How hard can it be to find the correct IP
I guess for some of you this is obvious, but for me it was a refreshing experience that everything is pretty straightforward in the networking world.
I ran into an environment with NSX-T where I had a DMZ-like network area which included an HTTPS web service. I had control of a stripped-down firewall configuration wizard and no other access to NSX-T or the firewall areas.
Simple things first: "Source ANY" to "Destination <myservicePublicIP>", TCP port 443, worked as expected and I was able to access the service by its public IP.
The goal was to only allow access to this service from another NSX-T network area; the two areas were only connected with each other over public IPs and NSX-T internal routing.
So I looked up my address on whatismyip and, to my surprise, I was not able to connect to the service when I entered that IP as the source in the firewall rule.
There was no way to get any additional access to the NSX-T management (black box) and no admin was reachable. The IPs shown by tracert and similar tools didn't work either. So something "special" was configured within NSX-T: the source address a firewall sees is whatever is left after the address translation on that particular path, and whatismyip only tells you the address seen on the path to the Internet, which need not be the same as the path between the two NSX-T areas. Dead end?
Then I remembered that if you keep halving the candidate IP range, it takes only a few dozen tries to find the exact IP for the firewall rule's source entry: every test tells you which half the address is in, so each step discards half of the remaining candidates (a binary search over the address space).
So I started by guessing the /8 (the old "class A" range) based on the IPs I had tested above and on the tracert output. The third try, 54.0.0.0/8, was a hit and the rule worked.
From there I increased the prefix length by 1 and refreshed the web page. If the page loaded, I increased the prefix length by one again. If not, I switched to the other half of the previous subnet and tried again.
Example:
If 54.0.0.0/9 worked, I set the firewall rule to 54.0.0.0/10.
If 54.0.0.0/10 did not work anymore, I had to switch to the other remaining subnet of that prefix length, so I continued by testing 54.64.0.0/10. This worked again and I increased the prefix length by 1 to 54.64.0.0/11. And so on... and so on...
After only about 30 tries I had found the correct IP. Going from /8 to /32 is 24 halvings, and each halving costs one test if the first half works or two if you also confirm the other half, which is why it came out at roughly 30. Overall it took me just a few minutes for the ~30 connection tests and ~30 firewall rule updates to single out one address from the 4,294,967,296 possible IPv4 addresses in the world.
Two things worth keeping in mind while doing this: during the search the service is reachable from the whole current candidate range (with 54.0.0.0/8 in the rule that is about 16 million addresses), so work through the steps quickly and check that the final rule really is a single /32. And the address you end up with is the source as the firewall sees it after any translation on that path; if that is a shared NAT address, the rule allows every host behind it, not only the one you meant.
I was lazy with the subnet calculation and just used a tool for it:
http://www.ip-tools.net/ipcalc
You can type in any IP address and prefix length and it shows you the network address ("net"), the broadcast address and the host range, so it was easy to find the other remaining subnet when needed.
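The same search can be done without a calculator. The following is an added example (my own code, not the original post's): a bisection over IPv4 prefixes where the only oracle is "does the service answer with this CIDR as the allowed source". The firewall and the service are replaced by a constructed stand-in so it runs offline; the hidden address 54.64.0.1 and the starting prefixes are assumptions for the demonstration. It generalizes the post's procedure in two ways: it can start from 0.0.0.0/0 (the "Source ANY" rule) instead of a guessed /8, and it can confirm the other half instead of assuming it, which is what the post did and what protects the search from a single flaky connection test.

```python
"""Bisection for the source address a firewall actually sees.

Added example, not code from the original post. Every step halves the
candidate prefix: if the lower half still lets the connection through,
the address is in there; otherwise it must be in the upper half.
"""
import ipaddress
import socket
from typing import Callable, Tuple

IPv4Network = ipaddress.IPv4Network
# True if the service answers while `net` is the allowed source in the rule.
Oracle = Callable[[IPv4Network], bool]


def find_source_address(
    oracle: Oracle,
    start: str = "0.0.0.0/0",
    verify_other_half: bool = True,
) -> Tuple[ipaddress.IPv4Address, int]:
    """Return (address, number_of_oracle_calls).

    `start` must be a prefix the rule already accepts: 0.0.0.0/0 is the
    post's "Source ANY" rule, 54.0.0.0/8 is the /8 it found by guessing.
    With verify_other_half=True the upper half is tested instead of assumed
    (the post did this). It costs at most one extra test per bit but catches
    a flaky probe: a transient connection failure would otherwise send the
    search into the wrong half and every later result would be wrong.
    """
    net = ipaddress.ip_network(start, strict=True)
    tests = 1
    if not oracle(net):
        raise RuntimeError(f"precondition failed: a rule for {net} does not work")
    while net.prefixlen < 32:
        # subnets() yields the two halves, lower (next bit 0) then upper (next bit 1)
        lower, upper = net.subnets(prefixlen_diff=1)
        tests += 1
        if oracle(lower):
            net = lower
            continue
        if verify_other_half:
            tests += 1
            if not oracle(upper):
                raise RuntimeError(
                    f"neither {lower} nor {upper} works: probe is flaky or the source moved"
                )
        net = upper
    return net.network_address, tests


def simulated_firewall(true_source: str) -> Oracle:
    """Constructed stand-in for 'update the rule, refresh the page'.

    The real oracle is manual: put the CIDR into the firewall rule, then
    probe the service. Here the hidden address is simply checked against
    the candidate network.
    """
    src = ipaddress.ip_address(true_source)
    return lambda net: src in net


def tcp_probe(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Connection-test half of a real oracle: does a TCP handshake succeed?

    The rule-update half is tool specific (in the post, a manual step in the
    NSX-T wizard) and is not shown. Not used by the offline demonstration.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    hidden = "54.64.0.1"  # constructed: the address the firewall sees, unknown to the searcher
    oracle = simulated_firewall(hidden)

    addr, n = find_source_address(oracle, start="54.0.0.0/8")
    print(f"from 54.0.0.0/8: found {addr} after {n} rule changes")

    addr, n = find_source_address(oracle)  # from "Source ANY", no /8 guessing at all
    print(f"from 0.0.0.0/0: found {addr} after {n} rule changes")
```

Starting from the post's /8, the search needs 24 halvings plus one extra test for every bit that is set in the remaining 24 bits of the address, plus the initial check of the start prefix; for 54.64.0.1 that is 27 rule changes. Starting from 0.0.0.0/0 costs 32 halvings and removes the guessing entirely, at the price of the service being reachable from the whole upper half of the Internet during the first few steps.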
I was just surprised how fast it was to manually track down the IP out of the whole Internet address space. It is always refreshing that in the network world everything has its place and "just works" ;-)