On VM firewall is not working properly

    Question

  • Hi,

    I have problems with a Windows Server 2012 R2 VM. The firewall on my Hyper-V virtual machine won't open ports when I add them. I need to turn the firewall off and on for it to work.

    This issue occurs only on the VM, not when I install on a physical server.

    Does anyone have experience with this issue?

    Best regards

    Zlatan

    Friday, March 3, 2017 8:48 AM

All replies

  • Hi Bosancero,

    Please provide more information about the Hyper-V network configuration.

    Maybe you have set "Allow management operating system to share this network Adapter" option for your Hyper-V virtual switch?
    https://integrationblocnotes.wordpress.com/2011/11/12/disable-hyper-v-host-connection-to-virtual-switch/

    I saw many strange problems if this option is set.

    Regards

    Sebastian

    Friday, March 3, 2017 1:53 PM
  • Hi Sebastian,

    Thanks for your information. I tried this option, but the only challenge I have with it is that I cannot set a static IP on the physical server. Do you have a solution for that?

    Best regards

    ZS 

    Monday, March 6, 2017 9:17 AM
  • Hi,

    You need to create a static IP on the newly created virtual switch network adapter - vSwitch.

    After you set "Allow management operating system to share this network Adapter" you then need to set the IP address on the vSwitch adapter.

    Additionally you can set firewall rules over VM Network adapter using:

    Add-VMNetworkAdapterExtendedAcl

    Radek


    Monday, March 6, 2017 12:05 PM
  • Hi Radek,

    Still not working, I have tried but still not helping. 

    Best regards

    ZS

    Monday, March 6, 2017 1:08 PM
  • OK, so can you somehow explain more about what exactly is not working for you?

    Maybe a screenshot could help to explain where the problem is.

    Radek

    Monday, March 6, 2017 1:46 PM
  • I agree with Radek that more detail is required.  The firewall on the host and the firewall on the VM are two completely separate things.  Your VM can use a virtual switch that is either dedicated to the VM or is shared with the host, but in either case, firewall rules in one environment are not affected by firewall rules in the other.  So it does not make any difference whether or not the host has a static address or not.  If you are trying to set firewall rules in the VM, set them in the VM.

    Simply saying it does not work is not helpful.  We need to know your VM's network configuration in relation to its virtual switch configuration, and exactly what you have tried to do to set the firewall rule in the VM.


    . : | : . : | : . tim

    Monday, March 6, 2017 1:52 PM
  • Also note that there are three firewall profiles (domain, public, private). Setting rules in one profile would not carry over to another profile. Until you connect the VM vEthernet to something, NLA may have trouble deciding which profile is applicable.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Monday, March 6, 2017 2:42 PM
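
Added example (not part of the thread): a PowerShell check, run inside the VM, for the firewall-profile point made in the reply above. It reports the profile NLA assigned to each interface and whether an enabled inbound allow rule for TCP 1433 applies to that profile; the variable names are illustrative.

```powershell
# Added example; run inside the VM from an elevated PowerShell prompt.
$port = '1433'   # port from this thread; LocalPort values are strings

# Profile that NLA assigned to each connected interface.
# NetworkCategory is Public, Private or DomainAuthenticated.
$activeProfiles = Get-NetConnectionProfile | ForEach-Object {
    $category = $_.NetworkCategory.ToString()
    [pscustomobject]@{
        Interface = $_.InterfaceAlias
        Profile   = if ($category -eq 'DomainAuthenticated') { 'Domain' } else { $category }
    }
}

# Is the firewall switched on for each profile?
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# Enabled inbound allow rules whose port filter names TCP/$port.
# Port ranges such as "1433-1434" are not expanded by this check.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains $port
    }

# A rule only takes effect on an interface if its Profile value
# is Any or includes that interface's active profile.
foreach ($nic in $activeProfiles) {
    $covering = $rules | Where-Object {
        $ruleProfiles = $_.Profile.ToString() -split ',\s*'
        $ruleProfiles -contains 'Any' -or $ruleProfiles -contains $nic.Profile
    }
    [pscustomobject]@{
        Interface     = $nic.Interface
        ActiveProfile = $nic.Profile
        Covered       = [bool]$covering
        Rules         = ($covering.DisplayName -join '; ')
    }
}
```

An interface that shows `Covered = False` has an enabled rule for the port in some other profile, or no rule at all.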
  • Hi Radek and Tim,

    Thanks for your feedback. I understand that you need some more information about the issue. I will try to give more information and I hope it will help; if you have some suggestion about what I can bring, please tell me. On my physical server I have installed a Hyper-V VM and it's running MS SQL, and my problem is that I added a rule in the firewall to open port 1433. My issue is that it doesn't work even if the rule is enabled. So when I turn the firewall off on my domain then it works perfectly. I hope that I have now come with a better response; if there are further questions, please write.

    Best regards
    ZS

    Tuesday, March 7, 2017 7:16 PM
  • Which firewall did you change? The firewall on the VM or on the physical host? Making changes on the physical host would have no impact on the virtual machine. You have to configure the firewall rule on the system on which you want that rule to take effect, just as though the virtual machine were a physical machine.

    . : | : . : | : . tim

    Tuesday, March 7, 2017 8:04 PM
  • Hi Tim,

    I have done it on the VM and only there. Do you have any suggestions?

    Best regards

    ZS

    Tuesday, March 7, 2017 8:14 PM
  • Hi,

    I would recommend the following procedure:

    1) Let's say your Hyper-V host is HOST1 and your VM with SQL is VM1.

    2) Virtual machine VM1 is connected to a virtual switch that is shared with the Hyper-V operating system, right? ("Allow management operating system to share this network Adapter")

    3) On VM1 you set a static IP address (for example 192.168.1.10/24), set firewall exceptions for port 1433, and add a rule to allow ICMP pings ( https://social.technet.microsoft.com/Forums/getfile/640225 )

    4) From Hyper-V host HOST1 (it resides in the same subnet, for example 192.168.1.15/24) try to ping VM1 at 192.168.1.10

    5) In the next step you can install the Telnet Client on Hyper-V HOST1 (or some other machine in the same subnet) and try to telnet on port 1433 to your VM1

    telnet 192.168.1.10 1433

    So any success with this?

    Radek

    Wednesday, March 8, 2017 9:28 AM
  • Hi Radek,

    I get this when I test it.

    Wednesday, March 8, 2017 9:45 AM
  • Hi,

    That actually means you are communicating with 10.0.0.102 on port 1433; otherwise you would get

    C:\>telnet 10.0.0.102 1443
    Connecting To 10.0.0.102...Could not open connection to the host, on port 1443: Connect failed


    And that means firewall on port 1433 is not your problem.

    You should also check what else you need to configure on VM1 besides allowing port 1433. And if you still think it is a firewall issue, you can try to temporarily disable the firewall on VM1 using:

    netsh advfirewall set allprofiles state off

    Radek

    Wednesday, March 8, 2017 10:36 AM
  • Hi Radek,

    This is the strangest thing I have ever seen. I tried to connect to my SQL database with the management tool and couldn't get a connection. So when I turn the firewall off then it works.

    Can you please look at the configuration to see what I may have done wrong?


    Wednesday, March 8, 2017 11:26 AM
  • It's been quite a while since I did anything with SQL in a cluster, but I remember there were some dynamic ports that had to be configured as non-dynamic.  Without doing that, you could not access things.  I suggest you ask in the SQL HA forum where you will find a lot more experts in running SQL on clusters - https://social.technet.microsoft.com/Forums/en-US/home?forum=sqldisasterrecovery

    . : | : . : | : . tim

    Wednesday, March 8, 2017 2:08 PM
  • Hi,

    I think you should add further inbound firewall rules for all firewall profiles:

    1) Add a rule for programs and services "%ProgramFiles%\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe". This one depends on which MS SQL version you are using and where sqlservr.exe is located.

    2) Port 1433 TCP

    3) Port 1434 UDP

    This should match the default SQL configuration. But I am not really a SQL guy. You can also try 8798 + 8796 TCP, as I see them in your port configuration.

    Radek

    Wednesday, March 8, 2017 2:08 PM
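
Added example (not part of the thread): the three inbound rules from the reply above created with PowerShell inside the VM, followed by a check of which TCP ports the SQL Server process is really listening on, which also covers the dynamic-port remark earlier in the thread. The rule display names are labels chosen for this example, and the program path is the one quoted in the reply.

```powershell
# Added example; run inside the VM from an elevated PowerShell prompt.
# Path as quoted in the reply; adjust for your SQL Server version and instance.
$sqlExe = "$env:ProgramFiles\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"
if (-not (Test-Path $sqlExe)) { throw "sqlservr.exe not found at $sqlExe" }

# The three inbound rules from the reply. DisplayName values are
# arbitrary labels chosen for this example.
$wanted = @(
    @{ DisplayName = 'SQL Server (sqlservr.exe)'; Program = $sqlExe },
    @{ DisplayName = 'SQL Server TCP 1433'; Protocol = 'TCP'; LocalPort = 1433 },
    @{ DisplayName = 'SQL Server UDP 1434'; Protocol = 'UDP'; LocalPort = 1434 }
)

foreach ($rule in $wanted) {
    # Create each rule only once so repeated runs do not pile up duplicates.
    $existing = Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue
    if (-not $existing) {
        # -Profile Any applies the rule to domain, private and public.
        New-NetFirewallRule @rule -Direction Inbound -Action Allow -Profile Any | Out-Null
    }
}

# Ports the SQL Server process is actually listening on. If 1433 is not
# in this list, the instance uses another (possibly dynamic) port and
# the TCP 1433 rule will never match its traffic.
$sqlPids = (Get-Process -Name sqlservr -ErrorAction SilentlyContinue).Id
Get-NetTCPConnection -State Listen |
    Where-Object { $sqlPids -contains $_.OwningProcess } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort -Unique
```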

  • Hi,
    Are there any updates on the issue?
    You could mark the reply as answer if it is helpful.
    Best Regards,
    Leo

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 16, 2017 7:17 AM
    Moderator
  • Hi Leo,

    I haven't found the right solution yet. I think I need to move this issue to another forum.

    Regards

    ZS

    • Marked as answer by Bosancero Thursday, March 16, 2017 7:24 AM
    Thursday, March 16, 2017 7:24 AM