Another ERR_ADDRESS_UNREACHABLE issue

R

Ruprecht

New Member
Aug 6, 2025
16
1
3
Hello everyone,
I have similar problem as discussed in threads I find:
But I did not get any answer, therefore I decided to create a new thread instead of re-activate the old ones.
My proxmox is 8.4.0 instaled on bookworm, and tested on proxmox 6.8.12-13-pve and proxmox 6.14.8-2-bpo12-pve with the exactly the same result.

proxmox IPv4 = 192.168.253.130/30
router IPv4 = 192.168.253.129/30
notebook IPv4 = 192.168.253.119

192.168.253.130 proxmox added to the /etc/hosts and dnsmasq returns resolved IP.

Network is working, proxmox is installed and is running on the iSCSI target, and I am logged-in via ssh from notebook - router - proxmox without any problem.

My problem should not be caused by the router as mentioned here, because I am able to tcpdump ICMP response directly on proxmox host:
1. start tcpdump on router
2. start tcpdump on proxmox
3. open https://192.168.253.130:8006 (or even https://proxmox:8006) on notebook - resulted to ERR_ADDRESS_UNREACHABLE

I can tcpdump on the router and even proxmox :

Code: 
IP 192.168.253.119.44086 > 192.168.253.130.8007: Flags [S], seq 738448291, win 64240, options [mss 1460,sackOK,TS val 1037160350 ecr 0,nop,wscale 7], length 0
IP 192.168.253.130 > 192.168.253.119: ICMP host 192.168.253.130 unreachable - admin prohibited filter, length 68

pve-firewall stop did not change anything. I checked that iptables are empty and with ACCEPT default policy.

I dig around a bit, and I can see that pveproxy is running and listening on the port 8006. Whenever i stop it and run with --debug 1 there is never nothing shown. It looks like the request was not delivered to the pveproxy. :confused:

When I run directly from the proxmox host curl --insecure 192.168.253.130:8006
I can get http response returned, and this response looks like this one .

I decided to try DNAT with MASQUERADE from port 8007 to the 8006 on the proxmox host:
Code: 
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/16 --dport 8007 -j DNAT --to 192.168.253.130:8006
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/16 --dport 8006 -j MASQUERADE

After this, I can get the http response on my notebook from https://192.168.253.130:8007

Now I try: pveproxy stop; pveproxy start --debug 1 and refresh my browser with URL: https://proxmox:8007
I got this result:

Code: 
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN1
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db3368988)
worker[9189]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN0
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN1
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN1
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9187]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN1
worker[9187]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH11 CONN2
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH10 CONN2
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db338ac00)
worker[9189]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN1
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH13 CONN3
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9187]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db3353d40)
worker[9187]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9187]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN0
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN2
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db333ec68)
worker[9189]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH10
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN1
worker[9187]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN1
worker[9187]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH10 CONN2
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9187]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH10 CONN2
worker[9187]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9188]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db3372168)
worker[9188]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH11
worker[9188]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN2
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db33681a8)
worker[9189]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN1
worker[9188]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db3721cb8)
worker[9188]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH13
worker[9188]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN1
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN2
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH11 CONN2
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9188]: PVE::APIServer::AnyEvent +203: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db335e9a8)
worker[9188]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9188]: PVE::APIServer::AnyEvent +203: client_do_disconnect: DISCONNECT CONN1
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db3396590)
worker[9189]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH10
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN1
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db2d09a70)
worker[9189]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN0
worker[9187]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db338aae0)
worker[9187]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9187]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN1
worker[9187]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db33689d0)
worker[9187]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH10
worker[9187]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN0
worker[9188]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db3721c88)
worker[9188]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH11

When I try curl --insecure https://proxmox:8006 on the proxmox host, I get the same http response and page source, and pveproxy debug:

Code: 
worker[9345]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN1
worker[9345]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9345]: PVE::APIServer::AnyEvent +1913: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5b10a7213218)
worker[9345]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9345]: PVE::APIServer::AnyEvent +1913: client_do_disconnect: DISCONNECT CONN0

I assume, that pveproxy debug is much longer because of more established connections from browser, instead of curl opens just only 1 connection.


And at this point I have 2 questions:

  1. What is in front of pve-proxy and could cause the "ICMP host 192.168.253.130 unreachable - admin prohibited filter" response?
  2. Why is proxmox serving empty page / short response without any login, etc?
 
Last edited:
Ruprecht said:
proxmox IPv4 = 192.168.253.130/30
router IPv4 = 192.168.253.129/30
notebook IPv4 = 192.168.253.119
Click to expand...

That is not "normal". Usually you would have all of those in one network, e.g. "/24".
 
OK, I will re-formulate my last question: Does it is possible that routing of subnets smaller than /24 could cause any accessibility issue?
And does it could be possible even when the proxmox is accessible via ping and ssh somehow?
 
hi, this looks like a firewall answer:

Code: 
ICMP host 192.168.253.130 unreachable - admin prohibited filter

maybe you got nftables running if iptables are empty?
 
ce3rd said:
hi, this looks like a firewall answer:

Code: 
ICMP host 192.168.253.130 unreachable - admin prohibited filter

maybe you got nftables running if iptables are empty?
Click to expand...
Thanks for pointing me!
I did not need use nftables yet and never saw the message "admin prohibited filter". Now I can see that it is set-up in chain filter_output.
Now I know what I am looking for and what to learn. :)
 
Playing with the nftables solves the problem with the "unreachable" response, but it does not solve the "blank" web page sent by proxmox.
Based on this page, I created /etc/pve/access.cfg, and /etc/pve/ user.cfg file also does not exists. Does it is mandatory for displaying web gui?
I also did apt -install --reinstall pve-manager proxmox-widget-toolkit and shutdown -r now, but nothing did not help.
As I can see, there is not any error massages in the /var/log/pve/*.
pve-manager is running
pveproxy is running
journalctl -xeu also looks like without any errors.
 
Thanks a lot @ce3rd and @UdoB for your help!

To be able to log into the administration, I installed GUI with the browser (xfce4 with firefox-esr) on the proxmox server itself (which i did not wanted and do not need), and access the configuration at least from the host itself.

With all the respect for other enthusiasts and professionals, I would like share with everyone interested cause of my dissappointment and my point of view. Now, I just do not trust the proxmox even to use it on my own non-production environment. I just do not believe that I would be able to solve any other "non-production proxmox problems", loose too much time, and therefore have to "move back and re-create old" test environment without proxmox from my backup.

It looks from my side, that proxmox could loose some individual subscribers like me because of lack of community with ability to:
* help themself and the new ones with at least basic issues and most of common problems
* filter really basic questions for any more experienced proxmox users and/or professionals saving their time
* help with upgrade of FAQs and even documentation.

I really do not understand the purpose of:
1761720336685.png

I was thinking, that something like "Community support" is and should be free, and anyone could get it with just registering on this proxmox forum. What does this means? Should I pay to get support from people like me before I actually start using proxmox?

I actually do not need proxmox, but i believed in it and wanted to learn. But my believe is gone now.
 
I am so sorry for asking to help with it, but as I can not see the "edit" button/link, I am not able edit the first post to mark it [solved].
 
You must log in or register to reply here.
Top Bottom