Cloned VM only reachable in local LAN, but not from outside

[Daviz]

Hello,

i cloned the harddisk of my virtual debian server to make a second server from it. I made an new VM with identical settings. In the debian guest i changed only the content of the web root. So far so good: i can access the machine from inside our local LAN, but when i try it over DynDNS, nothing appears.

If i shoutdown the machine and start the first VM (the original), accessing over DynDNS is no problem.

What can be the reason that the new VM is not reachable from WWW? I looked a few hours for differences in the VM settings or configs in the debian machine, but found nothing.


Regards,
David

[Daviz]

No idea, what could be the reason that my virtual debian server is not reachable from www?

[vbox4me2]

How is port mapping done from the outside? how is traffic going to this vm from the outside? VM using a reference to the outside address or route?

[Daviz]

Hello,
thanks for your help!

The router redirects all TCP packets on port 80 to the virtual server which has a static IP. The VM has a bridged adapter. The web content is placed in the apache default folder.
In the LAN i access the site with the static IP, from WAN with a DynDNS URL.

Regards,
David

[Daviz]

I watched the networks packets with Wireshark, but i have no experience how to read the capture data. So i attach two screenshot of it. Blue is my work station, red is the VM.

The first shows the captured data when trying to reach the "not working VM" over the DynDNS URL, which results in a timeout message in the browser.

packets.png (53.76 KiB) Viewed 3579 times

The second one shows the captured data when trying to reach the "working VM" over the DynDNS URL, which result is oaky, showing the requested site in the browser.

Packets-okay.png (67.73 KiB) Viewed 3577 times

Regards,
David

[vbox4me2]

How do you differentiate between VM1 and VM2 when it comes to port 80 ?? you can only forward port 80 to one machine with one external address.

[Daviz]

I don't let them run together. I shutdown the first before i start the second.

[vbox4me2]

And they use the same internal IP address? do a traceroute to the router from both vm's.

[Daviz]

Yes, they use the same IP. I will do the traceroutes tomorrow, when i am back in the office.

Thanks for your help,
David

[Daviz]

Hi,

this is the traceroute from the VM which is not reachable from WAN:

Code: Select all

traceroute 192.168.X.Y
traceroute to 192.168.X.Y (192.168.X.Y), 30 hops max, 60 byte packets
 1  localhost (192.168.X.Y)  2.209 ms  2.599 ms  2.859 ms

And this is the reachable VM:

Code: Select all

traceroute 192.168.X.Y
traceroute to 192.168.X.Y (192.168.X.Y), 30 hops max, 60 byte packets
 1  localhost (192.168.X.Y)  0.710 ms  0.994 ms  1.390 ms

Regards,
David

[vbox4me2]

Ok now do the same from the outside for each vm. Try also portquery (ms tool) to see if both destinations are listening on port 80.

[Daviz]

Hi,

this is the traceroute from LAN to the VM which is not reachable from WAN:

Code: Select all

traceroute 192.168.Z.Z
traceroute to 192.168.Z.Z (192.168.Z.Z), 30 hops max, 60 byte packets
 1  www.XYZ.dev (192.168.Z.Z)  0.198 ms  0.212 ms  0.278 ms

and from WAN:

traceroute.png (40.48 KiB) Viewed 3565 times

traceroute from LAN to the reachable VM:

Code: Select all

traceroute 192.168.Z.Z
traceroute to 192.168.Z.Z (192.168.Z.Z), 30 hops max, 60 byte packets
 1  www.XYZ.dev (192.168.Z.Z)  0.189 ms  0.207 ms  0.266 ms

and from WAN:

traceroute-okay.png (39.49 KiB) Viewed 3563 times

Regards

[Daviz]

Here also the port 80 check for both VMs:

Code: Select all

nc -z -v -w2 192.168.Z.Z 80
Connection to 192.168.Z.Z 80 port [tcp/www] succeeded!

I have written it above: inside the LAN i have no problem with the webserver, i can access the website from every pc inside the LAN.
With the older VM i can also access the website from WAN (wget from webserver). When i shutdown the older VM and start the newer one, i can only access the website from LAN, not WAN. The port redirection rule on the router is the same, because both VMs are using the same static IP.

Regards,
David

[vbox4me2]

Ok, so that leaves the IP settings of the second VM(new), are the settings really identical(ea. the gateway)? Also check the router again for MAC filters or MAC tables, maybe the router is associating one VM's mac with an IP and refuses the other with a different mac. Can you monitor incoming connections on the new VM, just to see what it is doing with it(ea. dropping or answering them when they come from the router) wireshark should tell you exactly whats going on.

[Daviz]

Ok, so that leaves the IP settings of the second VM(new), are the settings really identical(ea. the gateway)?

That was the answer, thanks! The gateway was not the same, it was another router. I haven't seen that, thier IPs are "nearly identical".
My god, what have i wasted time for this "little typo". But thanks you, it works finaly. Your analytical style helped me a lot!

Have a nice easter weekend,
David