Here is my environment:
I have a physical machine running Windows 2008 R2 with the Hyper-V role. This machine has 3 physical NICs:
- one for the Internet
- one for the internal network
- one dedicated to the wireless network
All 3 have their own virtual network in Hyper-V, and I have an additional private VM network serving as the DMZ network.
On one of the VMs I installed TMG Forefront 2010 SP1, and all 4 networks are available to it. Here is IPCONFIG /ALL on the firewall:
Windows IP Configuration
Host Name . . . . . . . . . . . . : FRW-EXP1-02
Primary Dns Suffix . . . . . . . : exp1.eti.br
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : exp1.eti.br
Ethernet adapter Internet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #4
Physical Address. . . . . . . . . : 00-15-5D-01-06-0E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::6d05:6033:4cfc:bdf5%15(Preferred)
IPv4 Address. . . . . . . . . . . : 189.100.110.xxx(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Lease Obtained. . . . . . . . . . : quarta-feira, 5 de janeiro de 2011 11:17:24
Lease Expires . . . . . . . . . . : quarta-feira, 5 de janeiro de 2011 16:07:02
Default Gateway . . . . . . . . . : 189.100.96.xxx
DHCP Server . . . . . . . . . . . : 201.6.2.43
DHCPv6 IAID . . . . . . . . . . . : 436213085
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
DNS Servers . . . . . . . . . . . : 201.6.2.163
201.6.2.43
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Rede Interna:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #3
Physical Address. . . . . . . . . : 00-15-5D-01-06-0C
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::51ff:4723:ce4c:bbc3%14(Preferred)
IPv4 Address. . . . . . . . . . . : 10.50.75.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 352327005
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
DNS Servers . . . . . . . . . . . : 10.50.75.1
10.50.75.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter DMZ:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #2
Physical Address. . . . . . . . . : 00-15-5D-01-06-0A
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d4c5:75cf:e9aa:73e1%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.10.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 301995357
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Wireless:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-01-06-0B
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::459:8ca6:d02:8da1%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 234886493
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
I have the following networks in Forefront:
External: IP addresses external to the Forefront TMG Networks
Internal: 10.50.75.0 - 10.50.75.255
Local Host:
Perimiter: 192.168.10.0 - 192.168.10.255
Wireless: 192.168.1.0 - 192.168.1.255
In the network rules I have:
1 => Route => Local Host => All Networks
2 => Route => Quarantined; VPN => Internal
3 => NAT => Internal; VPN => Perimiter
4 => NAT => Internal; Perimiter; Quarantined; VPN; Wireless => External
My problem is that I can only communicate with the Internal and External networks. If I ping www.google.com or 10.50.75.21 from the Forefront VM, I get replies without any problem. If I try to ping a machine on the Perimeter or Wireless network, it is not routed back to Forefront, which is the default gateway on all networks. Here are sample pings:
PS C:\Users\Administrator.TPB1> ping www.google.com
Pinging www.l.google.com [64.233.163.104] with 32 bytes of data:
Reply from 64.233.163.104: bytes=32 time=11ms TTL=58
Reply from 64.233.163.104: bytes=32 time=8ms TTL=58
Ping statistics for 64.233.163.104:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 8ms, Maximum = 11ms, Average = 9ms
Control-C
PS C:\Users\Administrator.TPB1> ping 10.50.75.21
Pinging 10.50.75.21 with 32 bytes of data:
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Ping statistics for 10.50.75.21:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
PS C:\Users\Administrator.TPB1> ping 192.168.10.3
Pinging 192.168.10.3 with 32 bytes of data:
Reply from 192.168.10.1: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.10.3:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
PS C:\Users\Administrator.TPB1>
Pinging 192.168.10.3 reports the destination host as unreachable. Here is the ipconfig of the perimeter VM:
PS C:\Users\Administrator.Administrator> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : app-exp1-02
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unkown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-01-06-08
DHCP Enabled. . . . . . . . . . . : No
IPv4 Address. . . . . . . . . . . : 192.168.10.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 201.6.2.163
201.6.2.43
Trying to ping 192.168.10.1 (the gateway) from the DMZ machine does not work either. When I use Logs & Reports to monitor packets coming from the Wireless and Perimeter networks, I do not see any of the PING or HTTP packets I try to send. I do see a lot of spoofed-packet messages for NETBIOS broadcasts... as if Forefront thinks they come from a different network, but I don't know why. Please help!
Thanks
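The spoofed-packet log entries described above are what TMG produces when a packet arrives on an adapter whose source address does not belong to the network bound to that adapter, so the first thing to verify is that every adapter's IPv4 subnet sits inside exactly one TMG network definition. The following script is an added example, not part of the question or of any Microsoft tooling: it parses an ipconfig /all excerpt in the format shown above and the "Name: start - end" network list, and reports adapters that match no network (spoof detection will drop their traffic) or more than one (overlapping ranges). The ipconfig sample is constructed from the question's three internal adapters (the external adapter is omitted); the second network list with the Wireless range mistyped is also constructed, to show what a mismatch looks like.

```python
"""Check each adapter's IPv4 subnet against Forefront TMG network definitions.

Added example (not TMG code).  Inputs below are constructed from the
question's ipconfig output and network list; the second network list
contains a deliberate typo to show how a mismatch is reported.
"""
import ipaddress
import re

ADAPTER_RE = re.compile(r"^Ethernet adapter (.+):$")
IPV4_RE = re.compile(r"IPv4 Address[ .]*: (\d+\.\d+\.\d+\.\d+)")
MASK_RE = re.compile(r"Subnet Mask[ .]*: (\d+\.\d+\.\d+\.\d+)")
NETWORK_RE = re.compile(
    r"^([A-Za-z][A-Za-z ]*):\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)$")

# Constructed excerpt in the layout of the firewall's ipconfig /all above.
IPCONFIG_SAMPLE = """
Ethernet adapter Rede Interna:
   IPv4 Address. . . . . . . . . . . : 10.50.75.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
Ethernet adapter DMZ:
   IPv4 Address. . . . . . . . . . . : 192.168.10.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
Ethernet adapter Wireless:
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# The network list exactly as posted in the question.
NETWORKS_AS_POSTED = [
    "External: IP addresses external to the Forefront TMG Networks",
    "Internal: 10.50.75.0 - 10.50.75.255",
    "Local Host:",
    "Perimiter: 192.168.10.0 - 192.168.10.255",
    "Wireless: 192.168.1.0 - 192.168.1.255",
]

# Constructed variant: Wireless range mistyped as 192.168.0.x instead of 192.168.1.x.
NETWORKS_WITH_TYPO = [
    "Internal: 10.50.75.0 - 10.50.75.255",
    "Perimiter: 192.168.10.0 - 192.168.10.255",
    "Wireless: 192.168.0.0 - 192.168.0.255",
]


def parse_ipconfig(text):
    """Return {adapter name: IPv4Network} from ipconfig /all style output."""
    adapters = {}
    name = ip = mask = None
    for raw in text.splitlines():
        line = raw.strip()
        header = ADAPTER_RE.match(line)
        if header:
            name, ip, mask = header.group(1), None, None
            continue
        if m := IPV4_RE.search(line):
            ip = m.group(1)
        if m := MASK_RE.search(line):
            mask = m.group(1)
        if name and ip and mask:
            # strict=False turns the host address into its containing subnet.
            adapters[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            ip = mask = None
    return adapters


def parse_tmg_networks(lines):
    """Return {network name: (first address, last address)}.

    Networks without an explicit range (External, Local Host) are skipped;
    TMG derives those itself.
    """
    nets = {}
    for line in lines:
        m = NETWORK_RE.match(line.strip())
        if m:
            nets[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                ipaddress.ip_address(m.group(3)))
    return nets


def check_spoof_config(adapters, networks):
    """Map each adapter to the TMG networks whose range covers its whole subnet.

    An empty list means no TMG network matches the adapter, so packets arriving
    on it fail spoof detection; more than one entry means overlapping ranges.
    """
    report = {}
    for name, subnet in adapters.items():
        first, last = subnet.network_address, subnet.broadcast_address
        report[name] = [n for n, (start, end) in networks.items()
                        if start <= first and last <= end]
    return report


if __name__ == "__main__":
    adapters = parse_ipconfig(IPCONFIG_SAMPLE)
    for label, nets in (("as posted", NETWORKS_AS_POSTED),
                        ("with typo", NETWORKS_WITH_TYPO)):
        print(f"--- network list {label} ---")
        for adapter, matches in check_spoof_config(
                adapters, parse_tmg_networks(nets)).items():
            status = matches[0] if len(matches) == 1 else (
                "NO MATCH (spoof detection will drop)" if not matches
                else f"OVERLAP {matches}")
            print(f"{adapter:14s} {adapters[adapter]!s:18s} -> {status}")
```

Run against the list as posted, every adapter maps to exactly one network, which is consistent with the answer below: the definitions were correct and the fault lay in the adapter bindings, not in the ranges. Against the mistyped list, the Wireless adapter comes back with no matching network, which is the configuration-side cause that produces the same spoofed-packet log entries.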
Answer 1
When everything looks right, it probably is!!!
I solved it by removing the Wireless and Perimeter networks from Forefront, then shutting down the VM, then removing the NICs from the Forefront VM, then starting it, shutting it down, re-adding the NICs, starting it, using different subnets (I don't know whether this step was necessary, but I did it anyway), starting it, and re-adding the networks to Forefront.
After all that, it started working properly. Perimeter and Wireless traffic started being recognised by Forefront and packets started flowing the way they should, with the same configuration as before.