Help with Port Forwarding

lucasBR5

Hello, can someone help me with port forwarding in Proxmox VE 8.0.3? I want to configure access using my public IP address so that I can still access the virtual environment when I'm outside my network. I have set up port forwarding in my router (see images), but when I try to access it from xxx.x.xx.xxx:9000, I get a connection timeout error.

The firewall in Proxmox VE is active and only port 8006 is open on both the data center and node.

My local Proxmox connection is 192.168.0.14:8006.

What could be missing in this configuration?

[Attached screenshots: Screenshot_1.png (router), Screenshot_2.png, Screenshot_3.png, Screenshot_4.png, Screenshot_5.png]
I want to configure access using my public IP address so that I can still access the virtual environment when I'm outside my network. I have set up port forwarding in my router (see images), but when I try to access it from xxx.x.xx.xxx:9000, I get a connection timeout error.
This isn't good practice. A hypervisor's management shouldn't be public. If you want to access it from outside your LAN I would highly recommend installing a VPN server on your PVE host as a VM, or using your router's VPN server in case it offers this as a feature, and then connecting remotely to your LAN via VPN client instead of making the webUI public. I personally like to run an OPNsense VM for that with the WireGuard plugin. This would also allow you to use the Suricata plugin for intrusion protection and to put your public services in an isolated DMZ subnet for additional security.

The firewall in Proxmox VE is active and only port 8006 is open on both the data center and node.
Actually there are more ports open. See the hidden anti-lockout rules that always apply and overwrite your "Input Policy: Drop" unless you create a custom rule to block those ports explicitly: https://pve.proxmox.com/wiki/Firewall#pve_firewall_default_rules

And update your PVE. We are on 8.1.4 and not on 8.0.3. Making it public without regularly applying security fixes makes it even worse. You already got half a year of unfixed vulnerabilities. Including unpatched SSH server vulnerabilities for remote access...

And to your actual problem. You only allow packets that come from "source port: 8006" and your router that is doing the NAT will probably send the packets from another port. So I would remove that and only keep the "destination port: 8006".
 
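The source-port point from the reply above, as an added example that is not part of the original thread: a simplified first-match evaluator (a model, not pve-firewall itself) run over two constructed rule lines in Proxmox VE firewall-file style and a constructed forwarded packet. The rule lines, the packet values and all function names are assumptions made for illustration.

```python
import shlex

# Constructed rule lines in Proxmox VE firewall-file style (not the poster's config).
RULE_BEFORE = "IN ACCEPT -p tcp -sport 8006 -dport 8006"
RULE_AFTER = "IN ACCEPT -p tcp -dport 8006"
# Constructed packet as the PVE host sees it after the router's port forward:
# the remote client picked an ephemeral source port, the destination is 8006.
FORWARDED = {"proto": "tcp", "sport": 51514, "dport": 8006}

def parse_rule(line):
    """Split 'DIRECTION ACTION -opt value ...' into a dict; '#' starts a comment."""
    tok = shlex.split(line, comments=True)
    if len(tok) < 2 or tok[0] not in ("IN", "OUT"):
        return None
    rule = {"dir": tok[0], "action": tok[1]}
    for i in range(2, len(tok) - 1, 2):
        rule[tok[i].lstrip("-")] = tok[i + 1]
    return rule

def port_ok(spec, port):
    """spec: comma list of ports or lo:hi ranges; None means any port."""
    if spec is None:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def verdict(rules_text, pkt, policy="DROP"):
    """First matching IN rule decides; otherwise the input policy applies."""
    for r in filter(None, map(parse_rule, rules_text.splitlines())):
        if (r["dir"] == "IN" and r.get("p", pkt["proto"]) == pkt["proto"]
                and port_ok(r.get("sport"), pkt["sport"])
                and port_ok(r.get("dport"), pkt["dport"])):
            return r["action"]
    return policy  # DROP answers nothing, so the client sees a timeout

def lint(rules_text):
    """Return inbound ACCEPT rules that are pinned to a source port."""
    rules = filter(None, map(parse_rule, rules_text.splitlines()))
    return [r for r in rules
            if r["dir"] == "IN" and r["action"] == "ACCEPT" and "sport" in r]

if __name__ == "__main__":
    print("before:", verdict(RULE_BEFORE, FORWARDED))  # DROP
    print("after: ", verdict(RULE_AFTER, FORWARDED))   # ACCEPT
    print("flagged:", [r["sport"] for r in lint(RULE_BEFORE)])
```
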
This isn't good practice. A hypervisor's management shouldn't be public. If you want to access it from outside your LAN I would highly recommend installing a VPN server on your PVE host as a VM, or using your router's VPN server in case it offers this as a feature, and then connecting remotely to your LAN via VPN client instead of making the webUI public.


Actually there are more ports open. See the hidden anti-lockout rules that always apply and overwrite your "Input Policy: Drop" unless you create a custom rule to block those ports explicitly: https://pve.proxmox.com/wiki/Firewall#pve_firewall_default_rules

And update your PVE. We are on 8.1.4 and not on 8.0.3. Making it public without regularly applying security fixes makes it even worse. You already got half a year of unfixed vulnerabilities.

And to your actual problem. You only allow packets that come from "source port: 8006" and your router that is doing the NAT will probably send the packets from another port. So I would remove that and only keep the "destination port: 8006".
Right, I can try to set up a VPN for more secure access. Do you recommend any tutorials or documentation for a beginner in Proxmox to learn about VPN? Additionally, one of the uses I intend for my home server is to host a container for a Valheim dedicated server, which requires port forwarding anyway, doesn't it?
 
Additionally, one of the uses I intend for my home server is to host a container for a Valheim dedicated server, which requires port forwarding anyway, doesn't it?
Yes, but it's way worse to make your hypervisor public than just a VM. If a craftsman needs access to the pipes in your basement, give him only the basement key and not the master key to your whole house and safe. ;)
And to do it properly you usually also would put your VMs/LXCs into an isolated DMZ subnet. So in case a VM gets hacked the attacker at least wouldn't be able to access your LAN and cause more damage there.
I personally like to run an OPNsense VM for that with the WireGuard plugin. This would also allow you to use the Suricata plugin for intrusion protection and to put your public services in an isolated DMZ subnet for additional security.

Right, I can try to set up a VPN for more secure access. Do you recommend any tutorials or documentation for a beginner in Proxmox to learn about VPN?
You probably want something with a GUI as doing it manually on the CLI isn't that beginner friendly:
https://github.com/pirate/wireguard-docs
https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I remember PiVPN being quite easy to install:
https://www.pivpn.io/
 
xxx.x.xx.xxx:9000
don't forget to put httpS:// before ip:port

You can try to forward the ssh port 22 to test.

Of course, SSH or the web UI need to be behind a VPN to prevent scanners... Hosting WireGuard on the host itself is better than nothing.
 
don't forget to put httpS:// before ip:port

You can try to forward the ssh port 22 to test.

Of course, SSH or the web UI need to be behind a VPN to prevent scanners... Hosting WireGuard on the host itself is better than nothing.
Yes, but it's way worse to make your hypervisor public than just a VM. If a craftsman needs access to the pipes in your basement, give him only the basement key and not the master key to your whole house and safe. ;)
And to do it properly you usually also would put your VMs/LXCs into an isolated DMZ subnet. So in case a VM gets hacked the attacker at least wouldn't be able to access your LAN and cause more damage there.



You probably want something with a GUI as doing it manually on the CLI isn't that beginner friendly:
https://github.com/pirate/wireguard-docs
https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I remember PiVPN being quite easy to install:
https://www.pivpn.io/
Thank you for the answers, guys. I'll try to make it work in the next few days, and if I have another question, I'll be back here. :)
 
