes all the ips, and then just adds one.
netsh interface ipv4 delete address "Ethernet" 104.251.111.110
netsh interface ipv4 delete address "Ethernet" 104.251.111.111
netsh interface ipv4 delete address "Ethernet" 104.251.111.112
netsh interface ipv4 delete address "Ethernet" 104.251.111.114
....
netsh interface ipv4 add address "Ethernet" 104.251.111.115 255.255.255.0
This changes the address BUT I end up having only one IP for both applications.
If the applications you intend to use doesn't support binding to interfaces/ip (true, it's uncommon), you can use SOCKS or Proxy software (which is a lot more common, especially browsers).
For instance you could install WinGate or Squid http://www.squid-cache.org (which is the one I know most).
Squid-Cache have the ability to bind to different outgoing addresses based on rules (http://www.squid-cache.org/Doc/config/tcp_outgoing_address/ ).
Basically what you need to do is:
install Squid
add ACL for loopback IP mapping, such as:
acl IP110 src 127.0.0.1/32
acl IP111 src 127.0.0.2/32
[...]
tcp_outgoing_address 104.251.111.110 IP110
tcp_outgoing_address 104.251.111.111 IP111
[...]
And the default, which is just formally needed:
tcp_outgoing_address 104.251.111.110
Each application will then need to be configured with a Proxy (or SOCKS, if you go that way), which is a configuration option most commonly available. On the proxy configuration set the corresponding local IP:
for outgoing connection using IP .111, use proxy on 127.0.0.2
for outgoing connection using IP .110, use proxy on 127.0.0.1
.. and so on.
Make sure Squid (or WinGate) bind to localhost 127.0.0.1/24, so you shouldn't have big security concerns, but if this is exposed on internet you may want to proceed to security assessment anyway.
This way if you decide to offload some application remotely, to other server, you can still manage to use the same outgoing IP(s), you just need to change squid configuration to allow external connection, which could be a big plus for scaling.
It looks like you're searching for a fix involving little rework of the browser applications. Assuming that you're using IIS to serve the applications, you should:
Using File Explorer or command line, soft-link the application configuration in another root folder for each instance of the browser application.
Using IIS, recreate the application as a site for each of the above browser application folders.
Using IIS, bind each instance of the browser application to the IP address you wish to serve it with.
Caveat: It's tempting to use the same app pool for all instances, but evaluate your hardware before! Remember that (depending on the application requirements) you create a single point of failure when using a single app pool. Create separate app pools with identical parameters to reduce this risk.
I am using a Juniper firewall device that our incoming internet connection receives, then a switch that connects a bunch of servers that is connected to the firewall.
For some reason, some of the traffic between the hosts connected to the switch are showing up as sessions on the Juniper firewall. The hosts are using the same network address. I thought the traffic should be strictly going through the switch to other host, not out to the firewall and then back to the switch then the host.
I created a test environment, with a small switch, and the traffic between the hosts did not show up on the firewall sessions.
Is there anything particular to the Cisco SG200-50 that would cause traffic bound from one port to another, same network address, to be sent out to the firewall before switching the traffic to the other port?
The switch will not be looking at the layer-3 packet, it only delivers known unicasts to the port where the destination MAC address is located. It will flood unknown unicasts and broadcasts to all switch ports, including the router. To the switch, the router is just another host.
I have seen this when one or more hosts have either an incorrect mask or an incorrect gateway configured.
Is there a way to access a machine from outside the LAN without port forwarding?
I have two scenarios in my current setup port forwarding is complicating:
I have two FTP servers on the same router I want to access from outside
I want to Remote Control/Access files on Windows computers on the network
Right now, the first option is possible, but it needs reconfiguring the router, while other one seems impossible outside the LAN.
Is there something like [global IP address]/[machine name] or [global IP address]/[Local IP address]?
We need more information. Are these addresses IPv4 RFC 1918 addresses, publicly routed addresses, or IPv6?
If they are in the RFC1918 (10.x.x.x, 172.16.x.x, 192.168.x.x) address space then, simply no. Those addresses are not publicly routed and therefore must be translated to a non-RFC 1918 address.
Otherwise, yes, you can.
If your servers should be available to the public - the answer will be "no".
If you plan to give a limited number of users (for example, only you) access to this servers then you have some options:
Use SSH tunnels with, for example, PuTTY and set up a Forwarding for each service you want to expose to your computer and access it over localhost:port.
localhost:21001 --> 192.168.1.3:21 (FTP1)
localhost:21002 --> 192.168.1.4:21 (FTP2)
Advantage: you can setup your "port-forwardings" at clinet-side
Disadvantage: you need a router or another computer running the SSH server
Use a VPN (for example, OpenVPN, PPTP, etc.) to get access to your LAN from outside. Then you can act like you are in your LAN.
Advantages:
easy to use if setup properly
you can use almost every protocol
Disadvantage: Need to setup VPN Service/Gateway
I am splitting an application into a tray application and a Windows Service and I want to use TCP to communicate between the two*. They will both be running on the same machine.
My question is do firewalls block TCP communication between applications running on the same machine? I want to know whether firewalls are something I need to worry about when testing.
(*note that I want to use TCP instead of named pipes for communication because the apps might one day run on separate computers but that will be far in the future)
The primary objective of the firewall is to control the incoming and the outgoing network traffic! Firewall's are designed to work on IP or PORT basis.
So yes, it is 100% capable of blocking connection on same machine.(I guess you are using Class A IP [127.x.y.x] address used mainly for loopback testing and interprocess communication on the local computer).
Some firewall are preconfigured not to block local machine connection while other are configured to block them. But either way a firewall can be configured to allow/deny such connection.
I am trying to implement server auto discovery so that clients will be able to see a list of servers available to connect to. I would like to auto discover servers even if they are in different subnets.
I have read that windows does not respond to broadcast ping, but is it possible to make all these servers to join a multicast group and use multicast ping on the group to see what servers are up?
Thanks
Try Zero configuration networking (Zeroconf).
Note multiple LAN segments requires routers to be configured to route multicast traffic, they do not by default. Similarly IGMP enabled switches are usually recommended for computer connectivity.