
#1 2014-12-15 16:54:24

Abhi123
Member
Registered: 2014-12-15
Posts: 10

Cannot connect to internet from behind corporate NTLM proxy

Hi,
Moved to Arch on VMware after getting fed up with the bloated distro that starts with 'U'. Spent a day setting everything up, which made me feel like 2002. Then got stumped with internet access at work.
Internet (wired/wireless) works fine at home, wired doesn't work at work (no wireless). ping complains of unknown host. Followed Network configuration and dhcpcd, didn't help. Of course installed and configured cntlm. 'U' distro connects to internet fine and as far as I compared, has the same settings (/etc/hosts, /etc/cntlm.conf, .bashrc)

Any suggestions?

Offline

#2 2014-12-15 18:17:33

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,353

Re: Cannot connect to internet from behind corporate NTLM proxy

This post is a bit confusing. 

First, is this something that is permitted by your corporate policy?
Second, there is no 'Wireless' on Arch running in a VM.   There are 'virtual' network interfaces that talk to the host.  The host can either bridge these, consider them to be 'host only' whereby the VM can communicate only with its host, or the host can provide NAT forwarding.

I assume the host is Windows.  Are you using the same host and VMware configuration you had been using with Ubuntu?

Edit:  BTW, Welcome to Arch Linux :)

Last edited by ewaller (2014-12-15 18:18:08)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#3 2014-12-15 19:16:34

Abhi123
Member
Registered: 2014-12-15
Posts: 10

Re: Cannot connect to internet from behind corporate NTLM proxy

ewaller wrote:

is this something that is permitted by your corporate policy?

Assuming you're asking if accessing internet is permitted, yes it is. I can get on the web from Windows host and Ubuntu guest.

ewaller wrote:

there is no 'Wireless' on Arch running in a VM?

I don't need one at work, I'm on LAN.

ewaller wrote:

I assume the host is Windows.  Are you using the same host and VMware configuration you had been using with Ubuntu?

Yes, Windows 7 host. AFAIK, and checked, same config. If you'd like to see any data, I can post it.

ewaller wrote:

BTW, Welcome to Arch Linux :)

Thank you.

Offline

#4 2014-12-15 19:53:25

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,353

Re: Cannot connect to internet from behind corporate NTLM proxy

Thanks for the clarification.  You missed my point about the wireless though.  When you are running a virtual machine, the guest only 'sees' the virtual interfaces defined by the VM.  That does not include a wireless network -- it is kind of hard to virtualize a wireless network.   What the guest 'sees' is a wired network that connects it to the rest of the world.  For a virtual machine, that 'rest of the world' is the software running on the host (VMware).  The VMware software can do a few things.  It can treat that 'Network' as a means to talk to the guest OS, but deny that guest OS the ability to talk to anything else.  This is handy if you don't want the guest talking on your real-world network.   The host can bridge the virtual network to a physical network.  That physical network can be either wired, or wireless.  Both of those networks are administrated by the host, including association with any APs.  In a bridged configuration, the guest can see DHCP servers on the real-world network and can (if the network is in promiscuous mode) open ports that are visible to the entire real-world network.  The third option is NAT.  In this configuration, the virtual network consisting of the host and the guest is not bridged, but rather the host software pretends to be a router and performs network address forwarding between the virtual network and the real-world network.  In this mode, the guest can talk on the real-world network, but cannot open any ports that are available to the real world network unless they are explicitly forwarded in the VMware software.

These three methods can be used to control the degree of lock down of the guest and determine access rights to the real-world network.   Are you configured for NAT, Bridged, or Host Only?



Offline

#5 2014-12-15 20:48:30

Abhi123
Member
Registered: 2014-12-15
Posts: 10

Re: Cannot connect to internet from behind corporate NTLM proxy

Thanks for the detailed explanation. Unfortunately, I'm not sure how to tell what mode I'm using. I followed the instructions in Network configuration, which doesn't have separate instructions for the categories you mentioned. Is there a command that'd tell me?

Offline

#6 2014-12-15 21:49:21

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,353

Re: Cannot connect to internet from behind corporate NTLM proxy

It is a setting in VMware.  I do not use VMware personally -- I use VirtualBox.   You probably need to shut down your guest and, from the VMware GUI, look at the settings for your Arch Linux VM.  There is likely to be a network interface defined.  There may be more than one.  Note if there are more than one -- perhaps you are configuring the wrong one inside the guest.  Regardless, look around and see if there are any settings like NAT, Bridged, or Host-Only.   Knowing nothing of your needs, I recommend NAT unless you intend to offer services to the network (like a web server, or shared volume).  If you want to provide web services, use bridged.



Offline

#7 2014-12-15 22:47:13

Abhi123
Member
Registered: 2014-12-15
Posts: 10

Re: Cannot connect to internet from behind corporate NTLM proxy

It's set to NAT, just like Ubuntu. I'm guessing that's the default because I didn't change it.

Offline

#8 2014-12-15 22:54:12

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,353

Re: Cannot connect to internet from behind corporate NTLM proxy

Okay, what is the output of ip link and of ip addr from your Arch running in the VM?



Offline

#9 2014-12-15 23:23:39

Abhi123
Member
Registered: 2014-12-15
Posts: 10

Re: Cannot connect to internet from behind corporate NTLM proxy

$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:07:87:22 brd ff:ff:ff:ff:ff:ff
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:07:87:22 brd ff:ff:ff:ff:ff:ff
    inet 192.168.19.133/24 brd 192.168.19.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::82cb:f7cc:81d:bcd/64 scope link 
       valid_lft forever preferred_lft forever

Offline

#10 2014-12-15 23:25:02

Abhi123
Member
Registered: 2014-12-15
Posts: 10

Re: Cannot connect to internet from behind corporate NTLM proxy

I'm going home so any test I do from here is going to produce different results. I can get on VPN on my host and then test from the guest but since simple wired connection doesn't work, I doubt VPN would.

Offline

#11 2014-12-15 23:34:41

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,353

Re: Cannot connect to internet from behind corporate NTLM proxy

Wow, not what I expected.  I did not expect to see an address like 192.168.19.xx/24.

Let's back up a little.  You said it was NAT, not bridged.  So the address is not coming from the real world network.  When you set the network up, did you set it up with static or dynamic addresses?  What are you using, if anything, to control your network?  Netctl? NetworkManager?

I suggest that, for now, you disable whatever you may have enabled in systemd to control the network.  Reboot, then run (as root) dhcpcd from the command line.  Let's see what that does.
On the host, can you open a command shell (open a run box and enter cmd) and post the output of ipconfig?
Note that command will provide the address of the host on the corporate network, but that address is not routable on the Internet -- sharing it is not a security concern.



Offline

#12 2014-12-16 17:02:59

Abhi123
Member
Registered: 2014-12-15
Posts: 10

Re: Cannot connect to internet from behind corporate NTLM proxy

I was using Network Manager, uninstalled it and installed Wicd. Disabled wicd service, rebooted and ran dhcpcd as shown below. The ping response is exactly the same as with wicd running.

[root:~]# dhcpcd
dhcpcd[548]: version 6.6.4 starting
dhcpcd[548]: DUID 00:01:00:01:1c:1c:d2:b7:00:0c:29:07:87:22
dhcpcd[548]: eno16777736: IAID 29:07:87:22
dhcpcd[548]: eno16777736: soliciting an IPv6 router
dhcpcd[548]: eno16777736: rebinding lease of 192.168.19.133
dhcpcd[548]: eno16777736: changing route to 192.168.19.0/24
dhcpcd[548]: eno16777736: changing default route via 192.168.19.2
dhcpcd[548]: forked to background, child pid 560
[root:~]# ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 172.29.186.252 icmp_seq=1 Destination Host Unreachable
From 172.29.186.252 icmp_seq=2 Destination Host Unreachable
From 172.29.186.252 icmp_seq=3 Destination Host Unreachable

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2004ms

[root:~]# ping -c 3 www.google.com
ping: unknown host www.google.com

On host:

>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : xxx
   Link-local IPv6 Address . . . . . : fe80::21c9:d3c1:e840:f11%11
   IPv4 Address. . . . . . . . . . . : 172.29.186.53
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.29.186.254

Wireless LAN adapter Wireless Network Connection 2:

   Connection-specific DNS Suffix  . : xxx
   Link-local IPv6 Address . . . . . : fe80::7930:bc9c:aec:45d%17
   IPv4 Address. . . . . . . . . . . : 10.122.122.174
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 10.122.123.254

Ethernet adapter Local Area Connection* 13:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter VMware Network Adapter VMnet1:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4119:e09d:4a1e:7cf1%20
   IPv4 Address. . . . . . . . . . . : 192.168.23.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter VMware Network Adapter VMnet8:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4c36:8ea5:2477:af7b%21
   IPv4 Address. . . . . . . . . . . : 192.168.19.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter VirtualBox Host-Only Network:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::f1f8:a2b:10ca:58fa%42
   IPv4 Address. . . . . . . . . . . : 192.168.56.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.{4A93F9F8-0055-4DB8-B8B2-C01EE422955B}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{C74142C2-C218-47AD-B66F-D20C761E1B9F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{6D3F2902-4C13-44AE-859D-D8E70F54972B}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Last edited by Abhi123 (2014-12-16 17:47:04)

Offline

#13 2014-12-16 17:29:09

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,353

Re: Cannot connect to internet from behind corporate NTLM proxy

Interesting.   Okay, you are getting an address on 192.168.19.xxx/24.  That is the network known as VMnet8 on the Host.  The host also has a VMware network known as VMnet1.
Curiously,  there is also a VirtualBox network on the host :/

By default, VMnet8 does indeed use NAT.

There are two things I note that I would chase down.  Your default route is via 192.168.19.2, but the host says it is at 192.168.19.1.  Can you ping 192.168.19.1?  How about 192.168.19.2 ?  How about yourself at 192.168.19.133 ?
Also, your host has two private addresses, one for your LAN, and one for your WAN.  Do you have internet connectivity on both of those networks?  If not, is it possible that the NAT is binding to the wrong real-world network?   You had said that there was no wireless at $DAYJOB.  I wonder if you are associating with a router that is isolated.   Try turning off your wifi and try everything with just the wired connection.



Offline
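The subnet matching done by hand in post #13, as an added example that is not part of the original thread: it parses the guest's `ip addr` output and the host's `ipconfig` output, reports which host adapter shares the guest's subnet, and checks whether the guest's default route lies inside that subnet. The sample text is trimmed from posts #9 and #12; the function names are made up for this example.

```python
import ipaddress
import re

# Sample data trimmed from posts #9 and #12 of this thread.
GUEST_IP_ADDR = """\
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.19.133/24 brd 192.168.19.255 scope global eno16777736
"""
HOST_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 172.29.186.53
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
Wireless LAN adapter Wireless Network Connection 2:
   IPv4 Address. . . . . . . . . . . : 10.122.122.174
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
Ethernet adapter VMware Network Adapter VMnet1:
   IPv4 Address. . . . . . . . . . . : 192.168.23.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
Ethernet adapter VMware Network Adapter VMnet8:
   IPv4 Address. . . . . . . . . . . : 192.168.19.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

def guest_interfaces(ip_addr_output):
    """Return global-scope IPv4 interfaces found in `ip addr` output."""
    found = re.findall(r"inet (\d+\.\d+\.\d+\.\d+/\d+) .*scope global", ip_addr_output)
    return [ipaddress.ip_interface(m) for m in found]

def host_adapters(ipconfig_output):
    """Map adapter name -> IPv4Interface from Windows `ipconfig` output."""
    adapters, name, addr = {}, None, None
    for line in ipconfig_output.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            name, addr = line.split(" adapter ", 1)[1].rstrip().rstrip(":"), None
        elif "IPv4 Address" in line:
            addr = line.split(":", 1)[1].strip()
        elif "Subnet Mask" in line and name and addr:
            mask = line.split(":", 1)[1].strip()
            adapters[name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return adapters

def locate_guest(ip_addr_output, ipconfig_output, gateway):
    """List (guest IP, host adapter on the same subnet, gateway-in-subnet?)
    for every guest address that matches a host adapter's network."""
    gw = ipaddress.ip_address(gateway)
    report = []
    for iface in guest_interfaces(ip_addr_output):
        for name, host in host_adapters(ipconfig_output).items():
            if iface.network == host.network:
                report.append((str(iface.ip), name, gw in iface.network))
    return report

if __name__ == "__main__":
    print(locate_guest(GUEST_IP_ADDR, HOST_IPCONFIG, "192.168.19.2"))
```

With the thread's data the guest lands on VMnet8, and the default route 192.168.19.2 reported by dhcpcd is inside that same /24.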

#14 2014-12-16 18:35:54

Abhi123
Member
Registered: 2014-12-15
Posts: 10

Re: Cannot connect to internet from behind corporate NTLM proxy

I made some progress, I'll respond to your points one by one. There're a lot of moving pieces so bear with me.

ewaller wrote:

you are getting an address on 192.168.19.xxx/24.  That is the network known as VMnet8 on the Host.  The host also has a VMware network known as VMnet1.
Curiously,  there is also a VirtualBox network on the host :/

I disabled VMnet1, the VirtualBox network (which I have because I played with it before I moved to VMware) and wireless on the host. Ping still failed. Then someone told me that ping is blocked by the corporate firewall. I tried Google Chrome. It failed too, but some research indicated that no one has got it working without a system-wide proxy setting like GNOME. I then tried wget and voila! I was able to download stuff. I configured pacman to use wget and it seems to be working too, though some mirrors are failing.

ewaller wrote:

By default, VMnet8 does indeed use NAT.

How did you infer this from the output above? It's true though, I'm just curious.

ewaller wrote:

Can you ping 192.168.19.1?  How about 192.168.19.2 ?  How about yourself at 192.168.19.133 ?

As mentioned above, ping is apparently blocked by the corporate firewall.

ewaller wrote:

Also, your host has two private addresses, one for your LAN, and one for your WAN.  Do you have internet connectivity on both of those networks?  If not, is it possible that the NAT is binding to the wrong real-world network?   You had said that there was no wireless at $DAYJOB.  I wonder if you are associating with a router that is isolated.   Try turning off your wifi and try everything with just the wired connection.

Did that and the result is explained above. I'll now turn it back on and see what, if anything, changes.

So the question now is how to get Chrome to use the proxy.

Offline

#15 2014-12-16 19:38:28

Abhi123
Member
Registered: 2014-12-15
Posts: 10

Re: Cannot connect to internet from behind corporate NTLM proxy

Abhi123 wrote:

So the question now is how to get Chrome to use the proxy.

Answering my own question for the sake of others who might stumble upon this thread in the future... the SwitchyOmega Chrome extension forces Chrome to use a proxy. Of course it can't be installed from the Web Store without an internet connection (ironical, isn't it), so download the CRX file from GitHub to a shared folder on the host that's accessible on the guest and follow the installation instructions here.

Last edited by Abhi123 (2014-12-16 19:39:34)

Offline

#16 2014-12-16 19:51:07

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,353

Re: Cannot connect to internet from behind corporate NTLM proxy

Abhi123 wrote:
ewaller wrote:

By default, VMnet8 does indeed use NAT.

How did you infer this from the output above? It's true though, I'm just curious.

I didn't.  I Googled it :P

ewaller wrote:

Can you ping 192.168.19.1?  How about 192.168.19.2 ?  How about yourself at 192.168.19.133 ?

As mentioned above, ping is apparently blocked by the corporate firewall.

Not true.  The 192.168.19.x/24 "Network" is a virtual network that only exists between your guest and host.  The corporate firewall never even sees it.



Offline

#17 2014-12-16 20:41:06

Abhi123
Member
Registered: 2014-12-15
Posts: 10

Re: Cannot connect to internet from behind corporate NTLM proxy

ewaller wrote:

Can you ping 192.168.19.1?  How about 192.168.19.2 ?  How about yourself at 192.168.19.133 ?

Abhi123 wrote:

As mentioned above, ping is apparently blocked by the corporate firewall.

Not true.  The 192.168.19.x/24 "Network" is a virtual network that only exists between your guest and host.  The corporate firewall never even sees it.

I was able to ping anything from Ubuntu. Maybe ping uses some proxy too that doesn't work on Arch. I'm not worried about ping for now.

Thanks a lot for your help. I hope to have fun with Arch.

Offline
