Virtual router with external and internal network - how to block (firewall) external from scanning?

Hello.

I have a TestLAB server at Hetzner, and I have used this guide for creating a router.
http://deploymentresearch.com/Research/Post/285/Using-a-virtual-router-for-your-lab-and-test-environment

I have created one external NIC that uses a public IP from Hetzner. I have then created two internal NICs (site1 and site2).
All are connected on the router, where the internal NICs are connected to the external NIC via NAT (see the guide).

I then have some Hyper-V servers and workstations that all use the Site1 network (they all get 192.168.1.xxx IPs), but they have Internet access from the router.

I use a program called Ncentral, and it has a probe on one of my internal servers.
The probe is scanning my local IPs.

Today Hetzner blocked my external IP (the IP used by the router) and gave me an abuse report:

The time matches the time the probe is scanning my internal 192.168.1.1-254.
Still, Hetzner is saying that the probe is scanning other internal networks as well, not just my internal network.
It's strange, because I can only see that the probe is scanning the one 192.168.1.xxx network, and they could not provide any more logs showing that the probe is scanning more.

So they want me to create a firewall rule on the external IP so it does not scan local networks.
How can I do that? I assume that if this is to work, I have to create this firewall rule on the router?
Or is there any other way to stop this issue? I can't understand why Hetzner doesn't allow me to scan my own internal network with this probe.

Please ask if there are any more info you need to help me with this.
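The filter Hetzner is asking for, sketched as an added example (this is not code from the thread or from the linked guide): a small Python model of the virtual router's forwarding decision. Traffic from an internal site to an attached site is routed internally; traffic to a public address is NATed out the external NIC; traffic to any other RFC 1918 prefix must be dropped on the external interface, because after NAT it would arrive in the provider's network with the router's public IP as source, which is exactly what an abuse report about "scanning other internal networks" describes. Only Site1 = 192.168.1.0/24 comes from the original post; the Site2 prefix, the probe address and the scan ranges below are constructed assumptions, and the rule spec at the end is interface-agnostic so it can be transcribed into whatever packet filter the router VM actually runs.

```python
"""Model of the egress filter a NAT virtual router needs.

Constructed example: the Site2 prefix, probe address and scan ranges are
assumptions for illustration; only Site1 = 192.168.1.0/24 is from the post.
"""
from ipaddress import ip_address, ip_network

# Internal sites attached to the virtual router (Site2's prefix is assumed).
SITES = {
    "Site1": ip_network("192.168.1.0/24"),
    "Site2": ip_network("192.168.2.0/24"),
}

# RFC 1918 space. Anything here that is not an attached site must never be
# forwarded out the external (public) NIC.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def attached_site(addr):
    """Name of the attached site containing addr, or None."""
    for name, net in SITES.items():
        if addr in net:
            return name
    return None


def classify(src, dst, block_private_egress=True):
    """Forwarding decision for one packet arriving from an internal site.

    Returns one of:
      ("local", site)        dst is on an attached site, routed internally
      ("nat", "external")    dst is public, masqueraded out the external NIC
      ("drop", "external")   dst is private but not attached; the egress
                             filter discards it instead of NATing it upstream
    With block_private_egress=False the third case degrades to ("nat", ...),
    which is the behaviour the provider is complaining about.
    """
    s, d = ip_address(src), ip_address(dst)
    if attached_site(s) is None:
        raise ValueError(f"{src} is not on an attached internal site")
    site = attached_site(d)
    if site is not None:
        return ("local", site)
    if any(d in net for net in RFC1918):
        return ("drop", "external") if block_private_egress else ("nat", "external")
    return ("nat", "external")


def scan_hosts(prefix):
    """All host addresses of a prefix as strings (what a probe sweep targets)."""
    return [str(h) for h in ip_network(prefix).hosts()]


def leaked_targets(probe_ip, targets, block_private_egress=True):
    """Scan targets that would leave the public NIC as private-destination
    packets carrying the router's public IP, i.e. what the provider sees."""
    return [
        t for t in targets
        if classify(probe_ip, t, block_private_egress) == ("nat", "external")
        and ip_address(t).is_private
    ]


def egress_filter_spec():
    """The interface-level rules that implement the drop decision above, as
    (interface, direction, destination prefix, action) tuples to be
    transcribed into the router's own packet-filter syntax."""
    return [("External", "out", str(net), "drop") for net in RFC1918]


if __name__ == "__main__":
    probe = "192.168.1.10"  # assumed address of the Ncentral probe host
    own = scan_hosts("192.168.1.0/24")       # the sweep the poster intends
    wider = scan_hosts("192.168.0.0/22")     # a sweep that overshoots Site1
    print("own-site sweep, no filter, leaked:", len(leaked_targets(probe, own, False)))
    print("/22 sweep, no filter, leaked:     ", len(leaked_targets(probe, wider, False)))
    print("/22 sweep, with filter, leaked:   ", len(leaked_targets(probe, wider, True)))
    for rule in egress_filter_spec():
        print(rule)
```

Running it shows that a sweep confined to 192.168.1.1-254 never leaves the router at all, while a sweep that overshoots into 192.168.0.x or 192.168.3.x goes out the public NIC unless the outbound drop rules for the three RFC 1918 prefixes exist on the external interface. The rules only touch the external interface's outbound direction, so the internal sites keep their Internet access and their ability to reach each other through the router.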

Comments

  • mikho Member, Host Rep

    If you have bound the internal network to your physical card, it can cause leakage to the rest of the Hetzner network.

    The same thing happens on some providers where you install Plex servers. It allows traffic from 'local' networks.

    VMware can create internal NICs not connected to the physical card to avoid this.

  • myhken Member

    mikho said: VMware can create internal NICs not connected to the physical card to avoid this.

    Stupid that I'm using Hyper-V then... and still, I need to have an Internet connection on my internal network because all the devices on my local network need to speak with our central Ncentral server.

    I think I just have to disable the probe scanning and hope that does the trick.
    Unless somebody has a better solution?

  • Ikoula Member, Host Rep

    Have you set up a VLAN? Maybe it can solve your issue?

  • ihadp Member

    @myhken said:

    mikho said: VMware can create internal NICs not connected to the physical card to avoid this.

    Stupid that I'm using Hyper-V then... and still, I need to have an Internet connection on my internal network because all the devices on my local network need to speak with our central Ncentral server.

    I think I just have to disable the probe scanning and hope that does the trick.
    Unless somebody has a better solution?

    Hyper-V has the same capabilities.

  • myhken Member

    Ikoula said:

    Have you set up a VLAN? Maybe it can solve your issue?

    Did you see the guide I posted? I have just done that.

    ihadp said: Hyper-V has the same capabilities.

    Any guide other than the guide I have used?

  • Ikoula Member, Host Rep

    myhken said: Did you see the guide I posted? I have just done that.

    Maybe I missed it, but no, enabling VLAN configuration is not mentioned in the guide you linked in your original post.

    And by setting up a VLAN I am talking about this: https://blogs.msdn.microsoft.com/adamfazio/2008/11/14/understanding-hyper-v-vlans/

  • myhken Member

    @ikoula I see. But I don't understand whether this VLAN gives an Internet connection to the devices inside the VLAN?

  • Ikoula Member, Host Rep

    A VLAN is some kind of subnet, and regarding the connection to the Internet, the vrouter is meant to take care of that.
