Accessing WebGUI from Off Primary/Home Subnet? - RESOLVED
Hi folks, I've noticed that I'm unable to access the webgui from off the same LAN where NexentaStor resides. I know it's not a firewall/port forwarding issue, so I looked into it and checked out the command from the NMC:
setup appliance authentication
and I went to "dbus-iptable" and added a single IP address from which I was connecting, but this didn't seem to change things. I also added "0.0.0.0" as a source IP thinking this might just allow blanket access, but that didn't do it either.
I'd like to simply allow all webgui access from any external IP, accepting the security risks inherent in that choice for now. Could anyone explain how to accomplish this?
Thanks much! AJM
can you show me from nmc
show network interface
Linda, thank you in advance for anything you can offer that might help. FYI, I can successfully ping outbound from the command line console.
==== Interfaces ====
Sorry, double post...
so what is the ip of the system you are trying to access the webgui from?
The test LAN it's on is obviously 192.168.0.0/24 but that's behind a NAT to the real world.
There's port forwarding established from the external interface of the NAT to the IP of the NexentaStor (192.168.0.75) on port 2000.
Basically, I'd like to be able to access port 2000 from any IP anywhere in the world for now. I can lock it down more tightly later, but right now it apparently doesn't answer port 2000 requests originating anywhere outside its home LAN.
Hope that helps, let me know how else I might clarify things.
Thank You, AJM
Are you sure the nexenta has a valid default IP gateway?
I thought that sounded like it too, but there it is in the GUI. I even removed and re-added it to make sure.
Dropped to a CLI and did the following to double-check:
root@SYCORAX:/export/home/admin# cat /etc/defaultrouter
I can ping outbound to all sorts of DNS names and IPs beyond the test LAN, so it's definitely getting out.
How about running tcpdump on the nexenta, matching on port 2000, and then try to connect from an outside host and report what you see?
I see tcpdump is not built-in to NS, any pointers on adding it? -AJM
I'm guessing 'apt-get install tcpdump'?
Sorry, should have mentioned I tried that and it can't find the package.
root@SYCORAX:/export/home/admin# apt-get install tcpdump
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package tcpdump
Bummer, maybe Linda can comment on how to get tcpdump? You could try running tcpdump/wireshark on the other host and see if anything at all is coming back?
You said it's behind a firewall, have you set up a rule to pass through traffic on port 2000?
We currently have nexenta boxes on several different subnets without problems, but we don't have any NAT in between the different subnets, just routing (like 192.168.0.1/24 and 192.168.5.1/24).
Thanks, yes, I did have port forwarding on TCP 2000, but the problem seems to have resolved itself.
I wanted to re-arrange the underlying physical storage under the syspool so I just blew away the whole instance and reinstalled from scratch. Same IP, so I know the forwarding rule must have been OK. Now it works! I don't think I did anything different or special in either case, but it's working, so perhaps I inadvertently knocked a lever or knob in the wrong direction previously.
Thanks everyone, regardless! AJM
RE: Accessing WebGUI from Off Primary/Home Subnet? - RESOLVED - Added by Reuben Bryant 11 months ago
Just another thing to watch for that I found:
If you are going through a Cisco ASA 5510, you will need to change the web GUI port. I wasted hours on this issue. For some reason the ASA blocks port 2000 even if you have it wide open!! Change the port to any other number and you are sweet.
Hope this helps someone in the future.