External access to VMs through firewall (NAT)

jodgi
I'm using VE 1.7 behind a pfSense box. Standard setup of VE. pfSense is DHCP server.

I can ping, ssh, rdp and vnc to my VMs from within my LAN without any trouble, both with ip's and hostnames.

I tried to setup NAT in pfSense to access my VMs from WAN using portforwarding as you would with normal machines (this works with my other physical boxes). I also successfully accessed the VE webinterface from the outside (as a check).

I cannot access the VMs in any way from the outside. Is this impossible or do I need to set up the firewall in a special manner?
 
Check the default gw setting of the VM, it must point to your internet gateway (since web access to Proxmox works, use the same settings).
Install tshark or tcpdump in Proxmox and check packets on the interface the VM is connected to and for the IP of your VM, so you can see if packets are really coming in and if they are replied to. You can run it also inside the VM, just in case.
Just for the record, what kind of VM are you running, and what is the networking model you have chosen? (veth, venet, bridged, nat...?)
 
My VMs are connected to vmbr0 (bridged, right?) which has my pfSense box as gateway, all VMs get their IP from the pfSense DHCP server. I can access the web from all VMs, I currently run an Ubuntu minimal, Ubuntu desktop and a WinXP VM. So I think my VMs have pfSense as gateway.

I'm no expert by far, so I'm afraid I don't know what to do with tshark or tcpdump - I have to read up on those. You're suggesting that I log the packets coming (or not) to the vmbr0/eth0 interface when I try to access the VM from outside my LAN?

Sidenote: I can still access all my physical boxes from the outside, it's just the VMs I can't get to.

This may be a pfsense question for all I know, I just don't quite know where to start.
 
So, through a different internet connection, you are able to go to the Proxmox web interface pointing to the public IP address of the connection where pfSense is connected (Internet -> pfSense -> Proxmox), since you can't test this from the same connection, right?
From pfSense you have redirected e.g. tcp port 2222 to the internal VM private IP and port 22, or something like that, and ssh user@publicip -p 2222, right?
If your VM IP is, for instance, 192.168.1.44, enter the Proxmox console, and after installing tshark do:
# tshark -ni vmbr0 host 192.168.1.44 and port 22
then go to the computer that is linked to the internet through a different modem/router and try to ssh as mentioned before. You should see packets with destination IP 192.168.1.44 pass.
If this is true the problem should be in the outgoing packets, otherwise something in the incoming ones is misconfigured.
It is really difficult to give you tips on this subject (not that I'm a guru, but usually I'm good at these basic networking setups).
Let me know :)
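The post above describes a three-way diagnosis: packets to the VM seen on vmbr0 and replies seen (routing works), packets seen but no replies (the VM's outgoing path or gateway is wrong), or nothing seen at all (the NAT or WAN rule on pfSense never delivers the packet). The following is an added example, not code from the thread or from Proxmox, that applies that logic to a saved capture. It assumes the tshark one-line summary output was redirected to a text file with the command from the post (tshark -ni vmbr0 host 192.168.1.44 and port 22 > capture.txt) and that the summary uses the "src -> dst" form; the VM address and the capture lines below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a tshark summary capture
# into the three cases the post describes. Assumes tshark's default
# one-line summary format, e.g.
#   1 0.000000 203.0.113.5 -> 192.168.1.44 TCP 74 51512 > 22 [SYN] ...
# All addresses and capture lines below are constructed sample data.

VM_IP="192.168.1.44"   # hypothetical VM address, same as in the post

# Constructed capture: SYN from a public address reaches the VM, VM answers.
SAMPLE_OK='1 0.000000 203.0.113.5 -> 192.168.1.44 TCP 74 51512 > 22 [SYN] Seq=0
2 0.000210 192.168.1.44 -> 203.0.113.5 TCP 74 22 > 51512 [SYN, ACK] Seq=0 Ack=1'

# Constructed capture: SYNs arrive on vmbr0 but the VM never replies.
SAMPLE_NO_REPLY='1 0.000000 203.0.113.5 -> 192.168.1.44 TCP 74 51512 > 22 [SYN] Seq=0
2 1.002000 203.0.113.5 -> 192.168.1.44 TCP 74 51512 > 22 [SYN] Seq=0'

# Constructed capture: traffic on the bridge, but none addressed to this VM.
SAMPLE_OTHER_HOST='1 0.000000 203.0.113.5 -> 192.168.1.10 TCP 74 51512 > 22 [SYN] Seq=0'

# classify_capture <vm-ip> <capture-text>
# Prints exactly one of: ok, no-reply, no-traffic
classify_capture() {
    vm="$1"
    capture="$2"
    # Lines whose destination is the VM (inbound through the NAT).
    inbound=$(printf '%s\n' "$capture" | grep -c -F -- "-> ${vm} " || true)
    # Lines whose source is the VM (its replies leaving towards the gateway).
    outbound=$(printf '%s\n' "$capture" | grep -c -F -- " ${vm} -> " || true)

    if [ "$inbound" -eq 0 ]; then
        # Nothing reached vmbr0 for this VM: the pfSense port forward or the
        # WAN firewall rule is not delivering the packet.
        echo "no-traffic"
    elif [ "$outbound" -eq 0 ]; then
        # Packets arrive but the VM never answers: check the VM's default
        # gateway and any firewall inside the guest.
        echo "no-reply"
    else
        echo "ok"
    fi
}

# classify_file <vm-ip> <capture-file>: same check over a saved capture.
classify_file() {
    classify_capture "$1" "$(cat "$2")"
}

# Stand-alone run over the constructed samples.
for s in "$SAMPLE_OK" "$SAMPLE_NO_REPLY" "$SAMPLE_OTHER_HOST"; do
    classify_capture "$VM_IP" "$s"
done
```

Run it as `sh classify.sh` to see the three verdicts for the constructed samples, or call `classify_file 192.168.1.44 capture.txt` against a real saved capture. The fixed-string matches on " -> " keep the check independent of port and protocol columns, so the same function works for the VNC or RDP forwards mentioned later in the thread.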
 
I'm sorry. I would need pointers on how to install tshark.
"aptitude install tshark" doesn't work. Do I need to somehow activate aptitude?
 
Well, this is a very, very basic Debian task, you should learn how to install packages in Debian. Also "does not work" does not give useful information at all in trying to help you.
In any case, as root:
proxmox:~# aptitude update
proxmox:~# aptitude install tshark
(proxmox:~# is the root prompt, you don't have to enter it, just to make clear you have to issue those commands as root)
 
I noticed tcpdump was already installed and I tested from inside the LAN, tcpdump reported plenty of traffic.

Hehe, sorry, I simply forgot "aptitude update". Tshark is installed. I'll prepare for testing from outside the LAN and let you know.
 
Ok, I got tshark working. When I VNC'ed to a VM from outside the LAN, tshark showed a lot of traffic to and from the VM and the external IP. The VNC session had garbled visuals, but that's an issue I won't dwell on now, at least the routing worked.
When I tried to ssh to a different VM from the outside I got no response from the VM (Operation timed out). There was absolutely no report of any kind of traffic from tshark. If there is something wrong in my NAT setup I am not able to make out what that error is. I have set up NAT for VNC and ssh many times for physical machines, I do not know what to set differently to accommodate Proxmox (eth0>vmbr0>VM).
 
I run an identical environment (pfSense box) with several ProxMox boxes and some other servers running behind it. It's a great match and works perfectly in my environment.

You didn't mention setting up any firewall rules. Have you created a rule allowing traffic from your external IP to your internal VM IPs?
 
I'm blushing here, but I do need help like that ;)
 
No problem, we all start somewhere. :D

First a recommendation, if you are using pfSense I highly recommend picking up the book pfSense: The Definitive Guide (check Amazon). A must-have for new and experienced pfSense users, it really explains how to set things up.

There are 3 things you need to configure. First, set up your virtual IP addresses. These will be your external IP addresses. Next, configure 1:1 NAT to map your outside IPs to inside IPs. Finally, create your rule on the WAN interface to allow your selected port in to the internal IP address of the VM you want to connect to.

I actually use OpenVPN on pfSense to create a VPN tunnel into the back-end network that all the VMs reside on and only allow a few ports through to my VMs from the outside. Much more secure.
 
Yeah, maybe later. Right now I get a headache looking at the OpenVPN howto. ;)
 
Everything is working now. I can VNC, NX, ssh and RDP my way to the VMs.
Thanks for helping me out, guys!
 