Intervlan connectivity issue with NFC

[woter]

Hi,

For the sake of transparency, I have posted this issue on Serverfault.

I have an ESXi server on VLAN65 (192.168.65.2), a backup server on VLAN60 (192.168.60.203) and a PC on VLAN50 (192.168.50.101).

The backup server needs to talk to the ESXi server on port 902 (Network file copy (NFC)), but it is failing to communicate, however, I am able to perform a successful test between my PC and the ESXi server:

Code:

PS C:\> Test-NetConnection -ComputerName esx01.domain.net -Port 902
WARNING: TCP connect to esx01.domain.net:

ComputerName           : esx01.domain.net
RemoteAddress          : 192.168.65.2
RemotePort             : 902
InterfaceAlias         : Ethernet0
SourceAddress          : 192.168.60.203
PingSucceeded          : True
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded       : False

I am able to communicate between VLAN60 and VLAN65 using ping and traceroute.

There are no firewall rules between these VLANs.

I have used the "All Sessions" report to try and troubleshoot, however, the only error I see is "invalid_blocked", however, other posts on this forum suggest I should ignore these. I don't see "invalid_block" when testing from my PC.

There are a lot of moving parts to this problem, and I am not saying it is my Untangle device at fault.

Are there any other reports or tools that I can use on Untangle to use to help resolve the issue?

If anyone has any suggestions or ideas, I'd be very grateful if you could share your thoughts.

Thanks in advance.

[sky-knight]

What modules do you have installed?

And have you tried bypassing traffic between the two networks? That will rule out any modules getting in the way.

[woter]

Thanks for replying @sky-knight.

I don't have access right now, but it is the free version. Firewall and VPN are definitely enabled.

I think it was a bypass rule that I added, which made no difference. I'll confirm tomorrow (+8 hours).

I have just set up a new backup job between the same backup server and a standalone ESXi (v. 7.0) host. This host sits on the same VLAN as the other ESXi hosts. The backup ran successfully and Test-NetConnection cmdlet works too.

Now I'm even more confused over what is going on.

Thanks.

[sky-knight]

That sounds like a local firewall issue on that specific host.

[woter]

It appears to be something to do with Untangle.

I thought I had created a bypass rule, but I had managed to create a filter rule. D'oh.

Once I created the bypass rule, the Test-NetConnection cmdlet started working from VLAN60 to VLAN65.

To answer @sky-night's question, I only have firewall, captive portal, report and OpenVPN modules enabled.

Thanks

[sky-knight]

If bypass works, then something in your modules is doing the blocking. It's also possible there's something about the protocol that's non-standard and Untangle eats it just existing.