1

Hi,

I have the below setup on a ESXi host.

Firewall Router has no restrictions.

For context, I have a Windows Server 2022 running Veeam, and Starwind SANAndNAS configured for backup storage as Hardened Linux Repository, and a user veeam is created for managing VHR.

image
image576×578 39.3 KB

Starwind has 2 interfaces, 10.11.30.178 for management (not shown), and 10.11.40.178 for Data.

SSH works fine when accessed via Management interface but not when accessed via the Data interface.

image
image1341×1260 145 KB

I can ping from VM1 to VM2 but cannot SSH into it, and shows the below error.

key_exchange_identification: read: Connection timed out

image
image1098×598 80.3 KB

SSH service is running fine on VM2.
image
image955×647 73.4 KB

Any thoughts what might be wrong ?

If everything is on the same network, everything works fine.

Thank You

2

What is your router VM? If it has a firewall on it, like Pfsense/OPNsense, make sure the two VLANS can communicate on port 22 or all ports if they are trusted internal networks - both ways

3

the router VM is a Fortigate firewall VM, all ports and protocols are allowed on all interfaces, both ways…

4

is 10.11.x.x your data interface, if so, isn’t it by design that the management interface is the only one that should work?

5

I tested this in a different setup with no router involved, and I could reach both interfaces via SSH, nothing in documentation about SSH access via management interface either…

Just done some ping checks, seems Data interface is not reaching firewall interface 10.11.30.100…

TestSTarWind-2024-05-25-11-11-33
TestSTarWind-2024-05-25-11-11-33800×600 4.49 KB

In this case is there suppose to be a Static route between them ?

if yes, I was under the assumption as both interface are on the same firewall explicit Static need not be set ?!

6

Firewalls and routers are different things, while firewalls can route, you have to create firewall rules between the two VLANs and depending your firewalls configuration, you may also have to create the routes.

1 Spice up
7

Thanks @Rod-IT

I have policies between both VLAN interfaces, will dig further…

8

If you are using VLANs, then you would need 2 vSwitch on the ESXi which are VLAN-tagged and then the vSwitches would also have physical NICs to your physical switches that are VLAN tagged ? And above that, I would also assume that the subnets are /19 or smaller.

I do not really understand the design of the router-VM ?

  • The VMs should be linked to their respective vSwitch
  • The Router-VM should be linked to both vSwitches
  • If you are using a firewall as a router, you will also need to open the required port(s) as some SSH applications uses all 4 ports (21, 22, 23, 25)

Then a bit out of context…

  • which Veeam product are you using
  • why storing backup data sets on a VM
  • security of out, even if you have a VLAN and different subnet when ping, SSH, FTP or SMB is enabled (this is like basic loophole) ?
1 Spice up
9

I have 2 vSwitches, Portgroup 1G is on vSwitch 1G, and Portgroup 10G is on vswitch 10G…

This is correct and is how you have mentioned (the VM connectivity in the diagram is not accurate but both VMs are in their respective Portgroups connecting to their respective vSwitch, and the Router VM is connected to both vSwitches)…

The firewall has no restrictions, all traffic is allowed on all ports…

  1. Veeam 12
  2. This is just a lab environment
10

Hi @tryllz and thank you for your interest in our products!

We have SSH up without binding to the interface. Therefore, it should work on any link. SSH is also used for communication between StarWind VMs and gets enabled automatically as soon as you create an HA device.

image

You most likely have some specific network configuration that prevents you from connecting to SSH on the data network. Let me know if you need any assistance with that, and I will gladly ask one of our engineers to help you.

Should you have any questions, do not hesitate to ping me directly. A complete guide on setting up our Veeam Hardened Repository can be found here https://www.starwindsoftware.com/blog/starwind-vsan-as-hardened-repository-for-veeam-backup-and-replication.

I wish you a perfect weekend!

11

Thanks @supaplex-starwind

@Rod-IT guided me right, it was a routing problem and nothing to do with StarWind. As StarWind had 2 interfaces the Firewall was disabled for Asymmetric Routing, which is why SSH wasn’t responding.

Enabled Asymmetric Routing in Fortigate…

config system settings
    set asymroute enable
end

And now I’m able to reach SSH over the Data interface…

image
image1099×599 20.8 KB

Thanks @Rod-IT and @adrian_ych

12

Excellent! Glad to hear that :slight_smile: