
Outbound Rules (No NAT)


We are just starting with NSX and everything seems to be pretty straightforward, but we are having two issues that are not making sense and wanted to see if anyone else can shed some light on them.

 

Config:

Public GW -> Public WAN IP -> edge01 -> LAN Public IP -> VM public IP

 

We are using an edge device that is doing our public layer 3 routing (no NAT), and we had to do way more rules than I would expect and are having to “Apply To” both the DFW and the Edge device.

 

All the rules that we created inbound are what would be expected (ports -> VM public IP -> from any), but the outbound was what seemed a little funky. We ended up doing an outbound VM Public IP -> ALL -> !not Edge01 IPs and then a block rule from VM Public IPs -> VM Public IPs. I have not been able to find a different way to get this to work, so does anyone have any other suggestions, or is this just what we need to do?

 

The downside to this is that if we have a rule above all this that allows traffic from any to a VM Public IP, and another VM guest needs this access as well, we can't seem to get it to access that ANY rule even if it is above the VM Public IPs -> VM Public IPs block rule.

 

The second issue:

 

The rules that we create for the VM Public IPs have to be applied to the DFW and the Edge device, otherwise the rule does not work. My understanding is that it processes the DFW first, so why does it not allow if it is applied to the DFW only?


Thanks!

