
Direct attach network connection Firewall questions - A La Jellyfish Fryer/Save 45k.

Nemesis158

In LTT's Recent revisit to the Jellyfish Fryer:

They have the server connected to its client machines using a Direct-Attach configuration, with manual IP addressing.

I have a question I'm hoping someone here, or maybe some LMG staff, can help me with.

 

In my home setup, I have a fairly built gaming tower, with minimal SSD storage, and a second box, somewhat of a home-lab focused system built with some older HEDT parts, and use it to expand the storage from my primary box with a few Mellanox ConnectX-3s and a direct-attach configuration. Both boxes are running Windows 10 Pro.

When I initially set up the direct attach link, I came across an issue where the PCs refused to talk to each other over the direct link.

I didn't find much info on doing this when I looked, and the only way I found to get them to talk to each other was to set the adapters as "public" networks and disable the "public" firewall on both machines.

 

In the recent LTT video, Linus made no mention of any special firewall configuration on the client Windows box to get both machines talking to each other, so I have to assume that one of the following is why:

1. They didn't have any issues because the client machine wasn't connected to a separate DHCP enabled network.

(Windows seemed to only care about blocking traffic on a manually assigned network when also connected to a DHCP network on another NIC)

2. Windows firewall doesn't block a connection with a non-Windows machine for some reason....

3. Updates to Windows/Windows firewall make this just "work" now.

4. They did need to do additional firewall configuration and just didn't mention it.

 

I am planning on migrating the home-lab box to a new tower I am currently putting together (which I have loaded with Windows 10 Pro for Workstations), and I want to maintain the direct attach configuration.

But hopefully this time do it without disabling any firewalls.

What other ways can I accomplish this?

 

Thanks.


Do you need a direct attached setup? Switches work better for most uses.

The lazy way is to make the server a switch here, and make that direct attach connection carry all the data.

But seems like a firewall issue. Since this isn't a super common setup, you have to set it up as you want to.


5 minutes ago, Electronics Wizardy said:

Do you need a direct attached setup? Switches work better for most uses.

The lazy way is to make the server a switch here, and make that direct attach connection carry all the data.

But seems like a firewall issue. Since this isn't a super common setup, you have to set it up as you want to.

QSFP switches are not made in a form factor I would keep in my apartment and I don't know if any of them really support Ethernet operation.

I did also try linking the NICs together on the server box and connect to the internet through it, but for some reason this limited any file transfer speeds to the speed of the host network (1Gbps) which made it pointless. I might consider this again if there is some other way to do it that doesn't involve making the second box also my DNS/DHCP server..


Just now, Nemesis158 said:

QSFP switches are not made in a form factor I would keep in my apartment and I don't know if any of them really support Ethernet operation.

I did also try linking the NICs together on the server box and connect to the internet through it, but for some reason this limited any file transfer speeds to the speed of the host network (1Gbps) which made it pointless. I might consider this again if there is some other way to do it that doesn't involve making the second box also my DNS/DHCP server..

That seems like something was set up wrong, I have a 10gbe direct connections with 1gig uplinks and it works fine.

But if it's just the firewall, you can turn off the firewall and you're good.

What OS is the storage server running?


2 minutes ago, Electronics Wizardy said:

That seems like something was set up wrong, I have a 10gbe direct connections with 1gig uplinks and it works fine.

But if it's just the firewall, you can turn off the firewall and you're good.

What OS is the storage server running?

Both current boxes are running Windows 10 Pro. The only way I knew to pass the uplink through to the direct attach link was to bridge the NICs.

Turning the firewall off for "public" connections is what I have already done, I just wasn't sure if that's something people do and Windows really likes to nag you about it if you don't disable firewall notifications.


1 minute ago, Nemesis158 said:

Both current boxes are running Windows 10 Pro. The only way I knew to pass the uplink through to the direct attach link was to bridge the NICs.

Turning the firewall off for "public" connections is what I have already done, I just wasn't sure if that's something people do and Windows really likes to nag you about it if you don't disable firewall notifications.

Well you can just add a firewall exception for the port/programs you need, so probably 139 and 445.

It should work fine using a bridge, seems like Windows is doing something weird there.


3 minutes ago, Electronics Wizardy said:

Well you can just add a firewall exception for the port/programs you need, so probably 139 and 445.

It should work fine using a bridge, seems like Windows is doing something weird there.

Those ports should already be open for private networks though, correct? Because initially the NICs were set as private networks. Windows firewall was just blocking all traffic on them anyways. Are there maybe some local security policy settings that have to do with auto/manual NICs and the firewall?

 

As far as the bridge is concerned, it seemed to me like the secondary box (where the bridge was) was treating the network bridge as a 1Gbps network instead of a 40Gbps network.


Just now, Nemesis158 said:

Those ports should already be open for private networks though, correct? Because initially the NICs were set as private networks. Windows firewall was just blocking all traffic on them anyways. Are there maybe some local security policy settings that have to do with auto/manual NICs and the firewall?

You sure they're private, but should be set it.

Can you test the speeds with iperf over the bridge? Windows should be able to do it.

 

 


2 minutes ago, Electronics Wizardy said:

You sure they're private, but should be set it.

Can you test the speeds with iperf over the bridge? Windows should be able to do it.

They are not currently set as private, but I am fairly certain they were when I set the manual IP addresses on both boxes. I'm not 100% sure but I think I did try an iperf test with the bridge. I may have to try that again this weekend.


Maybe setup access control lists (or whatever they're called in Windows) to allow packets from the other PC?

 

i.e. Whitelist it (although I would perhaps specify type of traffic).

~ Gaming since 1980 ~

 

PassMark | UserBench
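
Added example (not part of any post in this thread): one way to build the scoped exception suggested above, so the "public" firewall can stay on, written in PowerShell and run as administrator. The adapter alias 'DirectAttach' and the peer address 10.10.10.2 are assumed placeholders; ports 445 and 139 are the ones named earlier in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example: allow SMB only from the direct-attach peer, on that adapter only.
# 'DirectAttach' and 10.10.10.2 are assumed placeholders, not values from the thread.

function Add-DirectLinkSmbRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,
        [Parameter(Mandatory)][ipaddress]$PeerAddress,
        [int[]]$Ports = @(445, 139)   # 445 = SMB over TCP, 139 = NetBIOS session
    )

    # Fail early if the alias does not match an adapter on this machine.
    $adapter = Get-NetAdapter -Name $InterfaceAlias -ErrorAction Stop

    # Report the category Windows assigned to the link (Public, Private, ...).
    $netProfile = Get-NetConnectionProfile -InterfaceAlias $adapter.Name -ErrorAction SilentlyContinue
    if ($netProfile) {
        Write-Host "$($adapter.Name) is currently '$($netProfile.NetworkCategory)'"
    }

    $name = "Direct link SMB from $PeerAddress"

    # Replace any earlier copy so re-running does not stack duplicate rules.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Scope by interface AND remote address; -Profile Any keeps the rule
    # effective whichever category the link ends up in.
    New-NetFirewallRule -DisplayName $name `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $Ports `
        -RemoteAddress $PeerAddress.IPAddressToString `
        -InterfaceAlias $adapter.Name `
        -Profile Any
}

# On the storage box, naming the gaming tower's direct-link address (assumed):
Add-DirectLinkSmbRule -InterfaceAlias 'DirectAttach' -PeerAddress '10.10.10.2'

# With the scoped rule in place, the Public profile firewall can be turned back on.
Set-NetFirewallProfile -Profile Public -Enabled True

# Review the address scope the rule is limited to.
Get-NetFirewallRule -DisplayName 'Direct link SMB from 10.10.10.2' |
    Get-NetFirewallAddressFilter
```

Only the machine that hosts the shares needs the inbound rule; run it on both boxes, each naming the other's address, if both share files.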
