Another ERR_ADDRESS_UNREACHABLE issue

[Ruprecht]

Hello everyone,
I have similar problem as discussed in threads I find:

• https://forum.proxmox.com/threads/cant-log-in-to-web-interface.166972/
• https://forum.proxmox.com/threads/pve-7-4-installation-cant-open-gui.165534/
• https://forum.proxmox.com/threads/unable-to-access-proxmox-web-gui.169231/

But I did not get any answer, therefore I decided to create a new thread instead of re-activate the old ones.
My proxmox is 8.4.0 instaled on bookworm, and tested on proxmox 6.8.12-13-pve and proxmox 6.14.8-2-bpo12-pve with the exactly the same result.

proxmox IPv4 = 192.168.253.130/30
router IPv4 = 192.168.253.129/30
notebook IPv4 = 192.168.253.119

192.168.253.130 proxmox added to the /etc/hosts and dnsmasq returns resolved IP.

Network is working, proxmox is installed and is running on the iSCSI target, and I am logged-in via ssh from notebook - router - proxmox without any problem.

My problem should not be caused by the router as mentioned here, because I am able to tcpdump ICMP response directly on proxmox host:
1. start tcpdump on router
2. start tcpdump on proxmox
3. open https://192.168.253.130:8006 (or even https://proxmox:8006) on notebook - resulted to ERR_ADDRESS_UNREACHABLE

I can tcpdump on the router and even proxmox :

IP 192.168.253.119.44086 > 192.168.253.130.8007: Flags [S], seq 738448291, win 64240, options [mss 1460,sackOK,TS val 1037160350 ecr 0,nop,wscale 7], length 0
IP 192.168.253.130 > 192.168.253.119: ICMP host 192.168.253.130 unreachable - admin prohibited filter, length 68

pve-firewall stop did not change anything. I checked that iptables are empty and with ACCEPT default policy.

I dig around a bit, and I can see that pveproxy is running and listening on the port 8006. Whenever i stop it and run with --debug 1 there is never nothing shown. It looks like the request was not delivered to the pveproxy.

When I run directly from the proxmox host curl --insecure 192.168.253.130:8006
I can get http response returned, and this response looks like this one .

I decided to try DNAT with MASQUERADE from port 8007 to the 8006 on the proxmox host:

iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/16 --dport 8007 -j DNAT --to 192.168.253.130:8006
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/16 --dport 8006 -j MASQUERADE

After this, I can get the http response on my notebook from https://192.168.253.130:8007

Now I try: pveproxy stop; pveproxy start --debug 1 and refresh my browser with URL: https://proxmox:8007
I got this result:

worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN1
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db3368988)
worker[9189]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN0
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN1
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN1
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9187]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN1
worker[9187]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH11 CONN2
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH10 CONN2
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db338ac00)
worker[9189]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN1
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH13 CONN3
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9187]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db3353d40)
worker[9187]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9187]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN0
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN2
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db333ec68)
worker[9189]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH10
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN1
worker[9187]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN1
worker[9187]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH10 CONN2
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9187]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH10 CONN2
worker[9187]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9188]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db3372168)
worker[9188]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH11
worker[9188]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN2
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db33681a8)
worker[9189]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN1
worker[9188]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db3721cb8)
worker[9188]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH13
worker[9188]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN1
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN2
worker[9189]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH11 CONN2
worker[9188]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9188]: PVE::APIServer::AnyEvent +203: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db335e9a8)
worker[9188]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9188]: PVE::APIServer::AnyEvent +203: client_do_disconnect: DISCONNECT CONN1
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db3396590)
worker[9189]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH10
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN1
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db2d09a70)
worker[9189]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9189]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN0
worker[9187]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db338aae0)
worker[9187]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9187]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN1
worker[9187]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db33689d0)
worker[9187]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH10
worker[9187]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: DISCONNECT CONN0
worker[9188]: PVE::APIServer::AnyEvent +1921: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5e5db3721c88)
worker[9188]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH11

When I try curl --insecure https://proxmox:8006 on the proxmox host, I get the same http response and page source, and pveproxy debug:

worker[9345]: PVE::APIServer::AnyEvent +1871: (eval): ACCEPT FH9 CONN1
worker[9345]: PVE::APIServer::AnyEvent +1871: (eval): Setting TLS to autostart
worker[9345]: PVE::APIServer::AnyEvent +1913: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x5b10a7213218)
worker[9345]: PVE::APIServer::AnyEvent +177: __ANON__: CLOSE FH9
worker[9345]: PVE::APIServer::AnyEvent +1913: client_do_disconnect: DISCONNECT CONN0

I assume, that pveproxy debug is much longer because of more established connections from browser, instead of curl opens just only 1 connection.


And at this point I have 2 questions:

1. What is in front of pve-proxy and could cause the "ICMP host 192.168.253.130 unreachable - admin prohibited filter" response?
2. Why is proxmox serving empty page / short response without any login, etc?

 

[UdoB]

proxmox IPv4 = 192.168.253.130/30
router IPv4 = 192.168.253.129/30
notebook IPv4 = 192.168.253.119

That is not "normal". Usually you would have all of those in one network, e.g. "/24".

 

[Ruprecht]

That is not "normal". Usually you would have all of those in one network, e.g. "/24".

And what do you think is not normal on routing subnets /30 with /27 instead of /24?

 

[Ruprecht]

OK, I will re-formulate my last question: Does it is possible that routing of subnets smaller than /24 could cause any accessibility issue?
And does it could be possible even when the proxmox is accessible via ping and ssh somehow?

 

[ce3rd]

hi, this looks like a firewall answer:

ICMP host 192.168.253.130 unreachable - admin prohibited filter

maybe you got nftables running if iptables are empty?

 

[Ruprecht]

hi, this looks like a firewall answer:

ICMP host 192.168.253.130 unreachable - admin prohibited filter

maybe you got nftables running if iptables are empty?

Thanks for pointing me!
I did not need use nftables yet and never saw the message "admin prohibited filter". Now I can see that it is set-up in chain filter_output.
Now I know what I am looking for and what to learn.

 

[Ruprecht]

Playing with the nftables solves the problem with the "unreachable" response, but it does not solve the "blank" web page sent by proxmox.
Based on this page, I created /etc/pve/access.cfg, and /etc/pve/ user.cfg file also does not exists. Does it is mandatory for displaying web gui?
I also did apt -install --reinstall pve-manager proxmox-widget-toolkit and shutdown -r now, but nothing did not help.
As I can see, there is not any error massages in the /var/log/pve/*.
pve-manager is running
pveproxy is running
journalctl -xeu also looks like without any errors.