I’m not sure where to start troubleshooting this. I segregated my network into a few different VLANs (servers, workstations, wifi, etc…). I have VMs and LXC containers running in Proxmox, routing is handled by OPNsense, and I have a couple of TP-Link managed switches. All of this is working fine except for one problem.

I have a couple of systems (VM and LXC) that have interfaces on multiple VLANs. If I SSH to one of these systems on the IP that’s on the same VLAN as the client, it works fine. If I SSH to one of the other IPs, it’ll initially connect and work, but within a minute or so the connection hangs and times out.

I tried running ssh in verbose mode and got this, which seems fairly generic:

debug3: recv - from CB ERROR:10060, io:00000210BBFC6810
debug3: send packet: type 1
debug3: send - WSASend() ERROR:10054, io:00000210BBFC6810
client_loop: send disconnect: Connection reset
debug3: Successfully set console output code page from 65001 to 65001
debug3: Successfully set console input code page from 65001 to 65001 

I realize the simple solution is to just use the IP on the same subnet, but my current DNS setup doesn’t allow me to provide responses based on client subnet. I’d also like to better understand (and potentially solve) this problem.

Thanks

  • Yeah, I did some packet captures this afternoon and realized that’s exactly what’s happening.
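For anyone following along, the asymmetry shows up if you capture on both of the multi-homed VM’s interfaces while SSHing to the “wrong” IP. This is a sketch, assuming the interfaces are eth0 (on the client’s VLAN) and eth1 (the other VLAN); the names are placeholders, not the actual config from the thread:

```shell
# Run each capture in its own terminal on the multi-homed VM.
# In the broken case, the SSH SYN arrives on eth1 (routed through
# OPNsense), but replies leave directly via eth0 (same L2 as the
# client) — so the firewall only ever sees half the conversation
# and eventually drops or resets its connection state.
tcpdump -ni eth1 'tcp port 22'   # inbound leg, via the router
tcpdump -ni eth0 'tcp port 22'   # return leg, bypassing the router
```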

    I want the VM to have multiple interfaces; I was just being lazy about connecting to it (I wanted to use DNS). The way I see it, I have three options.

    1. Connect via IP to the interface on the same subnet.
    2. Separate A records for each IP. Feels like #1 with extra steps.
    3. Overcomplicate things with BIND views on my internal zone so it returns the best IP for the client.
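Option 3 might look roughly like this in named.conf — a hedged sketch, assuming two client subnets (10.0.10.0/24 and 10.0.20.0/24) and an internal zone called home.lan; every name, subnet, and file path here is an illustrative placeholder:

```
// Hypothetical named.conf excerpt: serve a different A record
// depending on which subnet the client's query comes from.
acl workstations { 10.0.10.0/24; };

view "workstations" {
    match-clients { workstations; };
    zone "home.lan" {
        type master;
        file "/etc/bind/db.home.lan.workstations";  // A record on 10.0.10.x
    };
};

view "default" {
    match-clients { any; };
    zone "home.lan" {
        type master;
        file "/etc/bind/db.home.lan.default";       // A record on 10.0.20.x
    };
};
```

The catch (and why it feels overcomplicated) is that every zone then has to live inside a view, and each view needs its own copy of the zone file to maintain.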

    I also found something online about policy-based routing on the VM. But all of this reeks of me overcomplicating things when I could just use the IP the couple of times a month I SSH to these boxes.
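For the record, the policy-based routing approach would look roughly like this on the multi-homed VM. A sketch under assumptions: the second interface is eth1 with address 10.0.20.5/24 and gateway 10.0.20.1, and routing table number 100 is unused — all placeholders, not values from the thread:

```shell
# Sketch: give the second interface its own routing table, so traffic
# sourced from its address also leaves through it. That keeps each
# conversation symmetric from the firewall's point of view.

# Register a named routing table (one-time setup)
echo "100 vlan20" >> /etc/iproute2/rt_tables

# That table's default route goes via the second VLAN's gateway
ip route add default via 10.0.20.1 dev eth1 table vlan20

# Packets sourced from eth1's address consult the vlan20 table
ip rule add from 10.0.20.5 table vlan20
```

These commands don’t persist across reboots; they’d need to live in whatever network configuration the guest uses (ifupdown hooks, netplan, systemd-networkd RoutingPolicyRule, etc.).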

    • towerful · 1 year ago

      We have gone through the exact same process!
      Multiple NICs, fancy DNS, Linux not replying on the same interface.

      I ended up being super lazy about it and using somewhat sensible IP addresses.
      And only using 1 NIC - which also massively simplified firewall rules.
      Everything turned into zone-based rules (i.e. mgmt has access to dmz, vms, and wan; VMs have access to wan; DMZ has access to nothing; anything else needs a specific rule).
      I’m even thinking about swapping to a more zone oriented firewall solution.
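The zone idea above could be sketched like this — expressed in nftables for concreteness (OPNsense itself is BSD/pf-based, so this is only to illustrate the shape of the rules); interface names and zone membership are placeholders:

```
# Illustrative zone-style forwarding policy, not anyone's actual config.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # allow return traffic for established connections
        ct state established,related accept

        # mgmt zone may reach dmz, vms, and wan
        iifname "vlan-mgmt" oifname { "vlan-dmz", "vlan-vms", "wan" } accept

        # vms may reach wan only
        iifname "vlan-vms" oifname "wan" accept

        # dmz gets no accept rule, so it can initiate nothing;
        # anything else would be added as a specific rule here
    }
}
```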

      However, if I were to do it again, I’d ditch the multiple VLANs (well, almost: I’d have a Proxmox/hardware VLAN and a VM VLAN). I’d manage VM firewalls in Proxmox, and network firewalls in OPNsense.
      Then I can be precise about who talks to who.