I do not know what I am missing, any help will be appreciated.

(All updated) Host: Windows 10 Pro; WebServer: Debian 11 (Hyper-V VM); MySQL MariaDB 10.5.15; PHP 7.4.28; WordPress 5.9.3; ports 80 and 443 forwarded in the gateway (Ubiquiti USG Pro-4) to the Debian WebServer private IP/vlan x; firewall (ESET NOD32) disabled on the host; firewall (UFW) on the Debian WebServer (22, 80, 443 opened); firewall (Windows Firewall) disabled on the host.

WordPress: wp-config.php, all settings OK (database, URL, etc.)

```php
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpressdb' );
/** Database username */
define( 'DB_USER', 'user' );
/** Database password */
define( 'DB_PASSWORD', 'Pass' );
/** Database hostname */
define( 'DB_HOST', 'localhost' );
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/* Add any custom values between this line and the "stop editing" line. */

define('WP_SITEURL', 'http://example.com');
define('WP_HOME', 'http://example.com');
```

Apache2: domain.com.conf, all settings OK (virtualhost)

```apache
<VirtualHost example.com:80 *:80>
    ServerName example.com
    ServerAlias example.com
    DirectoryIndex index.htm index.html index.php
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/example.com

    <Directory "/var/www/html/example.com">
        Options -Indexes +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName example.com
        ServerAlias www.example.com
        ServerAdmin email@xxxmail.com
        DocumentRoot /var/www/html/example.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile      /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
        SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>
```

News (Edited)

I found a related post and took action. I was able to make it work (NatNetwork), but I still cannot reach my Debian WebServer from the Internet (outside). One more issue: I lost SSH access from my host (Win10 Pro) to the guest VM (Debian). Normally I do it through SSH-Agent with my private key, and even with a password it does not work anymore.

Fixed: Add Allow user <myuser>@10.0.0.1 in the /etc/ssh/sshd_config file.

Additional comment on how the network is now: host 192.168.x.x, and the new NatNetwork in 10.0.x.x.

```powershell
New-VMSwitch -SwitchName "NATSwitch" -SwitchType Internal

New-NetNat -Name NATNetwork -InternalIPInterfaceAddressPrefix 10.0.0.0/24

New-NetIPAddress -IPAddress 10.0.0.1 -PrefixLength 24 -InterfaceAlias "vEthernet (NATSwitch)"
```

NatMapping

```powershell
Add-NetNatStaticMapping -NatName NATNetwork -Protocol TCP -ExternalIPAddress 0.0.0.0/24 -ExternalPort 80 -InternalIPAddress 10.0.0.24 -InternalPort 80
```

  • I can reach my webpage with the private IP in the LAN (because it is in my hosts file, manually added)
  • I cannot from the Internet (outside/public IP)

```
Get-NetRoute -AddressFamily IPv4 -InterfaceIndex 2 | Format-Table DestinationPrefix, NextHop

DestinationPrefix  NextHop
-----------------  -------
255.255.255.255/32 0.0.0.0
224.0.0.0/4        0.0.0.0
10.0.0.255/32      0.0.0.0
10.0.0.1/32        0.0.0.0
10.0.0.0/24        0.0.0.0
```

```
Get-NetRoute -AddressFamily IPv4 -InterfaceIndex 28 | Format-Table DestinationPrefix, NextHop

DestinationPrefix  NextHop
-----------------  -------
255.255.255.255/32 0.0.0.0
224.0.0.0/4        0.0.0.0
192.168.1.255/32   0.0.0.0
192.168.1.64/32    0.0.0.0
192.168.1.0/24     0.0.0.0
0.0.0.0/0          192.168.1.1
```


```
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.64    281
         10.0.0.0    255.255.255.0         On-link          10.0.0.1    271
         10.0.0.1  255.255.255.255         On-link          10.0.0.1    271
       10.0.0.255  255.255.255.255         On-link          10.0.0.1    271
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     172.23.144.0    255.255.240.0         On-link      172.23.144.1   5256
     172.23.144.1  255.255.255.255         On-link      172.23.144.1   5256
   172.23.159.255  255.255.255.255         On-link      172.23.144.1   5256
      172.31.80.0    255.255.240.0         On-link       172.31.80.1   5256
      172.31.80.1  255.255.255.255         On-link       172.31.80.1   5256
    172.31.95.255  255.255.255.255         On-link       172.31.80.1   5256
      192.168.1.0    255.255.255.0         On-link      192.168.1.64    281
     192.168.1.64  255.255.255.255         On-link      192.168.1.64    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.64    281
      192.168.2.0    255.255.255.0         On-link      192.168.2.64    281
     192.168.2.64  255.255.255.255         On-link      192.168.2.64    281
    192.168.2.255  255.255.255.255         On-link      192.168.2.64    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      192.168.2.64    281
        224.0.0.0        240.0.0.0         On-link      192.168.1.64    281
        224.0.0.0        240.0.0.0         On-link          10.0.0.1    271
        224.0.0.0        240.0.0.0         On-link      172.23.144.1   5256
        224.0.0.0        240.0.0.0         On-link       172.31.80.1   5256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      192.168.2.64    281
  255.255.255.255  255.255.255.255         On-link      192.168.1.64    281
  255.255.255.255  255.255.255.255         On-link          10.0.0.1    271
  255.255.255.255  255.255.255.255         On-link      172.23.144.1   5256
  255.255.255.255  255.255.255.255         On-link       172.31.80.1   5256
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  Default
===========================================================================
```

Debian (WebServer) is in a VLAN (10.0.x.x, vlan x). The VLAN ID is set in the VSwitch Manager settings and in the VM Network Adapter settings too, not in the Debian VM configuration (/etc/interface). Am I OK? It is working this way, so I think I am.

INTERFACES SETTING

I can ping the Internet, the host and the eth0 interface. Do I need a static route (in the USG router), or any iptables rule, or masquerade (in the server)? Are my interfaces file settings OK? (/etc/network/interfaces)

```
<myuser>@terrawp:~$ ip route
default via 10.0.0.1 dev eth0 onlink
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.24

<myuser>@terrawp:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:00:69:3a brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.24/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe00:693a/64 scope link
       valid_lft forever preferred_lft forever
```

Thank you and GOOD FIXING !!

HillSonMX
  • I assume you can access your site from the Hyper-V host…? Did you set the VM to use bridged networking? Are you on a wired connection? Can other devices in your local network access the site by using its IP address? – Daniel B May 19 '22 at 06:58
  • Yes @Daniel B, I can access it locally using the private IP (but not by domain, which is what I want). A bridged network is used on the wired connection (VM), and everyone on the local network can access the webserver using the private IP. – HillSonMX May 23 '22 at 21:42
  • Bridged? So you are using a different IP subnet for the VM(s) even when it is in the same broadcast domain / LAN as your physical LAN hosts do? What's the reason for that? (Typically you use one single IP subnet within a LAN. And either way you can/should just port forward from your router in such case.) – Tom Yan Jul 05 '22 at 00:23
  • Also, even if it's not really bridged, you still need to *additionally* port forward from the router to the VM host first (unless maybe your VM host is set as the so-called "DMZ"). And obviously your router's WAN IP needs to be an actual public IP (i.e. no CGNAT posed by your ISP). Btw it should be `0.0.0.0/0` for `-ExternalIPAddress`. – Tom Yan Jul 05 '22 at 00:26
  • @Architect Jamie gave a solution in this post https://serverfault.com/questions/914482/how-to-dnat-forward-all-ip-traffic-on-windows-10-from-ip1-to-ip2 that I applied, but it did not work; NatNetwork lost its Internet connection. Maybe he could give us a hand with this. Regards! – HillSonMX Sep 10 '22 at 23:20

1 Answer

You need to make sure both of the following are in place before Internet-based traffic will reach your webserver.

  1. Valid network route to your network gateway/firewall. The VM needs to have a network adapter connected. If applicable, it needs a VLAN tag. Then, inside your VM, you need to make sure it has an IP address assigned (static or DHCP with reservation), plus DNS and gateway assigned. You know it's successful when you're able to ping out from the VM. https://windowsreport.com/add-network-adapter-windows-10-hyper-v/#:~:text=In%20the%20Hyper%20V%2DManager,you%20the%20Network%20Adapter%20window

  2. Firewall rule with port forwarding OR a reverse proxy configured. By default, inbound traffic is blocked on all firewalls. You need to set up a rule to forward traffic to your VM on port 80.

https://help.ui.com/hc/en-us/articles/235723207-UniFi-USG-UDM-Port-Forwarding-Configuration-and-Troubleshooting

Usta
  • 1. The webserver has Internet with no problem, and can be reached locally but not from the Internet (outside). 2. All was done, still the issue. Thank you @Usta. – HillSonMX May 23 '22 at 21:46
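
The two requirements in the answer, and the comment that a NAT switch needs a port forward on the router and another on the VM host, can be checked hop by hop. The following is an added example, not part of the original posts: a small Python model that uses the addresses from the question. The device names, the `trace` helper and the assumption that the USG's only LAN is 192.168.1.0/24 are constructed for illustration.

```python
"""Trace an inbound TCP connection through chained port forwards (constructed model)."""
import ipaddress

# Constructed topology using the addresses shown in the question; device names are
# hypothetical. Assumption: the USG's only LAN is 192.168.1.0/24.
DEVICES = {
    "usg":    {"nets": ["192.168.1.0/24"], "addrs": ["192.168.1.1"]},
    "host":   {"nets": ["192.168.1.0/24", "10.0.0.0/24"],
               "addrs": ["192.168.1.64", "10.0.0.1"]},
    "debian": {"nets": ["10.0.0.0/24"], "addrs": ["10.0.0.24"],
               "open": [22, 80, 443]},   # ports allowed by UFW in the question
}


def owner(addr):
    """Name of the device holding addr, or None."""
    return next((n for n, d in DEVICES.items() if addr in d["addrs"]), None)


def trace(port, forwards, entry="usg"):
    """Follow tcp/port inward from entry.

    forwards maps device -> {external_port: (internal_ip, internal_port)}.
    Returns (reached_listener, list of per-hop findings).
    """
    here, path = entry, []
    for _ in range(len(DEVICES) + 1):          # bounded, so a rule loop cannot hang
        rule = forwards.get(here, {}).get(port)
        if rule is None:                        # no forward here: this hop must accept
            ok = port in DEVICES[here].get("open", [])
            path.append(f"{here}: {'accepts' if ok else 'drops'} tcp/{port}")
            return ok, path
        dst, port = rule
        on_link = any(ipaddress.ip_address(dst) in ipaddress.ip_network(n)
                      for n in DEVICES[here]["nets"])
        nxt = owner(dst)
        if not on_link or nxt is None:
            why = "no device has that address" if on_link else "not on a connected subnet"
            path.append(f"{here}: cannot deliver to {dst}:{port}, {why}")
            return False, path
        path.append(f"{here}: forwards to {dst}:{port} on {nxt}")
        here = nxt
    return False, path + ["forwarding loop"]
```

Calling `trace(80, {"usg": {80: ("10.0.0.24", 80)}})` stops at the router, while a forward to 192.168.1.64 on the router plus a forward to 10.0.0.24 on the host reaches the web server.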