
I have some Linux VMs on an ESXi 7 host, which all have addresses 172.16.0.x in the 172.16.0.0/24 subnet. They are all connected to a portgroup called internal_network on my vSwitch and they can all see each other.
Then, I created a new Linux VM called jumpbox on the same ESXi host with 2 NICs, one in the internal_network portgroup and one in the VM Network portgroup on the same vSwitch, with the following IP addresses:

  • ens160 connected to VM Network: 192.168.131.222
  • ens192 connected to internal_network: 172.16.0.1

From jumpbox I can ping all the VMs in the 172.16.0.0/24 subnet, and they can all ping jumpbox. If I set a default route using 172.16.0.1 as gateway, all of them can reach other machines in my network and the internet.
The last thing I'd like to do is ping any of the VMs, say VM_1 on 172.16.0.101, from my PC using jumpbox as a router. My PC has IP 192.168.250.182 (by DHCP) and can be pinged from any of the VMs and the jumpbox, but the reverse does not work.

To summarize:

  • jumpbox to PC: works.
  • VM_1 to PC: works.
  • PC to jumpbox on IP 192.168.131.222: works.
  • PC to jumpbox on IP 172.16.0.1: DOESN'T WORK.
  • PC to VM_1 on IP 172.16.0.101: DOESN'T WORK.

These are the things I've done which I am pretty sure I should have done:

  • Adding net.ipv4.ip_forward=1 to /etc/sysctl.conf on the jumpbox.
  • Enabling promiscuous mode on the vSwitch.
  • Adding a route on my PC with the command
    route add 172.16.0.0 mask 255.255.255.0 192.168.131.222
    
    Ping from VM_1 to my PC works even without the route.

I think I need to do something in iptables on the jumpbox, but I don't know much about it.
Right now, this is the output of iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Can someone help me figure this out? Thanks!

EDIT: all the machines have their firewalls disabled.
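The failure pattern in the summary above (reverse path works, forward path does not) comes down to one routing rule: a route's gateway must be on-link for the host that installs the route, otherwise the host cannot ARP for it and the route is dead. The script below is an added example, not code from the question or from any answer, that models that check in plain POSIX shell with the addresses from the question. It walks a tiny static routing table the way a host's longest-prefix match would, then tests whether the chosen next hop sits in the host's own subnet. The PC's default gateway address (192.168.250.1) is an assumption made for illustration; nothing on the page states it.

```bash
#!/bin/sh
# Added example (not from the original question): check whether a host can
# actually use the gateway of a static route. A gateway that is not in one of
# the host's own subnets is unreachable, however the route looks in the table.

# ip_to_int DOTTED_QUAD -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_to_mask LEN -> netmask as 32-bit integer (24 -> 4294967040)
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# same_subnet ADDR/LEN OTHER -> exit status 0 when OTHER is inside ADDR's subnet
same_subnet() {
    addr=${1%/*}; prefix=${1#*/}
    mask=$(prefix_to_mask "$prefix")
    a=$(ip_to_int "$addr"); b=$(ip_to_int "$2")
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# next_hop DST "NET/LEN GATEWAY"... -> gateway of the longest matching route
# (this is the lookup a host performs; "0.0.0.0/0 GW" is its default route)
next_hop() {
    dst=$1; shift
    best_len=-1; best=""
    for entry in "$@"; do
        set -- $entry                     # NET/LEN GATEWAY
        len=${1#*/}
        if same_subnet "$1" "$dst" && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best=$2
        fi
    done
    echo "$best"
}

# path_check LOCAL/LEN DST "NET/LEN GATEWAY"... -> one of:
#   direct                    destination is on-link, no gateway needed
#   via GW                    route found and its gateway is on-link
#   gateway GW unreachable    route found but the host cannot ARP for GW
#   no route                  nothing matched
path_check() {
    local_addr=$1; dst=$2; shift 2
    if same_subnet "$local_addr" "$dst"; then
        echo direct; return
    fi
    gw=$(next_hop "$dst" "$@")
    if [ -z "$gw" ]; then
        echo "no route"; return
    fi
    if same_subnet "$local_addr" "$gw"; then
        echo "via $gw"
    else
        echo "gateway $gw unreachable"
    fi
}

# --- Worked cases, addresses from the question ---------------------------
# The PC (192.168.250.182/24, default gateway assumed to be 192.168.250.1)
# after "route add 172.16.0.0 mask 255.255.255.0 192.168.131.222":
path_check 192.168.250.182/24 172.16.0.101 \
    "0.0.0.0/0 192.168.250.1" "172.16.0.0/24 192.168.131.222"
# -> gateway 192.168.131.222 unreachable

# VM_1 (172.16.0.101/24) with "default via 172.16.0.1" replying to the PC:
path_check 172.16.0.101/24 192.168.250.182 "0.0.0.0/0 172.16.0.1"
# -> via 172.16.0.1

# VM_1 talking to the jumpbox itself:
path_check 172.16.0.101/24 172.16.0.1 "0.0.0.0/0 172.16.0.1"
# -> direct
```

The first case is the one the question is stuck on: the PC's route exists, but its gateway is two subnets away, so the PC hands the packet to nothing. The route for 172.16.0.0/24 via 192.168.131.222 has to be installed on a device that is on-link with the jumpbox, typically the router that owns 192.168.131.0/24 and 192.168.250.0/24, which is what the comment on the question suggests.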

  • Do 192.168.250.182 and 192.168.131.222 belong to the same IP subnet and broadcast domain?
    – Tom Yan
    Dec 1 at 15:25
  • No, they each belong to their own /24.
    Dec 1 at 15:35
  • Do you not think that this isn't very robust for a production environment?
    – Chopper3
    Dec 1 at 15:39
  • I don't think you can use 192.168.131.222 as a route gateway unless there's a direct route for it on the PC (and that they are in the same broadcast domain). You probably need to configure route on the PC's default gateway (and maybe more).
    – Tom Yan
    Dec 1 at 15:40
  • @Chopper3 This is not a production environment.
    Dec 1 at 15:45
